This paper examines the role of internet trust certificates and digital signatures in securing online commerce and building consumer confidence. Drawing on studies from Cranfield University, the London School of Economics, and multiple consumer surveys, the paper reviews the nature of online trust, the mechanics of digital certificates, and the privacy seal programs offered by BBBOnline, TRUSTe, and VeriSign. It evaluates whether these certificates genuinely prevent misuse of personal information, identifies loopholes in current self-regulatory frameworks, and considers consumer attitudes toward online privacy. The paper concludes with recommendations for best practices that Internet trust organizations should adopt to strengthen credibility and protect users.
In every Internet-based transaction, online security is considered a matter of great concern. The susceptibility of internet auction sites to high proportions of deceptive activities has increased the significance of security measures. The emergence of Internet trust certificates and signatures is expected to extensively increase the security of electronic commerce and legal transactions conducted online.
Information and communication technology professionals at two prominent British universities assert that public reliance upon electronic media of communication — including the internet, mobile, and wireless communications — has been at its lowest point in the last decade. Analysts from Cranfield University, Oxfordshire, and the London School of Economics and Political Science (LSE), in collaboration with the Office of Science and Technology, sponsored a study that probed the evolution of the Internet, interactivity, and its influence on the level of trust and confidence among users.
Trust has been defined as a desire to depend upon an exchange partner in whom one has confidence. In a review of marketing literature, two approaches may be detected. First, trust is considered as a faith, confidence, or expectation about an exchange partner's trustworthiness arising from the partner's skill, dependability, or intentions. Second, trust is perceived as a behavioral intention indicating dependence on a partner, associated with vulnerability and uncertainty on the part of the trusting party.
Professor Brian Collins, head of the Information Systems Department at Cranfield University, observed that a primary cause of absent trust is the insecure nature of the technologies presently applied. Such technologies form a complex system of interactions and interdependencies that have not been well planned and are not well understood. Professor Robin Mansell similarly noted that as these technologies evolve, the vulnerabilities and risks confronted by web users also increase. Society's growing dependence on cyber trust systems is not balanced by the resilience or capacity for graceful degradation of those systems, giving rise to very unstable levels of trust among users. Data released by the Consumers' Association in March 2005 supports this view: approximately 20 million adults in the UK reported knowing someone who had been a victim of cybercrime or having had their identity compromised.
A certificate securely connects a public key to the entity that holds the related private key. With a certificate in place, host computers on the Internet no longer need to request passwords from individual subjects who require authentication before gaining access. Instead, the host establishes trust in a certification authority that authenticates individuals and resources linked to private keys. The host can then extend this trust through a certificate hierarchy ultimately anchored in a root certificate — that is, a certificate from a certification authority that establishes a defined level of integrity and security for the entire hierarchy. Practical examples of certificate use include connecting to a website via a Secure Sockets Layer (SSL) session, accepting a certificate during software installation, or accepting a certificate when receiving an encrypted or digitally signed email message.
To understand public key infrastructure, it is important to know not only how certificates are issued, but also how they are revoked and how information about those revocations is made available to clients. This matters because revocation information is critical for any application seeking to verify whether a particular certificate is currently considered valid. Certificate revocation information is sometimes compiled in the form of a certificate revocation list (CRL), though that is not the only form it can take. Applications associated with a certificate may connect to an intranet or internet site for information about certification authorities and certificate revocation details.
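A simplified model of the checks described above, added here as an illustration and not taken from the paper: each certificate binds a subject name to a public key, trust is extended issuer by issuer up to a trusted root, and each issuer's revocation list is consulted along the way. It uses textbook RSA over small Mersenne primes instead of real X.509 encoding, and all names and serial numbers are hypothetical.

```python
import hashlib
from dataclasses import dataclass

def make_key(p, q, e=65537):  # textbook RSA on toy primes, no padding
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    pubkey: tuple
    signature: int = 0
    def tbs(self):  # fields the issuer signs: binds the subject name to its public key
        return f"{self.subject}|{self.issuer}|{self.serial}|{self.pubkey}".encode()

def issue(subject, pubkey, issuer, issuer_priv, serial):
    n, d = issuer_priv
    cert = Cert(subject, issuer, serial, pubkey)
    cert.signature = pow(_digest(cert.tbs(), n), d, n)
    return cert

def validate(chain, trusted_roots, crls):
    # chain is leaf-first; trusted_roots: CA name -> public key;
    # crls: issuer name -> revoked serials (a real CRL is itself signed by the issuer)
    for i, cert in enumerate(chain):
        if cert.issuer in trusted_roots:
            key = trusted_roots[cert.issuer]
        elif i + 1 < len(chain) and chain[i + 1].subject == cert.issuer:
            key = chain[i + 1].pubkey
        else:
            return f"untrusted issuer: {cert.issuer}"
        if pow(cert.signature, key[1], key[0]) != _digest(cert.tbs(), key[0]):
            return f"bad signature: {cert.subject}"
        if cert.serial in crls.get(cert.issuer, set()):
            return f"revoked: {cert.subject}"
        if cert.issuer in trusted_roots:
            return "valid"
    return "untrusted issuer: empty chain"

# Constructed sample hierarchy: hypothetical names, Mersenne primes as toy key material.
ROOT_PUB, ROOT_PRIV = make_key(2**89 - 1, 2**107 - 1)
INT_PUB, INT_PRIV = make_key(2**61 - 1, 2**127 - 1)
LEAF_PUB, _ = make_key(2**19 - 1, 2**31 - 1)
CHAIN = [issue("shop.example", LEAF_PUB, "Example Issuing CA", INT_PRIV, 1001),
         issue("Example Issuing CA", INT_PUB, "Example Root CA", ROOT_PRIV, 7)]
ROOTS = {"Example Root CA": ROOT_PUB}
```

Calling `validate(CHAIN, ROOTS, {"Example Issuing CA": {1001}})` shows why revocation data matters: the signatures still verify, yet the leaf certificate is rejected.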
In organizations where servers run Windows Server 2003 with SP1, various options exist for how certificates and certificate revocation lists are handled. The Update Root Certificate component in Windows Server 2003 with SP1 is designed to automatically check the list of trusted authorities on the Microsoft Windows Update website when required by an application. If an application is presented with a certificate obtained from a certification authority that is not directly trusted, the Update Root Certificate component connects to the Microsoft Windows Update website to determine whether Microsoft has added that authority to its list of trusted authorities. If so, the authority's certificate is automatically added to the trusted certificate store on the computer. The Update Root Certificates component is not mandatory and can be removed or excluded from installation.
Researchers have identified several trust models on the Internet that attempt to achieve maximum trust with minimum risk. These include the X.509 Standard Public Key Infrastructure (PKI), Pretty Good Privacy (PGP), the Simple Public Key Infrastructure (SPKI), and the Simple Distributed Secure Infrastructure (SDSI). Such models employ public key encryption techniques, certificates, and digital signatures. A certificate is used as a trust token among parties on the Internet to demonstrate that you are who you claim to be. This area of study surveys prevailing trust models, their certificates, their structures, the manner in which they address transitivity of trust, and Certificate Revocation Lists (CRLs).
Bandyopadyay (2002) stated that emerging markets are "high context" cultures, where generating trust and establishing mutually obligatory relationships are sometimes preconditions for conducting business. He added that an emphasis on building trust and relationships reduces the vulnerability of transactions on the Internet where participants do not meet physically. A Consumer Union Survey conducted in 2002 revealed that Internet users are largely skeptical of websites that sell goods or offer purchasing advice. The survey found that only 29% of 1,500 US Internet users indicated they trust web merchants almost all of the time, while roughly two-thirds trusted web retailers only some of the time or never. A contemporaneous study by NFO World Group, sponsored by TRUSTe, indicated that privacy threats were anticipated to have a significantly negative impact on online shopping during the 2003 holiday season. Approximately 49% of respondents said they would limit their online shopping because they did not trust online retailers with their personal information.
Approximately 5.6% said they would not shop online at all due to privacy concerns. The three most significant reasons cited for reducing or stopping online shopping were fear of receiving spam after making a purchase, the threat of identity theft, and the possibility of credit card information being stolen. Such figures warn online retailers of the necessity of building trust with online consumers. Developing consumer trust is crucial for success in any business environment, and arguably even more critical in the online context.
Luo (2002) noted that trust plays a key role in the electronic marketplace, which is associated with high uncertainty and limited legal protection. Building online trust is put forward as a remedy for consumer privacy concerns. Trust is considered not merely a short-term problem, but the most important long-term obstacle to realizing the potential of e-commerce for consumers. A higher degree of trust is necessary in an online shopping environment than in a physical store. Trust alleviates concerns about insecurity that arise when the retailer is unknown, or when the consumer is uncertain about how a company will deliver purchased goods or services. Building trust in e-commerce requires a clear demonstration of rigorous security standards, data protection, and transparency of data use.
Morgan and Hunt (1994) indicate that trust can be generated when firms produce superior resources, uphold high standards of corporate values, communicate information about expectations and market intelligence, and refrain from maliciously exploiting their trading partners. Research dealing with trust from a conventional marketing perspective focuses on experience-based outcomes. In the online environment, however, trust must be established before the online shopping experience can occur. One major area of concern for consumers in developing trust is privacy. As Luo (2002) noted, in the context of internet marketing, invasion of privacy refers to the unauthorized collection, disclosure, or other use of personal information. Given the high priority consumers place on privacy, the FTC has been actively involved in establishing guidelines for online marketers in addressing and meeting privacy requirements.
The FTC has relied on fair information principles to guide privacy regulations and industry practice in the United States. These principles include "notice/awareness, choice/consent, access/participation, security/integrity, and redress/enforcement." Despite industry dependence on self-regulation, Milne and Boza (1998) found in a study of approximately 365 organizations that only about 38% notified consumers about personal data collection, 33% disclosed how the information would be used, and 26% requested permission to use that information. Many organizations use the Internet to collect information through cookies or other tracking software without the knowledge of consumers, adding to privacy concerns. Building trust may be a solution to these consumer anxieties.
When consumers provide information online, they want their transactions secured. Consumers therefore need some form of indicator on a website that serves as a surrogate for trust. Warrington and others (2000) identified several cues that consumers use when shopping online. These include privacy, return, and security policies, as well as the presence of a company address and telephone number for alternative ordering procedures. The researchers also noted that the overall professional appearance of a site promotes consumer trust. Turban and others (2002) echoed this and identified privacy and product return policies as components of a model that builds consumer trust in the online merchant. This model incorporates the presence of trust certificates and seals such as VeriSign and TRUSTe, along with vendor evaluation mechanisms like the Better Business Bureau logo. Of the various seal-of-approval programs available, two are most prominent: TRUSTe and BBBOnline.
In a review of the top 500 Internet consumer websites as ranked by Media Metrix in 2000, approximately 23.9% of sites displayed some form of seal emblem, symbol, or endorsement. The TRUSTe program addresses fair information principles: its authorization covers notice, choice, security, data quality, and access. Sites carrying the TRUSTe seal are evaluated through an initial inspection, seeding, and external audits. The BBBOnline program aims to assure consumers that their personal information will be protected by participating companies. Both TRUSTe and BBBOnline intend to increase consumer confidence in and trust of the online companies displaying their seals of approval.
Zemke and Connellan (2001) reiterated the importance of several such indicators in their publication Keys to Build Trust from the First Click. In particular, the presence of seals of approval — including BBB Online, TRUSTe, and VeriSign — along with Visa or American Express logos, is identified as a significant trust signal. The importance of consumer privacy and security policies, third-party seals of approval, return guarantees, and telephone and email support is also endorsed by Urban, Sultan, and Qualls (2000). By the end of 2002, five online privacy seal programs were available to website operators: BBBOnline, CPA WebTrust On-Line Privacy, the Direct Marketing Association's Privacy Promise, SecureAssure, and TRUSTe.
Additional analysis of seal-of-approval programs was provided by Miyazaki and Krishnamurthy (2002). These authors found that the mere display of an Internet seal of approval logo increases consumer perceptions of the favorableness of a site's privacy policy. The presence of such logos was found to enhance anticipated disclosure and patronage rates among consumers with comparatively high online shopping risks, but had no impact on consumers with low online shopping risk perceptions. Notably, the FTC found after surveying heavily trafficked websites that only 8% displayed a seal, and that nearly half of the sites displaying seals did not meet the standards set for fair information practices. It is evident that establishing trust is significant for retailers in the online environment.
It is clear from all discussions that consumers did not mind passing on certain types of information to a website, but only types that they do not consider personal information. They are unwilling to pass on financial information such as credit card numbers or social security numbers. Some data types are superficially similar, but consumers are far more sensitive about certain categories. For example, postal mail addresses, phone numbers, and email addresses are all methods of contacting individuals, but consumers are generally comfortable sharing their email address while reluctant to share their phone number. Sensitivity to postal mail addresses falls between these two extremes.