Digital Trust: A Fragile Social Compact?

A week ago, when I sat down to think about what I wanted to say here today, one of my helpful associates offered that, "any idiot can weigh in on trust." Although I didn't like the connotation, he seemed to be telling me that I met the principal qualification.

And he was right, of course. Many do. Many have. "Trust" has forever been a favorite topic for preachers, lovers, lawyers, and let's not forget the marketing MBAs.

Leaders of all types — elected and un-elected — assert their trustworthiness and implore others to trust them.

The Google search engine tells me that the word "trust" pops up in conjunction with the word "election" on a million English-language web pages. I tried several other combinations. "Trust" and "love" had 2.5 million hits. The most impressive count, by far, was google's report that there are 3.5 million web pages that use the word "trust" in some conjunction with the word "policy." (Now, why are you not surprised?)

At an earlier stage in my life, in a flight of whimsy, ambition or just plain stupidity, I agreed to augment the NSC staff in the White House to deal with the growing set of issues around the famed clipper chip, one of the more spectacular bumps on the road to digital trust.

I'm reminded of the story that my good friend, Mike McConnell, now a vice president at my firm, but then the director of the National Security Agency when he convinced the Clinton Administration to unleash the clipper chip on the digital world. Ten years on, he still feels that he is wearing a clipper chip strapped to his posterior like a rudder. every once in a while, even now, someone sneaks up behind him and gives that rudder a little shove to remind him just how spectacular an episode the clipper chip was.

On my very first day, I was asked on the spur of the moment to represent the White House in a mock debate on clipper chip at the Georgetown University Law School. Brimming with self importance at my new found status in life, I set myself to the task. However each faction on the stage, the FBI, the software industry, and the privacy community had cheering sections in the audience. Various points were variously cheered and boo'd. Catcalls all around. To call it a debate would have been kind. A public lynching would have been more appropriate. I felt as if I were in outer space, losing oxygen fast. One of the more bizarre installments in the dialogue on digital trust — a good lesson in humility.

I'll only say that it got worse before it got better.

"In God We Trust," was a terse post-Civil War prayer when it first appeared — embossed on a two-penny coin issued in 1864 — the coin didn't last, but the motto met with such acclaim that it became a staple of US currency.

It was probably not too much later that this motto was adapted into a statement of terms and conditions — posted above the bar in many of the finer liquor establishments around the capital and elsewhere — "In God We Trust, All Others Pay Cash."

Currency is a good touchstone for any discussion of Trust. Think about the money in your pocket. The paper and coins have virtually no intrinsic value, and the US Treasury has been off the gold standard since Nixon.

An American dollar bill is worth more than ink on paper only so long as there is widespread confidence that the government has the wherewithal to back it up; that the currency itself is difficult to counterfeit; and that its designated value will be widely accepted by others in exchange for goods and services.

The worldwide reputation of Wall Street as the premier market for capital and equity — the whole edifice which permits the trade of financial instruments far beyond the basics of stocks and bonds, futures and options — is based wholly upon the trust that investors have in the Street.

Recent examples of "crony capitalism," — Anderson and Enron; and investment bank analysts whose stock recommendations had no integrity behind them — have predictably roiled the market and frightened off investors, both Americans and those from other countries who have provided essential liquidity.

The implications of a public loss of trust goes far deeper than the plunge in the market. Trust is really the glue that holds together the social fabric. When it frays, we all hurt. When it can be enhanced, we all benefit.

As Jedediah Purdy put it in this month's Atlantic Monthly:

"We walk down the street unarmed, invest our money with strangers, and pay taxes all because we trust that nobody will mug us, take the cash to Cancún, or use government revenue to enrich a family company. The only other way to coordinate complex activity is coercion which, as the Soviets learned, is neither efficient nor pleasant."

It has become fashionable to worry about public trust and confidence in the U.S. Although current events give us boom and bust cycles, it seems clear that Americans' trust and confidence in government, business, organized religion, civic institutions — and in each other — have declined steadily over the past several decades.

Trust in government was in the pits through the 1990s, but it rose sharply in the aftermath of 9/11. Trust in business, on the other hand, soared during the boom of the 1990s — but it tanked when the bubble popped amid revelations of greed, misbehavior, and crime among the corporate elite.

Yet, anyone thinking about trust in cyberspace is forced to confront the degree to which trust is the essential fulcrum for productive and substantive interactions between individuals — and between organizations and individuals — both off-line and online.

Absent coercion, we will engage, serve, or sell successfully in cyberspace only to the degree that we earn or inculcate trust in the man or woman at the remote keyboard.

