The internet is full of lies. Without plenty of effort, you can’t even prove my name is Thursday Bram. So why should you hand over your bank account numbers, passwords and other financial data to me?
That’s essentially what Mint and other money management sites are asking you to do. These companies have many benefits for those of us focused on productivity and, for some of us, those benefits have outweighed our healthy senses of paranoia. I’m not saying that money management companies are all out to get us (and some of them are actually very good), but it’s worth taking a very close look at what sites you trust.
I realize it may not seem fair to be so suspicious — after all, these sites never did anything to me. But pretty much everything on the internet is a matter of trust. Consider Mint’s “Privacy & Security” page: in 20 minutes I could have an identical page up on my site. Merely posting a page isn’t enough to win my trust — although the information Mint has posted is very convincing.
What is enough to win my trust?
I think a video of Bruce Schneier pronouncing a site’s trustworthiness would be enough to convince me — but only because I already trust Schneier as an expert on security.
Beyond that, it’s a matter of finding some very specific facts that will help me to decide on whether to trust a given site.
Where is a company based?
Most folks running websites have the best of intentions. The country they’ve set up their servers in, though, can have some extensive effects on who gets to see your information simply by asking. In the U.S., there are certain laws meant to prevent companies from passing around your private information. But in more controlled societies — think China — certain government officials can access secure information with no intermediary steps.
Knowing location is also important in case something goes wrong. I know I’d rather use a money management site based in my own country in the event that they did distribute my information to someone with nefarious plans. At least, in that case, I could take the company to court.
Reading this policy is a fairly good indicator of Mint’s trustworthiness — and therefore its success as a money management application. The key is the inclusion of a way to address security issues through a third-party organization with a reputation for trustworthiness. It’s easy to scoff at using such third-party organizations, and listing links to their sites on your own, but those seals are actually a good indicator, if you can confirm that they are correctly displayed.
Mint’s partnership with TRUSTe is a great example. TRUSTe has been around since 1997 and was founded by, among others, the Electronic Frontier Foundation. That sort of history and such well-known associates make for a good indicator of trust.
What are other people saying about the company in question?
Beyond fancy logos, though, a real indicator of whether a website is worth trusting is the buzz around the web. Just Googling a site’s name can get you a whole load of information, though you might consider adding words like ‘security’ in your search. A surprising number of people don’t do even this basic level of research before handing over details like the password to their email — I can name a half dozen social networking sites that ask for exactly that in order to import your contacts. It’s nice that we have such an environment of trust online, but we’re just asking for problems when we give away such information willy-nilly.
Such due diligence can be enough to warn you off of releasing your information, though. At the very least, it can give you a heads-up about security issues that might make you want to wait before signing up for a service.
Unfortunately, buzz doesn’t always help early adopters. If you’re always the first person into the private beta, you may not have heard about any bugs or problems that a company has experienced, let alone if other people have some questions about trust.
How much time should I spend on research?
I don’t necessarily delve into the technical security specs of every site I sign up for, and I wouldn’t even argue that there is a need to. But before handing over information like your bank account numbers — or the password to the email account where you’ve saved those numbers — it’s worth spending 15 or 30 minutes to make sure that your sensitive information isn’t going to take a walk after you’ve entered it.
After this sort of review, Mint has all the elements of a reliable site. They’re able to earn trust, rather than rely on people looking for a quick fix and ignoring a few warning signs. Yes, Mint solves some significant productivity and money management questions, but it does so in such a way as to reassure users.
I do still have a few concerns, of course. Any site known to save financial information on numerous people is going to be a target of all sorts of malicious attacks. And no site is going to take users on a walkthrough of the exact protections and vulnerabilities of their system. Aaron Patzer, Mint’s CEO, has discussed the site’s security on several occasions, and in general, it seems like information submitted to the site is fairly secure. I’m willing to roll the dice and take a chance on Mint — especially since none of the early adopters have gotten burned yet.