DARE Risks of CPA Assurance of WebTrust^SM Electronic Seals

and of DataTrust Privacy of Cookie Jars

Verifying that the company or person on the other end of the line is truly that company or that person has become known as authentication. The best-known web authentication service is VeriSign. In a single press release on September 16, 1997, the American Association of CPAs and the Canadian Institute of Chartered Accountants announced the public/chartered accountant WebTrust^SM Electronic Commerce Seal. The Seal was to be used by member firms that offer assurance services in the broad areas of the following:

1. Business Practice Disclosures
   
2. Transaction Integrity
   
3. Information Protection

Employees engaged in WebTrust activities are required to meet training standards set by the AICPA and the Canadian CICA.

In the area of authentication services, the best-known current provider is VeriSign at the URL shown in the "hint" above. VeriSign provided the expertise to make the WebTrust^SM online Seal difficult to forge.

The Better Business Bureau offers an online LogoTrust service that is somewhat unique. The BBB Online logo appears at registered company web sites. At those sites, the BBB Online Logo is hyperlinked to the BBB Online site which verifies that the link came from a legitimate site. This LogoTrust service is similar to WebTrust^SM services from VeriSign. However, VeriSign is better known in the digital signatures industry to date.

TRUSTe at http://www.TRUSTe.com is a DataTrust service aimed at protecting privacy rights and privacy agreements of companies and individuals that have shared information for an authorized purpose. For example, DataTrust is analogous to having an unlisted phone number. Telephone companies agree not to give out names, addresses, and phone numbers of persons who pay for unlisted numbers. In the case of listed phone numbers, however, telephone companies traditionally sell that data to anyone willing to pay the price for the data. Persons with listed phone numbers thereby find themselves deluged with telemarketers, junk mail solicitations, etc.

Unless web users have set their browser options not to accept cookies, companies build up information (e.g., names, addresses, phone numbers, product interests, browsing patterns, payment histories, etc.) that can be used and abused by companies such as DARE. For example, DARE may willingly or accidentally share cookie data (recipes?) with outsiders.

Under the WebTrust^SM program, accounting firms may offer DataTrust services similar to that of TRUSTe at http://www.TRUSTe.com. In fact TRUSTe uses Coopers & Lybrand and KPMG Peat Marwick accounting firms to conduct surprise investigations of possible misuse of the TRUSTe logo by its clients.

LogoTrust has less risk than DataTrust because it guards against fewer things that can go wrong. LogoTrust assures users that the logo is being used legitimately. There are, of course, potential lawsuits if damages ensue from its misuse. Restraints such as limits to the dollar amount of a transaction are not much protection since any person or company using a logo for fraudulent purposes may also change the transaction restraints.

Risks are somewhat reduced following legislation in the U.S. Congress regarding joint and several liability of CPAs. The risk of being the deep pocket defendant left to bear all of the damages in failures that are only partly attributable to CPA firm negligence has been greatly reduced. CPAs, however, are still subject to having to pay whatever share of the damages that courts attribute to those CPAs.

Apart from lawsuit risks, there are risks of bad publicity and tarnished reputation for failed assurances. CPAs have a competitive advantage at the moment because of public perception of CPAs as honest and diligent. Entering into more risky services such as information security assurances might tarnish both the reputation of a particular CPA firm and the CPA profession in general.

WebTrust assurances cover a broader range of electronic commerce transactions in addition to logo assurances. WebTrust can cover business practices and internal control. It requires more testing and professional competence in electronic commerce. Whereas some logo assurance services like TRUSTe require only after-the-fact self reporting, WebTrust service providers require client recertification every 90 days.

The broad spectrum of assurance services is given by the AICPA at
http://www.aicpa.org/assurance/scas/newsvs/index.htm
These include the following categories:

• Risk Assessment
  
• Business Performance Measurement
  
• Information Systems Reliability
  
• Electronic Commerce
  
• Health Care Performance Measurement
  
• ElderCare
  
• Other Opportunities

Those categories more closely aligned with computing and networking are Information Systems Reliability and Electronic Commerce. Information Systems Reliability is discussed in greater depth at http://www.aicpa.org/assurance/scas/newsvs/reliab/index.htm

Electronic Commerce Assurance Services are discussed in greater depth at http://www.aicpa.org/assurance/scas/newsvs/elec/index.htm

By way of illustration, instructors may want to have students discuss the various new security assurance services of KPMG at http://www.us.kpmg.com/irm/main.html

The answer to this assignment is given in Appendix 3 by John Howland and at http://ariel.cs.trinity.edu/~jhowland/security/security .

The answer to this assignment is given in Appendix 3 by John Howland and at http://ariel.cs.trinity.edu/~jhowland/security/security .