The engineering challenge is daunting. In order to effectively transfer any large portion of our traditional commerce into cyberspace, we will need some virtual equivalents for the complex and subtle matrix of convention, policy, procedures, instinct, culture, and law — refined over the pragmatic ages — by which we manage the exchange of products and services for money, trade in financial instruments, and barter gossip and wisdom for reputation and allegiance.

To tackle that Herculean task, it is probably necessary for those who design, implement, and manage these systems to become much more self-conscious — and need I add, modest — about the presumptions of trust we embed in the infrastructure.

They (by that, I really mean we) also need to parse and acknowledge the range of implicit and explicit trust requirements — even those we can't yet directly address — which are carried into any successful transaction by all the parties involved.

And were that not enough, we also can't forget the basics. As Tip O'Neal said, "All politics are local. So too, all issues of trust and security are situational, and ultimately meaningful only where the rubber hits the road."

As Bob Courtney — IBM's colorful and influential security evangelist 25 years ago — put in Courtney's "First Law":

"Nothing useful can be said about the security of a mechanism, except in the context of a specific application, in a specific environment."

It is immediately apparent that those of us involved with digital systems make two easy distinctions in the ways we professionally use the word trust.

On one hand, we use trust as a label for a device or system with asserted traits that all users, necessarily, are required to accept — like the "trusted computer base." If a trusted component fails, then — by definition — the security or integrity of the whole system has failed, either catastrophically, or in some managed mode.

On the other hand, we also use trust as the label for a desirable quality of voluntary dependence that can be neither guaranteed or required. We see this as the user's choice — don't we? — as to the degree he is willing to accept or qualify a dependant relationship between himself and the system or device at issue.

In our business, the distinction made is sometimes elusive, and the dichotomy subtle — perhaps purposely so.

We in this room are all aware of ongoing R&D that seeks to digitally model, implement, and validate trust in system and network architectures. Designs for trustworthy computers and networks; tighter protocols; safe system software; and fail-safe application code have consumed several generations of our most thoughtful engineers. (Yet the result, to put it charitably, is still a "work in progress.")

Collectively, and quite rightly, we are skeptical of absolutes — and particularly when they are offered in claims made for, and qualities attributed to, the logical and mechanical systems devised by men. Folklore underscores that skepticism with Murphy's Law ("Anything that can go wrong, will go wrong.") and Jake's Law ("With a big enough hammer, anything can be broken.")

As a society, we instinctively know that we can't absolutely trust any contrived system — however precisely, ambitiously, and earnestly we hear it described in RFPs and vendors' specs — but collectively, (as well as individually), we often come to rely upon the reassuring illusion.

In a technically advanced culture such as our own, we implicitly give our trust daily to the many hundreds of people who provide the critical infrastructure of daily life. We trust the airplane to fly and to get to its promised destination. When and if it doesn't — even if it is an enormously complex device like a space shuttle — we feel shocked. We demand accountability — an investigation to pinpoint and rectify the problem — and reassurance.

Every day, most of us go into our kitchens and open various cans and packages of food and eat it — with rarely a thought about the hundreds of people who have grown, fed, processed, packaged, and shipped that food ... protecting it and us as it traveled from some distant farm to our plates.

We implicitly have faith and confidence that these people will not only provide us with safe, healthful, food — but also that they will routinely make it available when and where we want to purchase it.

To function at all, such trusted systems require a certain minimal level of public trust and confidence. We eat our food with the blithe assumption — absent any evidence that these people do not deserve our trust — that vast numbers of people (whom we do not know and can not know) are, ipso facto, "trustworthy."

When the illusion collapses — as in the Tylenol Scare of 1984; or the disasters at Three Mile Island and Chernobyl — that public trust and confidence can evaporate overnight.

Sometimes — as when Tylenol's manufacturer, Johnson & Johnson, led pharmaceuticals and much of the grocery business into tamper-proof packaging and, by its actions, convinced the public that it had its priorities straight — that confidence can be recovered. But such a recovery — both costly and difficult — is never certain.

The second context in which we "IT" professionals use the word trust is much closer to the traditional use of the word in philosophy and psychology. Consider the concise definition offered by the Australian scholar Roger Clarke:

"Trust is confident reliance by one party about the behavior of other parties."

When I lived in Japan, I was fascinated by the way the Japanese prized the blowfish, Fugu, both as a deadly delicacy and a culinary masterpiece. The blowfish contains a poison that is 1,200 times stronger than cyanide; a single fish contains enough poison to kill 30 people. Improperly prepared, it kills its consumer. For this reason, there is an elaborate certification program for these licensed to prepare it. As the final exam for a Sushi chef who seeks a license to prepare Fugi for the public, the chef must himself catch, clean, and prepare the fish and then eat it. The popular joke is that, either way, the candidate gets a certificate!

