2.WHAT IS TRUST?

	–  2  – TRUST Ì
	In the province of the mind, what one believes to be true either is true, or becomes true.
	— John Lily.

 

The term “trust” is increasingly used by those concerned with information security and electronic commerce. The most popular domain for its usage has been research regarding authentication and the infrastructure for public key technology in a networked environment [BLNS86, YKB93, BBK94, ZH95, BBC90]. The issue of how to exchange public keys and their certifications over the Internet has been important to the creators and users of public key applications such as pgp. However, the broader, more traditional usage of the word – beyond the specifications of certification formats for public keys – has increased with the rise of electronic commerce.

Even though the term trust is used, it is rarely defined. Trust is defined by the Oxford English Dictionary as:

1. a. Confidence in or reliance on some quality or attribute of a person or thing, or the truth of a statement.

2. Confident expectation of something; hope.

3. Confidence in the ability and intention of a buyer to pay at a future time for goods supplied without present payment.

Each one of these definitions applies towards an understanding of trust that I shall present in my thesis. The first definition speaks to the common sense understanding of trust. If I trust you, I am relying upon a quality or attribute of something, or the truth of a statement. It also hints at a logical treatment that could apply towards understanding trust. The second definition includes the word “expectation” which reflects the strong mapping between the common sense understanding of trust and concepts from decision analysis. The third definition speaks to the driving force behind interest in trust: commerce. The language of markets, credit, risk, and the law may be successfully extended to the digital realm.

2.1    Trust as Truth AnD BELIEF

In the relatively small but quickly growing[5] amount of technical literature regarding trust, a few references are made to the significant amount of philosophical literature on the topic of trust and belief. Zurko and Hallam-Baker [ZH95] refer to modern hermeneutics (the study of knowledge descending from Heidegger's philosophies) as an insightful philosophy into the nature of trust: “A key concept in hermeneutics is the assertion that communication and interpretation are central to the concept of truth.”  By arguing that “much of what we regard as truth is in fact taken as trust”  [ZH95] they consider a Hermeneutic philosophy to be a philosophy that parallels the distributed “webs of trust” found on the Internet.

A formalized logical approach can also be taken. Rangan developed an approach for formalizing trust by constructing a theory based on a  modal logic in which “first-order predicate logics are enhanced by modal operators such as belief.” [Ran88:205]  The approach developed a model in which agents maintain a data-base of beliefs regarding the real world. Associated with each agent is a set of states corresponding to the real world, or his belief of the real world:

An agent's belief arises primarily because of the agent's ignorance about the global state of the distributed system. Thus an agent's state of belief corresponds to the extent to which, based on its local state, the agent can determine what global state it is in.

[Ran88:206]

In a given global state, there are a series of possible-world states which are those worlds that are possible under an agents set of beliefs. An agent believes an assertion if that assertion is true for each of the global states that the agent thinks is possibly the real one. By defining a distributed system in terms that may be related to a Kripke structures (a formal model that relates various propositions, their truth assignments and the possibility of an agent considering one global state to be likely from another) Rangan constructs a formal theory for the evaluation of belief systems of the sort: agent(i) believes agent(j) believes some well formed formula (wff) in the language of the logic. These wff may be operated on or transformed by agents using rules of inference and they may be communicated to other agents. Without following Rangan's theoretical treatment and proofs to their conclusion, I would like to describe some of the interesting characteristics of the theory with regards to trust and their application towards my own understanding of trust:

1.       A believed proposition need not be true in the real world, but it must be true in all the states corresponding to an agents possible states and their possibility relations.

2.       For the global states,  (s,t) “r_i is called the possibility relation according to the agent(i)” [Ran88:206] iff in the global state s, agent(i) can consider the global state t as possible.

3.       A message containing a wff from agent(j) to agent(i) may trigger a belief acquisition in agent(i)'s data-base if the wff is consistent with the other messages from agent(j).

4.       “In the logic, beliefs received by agent(i) will not be inconsistent with each other.” [Ran88:207]. Rangan's interesting example is that of agent(j) telling agent(i) some wff f. If agent(j) then tells agent(k) ^~f, and then agent(k) tells agent(i) their is no inconsistency in agent(i)'s belief data-base. Rather, he believes that agent(j) believes f, and that agent(j) lied to (agent(k) who believes ^~f.)

5.       An agent may send beliefs it does not hold, but only beliefs which are consistent with previous messages from an agent will be accepted by others.

Given these properties and other developments Rangan formally develops a theory of trust where the expression of trust is the addition of a wff that is valid for the axioms of a logic. He is then able to specify various applications by which the chains of trust in a system may be specified formally and proven to be valid by a theorem prover.

