Where to start on this one?
Trust as we use it means so many things. Then there’s the word trusted. Beyond that, there is trustworthy. A bullet point on a slide I recently saw said, “Trusted computing is not trustworthy computing.” Oh, how nice. Even better, “Trusted Computing does not mean trustworthy or secure.” I must ask in what sense is trust anything but jargon (at best) or newspeak (at worst), with hyperbole being a middle interpretation?
Isaac Newton said that for every hyperbole, there’s an equal and opposite hyperbole. Confirming this law of nature, Richard Stallman has declared that trusted computing is actually treacherous computing. Thus we have Orwell satisfied. War is peace; freedom is slavery; trust is treachery.
A good deal of the problem is that trust is transitive. No, not that way. Not in the sense that if Alice trusts Bob and Bob trusts Carol, then Alice trusts Carol. Transitive as in verb that takes a direct object. Of course we all trust our mothers. But if you “trust your mother with your life,” does that mean you trust your mother to change a firewall rule in your router? Trust is not only a transitive verb, but it is a situational transitive verb.
We in security use trust not as a transitive verb, but as a noun, and worse, an adjective. This leads to many strange things. Among them:
- “Trust is willingness to do something risky on behalf of another human.” I wish this were merely a typo because this is the opposite of trust. I might be willing to let you do something if I trust you, but your willingness is not trust, it is willingness. Trust may be a precondition for my willingness, but it may be that my willingness is thin because I have no choice. I trust Bill Gates, Steve Jobs, and Linus Torvalds, but it’s not like I have an alternative.
- “Trust is risk.” Not bad. But as we know from economics, risk is money. Therefore, through transitivity, trust is money.
- “A trusted system is one that can screw you.” Yup, and precisely my point. When I trust my OS, I trust it in the sense that I just have to take a deep breath and hope.
Let’s stop using the word trust. Don’t say trustworthy metadata if you mean believable metadata. Don’t say trust if you mean control, risk, willingness, confidence, or reliance. Use those words. Trust is stale and vague. It would be best if we stop using it.
That is easier said than done, given the way we habitually use it. Nonetheless, we should fight new uses of the word, if for no other reason than a smart consumer will run screaming if they hear you use it, because when trust is used with security, it means something bad is going to happen. It means exactly what “This won’t hurt a bit” does. The faster you flee it, the faster the irony becomes apparent to all.