In our last outing about trust (“Who do you trust?”), I concluded:

“In the end, we know that Trust is a binary condition which has attributes – you trust “an entity” for “a task”. Trust on-line can be calculated by doing a risk assessment (amount of loss times probability of loss) and seeing if the product of that assessment is lower than your pre-set “trust threshold”. Calculating the probability of loss involves factoring in experience or reputation. So, when you get to the bottom of it, trust is inextricably tied up with reputation.”
But how can we assess or calculate reputation? And does it matter? Joan Jett sang “An' I don't give a damn 'bout my bad reputation Oh no, not me” but do you?

Pay close attention, this could get convoluted.

There’s an old proverb which says that character is the story you write about yourself, reputation is the story others write about you. Reputation, then, is what other people think about you. And the more people who “think” something - that is, they hold the same opinion about something, such as you - then the stronger the reputation is. It doesn’t matter if it’s true, false or somewhere in between – once that reputation is fixed in people’s minds it’s very hard to change.

The EU’s “Right to be forgotten” does bring up the possibility of at least minimally being able to control our own reputation, but that’s a topic for another day.

One way we use to determine the reputation of something is through reviews. Newspapers and magazines (yes, I know about on-line – we’ll get to that in a moment) often contain reviews of restaurants, movies, music, theater, etc. But can a single review tell us if we would like the thing being reviewed? It could, provided we knew the reputation of the reviewer. That reputation is simply our opinion of the reviewer based on reading numerous reviews by them and comparing those to our personal experience of the thing being reviewed. Knowing the reviewer’s reputation, we can read each review as if through filtered glasses to see it skewed to fit our judgment of what the reviewer likes and dislikes. Can we do that on-line?

Well, yes, Those same reviews are published on-line. But there’s also a wealth of other reviews, by people who aren’t “professional” reviewers and who may review only one or a handful of things. Let’s look at one web site as an example.

TripAdvisor says of itself that it offers “trusted advice from real travelers” – and it enjoys a fairly good reputation among travelers and tourists. If you’ve not used the site, a brief description: generally, you will search for a country, city, town or village. Within each you can find lists ranking hotels, restaurants, attractions and more as well as travel guides and “tips” from locals as well as frequent visitors. The rankings are compiled by ratings and reviews given by people who have been to the particular hotel, restaurant, attraction, etc. If we pick a city, say Munich, Germany, we see that the Mandarin Orientale is the top rated hotel. 264 out of 297 reviews have rated it with 5 stars, 20 with 4 stars, 10 with 3 stars and none lower. Compare with the Hotel Blutenburg which is ranked #361 – it had 2 reviews with 3 stars and 2 with 2 stars. It might be a decent place to stay, but there aren’t enough reviews to draw a good conclusion. This is a result of what James Surowiecki calls “Coordination of behavior” in his famous book  “The Wisdom of Crowds,” and he even includes an example which shows optimization in the utilization of a popular bar. The idea, for TripAdvisor, is that the more people who review a place, the more likely that the sum of their opinions will reflect a true picture of the place – in short, the better formed is that story that is the place’s reputation.

Still, if you read enough hotel reviews and if you know what YOU want in a hotel, then even the minimal four reviews for the Hotel Blutenburg can be telling. For example, one of the 2 star reviews noted that the hotel was downgraded because “My biggest problem was the wifi connection, present but not included and quite expensive.” And “Breakfast included is barely ok, not so many choices.” If wifi and breakfast are important to you, than you should give this review more weight. Otherwise, the reviewer said, “My room was big and quiet enough, with a nice big balcony away from the main road. For the rest, it was a normal room.” So if you don’t need wifi and don’t care about breakfast this could be a good choice for you. I always make it a point to read the reviews to discover, if I can, the reasons behind the ratings. I once read a review of a restaurant by a woman who downgraded the place severely because the waiter placed a dinner roll upside-down on her bread and butter plate!

Besides review sites, such as TripAdvisor, we also consider reputations when we buy things on-line. Amazon, eBay and other retail sites also provide ratings and reviews of their merchants so that we can gauge their reputations and decide on a “trust factor” for them. But what about people – how do those web sites decide to trust us, and how can we decide to trust someone else?

First, some words of caution. Remember that reputation is a factor in assessing risk, and trust is granted when the risk assessment is below our trust threshold, so trust is dependent on reputation. Keep that in mind as we go forward. Also, neither trust not reputation is transferable: if a trusts b and b trusts c, it does not follow that a should trust c simply because b does, a needs to form their own opinion of c’s reputation. Od course, if b has a reputation as an excellent judge of character, then a might rely on b’s trust of c to also trust c – at least in a specific area. Remember, a reputation in one area does not imply a similar reputation in another: I may, for example, be known as an excellent dinner table companion because of my extensive knowledge of wine and my ability as a raconteur to keep you entertained with interesting stories (there’s also my humility!). But that reputation doesn’t mean that you should rely on my statements of directions for navigating the back roads of Manitoba (where I’ve never been). Reputation must be fixed to a fairly well defined and fine-grained area.

In the off-line world we make these judgments about people all the time. How can we do that in cyberspace, though?

At the 2011 European Identity and Cloud Conference, the Privacy award (and, remember, we got to reputation by starting at privacy) was given to connect.me and the Respect Trust Framework for a “new approach to building a personal trust network by layering on top of social networks and using peer-to-peer vouching”. Vouching is, in effect, reputation or trust transference – if a vouches for b as a thoughtful analyst, and a has a good reputation with c as a judge of analysts than c will accord trust to b in an analytical situation. Follow that? That’s exactly how connect.me works. If you are unfamiliar with the service, see “How it Works” for the details. Essentially, it’s a reputation service for the Respect Trust Framework – together they bring reputation, trust and privacy to the on-line world through five principles: A promise of permission, protection, portability, and proof. It is self-described as “a network-wide reputation system with four escalating levels of trust as the primary enforcement mechanism for compliance with the trust framework. This unique form of self-regulation provides a strong incentive for every member of the network to ‘do the right thing’ with personal data and communications.”

Learn more at the framework’s web site.

Recently, the Founding Partners of the Respect Network, the SWIFT Innotribe Incubation Fund’s Digital Assets Grid and our old friend Dr. Ann Cavoukian, Ontario’s Privacy Commissioner all came together in Japan for what could be a breakthrough on the privacy, trust and reputation fronts. See how it all comes together in the next issue.