Roger Clarke's Web-Site

 

© Xamax Consultancy Pty Ltd,  1995-2014


Roger Clarke's 'Cloudy Consumer Computing'

The Cloudy Future of Consumer Computing

Review Draft of 25 January 2011

Proc. 24th Bled eConference, June 2011

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2010-11

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at http://www.rogerclarke.com/EC/CCC.html

The slide-set is at http://www.rogerclarke.com/EC/CCC.ppt


Abstract

Consumers used to run software on their own devices and store their data at home. They are now increasingly dependent on service-providers for both functionality and data-storage. Risk assessment techniques need to be applied to consumer contexts. These are diverse, covering many kinds of consumer devices, many different consumer profiles, and various consumer needs. A preliminary evaluation concludes that consumers who place reliance on outsourced consumer services may be seriously exposed, because the Terms of Service of mainstream service-providers offer very low levels of assurance about features critical to consumers' interests.


Contents


1. Introduction

Consumer computing began in the mid-1970s. For the first quarter-century, the norm was that most of the software on which users depended ran on their own devices, and most of the data that they regarded as their own was on their own devices as well. Since about 2000, however, first the data and then the software have been drifting out of consumers' grasp.

Initially, the reason for this was that ISPs offered services that in the B2B space would be called outsourcing. More recently, wholesalers and some retailers have been offering 'cloudsourcing'. The services most commonly associated in the public mind with the transition to the cloud are the office applications Zoho since 2005 (Smith 20010), Google Docs since 2006 and Microsoft Live Office since 2007.

There are some very good reasons why consumers may rationally choose to use remote services rather applications running on their own device. Access can be facilitated from multiple consumer-devices, software licence costs can be reduced, and aspects such as backup and recovery may be devised more professionally and performed more diligently.

There are, however, downsides with all forms of outsourcing. The purpose of the research reported on in this paper is to investigate the risks that arise for consumers who adopt the new model and who may therefore depend heavily on service-providers for access to services and for storage of their data.

The primary focus of the research is on consumers, by which is meant users in their personal capacity. This encompasses both social purposes and economic activities, including the C end of B2C eCommerce and G2C eGovernment, and hobby-level trading on C2C sites such as eBay. There are also significant implications for micro-business and small business, however, because the individuals who effectively are those businesses use, and may be dependent upon, remote services for the performance of business functions. In addition, employees of many large organisations may depend on them too, whether or not that is their employers' intention.

The study encompasses outsourcing in all its forms, whether the service-provision is performed at a known location, at unknown locations, or 'in the cloud'. The scope of the analysis includes the outsourcing to service-providers of mainstream consumer activities such as messaging, document creation and maintenance, and accounting, and the creation and maintenance of web-sites and personal picture galleries. On the other hand, the analysis excludes the outsourcing of activities such as contributions to public fora (including e-lists, comments on other people's web-sites, and micro-blogging) and on-line banking. Contributions to social networking service sites are also generally excluded, on the basis that they are perceived to be shared and ephemeral rather than personal and long-lived. There is of course a degree of arbitrariness in most of these distinctions.

The following section outlines the research method and the structure of the paper.


2. Research Method

The author has conducted research into impediments to the adoption of consumer eCommerce since the mid-1990s. The current project builds on an accumulated base of research publications in order to investigate the question 'to what extent are the risks faced by consumers in using outsourced and cloud services being addressed by service-providers?'.

This is the first in a series of papers arising from the research. It accordingly commences by clarifying the dimensions of consumer computing, and then reviews the changes that have been occurring in consumer applications and services. Various categories of consumers are differentiated. A framework is proposed for studying consumers' requirements and the risks that they face. This draws on existing literature relating to service requirements and IT risk management for organisations, but re-casts the criteria in terms relevant to consumers.

A range of possible approaches is available to determine the extent to which consumers' requirements are satisfied and the risks addressed. For example, case studies could be undertaken of incidents involving harm, or potential harm, to consumers' interests. Media reports may identify that an incident has occurred, but it is unusual for sufficient information about such incidents to become publicly available. A comprehensive study therefore also needs to include hypothetical scenarios.

