Personal Information in the Web 2.0 Era. How Do You Trust?


I do all my banking online. I watch my transactions carefully and I’m confident that if any of my accounts were compromised, I’d know soon enough to stop any damage. False sense of security? Maybe. My Aunt refuses to make a single online purchase, much less do her banking online. Is she being overly paranoid?

Aside from banking sites and places we enter credit card information, we put a great deal of trust into the sites we visit, giving them a lot of personal information. We are learning how to protect our children online, but how reckless are we being ourselves?

All too often, web applications ask for a lot of trust from visitors but don’t give it in return. Recently I visited a new site that promised to “budget, plan, forecast, organize and analyze your personal finances to achieve your goals.” It sounded like the perfect site to profile for a post here at WWD. After sign-up, you were expected to enter all of your personal financial information, short of the account numbers or PINs. No “About Us” or “FAQ” page. No forum or blog to reveal the thinking behind the site. The payment for the “enhanced” service was handled through PayPal, and even the domain was registered through Domains by Proxy (to hide the real contact information of the owner). I don’t think so.

Many sites use the “About” or “FAQ” page to talk about their hopes and dreams. That’s nice. But now tell us why we should trust you. If you’re not Google or Yahoo or another publicly traded company (or even if you are), give us a glimpse of the people behind the technology, and give us an idea of the steps you are taking to safeguard the data we are sharing with you. Nowadays, a http:// link isn’t enough to put anyone’s mind at ease. Going on instinct, I look for things like Truste or BBBOnline verification. I search for independent information about the company or site. Nothing is 100%, of course. The more a site asks from me, the more steps I expect the site to take to not only protect my data, but to be transparent about the methods they are using to do so.

Even if all the right pieces are in place, would you use a service like StolenID Search, a web application that searches stolen social security numbers to see if your number is compromised? The catch is that you have to enter that number into the site. For many people, myself included, social security numbers are very closely protected and we will not enter those digitis into a website easily. With good reason.

When it comes to trust, what do you look for in a web application before you hit that “sign up” button? Is there information that you won’t put online no matter what?


Judi Sohn

Paul, there’s nothing wrong with PayPal. Let me explain my thinking here, as I said it’s an “instinctual” thing with me. PayPal is easy. Anyone at any time can set up a PayPal account and start taking money with an email address. In combination with no information about the company and hidden domain registration it screams “fly-by-night” to me.

So if a company, let’s use BigContacts as an example, has an “About” page that includes information about the developers (right down to a phone number!) and a “Systems & Security” page that explains how the data is protected, I won’t notice or care that you take PayPal for payment. When I’m looking at whether or not I trust a website and I see no other reason to trust, I’ll look to see how they take their money…do they at least have enough of a business to get a merchant account?

I hope that helps, and I apologize if I made anyone nervous about their own sites.

Paul Freet

Can someone explain to me the inherent security risk posed by doing business with a site that uses paypal for processing their credit card transactions? How is that different than using any other mechant processor? At least they were upfront about it.

We use Paypal’s Virtual Terminal, so that might be a bit different, but I still don’t get what the issue is here. But, I’d really like to know because we will change processors if I learn something I don’t like.

Mark Evans

Excellent post, and relevant to me given my Paypal account was hacked into and I had a bunch of money extracted. Fortunately, the fine folks at Paypal are going to get my account back to normal.

alan p

I think trust will be a bigger issue in 2007 than previously, because so many of the social media services are being “gamed” by less salubrious people far more


In our society, people trust a website, an individual or an organization because they know that other people trust that website, individual or organization. Pagerank seems to be a good indicator of trustworthiness and I use that a lot. A longer green bar on my google toolbar means (to me) means that a lot of other important websites vouch that the particular website I’m visiting is trustworthy.

Island in the Net

The issue has nothing to do with web security but in the way personal financial information is handled. Your Aunt does not use online banking or shop online because she is worried about data privacy but she most likely gladly hands over her credit or debit card to a waiter or gas attendant who walks away to authorize a purchase.

