Faced with an elusive digital trust, are qualified trust services a solution?
There is a popular saying: “It takes years to build trust, a few seconds to break it and an eternity to restore it.” ”
Even though it may seem rather simplistic, this conception is not false. In “real life”, it takes time to build trust between two parties – the length of time varies depending on several factors. Why do we trust certain people more than others without even having met them? The factors that influence our perception are multiple and complex: the person’s appearance, tone of voice, title or rank, etc. Confidence builds up over time, but can be lost in a matter of moments.
However, in the digital world, this poses a problem. When you decide to trust someone or something, the factors involved are not the same as in the real world. You can’t judge by appearance if you can’t see the other. And you can’t judge by voice if you can’t hear it. As for titles and ranks, they are already deceptive enough in the real world. Online, we are often forced to decide in seconds whether to trust the other. This contrasts with real life, where you can take the time to check if the other party is really reliable. The lack of information – compared to the information normally available to build trust – as well as the pressure to decide quickly often leads to errors in judgment. Mistakes that can be substantial … and costly. This is particularly the case if you are the victim of a phishing attack or other form of fraud – which in recent years has become a critical problem online.
Even though we have come a long way and learned to be cautious online, the phishing problem persists and continues to grow.
Presentation of eIDAS
The issues surrounding the issue of trust have not escaped the attention of political decision-makers and economists. In a 2011 study, the European Union found that the lack of trust between traders and buyers was one of the main obstacles to the growth of online commerce. Several steps have been taken. The “eGovernment and Trust” unit was thus created with the introduction, in its wake, of the regulation relating to electronic identification, authentication and trust services – called eIDAS Regulation (electronic identification, authentication and trust services) , cf. our previous post on the subject. Coming into force in July 2016, eIDAS has therefore been in existence for some time. Did it really help solve digital trust issues?
Before analyzing in more detail the adoption of eIDAS, let’s remember that the regulation does not apply everywhere on the globe. Numerous other confidence-related directives have thus emerged around the world and apply to certain sectors and countries. This is particularly the case for the CA / Browser Forum for public CAs – of which GlobalSign is a part – which governs the issuance of trusted SSL / TLS certificates. Another example from a regulatory point of view and applicable to a country, more than to a global sector: the Japanese network of certification authorities (JCAN, Japanese Certification Authority Network) which maintains a list of reliable trust services in Japan. We will return to the impact of eIDAS on the global network of trust mechanisms later. Let’s first look at the adoption of eIDAS.
What have we learned about trust from eIDAS?
A late 2017 report published by the European Cybersecurity Agency (ENISA) details how the eIDAS has been adopted since its creation in 2016. Barely a year after the establishment of qualified trust services, is- it easier to check trust online? Hard to say. Of course, 64% of trust service providers (PSC) have made themselves known and have announced that they plan to become qualified trust service providers (PSCQ). 90% of SMEs and large groups have seen eIDAS as a means of developing their activity. But the report also highlighted a lack of awareness of trust services among citizens and businesses. Another problem is the lack of standardization and precise technical and legal specifications around trust services. Added to this is some confusion that many countries continue to maintain multiple trust mechanisms at the national level.
EIDAS has made progress in many areas, however. EIDAS was originally intended to provide legal certainty where the impact of digital transformation would be particularly destabilizing. How? ‘Or’ What ? In particular by ensuring the existence of a standard guaranteeing an equivalent level of trust between electronic signatures and handwritten signatures. Great. Another example: the introduction of authentication based on qualified certificates allows citizens to access public services which, in other circumstances, would require them to travel physically to carry out their procedures in person.
EIDAS also forms the basis for other regulations aimed at improving the flexibility of several processes, without compromising on security. This is particularly the case of the revised directive on payment services (DSP2) which streamlines the processing of electronic payments while regulating the authentication methods of the parties concerned.
Unsurprisingly, qualified signatures, seals and timestamps are most appreciated for their simplicity of implementation in digital transformation processes.
A recent ETSI report compared eIDAS to other trust mechanisms around the world and drew some conclusions:
• Despite the relevance of advice on good practices, supervision, and audits, eIDAS should, in its next version scheduled for 2020, be subject to corrections and adjustments.
• If more eIDAS is to be promoted, the regulation should also respect other existing confidence directives and identify areas where these directives provide solutions to certain points not covered by eIDAS.
• ETSI standards based on eIDAS can serve as a model at international level for the technical implementation of electronic signatures with a high level of reliability. Once the international trust mechanisms have adapted to these technical standards, they could be added via the EU trust list using gateway certificates or similar means.
EIDAS has therefore not yet solved the problem of digital trust, but it does help to improve many processes in terms of speed, practicality and accessibility. Pretty positive, right? And this concerns us all: the accountant who can process his invoices much faster. The elderly lady who can apply for her new passport online. And the enthusiastic young entrepreneur who can now start a business in Germany while working remotely from the United States.