The Online Trust Alliance (OTA) held its annual forum in San Jose, California this week. Security and privacy professionals from major technology companies such as Google, Microsoft, Apple, Symantec, and Twitter were present, as were an assortment of VIPs such as the former White House Cyber-Security Coordinator and the California Deputy Attorney General. The reason for this meeting of the minds? Working on various trust-related projects with lofty, far-reaching goals. Some of the questions these luminaries are trying to answer include “who should run the Internet?”, “who should be responsible for policing it?”, “who should protect Internet users?”, and how best to do all of this while preserving freedom of speech and the free-market economy.
Discussions included a high-level model of “Internet Governance” that lays out the relationships between all the working parts of the Internet: registrars, hosting companies, ISPs, governments, individuals, etc. At the other end of the spectrum, there were presentations centered around Breach & Data Loss and Mobile Security, and day-long workshops on technical topics such as email authentication (focusing on the new DMARC standard) and anti-botnet measures. The concept of online trust was put into perspective by Debra Bowen, the California Secretary of State, who told us why she doesn’t think that online voting’s time has come. This was particularly relevant with the U.S. Presidential election nearly upon us.
So, what is “trust” anyway? It’s not affection. It’s been established that the likelihood of a consumer paying for a service or a product from a company they trust is around 60%, while “loving” the company doesn’t raise that likelihood at all. Trust isn’t the same as security, although the two are related. It’s common knowledge that “anyone can be hacked”, as evidenced by the White House suffering a breach earlier this week. I think we’re getting closer to defining trust by realizing that we’re all human beings, that nobody is perfect, and that we can’t expect miracles. If a vendor that I “trust” has a data breach, I’d expect them to proactively notify me and explain in detail what has happened and what they’re doing to control the damage and remediate it. As everyone in the service industry can attest, people are usually understanding when problems arise, provided that they’re contacted early. If they have to contact you, that’s a different story.
The concept of trust in the online world has always been tied to transparency. The people who built the Internet (no, not you, Al Gore) were undoubtedly brilliant, but they were a bit naïve, developing software and networking protocols for a controlled environment in a simpler time. They never foresaw the threats we live with on a daily basis, such as hackers, crackers, spam, viruses, identity theft, ATM skimmers, key loggers, packet sniffers, terrorists, organized crime, etc. Consequently, they built an open network of computers that communicate in an open way. If there was a problem with this network, why not just look up the domain owner’s registration using WHOIS and give him a ring? Of course the name and address used to register the domain are accurate. Why would anyone want to lie about that or hide his/her identity?
Now fast forward to late 2012. You can’t write software, set up a network, or develop a business plan without covering the security aspects of your project. Threat operation centers protect us by monitoring Internet traffic 24x7. We go to sleep at night secure in the knowledge that government, the military, and armies of “white hat hackers” work tirelessly to protect our data, our identities, and our virtual and physical lives from harm. We trust them to have our best interests at heart. We trust our banks to employ only the most skilled professionals armed with state-of-the-art tools to build secure systems. We trust our doctors and hospitals to safeguard our privacy, lest we suffer embarrassment if our little secrets get out. We trust Facebook not to do what we fear most: letting people outside our trusted circle of friends see what we did last night, where we live, what we said. We trust that our shiny new computers aren’t rolling off the production lines already infected by embedded viruses.
In the end, it all comes down to this simple human need to feel safe behind locked doors. Maybe someone else’s house will be robbed. If our number comes up, can our doors be forced open in the middle of the dark night, and if they are, will our security systems frighten them off or summon the police in time? If not, maybe the robbers will be satisfied with taking the TV. We don’t really need the TV anyway, do we? We can always replace it. There’s probably an app for that. There isn’t an app for deciding who to trust, but maybe the founding fathers of the Internet were on to something. Maybe transparency IS the key. People tend to trust strong, visible brands. Who doesn’t want to receive their Amazon emails or Apple’s? If the iPhone 5 has some minor growing pains, such as failing to switch from a cellular network to Wi-Fi and using up my monthly data quota in a matter of hours, it’s ok. I’m sure that Apple will do the right thing, both fixing the technical issue and refunding any overage charges. Of course I trust them. They’re APPLE.
31 Oct 2012