In the context of trade and commerce, trust is that quality of optimistic faith and confidence with which a relying party accepts risks, when, in the course of arranging a trade or transaction, he has exhausted all available options to avoid, transfer, share, or otherwise minimize those risks.

Trust, then, is the willing acceptance of risk by a party to a transaction, when there is no absolute guarantee that his interests will be protected.

The absence of risk or liability eliminates the need for trust.

Trust in this context has less to do with the technical intricacies of the transaction, per se, than it does with the cultural mindset and the information flow that allows each of the parties involved to reach a decision that it is worthwhile for them to execute a specific transaction.

This is — perhaps surprisingly — very deep water.

In just one technical niche, scholars have spent years trying to analyze and model the underlying belief models for authentication protocols. But the potential implication of various mechanisms that might allow people to quantify and overtly manage various types of authentication — assertions of identity, role, value, and eligibility — are significant.

Again there are everyday parallels. Merchants, banks, and their credit agencies often use relatively effective models to make profitable decisions. Often, however, either the buyer or the seller is at a severe disadvantage, with respect to his trading partner, in terms of reliable information about the other party, or the tradable item, or the trading process, or the contingent outcomes.

In such an asymmetric situation, trust — when there is significant exposure — may be the critical factor which allows a specific transaction to take place.

E-commerce today is largely characterized by the very factors that define a high-risk marketplace off-line: the parties have little or no knowledge about one another; there is often some significant elapsed time during which one party is vulnerable; and they are usually beyond arms reach: in different locations, probably in different legal jurisdictions.

Just because of this, the question of how to enable commerce to flourish in such an environment has become an obsession for many.

Social theorists and economists; engineers and mathematicians; social psychologists and statisticians; pollsters and philosophers; even biologists — not to mention those who study artificial intelligence and cybernetics — today delve deeply to explore the multiple aspects and expressions of interpersonal trust. The vigor and energy of this inquiry have expanded steadily over the past three decades, as global society has come to acknowledge Metcalfe's Law:

"The value of a network, to those who use it, increases in proportion to the square of the number of nodes or users on the network."

Or, more simply put, one phone is useless.

There are now international conferences on trust — one's coming up in April in Prague — and learned journals publish hundreds of papers exploring the subjective and objective mechanics of trust in various environments. Such scholarship branches off into a bewildering array of sub-topics and meta-topics as researchers seek to model the processes involved.

One reason for all this intellectual ferment — plumbing what on the surface seems to be such a simple idea — is the belated realization that social constructs like trust — or consent, as in contracts and digital signatures — are not simple at all.

A second reason is that many now believe that understanding trust in the real world — what some online call "TRW" — is critical to understanding the actual security requirements for online transactions, and may be a requirement for creating technological solutions to the problems that have emerged in electronic commerce.

Some prominent biologists, like Steven Pinker of MIT, now argue that human behavior patterns defined by trust — in particular, the urge to rage and retribution when we feel betrayed — might be "hard-wired" into the brain as a gut response that bypasses rational thinking.

Properties like that make trust — as a human phenomenon — especially difficult to understand.

Such behavior patterns are no less complex, no less subtle, where society has — over centuries — woven them into the fabric of the infrastructure we have created to manage our governance and our trade.

Yet, it may well be that only by coming to understand the subtle interdependencies at play within the pragmatic practice of interpersonal trust can we hope to design and develop — over decades — an acceptable arena for electronic commerce.

Any digital expression of trust — as a contrived phenomenon — must acknowledge, and perhaps take into account, not only the rational, social, and economic dimensions of trust — but maybe a biological expression as well.

Whatever the challenges, however, there are enormous social, technical, administrative, and economic imperatives that push us forward in this inquiry.

The economic logic — the heart of the thrust toward e-commerce — is clear.

Almost all transactions involve some potential for misrepresentation, non-compliance, or fraud. To deal with those risks, a cynical or distrustful party has to depend upon elaborate contracts, or arrange for some sort of performance monitor or oversight, or turn to litigation, to discourage such behavior. These all work — but they are all costly.

Mutual trust, when it is available, is a cheap and efficient alternative — so it offers a significant competitive advantage to any group or culture that can adopt it and rely upon it.

If not quite priceless then, trust in commerce is an enormously valuable asset.

