Consumer Trust and the Internet

Trust is probably the most important element in commerce and marketing. It builds relationships and expectations, reduces anxiety, paves the way for acceptance of new products, and clears communication pathways between companies and their customers. Trust is key to everything marketers do, from getting consumers to give out their credit card numbers or sign up for newsletters to creating long, satisfying, loyal relationships with our customers.

And it’s rapidly being destroyed.

It’s been a tough summer for trust on the Net. Blackouts, increased spam, and a virtual menagerie of worms, viruses, and Trojan horses have made it pretty difficult to trust anyone on the Web, especially for consumers without much online experience. Consumer confidence in e-commerce is pretty dismal thanks to fraud, increasingly clogged inboxes, the Do Not Call Registry, and identity theft.

A recent Consumer WebWatch report found only about a third of consumers had high levels of confidence in e-commerce sites. Unscrupulous marketers are spoofing legitimate brand names to trick users into opening spam, driving down trust in legitimate companies by association. Even worse, CyberAtlas reports almost 63 percent of consumers claim they’ve opened email they thought was legit and discovered it was fake.

The scary fact for online marketers is we’re close to the tipping point where ham-handed legal remedies are going to be suggested. According to the same CyberAtlas article, almost three quarters of consumers favor legally limiting spam and creating a national “do not email” list. Spam makes up over 50 percent of email (according to Brightmail). Something’s going to happen soon, and you can bet it’s going to be expensive, cumbersome, ultimately unenforceable, and incredibly complicated.

The worst part is legislation is only going to hurt legitimate marketers. Spammers will continue what they’re doing from offshore or hacked servers. The government will be powerless to stop them. Consumer trust will continue to erode, and the effectiveness of online marketing and sales will plummet.

The answer lies not in legislation but in addressing one of the Net’s central problems (and features): anonymity.

The basis of trust is a relationship, and a relationship can only occur between two parties that know one another. If one party doesn’t know the other, there’s no basis for trust other than superficial appearance. That’s how email works now. When you decide to read an email, you go through a brief “trust” equation in your mind: Do you know the sender? If so, open the email. Spammers know this and often forge headers to hide their real identities. Virus writers know it, too. The current “Wicked screensaver” email takes full advantage of this property by using address books to propagate itself.

A similar situation happens when we open files, install software, or give out our credit card numbers. This need for trust is what formed the basis for the systems that allow e-commerce. Digital certification of content has also allowed us to decide about downloading software from the Web. Content with a digital certificate makes us feel safer.

On the other hand, the Internet was designed to allow relatively anonymous communications. SMTP and HTTP, in particular, don’t require any sort of authentication. Outgoing mail servers require authentication to forward mail (in most cases), but incoming mail servers don’t. Anybody with a valid receiver address gets his message through. And therein lies the problem.

Upgrading the SMTP protocol to deal with this problem treats the symptoms rather than the problem. To deal with all the Net’s problems — viruses, spam, worms, scams — we need a reliable system of digital signatures for everyone.

The advantages are obvious. If you know the email sender, you’re protected from “unsigned,” anonymous, possibly malicious content. If email clients could confirm the identity of every message’s sender, messages could be easily separated into “whitelist” and “suspected” folders. Lots of people do this already by filtering based on their address book, but it fails when headers are spoofed.

A working digital signature system would eliminate unsolicited email because spammers would be filtered into the trash folder. Legitimate marketers that provided a digital signature to users at the time of subscription would get through. No Internetwide protocols would have to be modified. Such a system would be backward compatible with old email clients, whose users would merely set up rules by hand to check for signatures in headers.

Best of all, such a system would protect the anonymity that’s so important to the Internet’s culture. Nobody would be required to sign messages. They’d still get through but would be flagged as “anonymous” and possibly suspect. Civil liberties would be protected. Legitimate marketers would not have to deal with undue legislation.
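The filtering described above, sketched as an added example (not code from the article or any mail product): address-book filtering on the From header beside signature-based sorting into "whitelist", "suspected" and "anonymous". It assumes single-part text messages; the `X-Sender-Signature` header, the addresses and the key are constructed, and an HMAC with a per-sender key stands in for a public-key signature so the sketch runs on the standard library alone.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

SIG_HEADER = "X-Sender-Signature"  # hypothetical header name
# Address book: sender address -> key handed over at subscription (constructed values).
ADDRESS_BOOK = {"news@shop.example": b"key-issued-at-signup"}

def _sender(msg):
    return parseaddr(msg["From"] or "")[1].lower()

def _mac(msg, key):
    # Bind the signature to sender, subject and body so none can be swapped.
    data = "\n".join([_sender(msg), msg["Subject"] or "", msg.get_payload()])
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def sign(raw, key):
    """Sender side: return the message with the signature header added."""
    msg = message_from_string(raw)
    msg[SIG_HEADER] = _mac(msg, key)
    return msg.as_string()

def naive_folder(raw):
    """Address-book filtering on the From header alone (what spoofing defeats)."""
    return "whitelist" if _sender(message_from_string(raw)) in ADDRESS_BOOK else "suspected"

def signed_folder(raw):
    """Signature-based filtering: unsigned mail still arrives, flagged anonymous."""
    msg = message_from_string(raw)
    sig = msg[SIG_HEADER]
    if sig is None:
        return "anonymous"
    key = ADDRESS_BOOK.get(_sender(msg))
    if key is None:
        return "suspected"  # signed, but by nobody in the address book
    claimed = str(sig).strip().encode("ascii", "replace")
    return "whitelist" if hmac.compare_digest(claimed, _mac(msg, key).encode()) else "suspected"

# Constructed sample messages.
RAW = "From: Shop News <news@shop.example>\nSubject: September offers\n\nYour monthly newsletter.\n"
LEGIT = sign(RAW, ADDRESS_BOOK["news@shop.example"])
SPOOFED = "From: Shop News <news@shop.example>\nSubject: Account notice\n\nPlease read.\n"
FORGED = SIG_HEADER + ": " + "0" * 64 + "\n" + SPOOFED
```

The spoofed message lands in the whitelist under `naive_folder` but not under `signed_folder`, and a signed message whose body is altered in transit drops to "suspected" as well.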

Solving the problem through code rather than legislation would have some immediate drawbacks. Users would have to add signatures to their clients the first time they did business with a company, though this procedure could possibly be automated. Users would also have to spend time adding new information to their email address books.

Digital signatures would take a little work to implement but could reap big rewards. What’s the alternative? If we keep going down the path we’re on, the system isn’t going to work for anyone.
