This is of the longish ramblingish variety, so be forewarned. I'm in a mood. Privacy geeks proceed & please comment. This one is a struggle for me...
So here's my soap box about the T word of TRUST.
So many other privacy kids are always talking about trust-- transactions happen because there's trust, systems are designed to create trust, consumers trust this, workers trust that yadda yadda yadda. TRUST TRUST TRUST.
Have you ever repeated a word so often that it no longer makes any sense? Trust trust trust.
How do I \*do\* that? How do I \*lead\* that? I can be trustworthy but being trusted or \*starting\* with trust as though it were an obvious ingredient is something entirely different.
This bothers me. The current use & overuse of "Trust" is imprecise and not all that actionable. So, I've tried to mentally break this down a bit here.
There are 2 kinds of 'trust'. The "I have to" (Trust 1.0) kind and the "respect borne out of good and consistent treatment" (Trust 2.0) kind.
"I have to" says that you MUST trust me because I am your only option.
You are the only person on the mountain with a length of rope & my choice is to participate in the getting hoisted up activity or drop down the mountain & splat. Neither are very good transactions over time even if you may be grateful that the rope person saved your onions-- he or she may still be a twit who provides bad service.
In the digital world, you may "trust" this service/ gear provider because you may really need to make a spreadsheet, for example. The fact that the means to make that spreadsheet makes your computer crash now or in the future or exposes your other stuff to bugs or hackers is the choice you must make because failing to produce that computer assisted output means you lose your job in a financial splat. Or you just don't get to do fun & entertaining stuff like all the other cool kids-- a social splat if you will.
I trust 1.0 because I have no other choice.
Now the second brand of Trust 2.0 on line is the kind we all are trying to achieve & the kind to which most folks are trying to refer with that word.
It is a concept aimed at making our users \*feel\* something or \*experience\* something subjectively so that they will come back to us again & again or will tell their friends about us again & again.
Trouble is that subjective feelings on the part of others aren't exactly actionable to a bunch of rabble that gets to say "we are the trusted solution" because you can't break down that subjective measure before it's broken itself down-- back to the 'trust me, I have a rope' model.
SO, in my opinion (not shared by many, but I have been thinking about it for quite a bit), we need to break down the actions and parameters and as much of the objective activities that need to happen that are likely to lead to the second variety of "respect borne out of good and consistent treatment" Trust 2.0 kind.
This is more in line with the concept of RESPECT & good manners (ie, rules/ standards) on line. We can measure these concepts, audit their presence or absence & improve over time. We can't get better at making others have emotions.
First, these concepts allow for a continuum of activities that happen over time-- a key element of trust.
I liked my husband when I first met him; he was smart, pretty cute & seemed to enjoy putting up with my weirdness. Like & respect were not the same as Trust. 11 years later I know what he's all about, I usually know how he is going to generally behave & that he's here for the long haul so I trust him. Our brand of trust has grown over the years to create a new variety. Same thing happens in all of our other relationships. I can also trust that other people in my life would, given the chance, always treat me like rat turds. I trust them too & know what to do if they get near me, ie, run like hell & don't look back.
Time audits itself in a sense-- bad stuff happening? Check. good stuff happening? Check.
Second, for trust to fit into the second, Trust 2.0, variety, both parties need to understand what the context is, why they are there & what will happen (or won't happen) if they come together to participate in a transaction.
If I am back on that mountain again, transparency can be simple-- looks like a good rope & a person strong enough to haul me up.
In an on line transaction I'm not just talking about Ts & Cs (although those might help with clarification). Notices that say things like, "this is an international organization, so your data may move across borders, but will be given a consistent level of protection wherever you are on the planet" or present the user with an open box for an email address where there is an on line newsletter on offer.
The notice can be small where things are obvious & must be larger (or clear & conspicuous if you want to get all FTC on me) where something non obvious, outside of the norm or unexpected may occur. (Informed Consent ala 100 years of jurisprudence.)
For example, when Sun workers leave a Sun internal workspace, they may have the link presented to click on a third party vendor site that has its own branding and its own linked policies. The notices, logos & other branding on that landing site set the expectation that the worker is now transacting services outside of Sun's direct control.
We can audit whether notice was presented even if we can't audit whether it's been understood. (That's a tricky item we can virtually discuss another day.)
Third, standards are the red haired stepchild of Trust 2.0 in that they really don't get the attention they so richly deserve. Standards are the good manners of transacting business or coding that make the transparency of the interaction and the constancy over time so much easier to achieve & understand.
In the US, when you approach another person at work, extend your right hand & that person will know what to do. You have made a signal that you are friendly, willing to do business & that you know at least some of the context to be able to put others at ease to open a communications channel. That's a tall order for a simple handshake, but it works.
We also drive on the right side of the road here or heavily mark up the 'one way' street if we deviate from that standard. Commerce happens on top of those simple rules & we initiate new users to participate on that platform over time. (Time is important, after all!)
The easiest exemplar "standard" in on line privacy is the humble asterisk \*. If it calmly sits next to a text box-- sometimes it's even dressed up fancy in red-- the user understands that he or she must put something there or he or she will hit a digital wall.
The further standard of where & how email addresses are used to communicate on line helps things along as well. I can choose to lie or give out a piece of PII of lesser value to me (my hotmail email or other designated spam box, for example) if I haven't learned to Trust 2.0 yet but I still need to hand over \*some\* PII to get what I want.
The more complicated standard is, of course, less easy to understand in this Trust 2.0 context.
Technically we hope to lead, cajole & convince many organizations to separate their data into rational groups and only share that which is necessary to perform the value added service & that which is expected & agreed to by the user. (containers, role based identity suites, federated liberty standards, thin clients & the like.)
When the system design & execution does this, systems can interact in a predictable and expected fashion. They can be secured with some level of assurance (not perfectly because there will always be smart bad people too), but with enough assurance that all the smart good people are working to untie (& untie again & untie again) that particular Gordian Knot.
We can audit whether these are used or how they are noticed when there are deviations.
4. GOOD MANNERS
Fourth, we will mutually agree what is good, kind, likable, valuable &, as a community, will decide what is unexpected, fraudulent or destructive to assets.
We can audit whether these happened or not once we decide what they should look like.
GOOD MANNERS x STANDARDS x TRANSPARENCY x TIME = T R U S T...maybe. The customers & users control how they subjectively \*feel\* about it.
GOOD MANNERS x STANDARDS x TRANSPARENCY x TIME = RESPECTFUL TREATMENT. Definitely. We control the factors that lead to a more objective, reasonable standard.
Bubble bubble. I've slipped off my soap box. I realize it's a nuance, but I think a productive one!!
BTW to my friend who set off this particular rant, I've made this discussion anonymous & have thrown it out to the blogosphere because I feel pretty strongly that we've all been talking around the right thing & using the wrong words. I also believe the lexicography can lead to action.
Just a rambling thought...