Towards the creation of a stakeholder platform on EU online trustmarks

The Digital Agenda for Europe foresees the need to "create a stakeholder platform by 2012 for EU online trustmarks, notably for retail websites" (Action 17). In support of this action, the Commission has launched a study on European online trustmarks in e-commerce, addressing, among other things, the possible approach and missions of that platform. The preliminary findings of the study are presented here.

Key issues and questions identified in the study are presented in the form of a commentable paper below. You can provide your input directly in the document, elaborating on the assumptions and replying to the questions, as well as commenting on the contributions from others.

The comments will be discussed at the Digital Assembly workshop on e-commerce, on 21 June. The persons who have provided the most valuable online contributions will be invited to present those contributions at the workshop.

The Commission will consider this feedback, together with the results of the study mentioned above, for the future policy steps regarding trustmarks, notably regarding the stakeholder platform.

Submitted by griff on Thu, 2012-05-31 17:41

I want to reference two Trustmark discussions that have already been started on the DAA12 Have Your Say website referenced below. It would be good to continue the combined discussion here. AnkaL notes the need for a pan European Trustmark so that consumers know they are dealing with a legitimate online merchant. But how to police this? EMOTA notes the use of Trustmarks more for service level flagging, which in itself can lead to increased trust.

From EMOTA: we would like to encourage a dialogue around the core elements of trust online based on the experience of traders and consumers.
From AnkaL: I'd like to add on trustmarks which are used on websites to increase sales. We all need some regulation in this area.

Submitted by griff on Thu, 2012-05-31 17:47

The case against trustmarks is that online shoppers are by definition less worried about trust as they are already giving their credit card or other payment details to unknown websites.

But surely (a) we want to attract more citizens to shop online (better choice, therefore a more open market, and lower prices) and (b) I wonder if the larger ecommerce sites are the main beneficiaries of any lack of trust. I understand that about half of Amazon's revenue [comment below and correct me if I'm wrong] now comes from independent retailers using their platform. eShoppers know that they can complain to the platform, Amazon, if things go wrong. But is this fair on smaller retailers who might not want Amazon to know their pricing and sales?

Submitted by Policybloggers on Sat, 2012-06-09 07:27

Excellent discussion and great to see you here Andrew. I agree with the comment - when the platform is a company there will always be some conflict. The trustmark idea is interesting and I am following it to see where it evolves. My only concern is: if every region starts its own 'trustmark', ecommerce is no longer global, which would be sad.

Submitted by Engberg on Sat, 2012-06-09 08:47

This quest for trustmarks is nothing but a placebo for lack of focus on quality and value. It is an act of desperation addressing symptoms instead of problems.

3rd party services have functions that can add visibility and process support in trade relations.

But this is massively oversold without substance or causal justification.

E.g. trying to claim trustworthiness for an identified transaction is senseless. Control is unnecessarily transferred and thereby security and trustworthiness are an impossibility.

Not least because the 3rd party service providers are most likely to be part of a scheme based on network effects and some secondary use of the data involved.

Instead of trying to build trust through "branding" the untrustworthy, e.g. gatekeeper payment systems, what about considering actually making services trustworthy, e.g. using Digital Cash for payments and empowering Citizens and companies to control secondary use of data.

Instead of branding "compliance" with a regulation that dictates surveillance and Command & Control, what about ensuring regulation and solutions actually enable trustworthiness.

If you want a brand associated with better trustworthiness, then do it instead of claiming it. This goes for government as well as for companies.

Submitted by pgezerlis on Sun, 2012-06-10 18:18

Congrats about the initiative. I just finished reading the Draft Interim Report of SMART 2011/0022 on EU online trustmarks. I had no idea that 54 European trustmarks for eTailers exist! And some countries have more than 3.

I also read that 20 trustmarks are set up by Industry Organisations, 15 by private firms and only 3 by government bodies.

My opinion is that the European platform should be available to any of those trustmarks, publicly or privately owned. As eCommerce is booming in Europe and intra-country on-line sales should increase, I believe that specific guidelines should be set by this EU platform and those should be adopted by the respective national trustmarks.

I've also noted some things in the commentable document above.

thanks for the opportunity to discuss here.

Submitted by griff on Tue, 2012-06-12 20:24

After chatting with some e-commerce professionals I posted a summary of small e-tailers' worries about their perceived need to trade through big trusted marketplaces like Amazon and eBay on the main DAA discussion site here. I just thought I'd flag it, though this audience is likely already well acquainted with this argument for a non-aligned international trustmark.

Meanwhile, as one professional put it to me, today you usually see the largest number of "trustmarks" on the least trustworthy sites! This is definitely an area for policy intervention and it's good to see the EC wanting to fix this.

Submitted by Engberg on Fri, 2012-06-15 09:06

There are 2 sorts of Trust - Validation and Risk-centered

1) Trustmarks can have a positive function as in verifying something that is fundamentally true.

Someone needs to tell me if a certain technology is designed to work as xx - e.g. PKI and especially blinded cryptography, where the group of people able to verify the mathematics is very small. Their scientific claims and linkage to validation that a certain technology operates like this are vital in order to VALIDATE a truth.

This trustmark is something that is scientifically verifiable as true, but somebody needs to verify to me that this is so.

This kind of Trustmark is critical for separating Empowering technologies from Fake trust with backdoors and open to fraud. E.g. the difference between Digital Cash based on blinded cryptography and a merely dis-empowering online Account-to-Account transfer where control is in the infrastructure.

2) The problem emerges when trustmarks are used as a security replacement, in the sense of something Citizens have to trust even though Citizens have no control (they are exposed to a real, non-mitigated risk).

E.g. the entire "consent" security replacement, which means that some trustmark claims I should "trust" (accept the risks towards) a site even though we all know that control of identity and personal data is exponentially rising for commercial and other purposes.

This kind of Trustmark is in the same group as e.g. Standard & Poor's evaluation of the Greek Economy stating "a statement of risk", even though everybody should know that this is just their view.

Similarly, if some Trustmark is used to convince citizens they are not tracked in Public Transportation using RFID, the Trust is PR/marketing rather than something creating trust.

I would suggest raising the quality of discussion from that of assuming all Trustmarks create confidence to the process of upgrading trust as in promises/required risk acceptance to something that can be validated as a pre-requisite for Empowerment and confidence.


a) There is a grey zone between the two, as no Trustmark can guarantee perfect security/implementation just as no Trustmark is only based on subjective elements.

This is why we need "Assurance Providers" where everybody can subscribe to their technology-supported, nuanced and DYNAMIC evaluation of elements. I.e. we need someone to provide Digital Agents with semantic knowledge that "B is 3 in our rating", in order to resolve at runtime that "A is better than B" or that "X technology/security credential is sufficient for Stakeholder Y's Requirement" in order to proceed with the transaction.

I am talking about creating a new dynamic standard - suggestively an upgrade of XACML with Security ontology support and dynamic two-way resolution of model-driven and upgradeable credential-based access control.

b) They have to be responsible.

E.g. when the MIFARE RFID chips used to track people in public transportation were cracked, this trustmark should have ensured that MIFARE Authentication was security-wise downgraded from medium to junk (but not changing that MIFARE is "Identifying" and thereby dis-empowering both before and after the downgrade).

c) They have to push true security by design and Empowerment in order to facilitate confidence and security.
Today "trust" in e.g. Cloud is 100% "We want you to trust cloud because we want cloud" - even though from a scientific perspective no such statement can be validated; on the contrary, it can be validated as untrue in the sense that there will always be backdoors and scaling security failures in cloud.

Cloud structures are never to be trusted, so instead there should be a shift to designing security in at the identity and application levels, in the sense that you ensure you do not have to trust cloud technologies. See e.g. this

d) They have to be dynamic.

I.e. to build trust in Public Transportation, we need to have CHOICE, so Citizens can evaluate and choose an Empowering model based on e.g. Digital Cash one-time-only "tickets" instead of tracking technologies such as RFID or NFC.

e) They have to distinguish clearly between empowering and dis-empowering elements.

E.g. the difference between validating Age through a blinded cryptographic "Proof of membership of the Group of Citizens aged above 18" and some tracking method like WAYF, SAML or PKI has to be clear.

f) They have to work on both element and "system" level

Validation on single elements, e.g. "This site uses SSL model x.x", which according to the NRL-ontology "SSL x.x provides transport-layer Encryption", which according to the BEUC Assertion Provider is "SSL x.x Transport Encryption is Class 2", making it "likely unbroken",

should be supplemented with Validation on Systems, e.g. "This System operates with identified personal Data", which according to the NRL-ontology classifies it as "Perimeter Security Only towards Unsecure Data", which both the GovCert and BEUC Assertion Providers would classify as "Dis-empowered" and "Not Cloud-ready".

If the citizen evaluation subscribing to the BEUC Assertion Provider, or a Government service evaluation subscribing to the GovCert Assertion Provider, then got the additional information that the system was running in cloud, a full stop warning would follow from her Security/trust evaluation.

In summation, the "Trustmark" discussion - in my view - should shift from naive assumptions on building "Confidence" towards the untrustworthy to facilitating dynamic and technology-supported choices at run-time based on much more nuanced and scientifically validated statements.

And with the MAIN objective to facilitate a shift towards Empowering technologies and systems, visualizing a true difference between sites and especially infrastructure components where Citizens are in control of their Identity/data and where they are not.
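Engberg's post above refers three times to blinded cryptography: Digital Cash as opposed to an identified account-to-account transfer, one-time-only "tickets" for public transport, and a "Proof of membership of the Group of Citizens aged above 18" that does not track the citizen. The following is an added example, not code from the thread or from any of the named projects, showing the mechanism behind all three in its simplest form (Chaum-style blind RSA signatures). The issuer checks the citizen's age in a registry and signs a token it cannot read; a shop or ticket gate verifies the token with the public key alone and records the serial so it is accepted once. The RSA parameters, the registry contents and the party names are assumptions made for the example; the key size is a toy size chosen so the code runs without a prime generator and must not be used for anything real.

```python
"""Blind-signature 'proof of group membership' token (added example).

The issuer learns WHO asked (and checks their age) but never sees the token;
the verifier checks the token but cannot tell who obtained it; a spent-serial
set turns the token into a one-time ticket.
"""
import hashlib
import math
import secrets

# Toy RSA parameters from the Mersenne primes 2^31-1 and 2^61-1.
# ASSUMPTION: far too small for real use; chosen so the example runs instantly.
# 65537 is coprime to (P-1)(Q-1), so the private exponent exists.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed registry standing in for whatever the issuer uses to check age.
REGISTRY = {"alice": 34, "bob": 15}


def h(msg: bytes) -> int:
    """Hash a token serial to an integer below N (stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


class Issuer:
    """Knows who the citizen is, never sees the token it signs."""

    def __init__(self, private_exponent: int):
        self.d = private_exponent
        self.log = []  # all the issuer could retain: (identity, blinded value)

    def sign_blinded(self, citizen_id: str, blinded: int) -> int:
        if REGISTRY.get(citizen_id, 0) < 18:
            raise PermissionError(f"{citizen_id} is not in the group 'aged above 18'")
        self.log.append((citizen_id, blinded))
        return pow(blinded, self.d, N)


class Citizen:
    """Picks a random serial and a blinding factor r coprime to N."""

    def __init__(self):
        self.serial = secrets.token_bytes(16)
        while True:
            self.r = secrets.randbelow(N - 2) + 2
            if math.gcd(self.r, N) == 1:
                break

    def blind(self) -> int:
        # m * r^e mod N is all the issuer ever sees
        return (h(self.serial) * pow(self.r, E, N)) % N

    def unblind(self, blinded_sig: int):
        # (m * r^e)^d = m^d * r mod N, so dividing by r leaves the plain signature m^d
        sig = (blinded_sig * pow(self.r, -1, N)) % N
        return self.serial, sig


def verify(serial: bytes, sig: int) -> bool:
    """Anyone holding the public key (N, E) can check the token."""
    return pow(sig, E, N) == h(serial)


class Verifier:
    """A shop or ticket gate: accepts each valid serial exactly once."""

    def __init__(self):
        self.spent = set()

    def accept(self, serial: bytes, sig: int) -> bool:
        if not verify(serial, sig) or serial in self.spent:
            return False
        self.spent.add(serial)
        return True


def run_protocol(citizen_id: str) -> dict:
    """Full exchange: blind -> sign -> unblind -> verify. Reports what each side saw."""
    issuer, citizen = Issuer(D), Citizen()
    blinded_sig = issuer.sign_blinded(citizen_id, citizen.blind())
    serial, sig = citizen.unblind(blinded_sig)
    issuer_saw = [blinded for _, blinded in issuer.log]
    return {
        "serial": serial,
        "sig": sig,
        "valid": verify(serial, sig),
        "issuer_log": [who for who, _ in issuer.log],
        # the value the issuer logged never appears at the verifier
        "linkable": h(serial) in issuer_saw or sig in issuer_saw,
    }


if __name__ == "__main__":
    result = run_protocol("alice")
    print("token valid:", result["valid"], "| issuer can link it:", result["linkable"])
```

The point the post makes is visible in `run_protocol`: the issuer's log holds an identity and a blinded number that never reappears, while the verifier holds a serial and signature that never touched the issuer, so the two records cannot be joined. The `Verifier.spent` set is what makes a Digital Cash token a one-time ticket; without it a valid token could be replayed.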

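Point f) of the post, together with a) and b), describes a run-time evaluation rather than a static seal: element claims ("this site uses SSL x.x") and system claims ("this system operates with identified personal data") are mapped through a shared ontology to security properties, an Assurance Provider the stakeholder subscribes to rates those properties, the rating is compared with the stakeholder's own requirement, a disqualifying combination (identified data running in cloud) is a full stop, and a provider can downgrade a rating later (the MIFARE case). The following is an added example, not code from the thread or from any standard it mentions, implementing that evaluation in miniature. The ontology entries, the provider names BEUC and GovCert as used here, the ratings and the two requirements are assumptions constructed for the example; the post's "Class 2 / likely unbroken" is represented as the rating MEDIUM.

```python
"""Run-time assurance evaluation (added example): claims -> ontology ->
provider ratings -> stakeholder requirement, with full stops and downgrades."""
from dataclasses import dataclass
from enum import IntEnum


class Rating(IntEnum):
    JUNK = 0
    LOW = 1
    MEDIUM = 2  # stands in for the thread's "Class 2 / likely unbroken"
    HIGH = 3


# Hypothetical ontology: concrete claim -> the security property it maps to.
ONTOLOGY = {
    "tls-1.2": "transport-encryption",                      # element level
    "mifare-classic-auth": "token-authentication",          # element level
    "identified-personal-data": "perimeter-security-only",  # system level
}


@dataclass
class AssuranceProvider:
    """Publishes ratings per property plus (property, runtime fact) pairs it forbids."""
    name: str
    ratings: dict
    blockers: set

    def rate(self, prop: str) -> Rating:
        return self.ratings.get(prop, Rating.JUNK)  # unrated -> fail closed

    def downgrade(self, prop: str, new: Rating) -> None:
        if new < self.rate(prop):
            self.ratings[prop] = new


@dataclass
class Requirement:
    """What a stakeholder insists on: property -> minimum acceptable rating."""
    minimum: dict


@dataclass
class Decision:
    verdict: str      # "proceed" | "warn" | "stop"
    findings: list


def classify(claims):
    """Claims -> properties via the ontology; unknown seals are reported, not trusted."""
    props = {ONTOLOGY[c] for c in claims if c in ONTOLOGY}
    unknown = [c for c in claims if c not in ONTOLOGY]
    return props, unknown


def evaluate(claims, runtime_facts, provider, requirement) -> Decision:
    props, unknown = classify(claims)
    findings = [f"unrecognised claim '{c}' ignored" for c in unknown]
    verdict = "proceed"
    # 1. full stops: a property combined with a runtime fact the provider forbids
    for prop, fact in sorted(provider.blockers):
        if prop in props and fact in runtime_facts:
            findings.append(f"{provider.name}: '{prop}' together with '{fact}' -> full stop")
            verdict = "stop"
    # 2. minimum ratings: missing or junk -> stop; present but below minimum -> warn
    for prop, need in requirement.minimum.items():
        got = provider.rate(prop) if prop in props else None
        if got is None or got == Rating.JUNK:
            findings.append(f"'{prop}' missing or rated junk by {provider.name}")
            verdict = "stop"
        elif got < need:
            findings.append(f"'{prop}' rated {got.name}, requirement is {need.name}")
            if verdict != "stop":
                verdict = "warn"
    return Decision(verdict, findings)


def make_beuc() -> AssuranceProvider:
    """Constructed provider: ratings and blockers are example values."""
    return AssuranceProvider(
        name="BEUC",
        ratings={"transport-encryption": Rating.MEDIUM,
                 "token-authentication": Rating.MEDIUM,
                 "perimeter-security-only": Rating.JUNK},
        blockers={("perimeter-security-only", "runs-in-cloud")},
    )


CITIZEN = Requirement({"transport-encryption": Rating.MEDIUM})   # a shopper
TRANSIT = Requirement({"token-authentication": Rating.MEDIUM})   # a ticket gate


def demo() -> list:
    """Four evaluations: shop on-prem, shop in cloud, MIFARE before and after the crack."""
    beuc = make_beuc()
    verdicts = [
        evaluate(["tls-1.2"], set(), beuc, CITIZEN).verdict,
        evaluate(["tls-1.2", "identified-personal-data"], {"runs-in-cloud"}, beuc, CITIZEN).verdict,
        evaluate(["mifare-classic-auth"], set(), beuc, TRANSIT).verdict,
    ]
    beuc.downgrade("token-authentication", Rating.JUNK)  # provider reacts to the break
    verdicts.append(evaluate(["mifare-classic-auth"], set(), beuc, TRANSIT).verdict)
    return verdicts


if __name__ == "__main__":
    print(demo())  # ['proceed', 'stop', 'proceed', 'stop']
```

Two design choices carry the post's argument. Unrated or unrecognised claims default to JUNK and a required property that the site does not provide is a stop, so a page plastered with seals the subscriber's provider does not know gains nothing from them (griff's "largest number of trustmarks on the least trustworthy sites"). And the rating lives with the provider, not with the site, so the MIFARE downgrade flips the ticket-gate verdict without the operator having to republish anything.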
