The volatility of trust: Zero Trust and Distributed Trust as ‘post-trust’ cybersecurity models

This paper examines how trust has been reconfigured in cybersecurity over the past 30 years, arguing that a ‘post-trust’ logic is increasingly shaping both technical architectures and organisational practices. Drawing on a critical historical analysis informed by the Social Construction of Technology, we juxtapose two prominent security models – Zero Trust (as developed at Google) and Distributed Trust (pioneered by the Tor Project) – and contend that a turn toward post-trust cybersecurity is equally evident in a model designed to counter surveillance (Distributed Trust) and one built around its intensification (Zero Trust). By examining historical documents, design specifications, and interviews with key architects, we show how both models converge around a shift away from a static notion of trust. Where earlier computer security approaches treated trust as a stable attribute of designated system components, contemporary frameworks characterise trust as inherently volatile, requiring ongoing management across technical and communicative domains. We claim that this profound rethinking of security – rooted in both intrinsic logical difficulties in reconciling the need to trust with the need for assurance, as well as in broader economic and social transformations of the 1990s and 2000s – has led security practitioners to recast security models as performative artefacts. These models not only depict how secure systems should function, but are increasingly seen as tools with which to shape users’ behaviours and intervene in organisational dynamics.