[BAN89] provided a logic (referred to as ban logic) for the analysis of authentication protocols. Often, such protocols are explained by listing a series of messages in the form of

            P à Q : message

where message may be a series of clear-text, encrypted, or signed messages that are interchanged between the principles, P and Q, of the protocol. By enumerating a set of constructs such as belief, once said, sees, and jurisdiction over Burrows, et al. are able to specify a logic with which such authentication protocols can be rigorously tested. While it does not address the characteristics or nature of trust itself, it does allow one to logically examine whether the assumptions and goals of a protocol with respect to trust are self-consistent.

Gong, Needham, and Yahalom extend BAN logic [GNY90] by providing an approach that exceeds the assumptions required for the original logic:

For example, it does not assume that redundancy is always present in encrypted messages – incorporating instead a new notion of recoginizability which captures a recipient's expectation of the contents of messages he receives.

[GNY90:234]

One of the greatest differences is the added distinction one can make for what principles believe in and the information they possesses. Such a scheme allows for a much more intuitive understanding of trust and belief since , "this allows us to separately treat the content of a message and the information implied by such a message. It also makes it possible to separate reasoning about the physical world from the reasoning about other principals' beliefs, so that we can consider different levels of trust in the reasoning." [GNY90:234]  This difference is reflected in the set of statements for the logic: P is told, P possesses, P once conveyed, and a series of different belief statements regarding the freshness of a formula, the recognizeability of a formula, and the beliefs for the suitability of public and secret keys. As such, one can have a different level of trust for beliefs about the real world, and statements sent by other agents.

This distinction is discussed further in [YKB93:152] where the authors, "distinguish between directly trusting some entity in some respect, and directly trusting an entity in some respect due to some other entity's trust."[6]  Given this new distinction, the obvious concern is how does one traverse the network or web of trust (called a trust recommendation path) that develops in an environment in which one trusts an agent, who also can express beliefs about the trustworthiness of others, and the others may do the same?  They accomplish this by presenting a trust derivation algorithm which, "generates, from a given set of [trust] expressions, a set T of all entities in which a corresponding entity, say A, indirectly trusts in respect to x" [YKB93:156], where x can be one of the following functions: identification, key generation, escrow, non-interference, clock synchronization, protocol compliance, and providing information about others' trustworthiness (or reputation.)

In Valuations of Trust in Open Networks[7] [BBK94] the analysis of derived trust is further extended for cases in which, "different entities offer different allegedly authentic data…." [BBK94:3]  A method of resolving these differing opinions is required. A number of interesting concepts are introduced, one of which is the recording of both positive and negative experiences with other agents. I call this record a history,   The concept of direct trust (trust about a direct interaction with another) and recommendation trust (one's level of trust in another as an introducer of strangers) are also defined in the following manner. A direct trust relationship[8] exists if:

all experiences with Q with regard to trust class x which P knows about are positive experiences. . . V is the value of the trust relationship which is an estimation of the probability that Q behaves well when being trusted. It is based on the number of positive experiences with Q which P knows about.

[BBK94:5]

and (v) is computed as follows (where p is the number of positive experiences)

            v_z(p) = 1 – a^P

this value is the probability that Q has a reliability of more than a, founded on the information P possesses about Q.

[BBK94:6]

If r is the actual reliability of an entity, the authors prove that the probability of r being greater than one's "threshold" of a is 1 – a^P+1.

A recommendation trust relationship exists when

if P is willing to accept reports from Q about experiences with third parties with respect to trust class x.

v in this case is the value of the trust relationship with Q which can exist over both positive (p) and negative (n) experiences[9] with the recommended entities and is calculated as follows:

As the positive experiences grow with a particular agent, v will approach 1. If the negative experiences exceed the positive over time, v will approach 0. Given a non-cyclic network with v representing the value of the trust relationships (vertices) between the agents (nodes) a derived trust value can be calculated which includes the strength of the recommendation, and how much one trusts the recommender (solid lines are a direct trust and dotted lines are recommended trust.).

[BBK94:8]

The derived values for the relationship between A and C are:

           

which is equal to

               

A result of this analysis, which I do not show, is that multiple derived values (multiple opinions about, or paths to, one agent) can be combined to form a single, balanced, direct trust. Also, an interesting consideration with regards to the §2.6 is that the valuation is considered in light of economic value.

As mentioned earlier, we assume that the value of each task can be measured in units, e.g. in ECU which are lost when the task is performed incorrectly. Our estimations about the reliability of entities were made relative to tasks consisting of a single unit. If we wish to entrust a task consisting of T units, the trust entity has to fulfill T "atomic" tasks in order to complete the whole task. Bearing in mind, we can estimate the risk when entrusting a task to an entity.

