Trust and the Future of the Internet

Originally published Monday, 25 August 2008 

The Internet Society recently published a report on the issue of Trust and the Future of the Internet. Within the context of trust, ISOC has elected to focus on three areas it deems critically important:

• "Advancing Internet architecture by supporting the implementation of open trust mechanisms throughout the full cycle of research, standardization, development, and deployment
• "Strengthening the current Internet model by focusing on the mitigation of social, policy, and economic drivers that could hinder development and deployment of trust-enabling technologies, and
• "Facilitating end users’ ability to manage personal data and ensure personal security by elevating identity to a position as a core issue in network research and standards development".

The report is a nicely prepared summary of the discussions among industry experts during an ISOC-sponsored retreat. The experts considered technology, sociological, and economic issues. One discussion I would have dearly loved to attend attempted to define trust and trustworthiness. During this discussion, it was suggested that “behaves as expected in a given context” might be a useful formulation for what it meant to be trustworthy.

Behaves as expected in a given context...

If this is a principle of trustworthiness the ISOC truly seeks to embed in the future Internet, there are possibly no two areas more desperately needing attention and redress than the following:

Informed consent. A short list of actors who do not behave as expected in their particular contexts includes:

1. ISPs who modify DNS name error responses "on the fly" and substitute self-serving ad or search pages. I know of no circumstances where ISPs who engage in this behavior explain what they are doing nor do they seek consent.
2. Registrars and DNS operators who add synthesized DNS responses to zone files of domains they manage on behalf of registrants and customers. An obscure clause in a terms of service web page that claims a right by default to perform so-called error resolution is hardly an adequate means of providing notice and seeking consent. Moreover, in both this case and (1), I have yet to find any terms of service agreement that mentions the unintended consequences of such practices (read SSAC's Preliminary Report on DNS ResponsModification for the ugly details).
3. Spyware, adware, and 3^rd party cookies: need I say more?
4. Domain name front runners and so-called customer protection services. The former is just wrong and the latter is just as wrong when the details of the practice are not readily displayed and when the target audience is not technically astute enough to appreciate the implications of this behavior when they opt-in.

Opt-in versus opt-out. No behavior on the Internet today is more frequently associated with suspicious or often reprehensible behavior than Opt-out. Opt-out puts the decision in the hands of someone who is offering a service. The provider chooses rather than the customer. This might actually be desirable in some situations except for the small fact that the details and consequences of the provider's actions are rarely fully disclosed and easily acquired. This is especially true at the moment the service is performed. Ask yourself, "why is this so?", you have to wonder, "what are they hiding?".

Perhaps it's because they aren't behaving as expected in a given context. Perhaps they aren't trustworthy.

The report concludes with a list of directives for ISOC's Trust Initiative. The first directive is "Promote the stand that trustworthiness is crucial for the long-term growth and success of the Internet." Now, ISOC speaks for the Internet users, and in addition to promoting trustworthiness, I'd dearly love to have ISOC say, "don't do business with parties who don't behave as you expect in a given context" and "help us by calling them out".