Privacy-enhancing technologies (PETs) can provide organisations with enhanced security and confidentiality of data and code, but several challenges and barriers stand in the way of their adoption. One such barrier is a lack of trust: sceptical, privacy-aware individuals find it difficult to trust that PETs will effectively keep their sensitive data and code protected and safe.
In this research, we sought to understand trust in PETs and the factors that motivate and dissuade their adoption. We aimed to analyse different transparency measures that PET providers can use to increase trust, and the extent to which they do so in practice.
We focused on the context of trusted execution environments (TEEs), a type of PET with undeniable benefits for organisations looking to use confidential computing. TEEs also present particularly interesting dynamics around their trust and adoption, and we used Google’s Project Oak, an in-development piece of TEE infrastructure designed with a number of transparency measures, as a framework to explore them.
Using qualitative data collected from three activities, we employed thematic analysis to determine: (i) transparency measures only motivate trust when they are meaningful; (ii) when it comes to trust in PETs, principles often trump efficacy; (iii) Google’s Project Oak’s transparency measures have strengths and limitations; and (iv) technical transparency measures only address certain concerns for certain actors.
We found that the onus on PET providers to make trust decisions easier, which requires both transparency and the use of socio-technical measures, was an overarching theme. We briefly explored how these findings can be broadened to other types of PETs and proposed a set of recommendations for further research and future work.
