A trustworthy tech mark

“Those who want others’ trust have to do two things. First, they have to be trustworthy, which requires competence, honesty and reliability. Second, they have to provide intelligible evidence that they are trustworthy, enabling others to judge intelligently where they should place or refuse their trust.”
Onora O’Neill

Doteveryone has been thinking about a trustworthy tech mark to indicate responsible and trustworthy digital products and services, to enable people to make more informed choices when selecting technologies to buy or use. We’re exploring a mark (and the systems around it) that both provides evidence that products or services are trustworthy, and ideally also demonstrates competence and reliability (and honesty as far as possible).

It’s essential to make ethical and responsible digital tech activity not just more worthy, but valuable to organisations too — and so we want to create a mark that offers value to both consumers and creators of technology. For people working with technology, a mark enables them to demonstrate their responsible and ethical credentials and efforts; for consumers, a mark helps them make more informed choices about what technologies to use.

We’ve been learning about successful and unsuccessful standards, marks and certifications, in the digital technology world and in other sectors, and thinking about the challenges and opportunities of the internet in how a mark system might be shaped. Our current plans draw on this, aiming to be lightweight, scalable, flexible, and testable, so we can prototype and learn. Here we’re setting out our ideas about how this might work in practice — ideas we’ll be testing in the coming months.

Why a features-based trust mark won’t work

Doteveryone wants to create a trustmark that works for a variety of different technologies that a consumer might consider using. (The specific features you might wish to see for a smart home thermostat, for example, are probably quite different to those of a connected car, a household tool-sharing app, or a wearable for sleep monitoring.)

However, there would be significant challenges to making a features-based mark. For starters, it’s difficult to imagine a specific checklist of requirements that would make sense for this variety of products, services and systems. Technology also changes fast. Even if we had a standard we could hold today’s digital products to, it probably wouldn’t apply to new things entering the market tomorrow.

A systems approach

Instead, we’re using a values-based approach, thinking about responsible and ethical technical choices at a higher level. That means we can encompass standards and best practices which exist or are emerging within specific technology fields (such as unbiased algorithms or privacy and security). We’re interested in trustworthiness of the whole system: not just one facet of technology, but the entire way products and services are built, maintained, supported and used.

So here’s Doteveryone’s idea for how a values-based consumer trustmark could work — the “big idea” which we’ll be prototyping elements of later this year. We welcome your feedback on this, so please send us an email if you want to chat, or comment here.

Trustworthy tech mark concept

We’re envisaging a voluntary mark — one which organisations can choose to adopt — supported by public online documentation to justify the use of the mark and to provide a platform for accountability. Any organisation creating a digital product, service or system could elect to use the mark to indicate how responsible and ethical their practices are. This system would deliver transparency, with anyone being able to access a useful evidence base to find out more about a product and how it is made and maintained. In addition, anyone could reuse the information to motivate change, or as the basis of new services to support consumers, workers and others.

Open evidence repository

To legitimately display the graphic mark on a product or service, the organisation would need to have submitted a set of documentation to a central repository demonstrating how the product/service delivers the 10 aspects of responsible technology. This might include:

  • evidence of compliance with specific standards and other relevant certifications
  • links to other material, real time data or code
  • terms of service, contracts, policies
  • written descriptions of how parts of a system interact
  • test results (and test routines)
  • explanations of choices and tradeoffs made during design and development

The repository would be online, publicly available, and all information in it would be shared as open data (so that it could be reused and shared, for instance, by consumer advocacy groups). The information could also be used by organisations to create new services, such as a ranking of companies based on their employment conditions, or an app which enabled easier access to key parts of the information.

This is a particularly powerful aspect. Consumers have different preferences and tradeoffs they are willing to make, and third parties can use the information in the open repository to create useful, personalised services. These might include an app store which only includes apps which don’t show advertising to children; or a high street retailer only offering connected home products which will continue to operate for at least 3 years without unreasonable changes in terms of service.

Audit information, either commissioned by the organisation which developed the product, or created by other groups such as consumer groups or carried out by individuals, could be added to the repository. This sort of commentary and evidence could help build trust, grounded in the reputations of groups other than the technology provider.

The information logged in the repository would be updated (by authorised people from the organisation which submitted it), so that it could stay accurate and reflect changes in the product or service (supporting software updates and new versions). Consumers would be able to see the history of the information, including what has changed, how and when. Potentially, repository users could also request additional evidence where this was lacking.

The repository might contain both raw information, potentially detailed and complex, and also summaries. Although we’re describing it as a “repository”, it might not be one centralised database but a platform or federated system; we have no particular recommendations on what form this would take yet.

User groups

The graphic mark, backed by the repository of information, would be used by consumers (and retailers, review sites and so on) to better understand the choices available. Consumers would see the mark on a product or use a third party service which is built around information in the mark repository. They may even benefit indirectly — for instance, by shopping at a retailer which only stocks products which meet certain criteria. (Those service providers are another user group, who would work with the repository in deeper ways than most consumers.)

Organisations developing and maintaining technology would work with the repository on a regular basis to update information and possibly respond to questions. We anticipate that sharing and updating information about engineering, design and operational practices would become part of normal business and would not be an unreasonable burden. We already see organisations, particularly small ones, who are striving to be ethical and responsible in their work “working in the open” and sharing a great deal of what they do through blogs, forums and so on, as this helps them engage ethically-minded customers and the broader community which values responsible practice.

Organisations which supply or purchase technology may also use the repository (or the mark itself) to check whom they are doing business with, and to ensure their supply chains are aligned with their own values and requirements.