The advantage that accrues to those societies where trust is available to grease the wheels of commerce is big.

Running a historical regression analysis over the 1980s, one thought-provoking World Bank study suggests that a 10 percent difference in the degree of generic trust available to the citizens of a nation is reflected in a 0.8 percent variance in economic growth.

The varied propensity to trust among nations ranges from "high trust" Norway — homogeneous and productive, where 65 percent of Norwegians expressed a willingness to trust their fellow citizens, to poverty-plagued Brazil, where only three percent of those surveyed felt they could presume that most Brazilians would not seek to take advantage of them.

The percentage of Americans who believe that they can trust "most other Americans" is now reported to be a little over 30 percent. (That figure has dropped steadily amid the social turmoil that has leavened American society since 1960, when the percentage of those willing to trust most anyone American was an innocent 55 percent.)

IBM Research recently published another study that offered a disturbing corollary. The degree to which the citizens express this willingness to trust one another is correlated not only with relative economic growth, but also, apparently, with the relative rate of growth for Internet access.

The Internet is expected to be an important source of economic growth in the 21st Century. The Congressional Budget Office in 2001 predicted that the US economy should grow at 2.1 percent, annually, over this first decade — a 0.9 percent increase over US growth for the period between 1974 and 1995.

Some U.S. government economists have recently estimated that the Internet will account for nearly half of this expected increase. Others suggest that the US manufacturing sector could leverage the efficiencies of the Net for productivity gains of between 0.2 and 0.4 percent, per year.

Whether such optimistic predictions come true, noted the team of IBM researchers, depends on whether U.S. companies and citizens choose to do business over the Internet: "how willing they are to accept the greater anonymity and associated possibilities for opportunism inherent in web-based transactions."

The IBM team warned that the so called "low-trust" countries — the majority of which have low to middle incomes — could take a double whammy. They are penalized first by low-trust in terms of higher transaction costs, and could again be penalized by their lower rate of adoption of growth-enhancing technology. This, IBM worried, could accentuate a digital divide, as poorer nations fall further and further behind.

It thus might not be surprising that, around the world, many clever people are obsessed with finding ways to transfer the capacity for inter-personal trust into Cyberspace. There is a vigorous and ambitious search for new ways to digitally represent — and qualify, validate, and distribute — information that could allow parties to a transaction to sustain (and perhaps even expand) their native capacity for trust, as they venture into electronic commerce.

We are talking here about food for babies; jobs; GNP; Motherhood; and beans-and-rice issues. The potential of trust — and the downside of distrust — in electronic commerce are both much bigger and more important than the Net's petty contemporary concerns over pop-ups and banner ads on websites, which (admittedly) sometimes try to herd potential customers like prey toward a hunter.

I'm not going to try to dazzle you with likely models for the future of Internet commerce. (And — with this audience — I'd probably get in trouble if I tried to parse out the details of alternative protocols!). Beyond that risk, the truth — at least in the short term — is that there are still just too many possibilities up in the air.

There are plenty of opportunities for a company to do everything 'right' — yet still fail, crushed in the sheer unpredictability of the environment.

In the longer term, I think it is likely that consumers will get what they believe they want, and that may not be what businesses think they require.

We have seen the failure of several commercial efforts to "colonize" the Internet; attempts to force the community of online users into a simple model drawn from pre-Internet commerce. Think of the hoopla for the "push" content providers, or the hype for commercial portals.

Think of the expectations of many that "digital signatures" would permit individuals, previously unknown to each other, to irrevocably commit themselves to a contract, solely on the basis of digital certs signed by a third party.

The ongoing controversy about the privacy of consumers' personal information is a good illustration of the degree to which merchants' perceptions of what the consumer wants may vary from genuine consumer preferences. I worry that market forces, alone, may not be providing adequate incentives for businesses to take those consumer preferences seriously, and adapt to them.

None of us should forget that the most important features of consumer electronic payments today — the $50 ceiling on liability for unauthorized transactions on consumer credit cards; and the obligation of the card issuer to resolve disputes between consumers and merchants on a credit card charges — would never have been adopted voluntarily by industry.

Federal regulators mandated those critical features for our enormously successful credit card payment systems.

In conclusion, one can only hope for some similar foresight to guide them, our legislators, and the marketplace as we consider other critical consumer concerns — and the potential of trust as an asset — and that somewhere on the other side of all this complexity is — if not simplicity — then a magnificent new construct, what the novelist William Gibson described as a "shared hallucination" when he coined the word "Cyberspace" in a dark, brilliant 1984 science fiction tale about a world without trust.

Thank you.