Tuesday, July 13, 2010

It's hard to be confident in unambiguous usage of "trust"

One of the consistent challenges with researching and writing about trust is separating the sociological and economic and organizational meanings of the word trust from the everyday uses of the term, whether in business or social contexts or in media usage. A front-page article in the July 13 edition of The Washington Post illustrates this problem nicely. The article reports on the results of a recent opinion poll, conducted by the paper in cooperation with ABC news, that indicates that public confidence in President Obama is at a lower level than previously seen during the current administration. The details of the poll or the article are less interesting for this discussion than the vocabulary used in the article and its headlines, both online and in print. While the online version of the article runs under the headline "Confidence in Obama reaches new low," in the print edition of the paper the headline for the same story was "6 in 10 Americans lack faith in Obama." The article uses the words "faith" and "confidence" more or less interchangeably, particularly in interpreting response to a poll question that when asked of respondents was worded as follows: "How much confidence do you have in Obama to make the right decisions for the country's future — a great deal of confidence, a good amount, just some or none at all?" The word faith does not appear in the text of this or any other question used in the poll, and the word trust appears in just one question, which asked "Which political party do you trust to do a better job handling the economy?"

While common definitions of the word faith include "complete confidence," "confident belief," and "complete trust or confidence," and the word is derived from the latin fides (which means "trust" as well as "faith"), the general connotation of faith as distinct from trust or confidence is the lack of evidence or concrete basis for faith. There is substantial variation in the literature about the meaning of the word trust, but consensus exists that trust must have some basis in knowledge, whether that knowledge is related to observed behavior, actions, character, morality, or some combination of these and similar factors. Perhaps members of the population do lack faith in the president's leadership, but when asking them about their level of confidence in Obama and his decision-making abilities, their responses should be characterized in terms of confidence as well. Different questions used in the poll asked respondents about their confidence in Congress to make good decisions and about the party they most trust to handle the economy. In this context it seems that trust is used in the sense of an expectation of technical competency (Barber, 1983), as is (presumably) the connotation of confidence in the more general question about Congress' decision-making ability. This parallel usage of trust and confidence is not so much incorrect as it is unfortunate, inasmuch as it continues a legacy (Deutsch, 1960; Coleman, 1990) of failing to distinguish between confidence and trust, despite admonitions from Mayer, Davis, and Schoorman (1995) and various theoretical bases for making such a distinction (Luhmann, 1988; Das & Teng, 1998).

References:

Balz, D., & Cohen, J. (2010, July 13). 6 in 10 Americans lack faith in Obama. The Washington Post, pp. A1, A6.

Barber, B. (1986). The logic and limits of trust. New Brunswick, NJ: Rutgers University Press.

Coleman, J. S. (1990). Foundations of social theory. Cambridge, MA: Belknap Press.

Das, T. K., & Teng, B.-S. (1998). Between trust and control: Developing confidence in partner cooperation in alliances. The Academy of Management Review, 23(3), 491-512.

Deutsch, M. (1960). The effect of motivational orientation upon trust and suspicion. Human Relations, 13, 123-139.

Luhmann, N. (1988). Familiarity, confidence, trust: Problems and alternatives. In D. Gambetta (Ed.), Trust: Making and breaking cooperative relations (pp. 94-107). Oxford, England: Basil Blackwell.

Mayer, R. C., Davis, J. H., & Schoorman, F. D. (1995). An integrative model of organizational trust. The Academy of Management Review, 20(3), 709-734.

Thursday, July 8, 2010

Security and privacy rules and regulations insufficient to engender public trust in HIEs

A lawsuit filed last month by the Rhode Island chapter of the American Civil Liberties Union (ACLU) against the state Department of Health charges that the rules the state issued regarding its planned health information exchange (HIE) provide insufficient patient privacy protection and, in particular, fall short of requirements contained in a state law, the Rhode Island Health Information Exchange Act of 2008, and also violate the provisions of the state's Administrative Procedures Act because they fail to fully address the implementation and enforcement of the provisions in the HIE Act. This is a relatively unusual instance where it is not the privacy provisions in the law itself that are being challenged, but instead the rule-making process on which the implementation of those provisions depends. In the complaint, the Rhode Island ACLU argues that the Department of Health's rulemaking process was flawed, specifically insofar as questions and concerns raised in detailed comments submitted to the DOH by the RI-ACLU's executive director were not addressed.  Apparently the RI-ACLU also believes that the decision by the Department of Health to issue policies — not rules or regulations — to address some of the HIE Act's provisions, is insufficient to meet the DOH's obligations under the Administrative Procedures Act.

