Time to get serious about e-trust

Summary: IBM's Patrick Howard says the future of electronic commerce hinges on a successful battle to drive acceptance of global norms and protocols.

COMMENTARY--In 1780, a British spy disembarked on the bank of the Hudson River near West Point. Captain John Andre was carrying confidential American military papers to the British Military command in New York City. He also had a document identifying him as an American by the name of John Anderson. The pass was certified by one of General Washington's trusted authorities, Benedict Arnold.

More than 200 years later, the challenges of trusted identities and authenticated documents have resurfaced with glaring intensity. But today, the battle for trust has been recast on a landscape of global dimension with millions of participants conducting business electronically.

The stakes are indeed significant.

Today, in the United States, less than 1 percent of the GDP is transacted through the digital channel. In addition, many commercial and government enterprises have yet to realize the potential lift in their operations by transforming points of customer interaction through the Internet.

However, without fundamental trust among parties in the process, the use of the Internet for complex transactions will continue to be impeded.

Political and legal conditions
Governments and consortiums around the world have actively led a dialogue on trust in electronic commerce since 1996. The goal of new legislation is a more predictable legal environment for electronic commerce. Model laws have been published (uncitral.org), resolutions adopted (oedc.org) and market-driven principles embraced (ecommerce.gov). Federal legislation recently passed on digital signatures (e-sign) underscores the legal framework to which all companies will need to adhere.

It is against this backdrop of fluid political and legal conditions that executives must strike with surety--creating trust processes that build enduring electronic relationships.

What is a trust process? In today's crush of daily commerce, trust flows from relationship. It is earned over time, triggered by reputation and evoked by brand.

It provides certainty, clarifies intent, maintains confidence and protects interests. It includes protocols to test identities, to verify authority levels and privileges, to ensure privacy and to validate approvals. It helps to authenticate documents and establish with certainty the date, time and place of a transaction.

Such protocols have evolved over the centuries for today's commerce--from time-tested practices such as embossed seals, 'pen and ink' signatures and letters of credit, sealed envelopes and registered notaries.

The challenges that loom
In e-commerce, however, these dynamics change radically.

Consider the challenges: the digital economy is a world where electronic identities can be assumed and abandoned at lightning speed. Electronic documents are a complex array of data types, including audio, video, text and images.

Original messages can be modified without detection. Electronic copies of documents seem original. Methods for authenticating identities or documents are not widely or uniformly embraced. It is a world where symbols, sounds and 'click through' processes constitute a signature.

So how do you win the battle for trust for your customers? Get started now in adopting practical methods and technologies to promote trust at your commerce site:

Provide trusted mechanisms to vouch identities: Commerce sites tend to rely on security techniques like passwords to test access privileges and validate approvals.

Through the use of 'digital certificates', which may be issued and maintained by independent 3rd parties, a more natural interchange is effected between a customer and a commerce site. You and your customers effectively exchange 'letters of introduction', validating credentials.

Promote a 'trust zone': Not every message exchanged with customers needs to be vouched, but where authentication is important, such as bank transactions or high-value orders, use Public Key Infrastructure (PKI). Messages are 'signed' by the author using a mathematical key, which is uniquely assigned to and securely held by that individual or organization.

The recipient tests and verifies the identity of the originator using an associated key. Simple and secure.

Authenticate electronic files: Contracts, receipts, surveys, inspection reports, and other key documents that are digitally signed effectively bear the mark of a 'raised seal'--allowing recipients of the document to detect tampering. Implement a process to routinely authenticate key documents. It is trusted discipline.

Appoint a Chief Privacy Officer: The battle for trust among customers in the emerging digital economy is just getting started. The commitment of executive attention to the matter of trust in your enterprise is a signal of trust to your customers as well.

So what happened to Captain Andre? He encountered some patriots on his way to New York, who exposed the fraud. Captain Andre was arrested, tried and hanged. The trust process was preserved. And the rest is history.

Pat Howard serves as IBM's executive responsible for multi-industry practices of business innovation services in the eastern United States.

Paul Racioppo of IBM contributed to this piece.