A further user group would be organisations offering audit or checking services, which would be validating that technology providers were following the practices they say they do, checking the information in the repository was correct and complete and providing certifications to demonstrate this.

Trustworthy tech at different scales

A simple, low-risk product from a small company would need only a modest amount of documentation to set out the ways in which the technology and organisation around it were responsible and ethical. A large corporate with a highly complex service, perhaps in a regulated sector such as health, would likely need to offer much more information (and would likely have this available in any case). So the burden of providing the evidence of trustworthy actions would remain proportionate (although the complexity of the information may be much greater in the latter case).

Accountability

A well-designed repository could also support very lightweight accountability, even for unaudited technology providers (or whilst we are prototyping the idea!). Declarations which are suspected to be untrue can be marked up as such, and anyone can post or answer a question alongside the information. This would enable the “crowd” — including consumers themselves, consumer rights organisations, advocacy groups, whistleblowers and developers — to be involved in reviewing and calling out problematic areas. A product whose use of the mark is questioned could be seen to have its status in doubt, and evidence-backed challenges could be used as the basis for public campaigns for the mark to be removed. If the trustmark graphic design was trademarked, this might provide a basis for prosecution for improper use (for instance, using it on a product which demonstrably did not meet the “soft” expectations of the mark).

This sort of accountability is possible now as it was not before the internet. It means that the trustmark system could start to operate on a small scale at very low cost, and could be iterated and improved, without needing a formal institution to support it. If, later on, it seems that an institution would offer value to help the mark grow or be effective, we can either seek an existing trusted independent organisation to support the mark, or look to set up a new one to act as the home of the trustworthy tech mark. Similarly, we can prototype the ideas around the mark without needing a formal audit system or provider in place.

Driving change

Our goal in this work is to increase the amount of responsible and trustworthy technology available. The trustworthy tech mark is one potential tool for change, which — if it works — could offer organisations a way to demonstrate their good practices and build consumer trust and interest, empower consumers with usable information about complex products, and provide a platform for campaigns and activism around ethical and appropriate technology development.

To be effective in achieving our goal, however, a future full trustmark program would need partners and community. This could include media partners to raise awareness, other groups interested in ethical tech who might create rankings based on the mark to showcase and motivate organisations who adopt the mark early, and so on. The trustmark itself is not sufficient, and the repository isn’t sufficient either — people must know of it, be able to find value in it somehow, and be motivated and supported to do so.

Enforcement

Any mark system needs some method to stop malicious companies using the mark on their products without being actually certified or adhering to the required standards. This is often either regulated (only products meeting defined standards may use a mark, and enforcement is by official bodies), or done via trademark (a registered trademark is owned and controlled by an organisation which takes legal action if the mark is used for products not tested or not meeting the standard). The latter is easier to set up and would be feasible for this sort of mark; in the near term, whilst the mark is in prototyping or early development, an ‘honour system’ should suffice.

In this model, we assume that someone would likely look up the evidence base for most uses of the mark and, if it is inappropriate, would both flag it in the repository and also potentially use social media or other channels to alert others to the problem. (We’ll be working more on enforcement, trademarking, checks and audits, potential issues with fraud and deception, along with business models which would enable a mark system to sustain itself, once learnings from our early prototyping are available.)

Future developments

If such a system proved viable and useful, it is possible to imagine extensions to it which build off advances in technology. For example, evidence from a company might have provenance demonstrated by use of a blockchain. Instead of a simple graphical mark on a product, part of the mark could encode information, such as the URL of the evidence base for that product. Online services could use a form of cryptographic signature to confirm the validity of the mark. A smart system could analyse documents and data in the repository automatically, to derive information about practices, within a given product filing, and comparatively.

Next steps

We’re shortly going to start testing how a values-based trustworthy tech mark might work in practice, working with two cohorts of prototyping partner organisations who are building digital products and services. We want to find out if we can create something which can work for a range of products and services, and which also respects the pace of change and complexity of digital technologies. Our initial focus is on organisations already interested in working ethically, and we’ll be extending to consider how to ‘raise the bar’ for lower performers in a later phase, along with thinking about how auditing might operate (assuming our prototyping suggests that this concept is worth developing further!).

The cohort work will explore how organisations can demonstrate their practices across the 10 aspects of responsible and trustworthy technology we’ve set out, finding out what is practical and useful, and building a community of organisations who are working responsibly around technology for peer support. The cohort will be supported through a very lightweight process with documentation and guidance around what sort of practices and choices they might want to document and how to do so, and we’ll be learning from and with them throughout.

We’ll very lightly prototype an open documentation repository and explore what features this might need, and also create a simple website about the mark idea. We’ll also be developing experience maps for the consumer experience, to explore the motivation of consumers around technology selection, and creating design concepts for the graphical mark.

One particular area we’ll investigate is whether the mark should have a scale (e.g. 5 stars, or a percentage rating), or different grades of compliance (e.g. bronze, silver, gold). This could support organisations in increasing their performance over time, and would also allow consumers to differentiate more clearly between products and services.

We’d be grateful for feedback on this concept, as well as ideas which could enrich it. A commentable version is available here. If your organisation is interested in working with us on further development of the trustworthy tech mark, please email us. If you develop a digital product or service and would be interested in helping prototype the mark in a later phase, or potentially adopting it, please let us know here.

Particular thanks to the IOTMark, whose 2017 event gave me space to think through some of these ideas. (You can see a somewhat related concept emerging for the internet of things here.)