Evaluating technical tools and services as an exercise in trust

People often seek tools and technology services to help protect the security and privacy of information, but when evaluating such technical tools, it can be equally important to consider the source of the tool to determine whether you can have sufficient confidence that the tool will do what it purports to do with respect to security, and not expose vulnerabilities of its own. This sort of thinking is seen in the recommendation (reported last week in The Washington Post) received by AT&T from the National Security Agency (NSA) to avoid sourcing telecommunications equipment from Chinese manufacturer Huawei, due to concerns the company might embed capabilities that would enable the equipment to be used for eavesdropping. Chinese companies in general and Huawei in particular have established successful market presence internationally, including in the U.S., but, at least where equipment from the company might be deployed by AT&T in support of its government infrastructure operations, being an established provider apparently does not translate into being trusted.

On a somewhat smaller scale, some initial excitement in the blogosphere over email address shortener scr.im was quickly tempered by a realization that the online service had some flaws in the way it implemented security features like captchas that left it quite vulnerable to attacks that would compromise the pseudonymity of its users. Reactions to the service, which offers users a way to “share your email in a safe way,” were cited as an example of the need to “trust, but verify” when it comes to technology, including security technology. The underlying message may be appropriate, but invoking the phrase popularized by Ronald Reagan in the context of computing systems gives the word trust an overly narrow connotation, in this case confidence that a system will perform as expected. As I have argued previously in this space, substituting the word trust where “reliability” or specific functionality is all that can be expected stops far short of the criteria that might actually need to be satisfied to establish the trustworthiness of a system, a service provider, or the parties behind them.