The results of many of the previous calculation can then be combined in order to demonstrate how many economics units one is willing to risk to trust a given entity:

           

                          

In their example with a = 0.99 and v = .637, if they are willing to entrust a task worth 100 units (T), then they must be willing to risk l(0.99, 0.637, 100) = 49.5 units.

Many of the above schemes have a relatively static approach to authentication and trust relationships. However, in a real network, once trust relationships have been established, a further difficulty – especially for distributed authentication – is how does one establish trust relationships or delegate permissions on a temporary and "cascaded" basis. An example given in [Sol88] is that of a business person making travel arrangements which will be paid for by the accounts payable office. The accounts payable office will only deal with one travel agency, which communicates with the user and acts on a user's behalf to make reservations for flights, cars, and hotel reservations. Each reservation will require a prepaid percentage of the total reservation for their service. The accounts payable office will only approve of charges that the user signs for, and the reservation agency will not make any reservations without the accounts payable office having guaranteed the funs. Sollins solution is to analyze a threat model of cascading authentication in which permissions may derive and cascade from one source through multiple nodes of a network under certain constraints:

As suggested in the example about travel arrangements it is useful in a distributed environment to be able to allow a remote service to act on one's behalf, but retain some degree of control over the actions that the remote service does on one's behalf.… The mechanism proposed here to solve this problem of handing of limited authentication is called a passport. The passport identifies the originator and is digitally signed at each transit point, so that each participating transit point is identifiable.

[Sol88:158]

Sollins then provides a protocol which meets the requirements of unforgeability, accountability, discretionary restriction, modularity, independence, and the combining of identities for the passports.

In An Architecture for Practical Delegation in a Distributed System [GM90] the authors use the word delegation to represent a user’s authorization of a system or agent to act with some of his own permissions. Furthermore, their protocol, "goes further than other approaches for delegation in that it also provides termination of a delegation on demand (as when the user logs out) with the assurance that the delegated systems, if subsequently compromised, cannot continue to act on the user’s behalf. [GM95:10] The authors liken their architecture to that of Kerberos V4 but use public-key technology so as to avoid the necessity of an authentication server. By constructing a protocol and format for the transport of delegation keys (related to Sollin’s passports) which are public/private key pairs that authenticate a delegated system to a server, and which certify the next step of delegation:

This architecture goes further than Kerberos V4 in that it permits a "chain" or cascade of delegations through multiple systems.…  In our chain of delegations the reference monitor knows that all systems in the chain are authorized delegates. In addition, the reference monitor can determine the identity of those systems for auditing and access control purposes.… One additional feature, not known by us to be present in other authentication forwarding schemes, permits the delegation to be explicitly terminated by the user so that the intermediate systems, if compromised subsequent to the termination, cannot make use of the rights attained through delegation.

[GM95:21]

Two recent, related protocols for distributed authentication and cascaded or delegated permissions include [BBS94, SAJ94].

Many of these models use point probabilities in their calculations. However, there is often a great deal of uncertainty in one’s beliefs of the real world. A potential solution to this problem is to adopt a “fuzzy” artificial intelligence (ai) approach. May suggested that ai research on belief systems is relevant to the study of trust. [May96] Particularly the Dempster-Shafer theory, which May quotes [RN95] as follows:

The Dempster-Shafer theory is designed to deal with the distinction between uncertainty and ignorance. Rather than computing the probability of a proposition, it computes the probability that the evidence supports the proposition. This measure of belief is call a belief function, written Bel(X).

[RN95:462]

An added benefit of this method is that it provides a means of combining evidence to derive new Bel values – in a way similar to derived trust in [BBK94]. However, a concern for these computational models, and in some aspects the decision analysis presented in §2.3, is the need for events to be independent:

Further, Dempster-Shafer theory provides rules for combining probabilities and thus for propagating measures through the system. This fourth point is possibly the most attractive, but it is also one of the most controversial since the propagation method is an extension of the multiplication rule for independent events. Since many of the applications involve events that are surely dependent, that rule is, by classical statistical criteria, inapplicable. The tendency to assume that events are independent unless proven otherwise has stimulated a large proportion of the criticism of probability approaches; as it stands, Dempster-Shafer theory suffers the same ill"

[Nut86:846]

Given the above progression of formal models which become increasingly sophisticated, my intent is not to replicate the formal methods, but to provide a general understanding of trust in the most comprehensive manner and to show how that understanding can be used to represent complex interactions on digital networks – and the interactions of trust with economic value. As such, I must be philosophical for a moment and define my terms and discuss my assumptions while avoiding the pitfall of wondering if a user of a network can trust that not only the network exists, but that the user himself exists!

