The dictionary defines trust as “to believe that someone is good and honest and will not harm you, or that something is safe and reliable.” Trust can be a difficult thing for people to grasp, but in the digital environment, it can be even more complex. We need trust in most daily situations, but with digital, virtual and cyber services such important parts of our lives, we need to think harder about what digital trust really is.
The COVID-19 situation has accelerated the use of many virtual and digital services. In early March I was told that I must travel physically to sign an estate inventory for a meeting with other heirs. In April I was told I must not come physically and I must sign documents online. For me, this is a good example of how rapidly things can change, when otherwise it could take 10 years to approve this kind of change to laws and rules.
Even a basic thing such as how to sign documents online is quite a mess today. DocuSign has a strong position globally for signing documents, but it is not ‘official’ in all countries or situations. It has great usability, but it includes compromises between usability and security. In some countries, authorities, banks or other service providers offer more secure signing solutions, e.g. based on e-ID cards or mobile identity tokens, but they are more difficult to use.
Maybe the strangest document signing was with one official service in the USA, where signing meant typing my name between slash symbols (seriously, this was the instruction: “The appropriate person must electronically sign the form by personally typing in any combination of alphanumeric characters preceded and followed by the forward-slash symbol (/); e.g., /mike miller/, /efr/, or /374/). This electronic signature should not be typed in by someone else on behalf of the proper signatory.”). Another extreme is my Hong Kong-based bank, which compares documents I send to a sample of my signature, and every second time I fail to write my signature in the same way.
Signing is just one very simple example of trust, but we have more complex things. Is the person I meet really who they claim to be? Are they going to keep their promise? If I talk confidentially, are they going to keep this information to themselves? If they buy something from me, are they going to pay, or do they have money to pay? These and many other questions crop up in business and personal life.
In physical life, we have solutions to handle several trust questions. People have ID cards to prove their identity. There are systems like credit scores, payslips and financial statements to prove the capability and history to pay. Human beings have also learned all kinds of signs (how people behave, facial expressions, personal history, and many other things) to estimate whom and what they trust or don’t trust. Often trust is also transferable. If I trust someone and he recommends that I trust someone he trusts, I will probably trust them.
In the online and digital world, we have more components and variables to evaluate, which makes evaluating trust more complex. Maybe we don’t see the other person at all, only his telephone number or email address. If we see someone online, how do we know the person is really who they claim to be? When we physically meet, people build trust with each other over time, but how can this work in the digital environment? If I share some documents and information online with a person, how can I ever know if and how the other person uses and shares them?
We also have solutions to handle these things virtually. For example, we need security devices and apps to access our bank accounts; companies have access controls on their services and networks for using their virtual tools. For many of these services you still need to do something physically, e.g. visit somewhere or send some documents by mail. But doing something physically first is really a usability challenge for many online services, and COVID-19 has now put us in many situations where it is not even possible.
This is exactly the reason we have lower security in services where usability is better and it is not too difficult to start using them. DocuSign is enough for many signatures; Zoom is secure enough to handle meetings; WhatsApp is the easy solution for daily chatting and email is the easiest way to send many documents. But we have seen enough cases showing that these solutions also have their risks, sometimes significant. We know they are enough for most needs, but many needs also go beyond the trust level they can offer.
This has demonstrated, in a very practical way, that we need new solutions to handle digital trust in daily situations. Those solutions need to have good usability and offer the right level of trust for each need. The cybersecurity discussion easily becomes very polarized. We have cybersecurity freaks who claim no system is secure enough and that no system with ordinary-level usability can be secure. Then we have those ignorant people who are ready to use any system as long as it is an easy solution. We have many kinds of solutions for digital identity and security, but as a whole this area is still quite messy.
One reason is that the thought process behind developing them is often very technical and focuses on one specific aspect of security. Maybe we should think more about what trust really means in different situations, and how people have handled it for thousands of years. A simple example is transferable trust, or how your personal trust network could help you in digital services. Maybe in that way, we can find concepts and technologies to create real digital trust between people and devices.