An approach for reinforcing trust in an open environment*
Beta version - This paper is intended to be used as input for the 2016 OECD Ministerial Meeting on the Digital Economy: Innovation, Growth and Social Prosperity and other fora where issues of Internet trust are being considered. It may be updated as a result of various dialogues.
> Diminishing trust is a challenge for the Internet. To protect the opportunities of the Internet, we have to counter diminishing trust.
> Large scale data breaches, uncertainties about how our data is being used, cybercrime, surveillance and other online threats are impacting Internet users’ trust, how they use the Internet, and hindering Internet adoption.
> Policymakers are facing an important challenge today: How to fully embrace the digital revolution while, at the same time, ensuring the safety and security of their citizens.
> The Internet Society believes the Internet needs a solid foundation in trust to achieve its full potential. Trust is a cornerstone for all successful connectivity strategies, in developing and developed countries alike. This can only be achieved through collective responsibility and collaboration.
> An ‘open and trusted Internet’ is a globally interoperable Internet that cultivates innovation and creates opportunities for all. Its foundation lies in user trust, technologies for trust, trusted networks and trustworthy ecosystem.
> This policy framework outlines an approach for addressing the complexities of building trust in an open environment such as the Internet. It describes four interrelated dimensions of trust to be considered when developing policies for the Internet, and provides principles to help build a trusted Internet.
* This framework is not intended to address issues of cyber warfare.
The open Internet offers economic and social opportunity for all. However, the Internet’s full potential will only be realized if it has a solid foundation in trust. A recent survey in the US found that 45% of users had changed their online behavior because of their fears. Articles from around the world voice similar concerns. Internet users are anxious about how their data is being used by governments and business. They feel a lack of control, and worry about profiling and discrimination. They also fear that they will become victims of data breaches, identity theft, and other forms cybercrime. For some, this scenario has already become a reality. Internet users are also very troubled about the impact pervasive surveillance has on their privacy and other rights.
Many governments are now assessing the effects of the Internet on society. Some are concerned that the Internet is enabling and amplifying threats from criminals, other states, and even their own citizens. They are responding with stronger government controls, such as restricting access to content and impeding the use of social media channels. Some have imposed data localization measures to keep Internet traffic within their own borders. Others have considered banning key trust technologies (e.g. encryption) or forcing technology providers to create weaknesses in their products because they believe those technologies hamper law enforcement’s ability to combat crime. Yet, without encryption and other trust technologies, there would be no secure banking or communications confidentiality for any Internet users. These policies result in the opposite of what is actually needed: they further damage user trust, remove opportunities and stifle innovation.
Today, policymakers have a choice to make about which path to take in developing Internet policies. One path leads to an open and trusted Internet with all the social and economic benefits it brings. The other path leads to an untrusted and increasingly closed off network that fails to drive growth. One path leads to opportunity, the other to stagnation. The key is trust, and how to sustain the Internet as a fundamentally vibrant and trusted space.
The Internet: trust in an open environment
An ‘open and trusted Internet’ is a globally, distributed, interoperable network of networks that cultivates innovation and creates opportunities for all. Its foundation lies in user trust, technologies for trust, trusted networks and a trustworthy ecosystem. It offers inclusive governance, is built on sound policy principles and strives to put the interests of Internet users at the heart of decisions.
A ‘trusted Internet’ is not an island utopia, shut off from the threats of the world. There will always be risks and downsides to an open network system. Malicious actors will find ways to exploit vulnerabilities. Technologies and capabilities we develop to improve one part of life may negatively impact another. But, threats can be mitigated, risks distributed, weaknesses shared and repaired. The Internet’s openness is also the means to protect it.
All stakeholders have a positive role to play in nurturing a trusted and open Internet. We need to work to secure core aspects of Internet infrastructure, to protect the confidentiality and integrity of the data that flows over it, and to ensure the right policies are in place to support the technologies, networks and actors that make the Internet work. We do this through collective responsibility and collaboration.
A useful foundation can be found in the principles of Collaborative Security: fostering confidence and protecting opportunities; collective responsibility; fundamental properties and values; evolution and consensus; think globally, act locally.
The Internet Society’s policy framework for an open and trusted Internet outlines an approach for addressing the complexities of building trust in an open environment such as the Internet. It is described through four interrelated dimensions of trust that need to be considered when developing policies for the Internet, and provides principles to build a trusted Internet.
This framework for a trusted Internet embraces the important and valuable differences that give our world its rich diversity. There is no ‘one size fits all’ solution to decision-making about the Internet. Pro-Internet policies can take many different shapes, matching each country’s unique needs. But one thing unites them all; their starting point is ‘how do we build trust in an open environment such as the Internet?’
User trust: How and why Internet users – including government, private sector and citizens - trust the Internet, and how to build that trust.
Technologies for trust: The technical building blocks for establishing and maintaining trusted networks, applications and services.
Trusted networks: The Internet’s strength is that it is an ever-evolving collection of interconnected networks with distributed ownership and control. Trust is the glue that keeps networks connected and exchanging data.
Trustworthy ecosystem: How the Internet is governed and how it deals with Internet issues.
This division finds its origin in the layered and modular nature of the Internet. A network of trusted networks provide global reach, while a set of technologies for trust allow applications that use the Internet to provide confidentiality, integrity and the ability to authenticate. With those technical legs in place, a trustworthy ecosystem allows for systemic trust, while user trust is the engine for all the creativity and innovation that we see on the Internet.
