Online Trust Conference Recap

By Eric Goldman

On October 2, Santa Clara University held a half-day conference called “Trust Online.” This event was co-sponsored by the Center for Science, Technology and Society, the High Tech Law Institute, the Markkula Center for Applied Ethics and Microsoft. We brought together policymakers, technologists, lawyers and academics to explore the process by which online companies engender trust from their customers. The topic of “trust” is complicated because it cuts across privacy, security and branding issues. In the end, we discussed all that and more.

The day started off with a keynote by Richard Clarke, formerly Bush’s chief cybersecurity czar. His talk started out on a disconcerting note as he described cyberspace as a place of “chaos” and “crime” (shades of California CIO Clark Kelso calling the Internet a “sewer”). But he got onto more productive grounds when talking about how consumers develop trust in different entities:

* trust in the government. Americans’ trust in government has fallen to an all-time low. This lack of trust in the government undermines trust across-the-board because, for example, consumers may be reluctant to disclose personal data to websites knowing that the government could get access to it.

* trust in the private sector. He echoed the conventional sentiment among privacy advocates that we need to worry more about Little Brother than Big Brother.

* trust in individuals. He blamed the Internet for the “pandemic” of identity theft–especially lax security.

He proposed five solutions:

1) Biometric ID cards–we need 2 factor authentication online

2) We should ask the government to regulate. He thinks the FCC has the authority to regulate the Internet, and the FCC could instruct ISPs to take specific actions that would reduce risks. He acknowledged that when a person suggests the government should regulate the Internet, others want to take the person away in shackles. That pretty much summed up my reaction to this proposal!

3) We should keep critical infrastructure from being Internet-connected.

4) Industry should improve the security of its code.

5) We should form a government entity that people could trust to safeguard their privacy and civil liberties concerns

Next was a panel on Enforcing and Enabling Trust, moderated by Lise Buyer (one of the star Internet analysts from the dot com boom). Panelists: Scott Charney of Microsoft, Mozelle Thompson (a former FTC Commissioner who is doing a lot of consulting work for Facebook) and Jim Ransome from Cisco. Some notes I made during this panel:

* Charney: consumers need just-in-tirme, actionable information to make trust decisions

* Thompson: people are clamoring for context

* Charney: security and privacy are conflated in the concept of “safety.” People just want to feel safe.

* Thompson: people don’t want anonymity, then want control over their data (Eric’s comment: this makes sense in a Facebook context; not sure if it is more broadly extensible)

* Charney: goal should be risk management, not risk elimination

* Charney: we think of security as binary (is it secure or not), but privacy is a continuum

* Charney: we accept the fact that people may die in the name of privacy (examples: anthrax mailed without a return address; disposable cellphone to make bomb threat)

* Charney: we need to marry authentication with reputation

Next was a panel on Branding and Building Trust. Lise also moderated. Panelists: Alessandro Acquisti of Carnegie Mellon, Chris Hoofnagle of UC Berkeley, and Fran Maier of TRUSTe. Some notes I made:

* [not sure who made this point]: there is a positive correlation between good business practices and consumer perceptions that the company has good privacy practices (Eric’s comment: this would certainly explain sentiments towards Google)

* Acquisti: a study showed that stock prices drop after companies announce a security breach, but they quickly rebound after a few days

* Q: what is trust worth? Acquisti: according to his study, people will pay extra for privacy in some cases. Maier: TRUSTe has a case study showing that their logos improve consumer willingness to provide data (Eric’s comment: I’d need to look through this case study to see how it regresses possible co-variables)

* Hoofnagle: consumers erroneously believe that companies’ ability to use their data is regulated

* [not sure who made this point]: we should give kids amnesty for their youthful postings. i.e., we need to forget some information

* Maier: 15-20% of TRUSTe applicants don’t get certified.

The day ended with a keynote by Dave Cullinane, eBay’s Chief Information Security Officer who recently joined the company from Washington Mutual. A few notes from his talk:

* eBay employs 2,000 people in its trust & safety department

* eBay/PayPal investigators currently assist in over 2 arrests per day

* He implied that the Department of Homeland Security was trying to get a dataset from eBay to see if they can crunch the data to identify patterns that look like terrorism. I’d like to know more about this!

* Rootkitted Linux boxes–not (as commonly believed) Microsoft boxes–are the vast majority of security threats

Other comments on the event:

* SCU Law student Erik Schmidt at TechLawForum on Richard Clarke’s talk

* Cade Metz at the Register on Richard Clarke’s talk

* Cade Metz at the Register on Dave Cullinane’s talk

* Robert McMillan at InfoWorld on Dave Cullinane’s talk

UPDATE: Listen to the podcasts!