By Ajay Singh,
Author of CyberStrong: A Primer on Cyber Risk Management for Business Managers
In recent years we have seen a rapid erosion in digital trust. A combination of several issues has brought us to a point where digital trust faces a major crisis. The World Economic Forum (WEF) has observed that ‘we stand at a critical inflection point with a new imperative to restore the digital trust needed to drive business growth and shared prosperity in the communities where we live and work. By innovating responsibly and demonstrating ethical leadership, we can make a meaningful difference in two specific areas: building a more resilient and secure internet, and using data in a trusted and transparent way to improve workforce performance.’
This WEF statement reveals that we need a change in mindset, approach, standards, and regulation to restore and reinforce trust in digital systems in such a way that ‘trustworthiness’ becomes a fundamental aspect of our digital experiences. Digital trust is a multisided issue. It involves securing the confidence of all stakeholders and retaining it through measures that ensure the safety, privacy, security, reliability, and data ethics of their online programs or devices. From a technology standpoint, to be trustworthy, technology must be secure (ensuring connected systems’ confidentiality, integrity, and availability) and must be responsibly used. The lack of assurances regarding these basic facets has inevitably led to a digital trust deficit.
There are multiple factors contributing to the ‘increasing trust deficit’ or ‘widening trust gap’ that poses a challenge to the growth and prosperity of the digital economy. If not fixed immediately, this does not augur well for any of the stakeholders and could even lead to a ‘complete breakdown of digital trust.’
Factors contributing to the erosion of digital trust
- Increasing misuse/exploitation of Personal Information by third parties for profit
- Unauthorized access & Privacy intrusion
- Incessant cyber threats and attacks
- Lack of transparency
- Misinformation & disinformation
- Security Lapses
- Unverifiable Claims by marketers
- Data Breaches
- Introduction of insecure innovations in organization systems
- Inadequate cybersecurity measures
It is perhaps too late in the day to figure out who is responsible for this crisis developing. Again, there are other fundamental factors: the basic architecture and technologies that form a part of Web 1.0 and Web 2.0 as they are known today; the willingness of users to part with sensitive personal information; the holding and (mis?)use of large amounts of personal information of users by Big Tech and data brokers; and a regulatory regime that is still waking up to the realities of how digital trust can be abused and exploited by some of the stakeholders to further their own interests at the expense of others.
The Organization for Economic Co-operation and Development (OECD) in a recent report observed that “Trust is the foundation upon which the legitimacy of public institutions is built and is crucial for maintaining social cohesion… public trust leads to greater compliance with regulations… trust is necessary to increase the confidence of investors and consumers.”
Fixing the crisis of digital trust
A multipronged approach is required to fix the crisis of digital trust, spanning new trust assurance mechanisms, building on regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), regulatory oversight of the protection of individual data and privacy, and generating awareness across sectors as well as among the general public about digital trust issues. Users must also be able to judiciously exercise the trade-offs and choices they are prepared to make while adopting new technologies.
Organizations must leverage next-generation technologies (Web 3.0) to make transformational changes to the way information is stored and used. Reports suggest that, in order to regain digital trust, users need to be assured that the digital technology-based solutions they use ensure that their rights and privacy are protected, that the technology is reliable and secure, and that service and product providers are truthful, transparent, and trustworthy.
While the use of technology and of data can be hugely transformational, it raises important and new questions about the kind of society we want to be. Thus far we have depended upon minimal regulations combined with expectations of large amounts of social responsibility, ethics, and self-regulation by vendors, which has led to our privacy, safety, and security being compromised in multiple ways.
The time is right for all stakeholders to get together to create a new trust regime that is based on fairness, freedom of choice, and transparency, and that balances the needs of the individual, society, and the market, taking account of rights and responsibilities. To address the various dimensions and issues related to digital trust, we can look at the following guiding principles for establishing digital trust:
Principle 1: Legitimacy & Ethics
The legitimacy of the use of information is an essential element of building digital trust. There are several regulations today that emphasize the use of information for stated legitimate purposes and obtaining consent wherever the use of such data goes beyond the stated purpose.
The digital economy is built around the use of data. Massive amounts of data are being generated, collected, combined, analyzed, and shared every day. Traditional governance systems, laws, and risk-mitigation strategies are grossly inadequate. The use of big data and artificial intelligence for gleaning insights can enhance the effectiveness of strategic business initiatives and marketing campaigns and provide marketers with huge benefits, but it has also introduced entirely new categories of risk. Slowly but surely, the blurring of the lines between ethical and unethical, or even illegal, use of insights has eroded trust. To rebuild stakeholder trust, the first principle calls for organizations to establish assurance regarding the legitimacy and ethical use of data.
Principle 2: Transparency & Verifiability
Greater transparency is a strong way to demonstrate and promote trust. When data is gathered, analyzed, and used, organizations must act in a socially responsible manner and demonstrate their intent to be trustworthy. When trust is based on facts that are verifiable, it fosters a greater degree of confidence. There is an urgent need for organizations, both public and private, to invest in systems and technologies that let consumers verify products, services, and identities (both human and non-human).
Principle 3: Privacy, Security & Protection of personal data
Unifying standards with regulations is highly effective in establishing privacy protection and raising security standards. Regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA) have given individuals greater control over the personal information that businesses collect about them. Similar regulations have been enacted around the world that clearly define responsibilities for all parties. Compliance with these standards and regulations, combined with enforcement mechanisms, can ensure that organizations provide requisite assurance and develop greater trust among their stakeholders. The challenge is to put people in control of their own personal data, which needs the support of regulatory authorities.
Principle 4: Resilience & Safety
The introduction of new technologies and their faster adoption have added several new security challenges. A good example of this is the introduction of 5G and IoT devices, which have spun off a revolution towards ‘smart everything’. All this has happened without a unified set of technical standards for security or systems for verification. With devices taking over the activities of humans, the cybersecurity threat has never been greater. Aspects like resilience and safety have become a matter of increasing concern.
There is still no collective understanding of what level of cybersecurity is essential to ensure survival in a dynamic threat environment. Consequently, different stakeholders have different expectations, and therefore there is no alignment of responsibilities. This further exacerbates the trust deficit. Organizations would do well to adopt what Huawei calls their ABC principle for security:
- Assume nothing.
- Believe nobody.
- Check everything.
Leveraging technologies to establish digital trust
Fortunately, there are new and emerging technologies and concepts like Blockchain, Zero-trust, Self-Sovereign Identity, and online claim validation and verification platforms, which can not only help design and deliver products and services that use data and digital technologies in transparent, fair, and inclusive ways but also establish trust by empowering people to be informed users and to control their personal information.
Organizations across industries too can adopt a strong stance in promoting digital trust through the deployment of policies, technologies, and processes that support the above principles. Hence, the best way forward is to make every organizational system more trustworthy by implementing new business and technology architectures that are oriented toward building a trust-based digital economy. In a rapidly changing technology landscape, it is also important that standards and frameworks evolve quickly and are widely adopted to support the transition to a new generation of trusted digital architectures. Technology can play a crucial role in this transition to a new trust regime; the bigger challenge is to get all stakeholders on board with the urgency of creating a new digital trust regime.
Information Technology has empowered us in innumerable ways to build a new digital society that would not even have been conceivable a few decades ago. Control over information is power in this new digital world and the stakes are high. The crisis of digital trust has already set in and can cause great harm if not fixed post-haste.