Establishing Trust Online

No, this post is not about certificates :-))

We want to make Mozilla as open a project as possible, which means that ideally there would be no parts of what we do which were closed to input from particular sections of the community. Question: how does Mozilla acquire sufficient trust in a potential community member that we could let them work in sensitive areas? Sensitive areas might include ones where they were working with confidential data belonging to users or employees, or working with partners under NDA, either temporary or permanent. We would not want someone untrustworthy in such a position.

Here is a (probably incomplete) list of ways to establish trust between a truster and a trust-ee:

  • A) Recommendation from 3rd party already trusted by truster
  • B) Trust-ee putting something at risk (deposit)
  • C) Legal contract with penalties
  • D) Demonstration of bona fides (e.g. by being faithful in small things)
  • E) Gut instinct
  • F) Trust-ee revealing verified identity information
  • G) Default to trust; remove trust if trust broken

When Mozilla employs someone, we have sufficient trust in them because of B) (their job is the thing at risk if they violate trust), C), F) and perhaps a little of A). How do we go about establishing similar trust with someone we don’t employ?

Here are some comments on each:

  • A) doesn’t scale well to a globally-distributed organization, where we regularly get new people who know no Mozillians in real life.
  • B) This is a difficult thing to ask of new community members. What options are there? Money? Something else?
  • C) IT went for this one, but it might be too heavyweight for some. (Of course, it might be required by law in some cases.)
  • D) This is how things work normally; we are looking for a way to speed this process up.
  • E) This works right up until it doesn’t…
  • F) We could investigate this; obtaining such identity proof might involve a time and/or money cost for the contributor.
  • G) Possible in some circumstances, but not the difficult ones. Perhaps involves an overly-rosy view of human nature.

Thoughts and further comments?


One thought on “Establishing Trust Online”

  1. Glad to see a conversation about this.

    There are some examples, such as with the security group, where we’ve figured this out as a community.

    As David Eaves’ recent contributor audit shows though, most things we’ve done around community building to date have been ad hoc and that makes it difficult to scale.

    It would be great to take an example of what has worked in the past in one area and turn that into something usable for other groups so we can scale more efficiently.

    The ways to build trust you mention in your post seem like they might be a great base for something that other teams can make use of. Also highlighting what the Security team has done here could be a good example. Right now you’d have to dig pretty deep to come across their policy around how to build and gain trust.