2.2    A Theory of Trust

In keeping with Rangan's treatment, I posit that there is in fact a real world. However, each agent can consider potentially contrary beliefs about that real world, each which is expected to be true with some probability. In an abstraction of  the direct trust and recommended trust of [BBK94], I only consider one form of trust which is the trust one extends about various assertions. An assertion is a statement which asserts an attribute of the real world. The abstraction here is that one can place a variable amount of trust on both first and second hand perceptions and stimuli. Trust is the degree to which an agent considers an assertion to be valid for the real world. There is an associated risk of the assertions being wrong.[10] Experience is the creation of a history that contains mappings between various assertions about the real world. For instance,  someone may predict (assert) that the sun will rise tomorrow, and when my eyes have told me (assert) that it does, I have gained experience. A belief or assumption is a strong assertion that is innate to an agent's intelligence, or perhaps common to many agents (similar to direct trust in [BBK94].) Assumptions are rarely challenged and are considered to be (1) a seed for the evaluation of all other assertions, (2) a common basis for the creation of histories between agents. For instance, the assertion:

- “I exist” is considered to be a very strong assumption. (~99.999%)

- “I believe what my eyes tell me about the real world” is considered to be a relatively strong assumption. (~99%)

- “I believe what other agents tell me the real world” is not an assumption. (~75%)

For instance, an agent may tell me that I may find $5 under the blue stone. If $5 is found under the blue stone, an experience relative to the assumption that I indeed saw it for my own eyes becomes part of my history – experience is created. In this case:

assertion of $5 under blue stone

Û

assumption of I may believe my eyes that $5 was found under the blue stone

So as to not to always have to question an agent’s first hand knowledge, I define an event to be the eventual result or determination of an assertion based on first hand knowledge or an equally strong assumption. The mapping between two assertions (one often being an assumption) is similar to  Rangan's belief acquisitions.

Unlike Rangan's (3) of §2.5, I assume agents may accept new assertions which are contrary to previous assertions. (This seems to place undo weight on the significance of early assertions.)  Also, Rangan's discussion of possible worlds is useful, but requires that, “an agent believes p, denoted by B_ip, iff p is true in all the global states that the agent considers possible.” [Ran88:26]  Since in real life may people consider a wide range of possible beliefs, including p, ^~p, and p probabilistically,[11] I assume otherwise.

In place of Rangan's (3)[12] in which only assertions consistent with previous assertions in the belief-database are accepted, I consider a more complex trust algorithm akin to the derivation algorithms of [BBK94] which generates the probability with which an agent feels an assertion is likely to pertain to the real world.  As an example, an agent may see a ball drop 100 times after being released and have a lot of trust (a high expectation) in the assertion that the ball will drop again if released in the future. Trust algorithms can be considered to be function which describe personal behavior, or a deterministic algorithm of an agent, both of which will have some of the following characteristics:

Table 2-1
Characteristics of Trust Evaluations

C1.   Closeness – given an experience of the form A1ÛA2, if A2 is an assumption, the strength of the mapping between A1 and A2 will be greater.  Hence, seeing the $5 dollars under the blue rock is closer (and in this case more likely to be believed) than reading about it. This strong mapping may then be used as a basis for believing other assertions about the world. Also, if no money is found under the blue rock this negative experience is closer than having read about the money not being found under the blue rock. C2.   Accuracy  – the degree to which an assertion matches another. Finding $5 under the blue rock, rather than $4, $3, or no money under the rock leads to a stronger experience. There are also a number of variables which take into account multiple actions from agents over time. C3.   Sample size – the number of times (or samples) an assertion about the real world is taken (seen). (The amount of experience, similar to the relationship between the number of p and n in [BBK94].) C4.   Variance – the degree to which an assertion varies from aggregated experience. (For instance, an assertion may be “too good to be true.”) And amongst the above variables are the demographic categories with which they are compared to or correlated with: C5.   Expertise – Proclamations by an agent that is known to be a doctor (perhaps he has a digital certificate from the AMA to prove it) is trusted with regards to assertions on medical information, but not with regards to automotive information. C6.   Deferral  (Accreditation) – The example above of the AMA asserting that a doctor is a good doctor is an example of an agent trusting an assertion about another agent. C7.   Threshold (Group) – One many not trust the individual assertion of Larry, Shep, or Moe; but, if all three assert the same thing, one may have a higher opinion of that assertion. Furthermore, one may examine the above components with respect to a specific individual or demographic group: C8.   Individual History – The history of that particular individual (or threshold group). C9.   Category History – The history of similar individuals (or threshold groups). Finally, there could be any number of initial conditions and assumptions for the algorithm itself. C10.An agent is generally (dis)trusting in believing assertions. C11.An agent does (not) give people the benefit of the doubt initially.

