The Oxford dictionary defines trust as the “firm belief in the reliability, truth, ability, or strength of someone or something." A wonderful article on changingminds.org offers multiple interpretations for trust. When considering trust in the digital world, one in particular caught my attention:
“Trust means making an exchange with someone when you do not have full knowledge about them, their intent and the things they are offering to you.”
In the physical world, trust is established based on identity or context, built on familiarity (the frequency of our interactions), and ultimately dependent on experience. Just as importantly, trust is nuanced: We don't trust everyone equally. For example, we trust friends and family more than neighbors or casual acquaintances.
Yet frequently, we have to trust people that we don’t see often, such as doctors, mechanics, and tax accountants. What gives us the confidence to depend on these people? Specifically, how do we know that a doctor is a doctor? Probably, the fact that we can see the doctor is accredited or affiliated with a well-known hospital.
Now let’s contrast how we build trust in the physical world with how we establish trust in the digital world, where we cannot "see" anything. For example, I connect to my bank, my email provider, and to a variety of e-commerce sites—each of which requires me to provide personally identifiable information (PII) and, in some cases, credit card data. I can identify the websites I frequently visit based on the logo, colors, and layout, but attacks like phishing have long since rendered my ability to recognize the "look and feel" of an (online) entity practically useless. Without a tangible identity, there's no way I can build familiarity and hence trust.
How, then, do I know I am connecting to the online service provider that I want to use? Most merchants attempt to solve this problem by using digital certificates to verify their virtual identity. A certificate, much like a credit card or a passport, is issued by a "trusted" authority (a financial or government institution in the real world) and has an associated validity and purpose.
The similarities end there, however. Although we can “view” certificates, the attributes that make them unique (and hence, linked irrevocably to a physical entity) can only be "verified" by applications such as a web browser or an email client. Theoretically, then, it should be possible for an application to identify and, over time, trust an entity, shouldn't it?
Not so fast. There are a couple of reasons this isn't practical yet:
Unlike a physical attribute (such as a face, voice, or fingerprint), a digital attribute is inherently transient in nature. The digital "key" that serves as the unique attribute to identify an online entity is valid for a specified period of time and must then be replaced. Periodically replacing a digital key mitigates the risk of the key being duplicated. The more a key is used, the greater the chance it will be compromised. As such, best practices recommend the periodic re-generation of keys. The familiarity with a specific key (sometimes referred to as “certificate pinning”) isn’t particularly useful—especially when the keys themselves get replaced as often as every 90 days.
Digital keys and certificates are being stolen—and increasingly often. Individuals and state-sponsored organizations are targeting them with the specific goal of misrepresenting themselves to steal sensitive information. Given the fact that keys and certificates are the most widely used means for establishing online identity, they are constantly under attack. In a recent survey conducted by The Ponemon Institute100% of respondents (from Global 2000 companies) reported that they have had at least one attack on keys and certificates in the last 2 years.
Unlike the physical world, on the internet, the concept of trust is not as tangible. We cannot establish identity based on sight, and digital keys—the mechanism designed to verify identity and establish trust—are frequently updated, rendering familiarity impractical. Trust must be established every time, and cannot be based upon frequent interactions. Are we, then, limited to placing the same amount of trust in all our online transactions?