As you may have noticed if you regularly read this blog, it’s not uncommon for me to talk about trust. In fact, one of the earliest articles that I posted – over two years ago, now – was entitled “What is trust?”. I started thinking about this topic seriously nearly twenty years ago, specifically when thinking about peer to peer systems, and how they might establish trust relationships, and my interest has continued since, with a particular fillip during my time on the Security Working Group for ETSI NFV, where we had some very particular issues that we wanted to explore and I had the opportunity to follow some very interesting lines of thought. More recently, I introduced Enarx, whose main starting point is that we want to reduce the number of trust relationships that you need to manage when you deploy software.
It was around the time of the announcement that I realised quite how much of my working life I’ve spent thinking and talking about trust;
- how rarely most other people seem to have done the same;
- how little literature there is on the subject; and
- how interested people often are to talk about it when it comes up in a professional setting.
I’m going to clarify the middle bullet point in a minute, but let me get to my point first, which is this: I want to do a lot more talking about trust via this blog, with the possible intention of writing a book on the subject.
Here’s the problem, though. When you use the word trust, people think that they know what you mean. It turns out that they almost never do. Let’s try to tease out some of the reasons for that by starting with four fairly innocuously simple-looking statements:
- I trust my brother and my sister.
- I trust my bank.
- My bank trusts its IT systems.
- My bank’s IT systems trust each other.
When you make four statements like this, it quickly becomes clear that something different is going on in each case. I stand by my definition of trust and the three corollaries, as expressed in “What is trust?”. I’ll restate them here in case you can’t be bothered to follow the link:
- “Trust is the assurance that one entity holds that another will perform particular actions according to a specific expectation.”
- My first corollary: “Trust is always contextual.”
- My second corollary: “One of the contexts for trust is always time.”
- My third corollary: “Trust relationships are not symmetrical.”
These all hold true for each of the statements above – although they may not be self-evident in the rather bald way that I’ve put them. What’s more germane to the point I want to make today, however, and hopefully obvious to you, dear reader, is that the word “trust” signifies something very different in each of the four statements.
- Case 1 – my trusting my brother and sister. This is about trust between individual humans – specifically my trust relationship to my brother, and my trust relationship to my sister.
- Case 2 – my trusting my bank. This is about trust between an individual and an organisation: specifically a legal entity with particular services and structure.
- Case 3 – the bank trusting its IT systems. This is about an organisation trusting IT systems, and it suddenly feels like we’ve moved into a very different place from the initial two cases. I would argue that there’s a huge difference between the first and second case as well, actually, but we are often lulled into a false sense of equivalence because when we interact with a bank, it’s staffed by people, and also has many of the legal protections afforded to an individual. There are still humans in this case, though, in that one assumes that it is the intention of certain humans who represent the bank to have a trust relationship with certain IT systems.
- Case 4 – the IT systems trusting each other. We’re really not in Kansas anymore with this statement. There are no humans involved in this set of trust relationships, unless you’re attributing agency to specific systems, and if so, which? What, then, is doing the trusting, and what does the word actually even mean?
It’s clear, then, that we can’t just apply the same word, “trust”, to all of these different contexts and assume that it means the same thing in each case. We need to differentiate between them.
I stated, above, that I intended to clarify my statement about the lack of literature around trust. Actually, there’s lots and lots of literature around trust, but it deals almost exclusively with cases 1 and 2 above. This is all well and good, but we spend so much time talking about trust with regards to systems (IT or computer systems) that we deserve, as a community, some clarity about what we mean, what assumptions we’re making, and what the ramifications of those assumptions are.
That, then, is my mission. It’s certainly not going to be the only thing that I write about on this blog, but when I do write about trust, I’m going to try to set out my stall and add some better definition and clarification to what I – and we – are talking about.
0 – apropos of nothing in particular, I often use pixabay for my images. This is one of the suggestions if you search on “trust”, but what exactly is going on here? The child is trusting the squirrel thing to do what? Not eat its nose? Not stick its claws up its left nostril? I mean, really?
1 – ETSI is a telco standards body, NFV is “Network Function Virtualisation”.
2 – which probably won’t just consist of a whole bunch of these articles in a random order, with the footnotes taken out.
3 – because, if nothing else, you know that I’m bound to keep the footnotes in.
4 – I always hope that there’s actually more than one of you, but maybe it’s just me, the solipsist, writing for a world conjured by my own brain.
5 – or it may do, depending on your jurisdiction.
6 – I think I’ve only been to Kansas once, actually.