Sunday, October 18, 2009

Thoughts on Trust

I was asked for my thoughts on trust, in relation to groups and networks. This was my response, not directly addressing the issue, but framing it I think in a relevant way.

I wrote this, which touches on it:

I have very mixed feelings about trust in and of itself.

My first reaction is that discussions of trust get started precisely in cases where there is no trust, and that this manifests itself in two areas:

- software and content vendors do not trust their consumers, and attempt to for conditions of authentication and registration on them - hence the misnamed miniker "trusted computing", which is actually an area of your own computer that is outside your control, and completely in the hands of the companies. Similarily, mobile phone are often thought of as "trusted platforms" precidely because complete control of the operating system environment is in the hands of the vendor - which is why Apple, eg., can remove applications at will

- customers do not trust the software and content vendors. Hence the need for people to be reassured that it is 'safe' for them to submit their credit card numbers and personal information to commerce sites and social networks. There are also issues regarding the ownership of their own content (vendors, so protective opf their own content, are careless to the point of irresponsibility with the rights of their customers)

A lot of the time, people talking about "trust" will say things that sound like they're talking about the second sort (whether people truth the vendors) but the solutions they propose (such as suthentication) are intended to solve issues of the first sort.

Two other dimensions of trust are almost never discussed at all:

- vendor-to-vendor trust. For the most part, companies on the internet do not trust each other at all. With good reason. This is why interactions between the vendors are tightly controled, via APIs or other arms-length mechanisms. Varioius trust mechanistms are build into the the technology, like anonymizing of data (notice how this applies in everything from financial transactions to OAuth to distribution of research results). These mechanisms are not put in place to protect users (though that is what will be said) but instead to protect themselves from the other vendors. Over time, this dimension mof (lack of) truth tends to lead toward the development of (closed) federations, rather than open networks, to the detriment of the wider internet.

- person to person. We don't truth each other (and we shouldn't). Spam, viruses and phishing are the most manifest cases of this sort of breach of trust. Consequently, we have attempted to create walls around ourselves - spam filters, social network buddy lists, so-not-call registries. We seek control over the flow of information into and out of our systems through technology over which we have less and less control (because of the needs of the other forms of 'trust'). How ironic it is that the mechanisms used to ensure vendors can trust computers are precisely those that lead to abuses such as spam and identity theft!

So what do I conclude from all this?

- the root of trust is mistrust
- different forms of trust are at odds with each other
- mechanisms that create trust often hurt the network as a whole
- for the network to work, we must all give up control - but at a measured pace, in step with each other, to avoid one element of the other abusing this greater openness
- and yet, this giving up of control cannot be absolute - in the final analysis, we must be able to assert ownership over out own environments (which means, either absolute ownership over the contents of them, or the right to remove that which we do not own)

So - there's a full paper, I think (or it would be after references and summaries of the discussion were added). Hope it was useful.