For people, this algorithm is most likely not monotonic, and may non-deterministic (seeming irrational), for instance, a favorite saying of mothers with regards to C7 is, “if everyone jumped off the cliff, would you do it too?” This ambiguity with respect to the rationality and expectations of the agents leads one to consider the realms of risk perception and decision analysis.

2.3    Decision Analysis

A field other than philosophy and logic which may provide a means for understanding trust in the digital realm is decision analysis. Such a mapping seems particularly appropriate since there is a wide body of literature on preference functions, expected values, and risk assessment – all of which are concepts we are attempting to understand in relation to a networked environment. In such an environment, a number of complex interactions may be possible with the development of electronic cash or other monetary instruments. However, simple cases where one user (agent) is in a risky transaction with another agent of the Internet have existed for years – for.sale boards. Be it a mailing list, conference, or bulletin board people frequently trade or purchase materials without a clue of the identity or trustworthiness of the other person – such a market will be termed a networked market.[13]  In such as example, trust is the assessment of ones risk in a certain situation. This example of two users attempting to decide if or how to conduct transactions in such a market shall be a common example of my analysis of trust.

2.3.1     The Value of Credit Information

A common-place occurrence on the Internet is that of a user wishing to buy a product from another. There is risk for both the seller and buyer in such a scenario depending on the arrangement chosen. A buyer needs to be concerned about receiving the product in working order in return for the money he spends. The seller in turn, needs to be concerned with the quality of payment for his product: will it be the right amount and on time?  The concerns of the buyer and seller often take the form of negotiation regarding whether the product is paid for by check, cash, or credit card; whether the transaction is cod, or prepaid. This negotiation shifts the amount of risk between the parties and the level and direction of trust required in the transaction, and is dependent on the economic properties of the supply and demand elasticities for the product.[14] For instance, tenancy places the land-owner at risk since the tenant may ruin the property, but because the owner often has a stronger position in the market (a take or leave it deal) he can force the transference of risk unto the tenant with a security deposit.

Often, the buyers and sellers in such a situation are faced with a decision: to purchase the item, or forgo the purchase. In a more sophisticated case, a user also has an option to purchase information concerning the expected result, this is likened to buying credit or rating information regarding the trust worthiness of the other principal. Decision analysis provides one a way to analyze such a scenario. While it probably would not be a plausible nor efficient exercise for conducting transactions over the Internet,[15] it does provide an understanding of the concepts involved. Consider the following example from a buyer's point of view.

2.3.1.1     Expectation with No Information

The buyer has been offered 1 megabyte of computer ram for $30 prepaid. 1m of ram is worth approximately $40, the buyer has never done business with the seller before and is not very trusting – he expects the seller will cheat him with a 50% probability. The decision the buyer is then presented with is as follows:

 

The expected value for the PrePay decision is (.5)10 + (.5)(-30) = -10. The expected value of the ^~PrePay (and as such no transaction) is 0. Since,  -10 < 0 the buyer would not proceed with the transaction. A useful extension to this scenario is the expected value of information. (EPVI)  This corresponds to the information about a market, the credit history of a user, or the certification a third party could provide to vouch for the level trustworthiness of another user. Assuming that the third party (referred to as a credit agency) is trust-worthy, what service and increased benefits could be provided? 

2.3.1.2     Expectation with Extended Information

deNeufville defines the value of information in decision analysis as, “The increase in expected value to be obtained from a situation due to the information, without regard for the cost of obtaining it.” [deN90:330]  In this example, assume that the credit agency has aggregate market information that shows that prepaid transactions for ram are honestly completed 80% of the time.

The revised expected value for the decision is (.8)10 + (.2)(-30) = 2. As such, over a significant number of transactions, on average this information provided the buyer with a benefit of $2 –some of which can be collected by the credit agency.

2.3.1.3     Expectation with Perfect Information

The credit agency would be remiss if it was not able to provide specific information about the seller. In such a case, the buyer could attain information about the character of that seller, or it could procure the results of a test in which the credit agency would either “approve” or “disapprove” the transaction on a basis of its own models (perhaps it has a “better”, more sophisticated trust algorithm and with the specific information it has on agents it is able to make recommendations regarding a transaction.)

