Feature
posted 4 Jul 2001 in Volume 5 Issue 3
Online trust: The challenge of online trust
Netmarkets Europe (NME) was founded early in 2000 with the aim of helping European B2B practitioners move closer toward real solutions to the problems they face in building their businesses. Chris Bridges from Netmarkets outlines the result of a recent white paper undertaken by the firm and sponsored by bonitrus on the issues surrounding online trust. The second part of this report will be published in the August/September issue.
This white paper utilises the output from two workshops (one in London and one in Munich), a roundtable discussion (held in association with First Tuesday, also in Munich) and a networking event in London, both of which took place at the end of 2000. It reveals the thoughts, ideas, problems and potential solutions to developing trust in a B2B environment identified by about 60 European net market practitioners, against a background of the issues that it is generally agreed must be addressed if trust is to be developed.
There are many reasons that e-commerce, and the net markets which provide much of the structure for it to take place, are not thriving in the way predicted by pundits. Many of these reasons are nothing to do with the technology that is driving the e-revolution but to do with the people who are (or should be) driving the technology. The reality is that human beings, while embracing change if they see a direct advantage for themselves, are also creatures of habit and they crave the familiar. If we recognise something and associate it with good experiences then we feel comfortable – we trust it.
The problem for businesses operating in the new economy is just that – they are new and, as such, have no convenient hooks for their customers (buyers and suppliers) to utilise in their search for something they can rely upon. Added to which, they promise to take users out of their comfort zone and (in the name of better business) enable them to trade with partners they have never met. In addition, the press is full of scare stories about the lack of security on the web, so there is another problem: reassuring users that their transactions and other communications will be safe. This is a question of technology, but one that must be understood by all users in order for it to provide a real basis upon which trust can be built.
Trust, and how to generate it in the ‘online’ world, is hence a knotty problem – one that must be solved but for which (as yet) no right answers or standard solutions exist.
Why is trust a challenge?
Trust in B2B is when there is a belief that an acceptable level of honesty, reliability and competence exists on the part of the intermediaries, the technologies and the other parties involved in the business process, such that trade can take place.
A Forrester survey in 2000 found that 51% of companies would not trade with parties they do not already know over the web. The Giga Group also identified a lack of security or trust as a factor stopping 27% of respondents from trading online. And the situation has not markedly changed. A Jupiter report published in February 2001 says a “lack of trust is one of the great barriers inhibiting trade between buyers and sellers who are unfamiliar to each other. In spite of its many advantages, online trade is especially fertile ground for distrust.” Another survey from ICL, released in March this year, reported that 95% of UK companies who haven’t used an e-marketplace have been put off because they felt that financial transactions might not be secure. Some 44% are afraid that commercially sensitive information might get into the hands of competitors, and only 15% of respondents had participated in e-marketplaces.
All of this should not necessarily surprise us. Humans take time to develop trust. Added to this is the fact that the number of reported security incidents has grown at a CAGR of 50% over the past 10 years (reaching 15,000 in 2000).
The problem is that traditional approaches are no longer appropriate when one is working in the online world. There is the potential for everything to move much faster, but the whole trading relationship can be initiated, used and broken before the various checks demanded by businesses have taken place. For instance, existing vetting systems are cumbersome, and letters of credit are too slow when international business transactions can take place faster with a distant online partner than with a tried and tested partner working offline in your own country. Ensuring payment will always be key in generating confidence, but escrow does not scale well, while the speed of the legal process means that contracts will not cover the new risks that arise as e-commerce develops.
However, other aspects of the traditional world appear to be vital if trust is ever to be achieved. Research shows (i2i, Trust in e-commerce, December 2000) that “face-to-face interaction promotes the greatest trust, followed by the telephone, then text chat and last e-mail. E-mail in fact increases the chance that individuals behave in self-serving ways.” This causes a problem, since collaboration between companies is the basis for B2B e-commerce, yet the overwhelming majority of us are saddled with the least effective tool. We collaborate best with people that we know personally.
A senior researcher at the Australian Institute of Criminology says: “A lot of the discussion that has taken place in recent years has related to business-to-consumer transactions, the sorts of traditional consumer frauds that we’re familiar with – advanced fee frauds, all sorts of deceptions in selling products, consumers defrauding merchants by placing an order and receiving it and defaulting on payment. That’s something that has been increasing and is well recognised. But I think the future will see fraud taking place much more extensively between businesses, manufacturers, distributors and merchants.”
The author goes on to say that businesses that take short cuts and fail to invest in and carry out necessary checks could open themselves up to fraud. Not only must net markets try to overcome the perception that they are unsafe places over which to trade, they also need to be aware that some of their customers actually will be trying to use them improperly and that, without adequate security measures, they will be unsafe and not worthy of trust.
Solutions are developing to help provide a structure around which trust can develop, and the elements of what we have called the ‘trust continuum’ are discussed later. What emerges is a problem that impinges on all stages of the trading process, and it is complicated precisely because it does affect everything that a business does – fail at one point in the chain and you have failed all along the chain.
The net markets hence have a problem: they require customers and suppliers sending transactions across their applications but they require trust to enable this. And trust is built most easily when there is already a community in place that is trading. There is no liquidity without trust but no trust without liquidity.
As mentioned above, although a system that claims to be trustworthy needs to demonstrate real trade taking place, the technology foundation is a key enabler in providing a system that can be trusted. There are a number of things a system must deliver to be considered ‘trustworthy’. The three key ones are:
- Who am I trading with?
- Will they deliver the goods?
- Will they pay me?
Trust is a concept that everyone agrees is necessary to enable trade to flourish over the web, but it is difficult to quantify. This is why there is also much discussion about risk – a concept that is once again universally understood but has also been very successfully (and profitably) quantified over the centuries. Despite this history, there is a challenge centring around trying to quantify the risk of any potential losses which could arise from the need to engage trading partners more quickly, that is, with less traditional ‘courting’.
Much of the hype about the dangers of trading over the web has come from press coverage of the B2C arena. Despite the expectation that a strong brand engenders trust, the massive advertising campaigns of some B2C companies have not led to the expected levels of trade, and security/trust is a key excuse offered by buyers. One of the charges laid against them is that they over-promised: they violated trust in order to build mind share. There are lessons here for B2B practitioners, since business customers also value brand, but it is not the whole story – to support the brand they need to demonstrate experience in the market in which they operate and an empathy with that market.
Still looking at the B2C arena, MIT research has shown that only about half of the shoppers for an item pick the lowest price offered; the rest prefer to shop at a site they have come to trust or that gives them trusted advice. Some basic reputation systems are offered on auction sites, and a need to feel comfortable with other members of the trading community clearly exists in the B2B environment.
For both B2C and B2B the question is: “How do you support the human touch?” As an Arthur Andersen report says: “Without trust, the development of e-commerce cannot reach its potential. An understanding of trust would allow an easing of customers’ concerns and could hasten the maturation of online trade and marketplaces.”
So trust is a cultural issue, but technology will underpin it. As people become more educated they will challenge the technological solutions more and more, but they will also demand other elements of reassurance that reinforce those that they have used in traditional business. Net markets are now adopting solutions to provide this comfort.
The trust continuum
At first glance, many people would say that security is synonymous with trust – if a website is secure I will trust it. But trust can only be achieved by delivering far more than a secure website. That is not to belittle the importance of such things, but just because an order has been securely transmitted, it is not possible to guarantee that delivery (of the correct product) will be made or that the person who placed the order was authorised to do so.
There are many facets to providing a business solution that covers all eventualities and can satisfy even the most doubting customer or supplier. As ever with such a chain of activities it is only as strong as its weakest link so (even though new solutions are being created and old ones are being improved) it is necessary for a business to assess where it needs a robust solution and where it can afford to take some risks. Net markets need a variety of ways to help reduce risk for themselves and their users and these may differ according to the market in which they work. Analysis of where the risk lies in their market is key to controlling the cost of security and the foundations for developing trust.
Marketplace assessment
The first thing that a potential user of a net market is going to ask himself is: is this marketplace up to the job? Are they a serious player that is going to be around in the future? Due to the fact that most net markets are very new, these are questions to which it is almost impossible to get unequivocal answers. SGSonSITE is developing some tools in this direction and, as net markets consolidate, there may be a need for an ISO-type standard that guarantees the accredited markets can meet certain requirements. In the meantime, concerned net market users (or groups of users) can commission independent audits on the practices and procedures of the partners they (wish to) use. One area that will have a bearing on a decision of whether or not to participate will be ownership. Is the market neutral or does a consortium of industry players own it? Do I believe that the market will lead to win-win situations that involve all participants, or do I perceive a risk that I could lose more by joining than by refusing to participate? Other key factors in an assessment will be the financial backing the marketplace has, key participants, functionality fit with the vertical market they are serving and the management team.
Identification and authentication
This is probably the most fundamental question. Who are you trading with and can you trust them? The NME workshop participants called this the ‘virtual handshake’.
The membership of the trading community is controlled in one of two ways – either the members are adopted, verified and controlled by the net market, or a third party authentication service can be used. The advantage of the latter method is that it can cross market and geographical boundaries (although at a cost), while the former provides the basis for a self-governing trading community.
User verification is necessary to ensure that the person generating the transaction is authorised to do so. The beauty of e-commerce is its speed and ease of use; however, this can mean that, without proper security, purchase orders can be placed and payments can be released by those not authorised to do so.
The whole area of user verification becomes even more important when we consider the attractiveness of anonymity to users of net markets in certain situations. A manufacturer may not wish his major customers to know that it is he who is offering his overproduction cheap via an auction, but he will want to be visible when that customer places an RFQ for his products. This demonstrates the need for flexible and customisable solutions. However, as the NME workshop participants pointed out, just because a participant in a net market is anonymous to other participants, this does not mean that they are anonymous to the net market, which will still be responsible for vetting the participants in its own community.
| Comments from the NME workshops |
| The NME workshop participants' responses highlighted that the approvals process is one that often relies very much on traditional methods - ones that cannot be digitally forged. The approach suggested was that net markets should establish the bona fides of their members using techniques that are well established, so as to leave no doubt as to the validity of the results. |
| This gives a solid position from which then to build the e-business processes that are perceived as woollier. |
| The net markets suggested ensuring that a letter backs up online registrations and that telephone checks are made although the development of biometric devices (iris recognition for instance) is expected to reduce the need for such offline checks. |
Reference was made to the opportunity that exists for net markets to add value by establishing a quality guarantee mark (not unlike the ‘eBay approved users’ scheme) which, especially if linked to a users’ rating scheme (see below), could add significantly to the level of protection that a net market appears to give its members. It is important to note that net markets have both buyers and sellers, and both sides need to experience the same level of rigour when they are checked. If this is not balanced, the perception of the approval process used for other parties could be very inaccurate. bonitrus is building its TrustedTrader community in an attempt to provide this service. An organisation can receive a ‘seal of approval’ that guarantees their identity and creditworthiness to potential business partners, as well as providing PKI-based authentication. The references are continuously updated and the ‘seal’ is designed to be used both on and offline as a means of giving potential partners the confidence to trade.
The tool that supports digital authorisation and certification is usually public key infrastructure (PKI). The requirement for technology such as PKI has developed as trade between parties who are known to each other (either using traditional means or over intranets and customer/supplier extranets) has evolved towards a situation where the parties are unknown to one another – the situation encouraged by Netmarkets. In this sense, electronic commerce has caused a paradigm shift – security has moved from keeping outsiders out to letting outsiders in.
This is a challenge to e-markets, as they must be secure but access to their functionality must also be simple. For instance, any additional login steps for users (in the name of enhanced security) will detract from the user experience.
The solution works in the following way: a digital certificate plus a digital signature provides the identity of the other party plus a guarantee of the integrity of the data (i.e. that the other party is who he says he is and the information has not been altered in transit). This is necessary for legal non-repudiation: the fact that the transaction has taken place will stand up in a court of law. You can find white papers on this subject at www.trustwise.com.
The insurability of web commerce is essential and this will drive the need for security. For instance, providers such as Equifax.com and beTrusted.com will guarantee that a certificate with a public key is secure. Without high quality providers able to make such guarantees, the recipient would have to check that the certification authority that issued the certificate had an identity certificate and was not in any trouble with revocation. This process would have to be continued down the issuance hierarchy, so the only solution for a user is insurance.
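The check that the two paragraphs above describe, written out as an added Python example (it is not part of the original article): the recipient verifies the signature on a purchase order, then follows the signer's certificate through each issuer to a root trusted in advance, rejecting the chain if any link fails to verify or has been revoked. The party names, the order and the toy textbook-RSA keys are constructed assumptions, and validity dates are left out.

```python
# Added illustration: constructed names, keys and order; not real X.509.
# Textbook RSA on well-known Mersenne primes: fine for a demo, useless for real security.
import hashlib
from dataclasses import dataclass

E = 65537
def toy_keypair(a, b):
    """Return (public, private) built from the primes 2**a-1 and 2**b-1."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    pubkey: tuple
    signature: int = 0

    def tbs(self):
        """Bytes the issuer signs: every field except the signature."""
        return f"{self.subject}|{self.issuer}|{self.serial}|{self.pubkey}".encode()

def issue(subject, pubkey, issuer, issuer_priv, serial):
    unsigned = Cert(subject, issuer, serial, pubkey)
    return Cert(subject, issuer, serial, pubkey, sign(issuer_priv, unsigned.tbs()))

def validate_chain(cert, pool, anchors, revoked, max_depth=8):
    """Follow issuer links to a pinned root; fail on any broken or revoked link."""
    for _ in range(max_depth):
        if (cert.issuer, cert.serial) in revoked:
            return False, f"{cert.subject}: certificate revoked"
        if anchors.get(cert.subject) == cert.pubkey:
            return True, f"chain ends at trusted root {cert.subject}"
        issuer = pool.get(cert.issuer)
        if issuer is None or issuer == cert:
            return False, f"{cert.subject}: no path to a trusted root"
        if not verify(issuer.pubkey, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: issuer signature does not verify"
        cert = issuer
    return False, "chain too long"

def verify_order(order, sig, signer, pool, anchors, revoked):
    """Integrity and origin of the message first, then the signer's chain."""
    if not verify(signer.pubkey, order, sig):
        return False, "order altered in transit or not signed by this key"
    return validate_chain(signer, pool, anchors, revoked)

# Constructed three-level hierarchy: root CA -> issuing CA -> trading partner.
ROOT_PUB, ROOT_PRIV = toy_keypair(61, 127)
CA_PUB, CA_PRIV = toy_keypair(89, 107)
SUP_PUB, SUP_PRIV = toy_keypair(521, 607)
ROOT = issue("Example Root CA", ROOT_PUB, "Example Root CA", ROOT_PRIV, 1)
ISSUING = issue("Example Issuing CA", CA_PUB, "Example Root CA", ROOT_PRIV, 2)
SUPPLIER = issue("Supplier GmbH", SUP_PUB, "Example Issuing CA", CA_PRIV, 3)
POOL = {c.subject: c for c in (ROOT, ISSUING)}
ANCHORS = {"Example Root CA": ROOT_PUB}      # the only key trusted in advance
ORDER = b"PO-0001: 500 units, net 30 days"   # constructed purchase order
ORDER_SIG = sign(SUP_PRIV, ORDER)

if __name__ == "__main__":
    for order, crl in ((ORDER, set()), (ORDER + b"0", set()), (ORDER, {("Example Root CA", 2)})):
        print(verify_order(order, ORDER_SIG, SUPPLIER, POOL, ANCHORS, crl))
```

The third case revokes the issuing CA's certificate (serial 2 under the root), which invalidates the supplier's certificate even though the supplier's own signature and certificate are intact.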
There are many security protocols that exist to ensure that transactions take place in a tamperproof environment. The best known is Secure Sockets Layer (SSL). This offers ‘session level’ security, which means that all information is encrypted once a secure session is established – this also means that it is slow. Another example is SET (secure electronic transaction), which was developed by the credit card companies. This is much more secure than SSL (using a 1024-bit key as opposed to a 128-bit key) and it permits non-repudiation. It is, however, correspondingly more complicated to set up and so is less popular.
Trade between multiple parties inevitably means that multiple trading and security platforms are being used. PKI standards exist to allow these applications to talk to each other seamlessly, and they cover such areas as enrolment procedures, certificate formats, digital signature formats and challenge/response protocols.
There is broad agreement that standards are important in enabling e-commerce to spread quickly and efficiently, but they are proving very difficult to set in many areas. An initiative by 12 security vendors called OASIS aims to develop an XML-based standard that will allow web-based security systems to seamlessly exchange transaction and session details across multiple web sites. You can find more information at www.oasis-open.org.
One of the challenges to security is ensuring that only the correct person is actually performing the activities allowed by his authorisation. This highlights the need for very stringent validation processes when new user profiles are established and enabled. To be certain that an applicant is bona fide requires the rigorous use of traditional ‘physical’ checking procedures – these then act as the foundation for the e-security.
Smart cards, plastic cards with embedded microprocessors, are used as ‘keys’ for users to unlock access to their chosen data input device (PC, terminal etc). The chip ensures that smart cards are much more secure than traditional magnetic strip cards. Developments in the field of biometrics are increasing the certainty with which identity can be established. There are now biometric devices for recognition of characteristics such as voice, face, retina and fingerprints, as well as the recognition of typing idiosyncrasies, for instance.
Business information
There has always been a requirement to check the financial health of business partners, and Dun and Bradstreet and Equifax provide these services. As with the assessment of an e-market, the buyer or seller can then be reassured that their potential partner has the potential to be a long-term one.
| Comments from the NME workshops |
| This area was defined by the NME participants as ensuring that 'what you see is what you'll get'. It was felt necessary to understand where the buyer and seller wish to position themselves, since there are costs involved in this type of quality control and if the buyer is happy to take the risk that the product or service he is purchasing does not meet specification (maybe because the price was very attractive), he should not be forced into bearing such costs. Unnecessary testing can be avoided by ensuring that the market defines explicit descriptive criteria that must be used by sellers to list their products. This can amount to an initial quality check on the product (especially as the requirements will be very market specific), which can then be backed up by user ratings or third party testing. The establishment of an easy-to-use product sampling service can help in some instances, but this can only work when both the products and their suppliers are able to 'comply'. |
| It was in discussing this area that the NME workshop participants really homed in on 'brand', arguing that the best guarantee of product quality is often the brand recognition factor. However, one of the opportunities that the web supplies is the ability to procure products from new sources - brand recognition favours established players. There is an opportunity for the net market to develop its brand as a trusted third party that only sells 'quality' product; in this case the net market is imitating the strategy of a traditional distributor and may find it difficult to square this approach with a 'vendor neutral' stance. One suggestion was that the best a net market can do is to facilitate a user forum to define expected standards and then present the results of this to the suppliers. The users have a voice, the sellers know what is expected of them and the net market has (partly) discharged its responsibility for product quality. |
GeoTrust has established itself as an online aggregator of business information with the aim of providing a broader range of data than the traditional players. The information can include the authentication of a company, its business representatives and authorisation levels, as well as trade references and even business policies and standard practices. The data is provided as a one page ‘snapshot’ of the business.
Quality across many different facets is increasing in importance. Not only do customers want to be sure they receive the goods they ordered, to the quality they ordered, but also, if the correct product is shipped, whether it will ever arrive. The final area that is now challenging the buyers and sellers is whether or not the net market over which they are trading is ‘up to the job’.
Once again, net markets have a choice – do they monitor the membership themselves, perhaps utilising user feedback, or do they pay a third party to do this for them? The third party services are still in development, with organisations such as SGSonSITE.com promising buyer services (including vendor rating and the provision of an independent samples service) and offering vendors the opportunity to become certified by SGS as being competent in certain business and internet transactions. Other providers are Bureauveritas and worldwidetesting.com, both of whom already provide a service that checks the quality of goods ordered before they are shipped.
| Comments from the NME workshops |
| When it came to a discussion on managing and mitigating credit risk at the NME workshops, the trade-off between the cost of avoiding risk (credit checking) and the cost of dealing with bad debts, it was decided that this could be seen as a balance between short-term contracts or long-term liquidity. Despite the unwillingness of some participants to fund the credit checks (especially since credit is dynamic and should ideally be real-time for new business partners), another saw the revenue making opportunities (ever more important as transaction fees go out of fashion) of partnering with a third party risk management business, taking a discount and passing some of this on to the net market participants as an incentive for working with them. One participant suggested that as long as percentage transaction fees remain, there would always be an incentive to cheat; either that or the trade would be completed offline. |
These new services are becoming progressively more important as suppliers are tempted to trade in remote markets. Although the suppliers may be very honest and willing to ship anywhere in the world, this is not a guarantee they are able to ship anywhere, since paperwork, tax and customs requirements can be extremely onerous.
How to ensure that I get paid for the goods is a major concern for anyone selling over the web.
Dun and Bradstreet remains a major source of information on creditworthiness, and traditionally mechanisms such as letters of credit have been used when international trade takes place between unknown parties, but these are slow. Other payment options such as escrow and credit or purchasing cards are either not scalable or not suitable for large purchases.
There are some new solutions being developed by organisations such as Coface and bonitrus, designed to take the risk and friction out of ad hoc transactions, whereby real-time information on creditworthiness is approved and delivered online.
Originally published in e-mmerce









