The collection and compromise of users' personal information is increasingly a goal of attackers who can use the information for unauthorized (and often fraudulent) purposes. One way that attackers obtain this information is by perpetrating phishing scams. For example, by creating a phishing site that mimics a genuine site, an attacker may be able to confuse a victim into providing a login and password that can later be used by the attacker to impersonate the victim and gain access to the genuine site. Attackers can also use phishing techniques to solicit and obtain financial information (such as credit card or bank account numbers) and/or other personal information (such as home address, phone number, or email address) directly from an unsuspecting user.
One approach to combating phishing is to educate users to check the sites they visit for valid digital certificates. As users become more sophisticated, however, so too do the attackers who then obtain certificates (issued, for example, with a domain name similar to the genuine site). Another approach to protecting users is the use of tools that act as intermediaries to authenticate users to third party sites. Unfortunately, one result of using such a tool is that users can have less control over when and what information is submitted, and less visibility into how their personal information is used than if they manually entered that information into the third party site.
Legitimate sites may also inappropriately leak personal information about users. For example, while a site may have a stated privacy policy of not disclosing user email addresses to third parties, the site may ignore that policy. Similarly, while a site may claim to guarantee the safety of submitted customer payment information, the site may be compromised by a hacker and expose personal information in an unauthorized manner.
Therefore, it would be desirable to have a better way to inform trust decisions.