In this case, the credit agency’s service is to provide specific information which the user can than apply towards his own preferences, or the agency can give a simple recommendation for conducting the transaction.[16] (Or in a similar example, the acceptance of a credit card ­– every store can not process all the trust information regarding every transaction, hence they defer such decisions to credit card agencies.)  Since this recommendation is an assertion (even if it is an assertion about another's assertion) it too is subject to the exercise of trust – or in other words has a probability of being an accurate assertion. The credit agency may be able to assert that it's predictions are accurate 85% at the time, or perhaps one has enough experience with the credit agency to come to this conclusion on one’s own. So as to not get too complex, the buyer will continue to trust the assertions of the credit agency, and as such will not worry that the agency is lying about it 85% accuracy rate. In this situation, the user could calculate the expected value of perfect information and assume the credit agency is always accurate. In such a case, the new calculations would be correspond to the following:

First, every test result, Tr_k, from the perfect test will tell us exactly what will happen subsequently, and its associated outcome, O_ik, will have probability one in the revised decision tree following the test result. [deN90:337]

In our case, we would conduct the calculation taking the branch of each decision with the best outcome. Since we have perfect information and know exactly when to conduct a transation, the decision tree and expect value is simple: (.8)10  + (.2)0 = 8.

The expected value of perfect information is then our new result less the old: 8 - 2 = 6.

2.3.1.4     Expectation with Sample Information

Calculations for the expected value of sample information are more complex and require one to consider the fact that predictions are incorrect 15% of the time. Such errors will decrease our benefit because of the good business we lost, and the bad risks that we needlessly took. The calculations are shown for completeness:

Cheating = “C”; Playing Fair = “F”; CheatingPredited = “cp”; FairPredicted = “FP”;

                  P(C) = .2          P(cp/C) = P(FP/F) = .85

                  P(F) = .8           P(cp/F) = P(FP/C) = .15

The probabilities for the actual predications are as follows.

P(cp) = P(cp/C)*P(C) + P(cp/F)*P(F)

              (.85)(.2) + (.15)(.8) = .29

P(FP) = 1 - P(cp) = .71

The revised prior probabilities are calculated using the probabilities of the predictions and Baye's Rule.

         P(C/cp) = P(C) *    =  (.2)[(.85)/(.29)] = .5862

         P(F/cp) = 1 - P(C/cp) = .4138

 

         P(F/FP) = P(F) *    =  (.8)[(.85)/(.71)] = .9577

         P(C/FP) = 1 - P(F/FP) = .0422

Now, choosing the best decision for each of the given test results:

EV(Prepaying)cp = (.5862)*(10) + (.4138)*(-30) = -6.5552

EV(~Prepaying)cp = 0

 

EV(Prepaying)FP = (.9577)*(10) + (.0422)*(-30) = 8.3110

EV(~Prepaying)FP = 0

Then, “We can calculate the expected value after the test as the sum of the probability of each test result times the value of the best decision after the test result.” [deN90:341]

EV*= (.29)(0) + (.71)(8.311) = 5.9008

Hence, the value of the sample information in this case was (5.9008 - 2) » 3.9.

2.3.2     Trust Algorithms as an Expression of Preference

We have already mentioned the trust algorithm as an expression of the phenomena in which users gauge the probabilities of various events. We defined it as such because while a computer agent could be programmed to calculate the level of trust it will extend towards another (and the risk it will take upon itself), humans generally do not make such explicit calculations. Rather they indicate preferences about various risky situations without the benefit of knowing all of the probabilities. However, even when people are presented with cases in which they can explicitly calculate an optimum outcome, people behave in an unexpected manner in order to accept or avoid additional risk.

Decision analysis attempts to measure preferences by assuming that the probabilities are relatively straight-forward and it is upon these simple probabilities that people express different preferences. While expressed preferences differ for people over the same probabilities, I would argue that the probabilities for the same situation may be perceived very differently; however, it is useful to consider trust in the terms of preference functions for the sake of completeness.