Everyone who uses the Internet is an ‘Internet user’, whether they are a government official, an advertiser, a school teacher, a travel agent, a student, an artist. Everyday we decide how much we trust (or distrust) the Internet for our social, professional, financial and other interactions.
User trust is important to the future success of the Internet because if users do not trust the Internet, they will restrict their use, and may even cease using it for certain activities. This could have a serious impact on the evolution of the Internet, its use and growth.
As far back as 1996, the Internet Architecture Board, the organization overseeing development of the Internet’s technical protocols, recognized that the growth of the Internet depended on users having confidence that the network would protect their information and communications (RFC 1984).
However, building user trust does not mean simply reassuring people and hoping for a positive outcome. Building user trust means putting in place the right infrastructure (trusted networks), empowering users to protect their activities (technologies for trust), setting the right policies, and providing a responsive environment that properly addresses users’ wellfounded concerns (trustworthy ecosystem).
The policy principles for enhancing user trust enable individuals and organizations to make informed and rational decisions about how they use the Internet.
Technologies for trust
Technologies for trust are the technical building blocks for establishing and maintaining trusted networks, applications and services. They are the technical foundation for a trusted Internet.
One commonly used trust technology is Transport Layer Security (TLS), a cryptographic protocol used to provide communications confidentiality and integrity, e.g. between a user’s device and a website server. TLS was developed through an open process in the Internet Engineering Task Force (IETF). Today, virtually all banks and government online services use TLS.
Trust technologies are important for reinforcing trust on the Internet because they are the technical tools that enable Internet users to communicate privately (confidentiality), know who they are communicating with (authentication), know that the information they are sending or receiving has not been altered in transit (integrity), to restrict access to their data or communications (authorization), and know whether their device or technology has been tampered with (tamper-detection and resistance).
Technologies for trust are used to secure the networks, applications and services that we use everyday. Without trust technologies such as TLS and its predecessors, we would never have seen the explosion of online commerce that drives GDP growth and spreads opportunities globally. Without communications encryption, governments, companies and individuals would not be able to keep their communications confidential and their information secure.
Technologies for trust evolved thanks to a key characteristic of the open Internet – innovation that does not require prior permission or special approval from an authority. Permission-less innovation built the Internet and is essential for the future health of the Internet and the economies that depend on it.
As threats continue to emerge and grow, we must ensure we all have the necessary tools for privacy, security, and, ultimately, economic and social opportunities.
We need policies that support rather than hinder the development, availability and use of trust technologies.
The Internet is an ever-evolving collection of interconnected networks with no common ownership or centralized control. Trust is the glue that keeps networks connected and exchanging data.
There is no such thing as one single, global network – the Internet is a ‘network of networks’. The communications path is not decided in advance, and it does not follow national borders. Internet users do not decide how their communications are routed: they simply “trust” that network operators will deliver the data where it needs to go. It is a transport strategy that may seem chaotic, but it provides resilience and speed on a scale that humanity has never achieved before.
Trust in this context is not a hope or a feeling; it is a practical and reciprocal way of ‘doing business’. Network operators trust that their peers will carry out the operations needed to provide end-to-end communication. If an operator fails to live up to this trust, its peers will find other ways to route their traffic and simply cease to deal with it. This approach is important because it provides workable options and it does not allow the system to break down.
The keystone of trusted networks is collective responsibility and collaboration. This is the notion that all stakeholders must collaborate and share the responsibility for addressing Internet issues.
Adopting these core elements as the foundation for decision-making creates an environment in which trusted networks will continue to evolve and thrive.
When governments make policies for the Internet, they think about more than just ‘do we trust the Internet for our own use?’. They also think about the impact the Internet may have on their citizens’ safety and well-being, their economy, their sovereignty, as well as ‘who has control’. Balancing all these interests, is a much more complex trust equation than user trust. But, it is critical to address because this is why governments focus so intently on the trustworthiness of the Internet ecosystem and its governance.
The trustworthiness of the Internet ecosystem stems from how it was developed and its multi-stakeholder governance processes, where those affected by decisions have the opportunity to be part of them.
The Internet became a global platform for innovation and economic growth through participatory bottom-up processes, prioritising the stability and integrity of systems, and maintaining the open nature of the underlying technologies. These principles are part of the Internet’s ‘DNA’.
At its core, multi-stakeholder governance embodies transparency, inclusiveness, shared responsibility, embraces accountability, and is effective at solving common Internet issues.
Additionally, in the technical community, we share a sense of collective stewardship towards the public core of the Internet and the open standards on which its technologies and networks are based.
These characteristics fortify stakeholder trust in the way that the Internet ecosystem is operated and governed.
To ensure the benefits of the digital economy reach everyone around the world, and that innovation thrives, we need to build an open and trusted Internet together. We believe this policy framework provides an approach for addressing the complexities of building trust in an open environment such as the Internet.
We ask you to think about these different trust dimensions, and how they are all inter-related, as you consider policies related to the Internet. We also encourage any feedback you may have about this policy framework for an open and trusted Internet. Please send your comments to firstname.lastname@example.org
An open and trusted Internet is vital to the success of the digital economy. We need to work collaboratively to make this a reality.