As long as your financial data is available on a database in some networked environment it is potentially as risk.

An exercpt from this article here:

6.1.5 Financial security

Consumers also have legitimate concerns about using their credit/debit cards to make on-line payments – especially internationally.

There have been some spectacular cases of ‘hacking’ of credit card numbers from on-line banks and other companies (most of which are kept out of the public eye). Mike Webb (one of the authors of this report) himself experienced fraudulent use of his credit card as a result of making legitimate on-line transactions in 1999.

Although standards have improved, security experts such as Bruce Schneir[4] have identified the fundamental insecurity of computer-based systems, ensuring that hackers and others will continue to exploit security weaknesses on computer systems used by both businesses and consumers.

Schneir identifies a number of generic problems in trying to achieve 100% security using computer-based systems:

· Increasingly complex operating systems will inevitably include exploitable weaknesses unforeseen by software designers[5]

· It only takes one person to discover a security hole or weakness, and the information can be published globally (via secret hacking sites) to thousands of other hackers in a matter of minutes

· Security should be considered a process, not a product. It is only as secure as the weakest link, which is almost always people.[6] For example, as has often been reported, most users choose insecure passwords. ‘Cracking’ software can recover 20 per cent of all passwords in a few minutes, and 90 per cent of all passwords in less than a day.[7]

In addition, it should be noted that even in the West, where companies have several years’ experience operating networked systems, many companies have lax security policies. According to figures from the UK Department of Trade and Industry (DTI), about 33 per cent of UK businesses still do not have a firewall between their websites and their internal computer systems, leaving them vulnerable to hackers. And 66 per cent do not have intrusion detection systems, which could detect hackers if they penetrated other defences.[8]

However security experts also acknowledge that on-line financial transactions, such as the use of credit/debit cards, while never 100% secure, are likely in general to be more secure than off-line transactions.

jason knight


I’m Jason Knight the CEO of Wesabe, and we seem to be in the same space as the company that Judi writes about. At the risk of plugging our service here is how we handle trust and personal information: You can call me 800.511.8544 (12-4pm PST seven days a week) if you have any queastions about our privacy or security policies (or anything else you want to talk about). You can also email me All of our support email is handled by the developer who writes the code, and our goal is to be as close as possible to our users.

We must earn trust every day, but we are succeeding…we know it because our users tell us so.


Just playing devil’s advocate here, but whats wrong with just using a fake name? If the site isn’t trying to validate any of the information (which it shouldn’t be), just call yourself “Judi Smith.”

Judi Sohn

Amie, I wasn’t discounting the site on the fact that payment was through PayPal alone. Like you said, there are a lot of advantages to it. I was looking at their payment method in combination with all the other factors…private domain registration, no information about the company, etc. to form an overall opinion about the level of trust. If they provided a contact address or talked about the technology they used and they happened to use PayPal, I wouldn’t have any complaint.

Amie Gillingham

I wouldn’t be so quick to distrust a site that uses PayPal as its online payment component. For many smaller (or newer) online businesses, it’s an excellent way to handle the security issue and actually ensure the safety of one’s financial information. Our business currently uses PayPal exclusively for our subscription service to our website because they’re set up to handle recurrent payments and we don’t have access to any of our members’ financial information. In many ways, it’s like OpenID in that you set up once and can use that information in the places that are set up to accept it.


I think that the piece above raises a good point – simply having “https://” is simply not enough to put my mind at ease about disclosing my personal information to a website. In terms of what I look for in a web application before I sign up for it, a very important factor for me is if there is a brick-and-mortar component to the company. For instance, I feel confident going to my bank’s website to check the balance of my checking account. If there is a problem, I can call the bank to confirm the problem. Another important attribute for an online service to have is press coverage. Not to beat a dead horse in regards to banks, but if an online banking company has had press coverage, then to me, that means that there has been some investigation of that site, and that any difficulties or suspicious aspects or activities would have been reported. It is after that, that I can do my own investigation of the site.

Comments are closed.