What is trust?
The Oxford dictionary defines trust as the “firm belief in the reliability, truth, ability, or strength of someone or something.” A wonderful article on changingminds.org offers multiple interpretations for trust. When considering trust in the digital world, one in particular caught my attention:
“Trust means making an exchange with someone when you do not have full knowledge about them, their intent and the things they are offering to you.”
In the physical world, trust is established based on identity or context, built on familiarity (the frequency of our interactions), and ultimately dependent on experience. Just as importantly, trust is nuanced: We don't trust everyone equally. For example, we trust friends and family more than neighbors or casual acquaintances.
Yet frequently, we have to trust people that we don’t see often, such as doctors, mechanics, and tax accountants. What gives us the confidence to depend on these people? Specifically, how do we know that a doctor is a doctor? Probably the fact that we can see that the doctor is accredited, or is affiliated with a well-known hospital.
Now let’s contrast how we build trust in the physical world with how we establish trust in the digital world, where we cannot "see" anything. For example, I connect to my bank, my email provider, and to a variety of e-commerce sites—each of which requires me to provide personally identifiable information (PII) and, in some cases, credit card data. I can identify the websites I frequently visit based on the logo, colors, and layout, but attacks like phishing have long since rendered my ability to recognize the "look and feel" of an (online) entity practically useless. Without a tangible identity, there's no way I can build familiarity and hence trust.
How, then, do I know I am connecting to the online service provider that I want to use? Most merchants attempt to solve this problem by using digital certificates to verify their virtual identity. A certificate, much like a credit card or a passport, is issued by a "trusted" authority (a financial or government institution in the real world) and has an associated validity and purpose.
The similarities end there, however. Although we can “view” certificates, the attributes that make them unique (and hence, linked irrevocably to a physical entity) can only be "verified" by applications such as a web browser or an email client. Theoretically, then, it should be possible for an application to identify and, over time, trust an entity, shouldn't it?
Not so fast. There are a couple of reasons this isn't practical yet:
Unlike the physical world, on the internet, the concept of trust is not as tangible. We cannot establish identity based on sight, and digital keys—the mechanism designed to verify identity and establish trust—are frequently updated, rendering familiarity impractical. Trust must be established every time, and cannot be based upon frequent interactions. Are we, then, limited to placing the same amount of trust in all our online transactions?
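As an added illustration of the certificate checks described above (this is example code, not part of the original article), the Go program below uses only the standard library to build a toy "trusted authority" and a server certificate it issues. Every name in it (Example Root CA, bank.example, shop.example) and the fixed reference time are assumptions constructed for the example. It performs the checks a browser or mail client must repeat on every connection: chain to a trusted root, validity window, hostname, and purpose (server authentication). It also shows why frequently updated keys do not break trust: a re-issued certificate carrying a brand-new key still verifies, because trust is anchored at the issuing authority rather than at familiarity with a particular key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// refTime is a fixed "now" (an assumption) so the example behaves the same whenever it runs.
var refTime = time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)

// newKey creates a fresh ECDSA P-256 key pair.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs template with parent's key and parses the result back into a Certificate.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// issueCA makes a self-signed root certificate: the constructed "trusted authority".
func issueCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // assumed name
		NotBefore:             refTime.Add(-24 * time.Hour),
		NotAfter:              refTime.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustCert(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf has the CA sign a server certificate for host, bound to a freshly generated key.
// Each call produces a different key, which models a site rotating its keys.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    refTime.Add(-time.Hour),
		NotAfter:     refTime.Add(90 * 24 * time.Hour), // 90-day validity window
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // the certificate's purpose
	}
	return mustCert(tmpl, ca, &key.PublicKey, caKey)
}

// verify performs the checks a client repeats on every connection: chain to a trusted root,
// validity at "now", hostname match, and that the certificate is meant for server authentication.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records which scenarios behaved as a client should expect.
type Outcome struct {
	Valid, Expired, WrongHost, UntrustedRoot, RotatedKeyStillTrusted bool
}

// RunScenario issues the certificates and exercises each check.
func RunScenario() Outcome {
	ca, caKey := issueCA()
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the client's trust store holds only our constructed root
	leaf := issueLeaf(ca, caKey, "bank.example", 2)
	rotated := issueLeaf(ca, caKey, "bank.example", 3) // same authority, new key
	keyChanged := !leaf.PublicKey.(*ecdsa.PublicKey).Equal(rotated.PublicKey)
	return Outcome{
		Valid:                  verify(leaf, roots, "bank.example", refTime) == nil,
		Expired:                verify(leaf, roots, "bank.example", refTime.Add(365*24*time.Hour)) != nil,
		WrongHost:              verify(leaf, roots, "shop.example", refTime) != nil,
		UntrustedRoot:          verify(leaf, x509.NewCertPool(), "bank.example", refTime) != nil,
		RotatedKeyStillTrusted: keyChanged && verify(rotated, roots, "bank.example", refTime) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Passing an empty, non-nil cert pool as Roots is what makes the "untrusted root" case fail deterministically; a nil pool would fall back to the operating system's trust store instead. The rotated-key case is the one that matters for the argument above: nothing about the new certificate is familiar to the client, yet the verification succeeds because it is re-derived from the trusted authority each time.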