One of the main goals of the study of preference is how to evaluate non-linear valuations of costs and benefits. This is accomplished by expressing these valuations in terms of a value or utility functions. A value function “(V(x) is a means of ranking the order of relative preference between sets of consequences. It assigns a number to every X such that for any two sets, X₁ and X₂, one is preferred to the other only if its value is greater than the other's.” [deN90:360]  Value functions are dependent on three basic axioms[17]: (1) completeness - for every pair of possible consequences a user will prefer one to the other or be indifferent (2) transitivity - if X₁ > X₂ and X₂ > X₃ then X₁ > X₃ and (3) monotonicity – more of a good thing is better. Utility functions differ from value functions in that the utility function's units have meaning relative to each other. The result being “provided always that the axiomatic assumptions are valid, it is possible to evaluate choices analytically, even when people have nonlinear preferences.” [deN90:365]  The axioms necessary for the utility function[18] are the same as that of the value functions plus three additional ones (1) existence - probabilities exist and can be quantified (not always the case in every day life) (2) monotonicity for probability - the higher the probability of a good thing the better, and finally (3) substitution or independence axiom - “a person's preferences for an item should vary linearly with the probability of its occurrence.” [deN90:366]  The result being that a person's preference may be non-linear with respect to the benefit (when conducting a transaction for $10,000 rather than $1 a user is much more likely to be risk averse), but not in probability (the preference of getting $1 with probability = .5, should vary linearly with the preference of getting $1 with the probability = .6.)

The question then is, is trust an expression of a utility function?  Utility functions are often measured with a lottery which is similar to our example of a transaction over the Internet. A lottery is a set of possible outcomes each with a separate probability of occurrence. Utility is then measured by offering a series of lotteries to the user, each converging closer to a point where the user is indifferent between the two lotteries. A series of these exercises can approximate a person's “utility function.”  It is unlikely that such calculations would be of use when measuring the preferences of users on the Internet other than to describe the general behaviors of an aggregate number of these users. Also, some of the axioms above, particularly the existence and substitution axiom, may not hold for some transactions, but deNeufville states:

As a practical matter, recent research we have conducted indicates that the substitution axiom holds, at least as a first-order approximation, except when the probability of some greater consequence is either very small or close to certain.

[deN90:368]

Regardless of the contentious questions of this discipline, we have come to an understanding of trust which is reflected in the following three definitions.

trust - the expectation of an assertion being true.[19]

trust algorithm - an algorithm that determines/explains the creation of the expectations.

trust-utility function - the way in which agents will exhibit non-linear preferences with regards to risk (i.e. amount of trust.)

2.4    Trust as Commerce

The third definition of trust was given as follows, “Confidence in the ability and intention of a buyer to pay at a future time for goods supplied without present payment.”  This definition allows one to consider aspects of trust not given in the straightforward treatment of the previous sections. For while it may seem intuitive to consider trust in light of decision analysis, the expected value and probabilities in such an analysis are considered to be phenomena of the real world and not interactions with competitive agents. For instance, consider the case where agent(B) – who plans to cheat – offers agent(A) $20 for a 1M of ram. Agent(A) may be suspicious and not accept the offer based on his expectations (level of trust) of agent(B). Knowing this beforehand, perhaps agent(B) would offer $100 for 1M of ram. If this were a very simple expected value calculation, in which the probability of the $20 and $100 deals were the same, a cheating agent could inflate the outcome so as to turn the decision to his favor. However, one of the variables considered in the treatment of the trust algorithm was the consideration for outcomes which seemed “too good to be true.”  This section will deal with such topics more specifically and shall refer to concepts from micro-economics and game theory.

In [FD95] Hal Finney and Wei Dai discuss a concept related to trust, that of reputation. Reputation is the amount of trust an agent has created for himself through interactions with other agents.[20] Hence, if one's assertions consistently meet the expectations of other agents, they will have higher expectations of later assertions being valid. Reputation is valuable for three main reasons.  A user may prefer to conduct transactions with users he trusts. The costs of transactions between trusting users may be smaller because third party reputation services need not be consulted.  Finally, if the conditions are right, one can betray one's reputation for a very large gain.

The exact economic nature of reputation and trust is not often addressed with regards to transactions over information networks aside from discussions on the cypherpunks list. In [FD95] Dai wrote:

In a reputation based market, each entity's reputation has three values. First is the present value of expected future profits, given the reputation (let's call it the operating value). Note that the entity's reputation allows him to make positive economic profits, because it makes him a price-maker to some extent. Second is the profit he could make if he threw away his reputation by cheating all of his customers (throw-away value). Third is the expected cost of recreating an equivalent reputation if he threw away his current one (replacement cost).

In more traditional economic terms, reputation could be viewed as an asset: “something that provides a monetary flow to its owner. For example, an apartment can be rented, proving a flow of rental income to the owner of the building.” [PR95:157]  It probably cannot be considered a product in that concepts of supply, demand, marginal cost and other costs associated with production do not generally hold. For instance, consider how trust can be created:

·         Trust is created through the development of experience with other agents. Hence, it is a relation rather than a product. For instance, if agent(B) successfully completes a transaction with agent(A), agent(B)'s reputation is still a product of the “arbitrary” trust algorithm agent(A) employs. (Agent(A) may be distrustful no matter how many satisfactory transactions occur.)

