A popular saying goes: “Trust takes years to build, seconds to break, and forever to repair.”
While I wouldn’t completely agree, the idea isn’t wrong. In real life, trust between two parties is established over a period of time, depending on a variety of factors. Have you ever wondered why you initially trust some people more and others less, even if you’ve never met them before? A complicated multitude of factors influences our judgement: the person’s appearance, tone of voice, title or rank, and so on. Trust is established over time but can be lost within a few moments.
This poses a problem in the digital world, though. The factors we rely on for deciding whether to trust someone or something are completely different from the real world. We cannot judge by appearance if we do not see the other person, we cannot judge by tone of voice if we do not hear them, and titles and ranks are deceiving enough in the real world already. Online, we are often forced to decide whether to trust some other party within split seconds. This stands in contrast to real life, where one can take the time to verify whether the other party can really be trusted. The lack of information on which we normally base our trust, as well as the pressure to make a quick decision, leads to frequent errors in judgement. Those errors can be substantial – and costly. For example, you may fall victim to a phishing attack or another form of fraud, something that has emerged in recent years as a very critical issue online.
Figure 1: From the 2019 Proofpoint report “State of Phish.” While we have come a long way in learning to be cautious online, phishing remains an ever-growing problem.
The gravity of the trust issue didn’t elude policy makers and economists. In a 2011 study, the European Union found a lack of trust between merchant and purchaser to be one of the key factors inhibiting the success of eCommerce. Many steps were taken to overcome this issue, including the establishment of a unit called “eGovernment and Trust” and the subsequent launch of the regulation for Electronic Identification, Authentication, and Trust Services (you can read more about eIDAS in a previous blog). eIDAS took effect in July of 2016, so you could say it’s been around for a while. Did it really help in resolving the issues with digital trust?
Before we get further into analyzing the adoption of eIDAS, I have to say that I haven’t forgotten about the large parts of the world where eIDAS isn’t applicable. Many other trust guidelines have been established across the globe, applicable to specific industries and countries. One example is the establishment of the CA/Browser Forum for public CAs – including GlobalSign – which governs the issuance of publicly trusted SSL/TLS certificates. Another example of regulation, but one applicable to a single country rather than a global industry, is the Japanese Certification Authority Network (JCAN), which maintains a list of reliable trust services in Japan. We will later see how the adoption of eIDAS caused ripples in the global network of trust schemes, but first let’s turn to the initial adoption of eIDAS.
What Have We Learned About Trust Since eIDAS?
A report from late 2017, published by the European Union Agency for Cybersecurity (ENISA), details how eIDAS has been adopted since its creation in 2016. After only one year with Qualified Trust Services, did it become easier to verify trust online? The answer: it’s hard to say. Sure, 64% of Trust Service Providers (TSPs) came forward and said they planned on becoming Qualified Trust Service Providers (QTSPs), and 90% of SMEs and enterprises saw eIDAS as an opportunity to grow their business. But the report also identified some barriers, especially the lack of understanding among citizens and businesses about what trust services are. Another issue was the lack of standardization and of exact technical and legal specifications around trust services. Combined with many countries still maintaining different trust schemes on a national level, things get confusing.
On the bright side, eIDAS has proven to be a significant step forward in many areas. eIDAS was primarily meant to bring legal certainty wherever digital transformation would shake things up considerably. Making sure that there is a standard for electronic signatures that delivers the same level of confidence as wet ink signatures is the outstanding example, but there are plenty of others. Another is authentication with qualified certificates, which allows citizens to access government services that would otherwise require them to apply in person at a physical office. eIDAS also serves as the foundation for other regulations that aim to introduce more flexibility into a variety of processes without taking away from their security. One such example is the revised Payment Services Directive (PSD2), which enables electronic payments to be processed more seamlessly while also regulating how the parties involved are authenticated.
Figure 2: Popularity of different trust services one year after the eIDAS rollout. Unsurprisingly, qualified signatures, seals and timestamps are the most popular, as they are easily integrated into digital transformation processes.
If you’re currently outside of the European Union, largely unaffected by eIDAS, and you’re still reading: I appreciate your curiosity, and it shall be rewarded. Earlier I mentioned that we were also going to have a look at the impact that eIDAS has made outside of the European Union. A recent report by ETSI compared eIDAS to other trust schemes around the world. Some of the conclusions:
- While eIDAS does offer some good pointers regarding best practice, supervision, and auditing, it should be reviewed and tweaked with the upcoming 2020 revision.
- eIDAS needs more promotion, but it also needs to respect other, already existing trust guidelines and look closely at where they may offer solutions to issues that remain unresolved by eIDAS.
- ETSI standards based on eIDAS may serve internationally as a template for the technical implementation of electronic signatures with a high level of assurance. Once international trust schemes have adapted to those technical standards, they could be added through the EU trust list by bridge certificates or similar means.
So eIDAS hasn’t solved the issue of digital trust quite yet, but it is certainly making many processes faster, more convenient, and more accessible. And that’s a good thing, right? For each and every one of us: the accountant, who can process invoices much faster; the elderly lady, who can apply for her new passport online; and the enthusiastic young business owner, who can now start a business in Germany while working remotely from the US.
This is why we at GlobalSign have dedicated a lot of effort to being able to provide many Qualified Trust Services: Qualified Certificates for Electronic Signatures and Seals, Qualified Timestamps, Qualified Website Authentication Certificates (QWACs), and variants of seals and QWACs that also comply with the requirements of PSD2. Learn more on our website.