The provisions of the HIE Act that the RI-ACLU deems insufficiently covered in the rules the DOH issued relate specifically to "adoption of regulations on certain specific issues to further promote the confidentiality, security, due process and informed consent due the affected patients." The RI-ACLU has criticized the state DOH for suggesting that general policy statements are enough to satisfy the law's requirements, and for excusing the lack of more specific regulations on the difficulty it has encountered in working to resolve privacy, security, and consent issues associated with health information exchange. Stressing the importance of patient health data privacy and confidentiality protections in order to garner public support for the state's HIE initiative, the RI-ACLU echoes a frequent refrain among policy makers that public trust is essential for the success of health IT initiatives such as electronic health records and HIEs, and that strong security, privacy, and consent provisions are the best way to engender that trust. Writing specifically about the Rhode Island lawsuit, HealthcareInfoSecurity's Howard Anderson noted: "To succeed, any HIE in any state needs to build public trust that the information it exchanges will remain private. And if states or HIEs fail to spell out detailed privacy rules and regulations, it will be difficult to develop that trust."  While it's hard to argue with that logic, it is vitally important for states to realize that no matter how strong the legal requirements they enact to protect patient privacy, security and privacy regulations and controls alone are insufficient as the basis for individuals to establish the trustworthiness of EHR's, HIE's, the entities that provide these services, or the people that use them to get access to personal health information. While states focus on transparency, they should ensure that consumers are provided complete and accurate information about the parties to whom they are asked to entrust their information, including details about their intended uses of health information, their business or mission interests, and their current and past behavior with respect to protecting data under their control.

Sunday, July 4, 2010

Success of government "identity ecosystem" depends on trust in government

It's not without some irony that some of the most stringent early objections to the administration's recently released draft National Strategy for Trusted Identities in Cyberspace (NSTIC) focus on the extent to which the government itself can be trusted to hold a central repository of identity information on citizens. Quite distinct from the standards by which individuals and organizational entities determine the trustworthiness of others to whom they disclose personal information, to realize the purported benefits from a system that promises to obviate the need for individual users to keep track of many passwords and versions of digital identities online, people have to be willing to cede the maintenance of those digital identities to the government (or whatever entity might operate the "identity ecosystem" on the government's behalf). Part of the point of using any user-centric system of claims-based identity management is affording users the ability to disclose only the minimum information necessary for a given purpose such as completing a specific transaction, increasing privacy protections and placing control over disclosure in the hands of users.

To make such a system work, it is important not only that the entities relying on claims information provided to them are able to specify exactly what assertions they need, but also that the assertions, when provide to the entities, are valid and in some way certified or augmented with information about the issuer of the claim (especially where the issuer provide the claim is not the user that is the subject of the claim). An entity can only rely on claims presented to it if those claims are credible, a problem the NSTIC intends to address through the use of an accreditation process by which claims issuers would be designated as trustworthy (although the details for the basis of such a determination are not part of the draft Strategy document). It seems most likely that some government authority will serve as the root of trust in the identity ecosystem, which if true would mean the integrity (and ultimate success) of the whole concept depends on the government being seen as trustworthy. This assumption may prove more problematic than the Strategy implies, given the relatively low and declining levels of trust citizens report having in government in general (cf. Hardin (2006), Putnam (2000), among others), although perceptions vary quite a bit with respect to specific agencies or institutions.

References:

Hardin, R. (2006). Trust. Cambridge, England: Polity Press.

Putnam, R.D. (2000). Bowling Alone. New York, NY: Simon & Schuster.