·         The only relevant cost in the creation of trust seems to be the opportunity cost of betraying that cost. (Any costs pertaining to the transaction itself (i.e. the cost of being on the network) would be accounted for in the cost of the transactions.

·         There is an bound on both how much (100%) and how little(0%) trust can be generated.

·         Agents can transfer trust by certifying another agent.

·         The creation or destruction of trust is not a zero sum game. The net sum of trust may increase or decrease.

However, perhaps these two general rules could be applied in decision making regarding reputation creation as asset creation:

1.       An agent should maximize profit over its planning horizon, where profit is defined in the economic sense as revenue less costs, including opportunity cost.  The opportunity cost of reputation is the excess revenue that could be generated from the exchange of the reputation (and its revenue over the planning horizon) for immediate revenue (by cheating) over ones planning horizon.

2.       The decision as to whether to invest in building reputation is subject to the NPV Criterion which states: Invest if the present value of the expected future cash flows from an investment is larger than the cost of the investment” [PR95:532] or if the following equation is positive for cost C, discount rate R, and time horizon n.

The important consideration here is that C is a function of an agents reputation algorithm and the trust algorithms of agents with which he will interact.

Clearly, the defining and characterization of trust and reputation in such a scenario soon becomes very complex, however, in having brought trust to the field of economics there are a number of sub-disciplines with which trust can be considered. The first is thought regarding markets with asymmetric information.[21] The most common example is that of the used car market where the buyer has very little knowledge regarding the quality of an object being purchased.[PR95:594]  Such a market is characterized as failing because of asymmetric information (or the lack of trust). The example of the used car often fails because the market is perceived as being one of low quality cars, which exacerbates the removal of high quality cars from the market, which in turn exacerbates the perception of their being a disproportionate amount of “lemons.”

Also, there is a fair amount of economic literature pertaining to product quality and asymmetric information particularly in the field of insurance and credit. Another field where this is an issue is for a temporary good or service. An example of which is a highway motel or restaurant that is not likely to have repeat customers and cannot build a personal reputation. The solution may have an interesting application in the network world and consists of creating a reputation – market brand – through standardization. For instance, all McDonald's have relatively the same color schemes, foods and prices and attract customers that may have never eaten in that particular restaurant. [PR95:598]  Hence, brand in the form of logos, seals, or labels on the web may be of great importance. Other common economic concepts are that of market signaling, particularly guarantees and warranties. [LMN94]

The second field of economics which is of interest is competitive strategy and game theory. In [WD95] Dai mentions a reputation algorithm (the counterpart of the trust algorithm) which determines the optimum conditions for increasing utility, be it through creating a strong reputation, or exchanging it for some other value. Dai posits that a good reputation algorithm (1) need be efficient (I assume this ranges from optimal efficiency to at least a “competitive” efficiency), (2) not too costly to evaluate, (3) and relatively stable in an evolutionary system. Such characteristics apply towards trust algorithm as well. In fact, trust algorithms and reputation algorithms can be thought of as competitors in a networked market where information and one's algorithms determine one’s success over time.

Already we have seen that agents are employing both their trust and reputation algorithms so as to make the best choice against potential competitors. In [FD95] Finney refers to the Prisoner's Dilemma (PD) game as an example of a simulation of agents concerned with reputation. In the PD game two prisoners are each accused of having committed a crime. They are in separate jail cells, and cannot communicate with each other but are familiar with the rules of the game and the consequences of their own and the other’s actions. Each has been asked to confess. They both know if neither confesses (they have “cooperated” to their mutual benefit), the prosecutor's case is difficult and each prisoner goes to jail for only one year. If both confess, they will both receive a five year sentence. However, if one confesses (defects), and the other does not, the one who confessed will go to jail for only one year still, and the one who did not will go to jail for ten years. The dilemma is then does one risk a ten year jail term by not confessing, or does one confess and only have a one year jail term if they other guy cooperated (his ten year jail term is tough luck) or a five year term for the both of you if he confesses as well. The dominant strategy in this game is to confess (defect) since confessing betters ones position regardless of the others’ actions:

if the other guy defects, you get five years instead of ten.

if the other guy cooperates, you get one year instead of ten.

Such games can be played multiple times, over which the agents playing have a fixed amount of memory with which to hold a grudge or to preen their reputations. In 1984 Axelrod conducted a tournament [Axe84, Axe87] in which algorithms programmed by humans competed against each other in the iterated PD game. Interestingly, such games also lend themselves to the employment of  “genetic algorithms” [Hol75] in which competitive algorithms evolve by promulgating the “fit” strategies through the lifetime of the game by the reproduction of wi