The approach selected was to examine the Terms of Service that apply to a selection of services on which consumers currently depend, and evaluate the extent to which the Terms satisfy the requirements and address the risks. This paper reports on three preliminary analyses that have been undertaken, and provides access to the underlying Working Papers. The empirical base is not yet sufficient to draw reliable conclusions, but it already provides considerable insight into the research question.


3. Consumer Computing

From the beginning of consumer computing in 1975 until the mid-1980s, devices were primarily standalone. During the following decade, they were progressively enhanced to achieve communications with other devices, with Internet connection from the mid-1990s providing a considerable spur to developments. Two contrary trends have been evident during the last decade. One is the ongoing increase in device-capacity available for a given price - which enabled the explosion in peer-to-peer (P2P) sharing services during the decade from 2000 (Clarke 2006c). The other trend is toward lower-priced devices, with limited capacity and more portability, but also increased consumer dependency on service-providers and network connections between consumers' devices and remote servers.

The current marketplace is highly diverse. Segments that can be usefully distinguished are outlined in Exhibit 1.

Exhibit 1: Consumer Computing Market Segments

These devices support a variety of user interface types. In 2010-11, these range from QWERTY and telephone keyboards, in both hard and soft (touchscreen) forms, operated using fingers, thumbs, or stylus, with point-and-click capabilities, voice-activation, and/or single-finger and multi-finger gesture.


4. Consumer Applications and Services

Consumer computing performs a range of functions, which have been progressively migrating from application software running on the consumer's own device to services accessed from the consumer's device but running on hosts operated by service-providers. Exhibit 2 identifies categories of function that evidence dependency by consumers on service-providers.

Exhibit 2: Key Functions of Consumer Computing

The migrations from consumer device to service-provider identified in Exhibit 1 occurred at various times from about 1995 onwards. In the case of Email, Webmail emerged in the mid-to-late 1990s, and substantial migration from POP occurred in the early 2000s. Personal picture gallery services date from about 2004. In the document preparation space, the launch of services that were consolidated into Google Docs occurred in 2006-07. File-hosting of the DropBox style dates from 2007-08. Whereas early attempts at Application Service Provision (ASP) in the consumer arena met with limited success, the contemporary term for much the same notion - software as a service (SaaS) - is regarded by the industry with optimism.

Some key factors that appear to have been associated with reduced consumer self-reliance and increased dependence appear to have been the following:

The analysis conducted in this section shows how consumers' proximity to the functionality that they use, and to their data, has been rapidly decreasing. The data used to be 'here', on the consumer's own device. It moved to 'there' as consumers used relatively local Internet Services Providers, with a known footprint. As the dependency came to be on large national ISPs, and particularly on ISPs outside the consumer's local jurisdiction, the footprint became less visible, and the data moved 'somewhere'. To the extent that cloud computing is applied, consumers' data is 'anywhere', out 'in the cloud'.

Some consumer uses of computing are intrinsically ephemeral, and hence quality assurance of the services is unimportant. On the other hand, high value may be attached to the reliability of some categories of service, and the integrity of the associated data. For example, accounting records are subject to requirements of retention for 5-7 years, depending on the jurisdiction, and many people want long-term access to their picture galleries and family history.

The degree of importance of quality is not only a function of the nature of the service. It also depends on the nature of the individual consumer.


5. Consumers

The challenges arising from the enormous diversity of consumer devices and interfaces are compounded by the high degree of variability among consumers. Important, inter-related dimensions of differentiation include the individual's technical capability, the extent of their education about the options available, their awareness of risks, and their preparedness to place trust in the reliability of infrastructure and processes that are beyond their control.

For many decades, a conventional way for advertisers and marketers to segment the population has been according to the range within which a person's date of birth falls. The segments have been referred to as 'Generations' (even though that term has a longstanding meaning rather different from its connotations here). People in any particular Generation are treated as members of a cohort that marches through time, carrying a cluster of characteristics with them. Different Generations had very different sets of formative influences, and as a result are posited to have very different values, attitudes and behaviours. The notion is statistical, i.e. it applies 'generally', rather than being intended to apply literally to every person in the relevant age-group.

Many different variants of the Generations Model have been rationalised (Raines 1997, Martin & Tulgan 2001, Tapscott 2008). Exhibit 3 differs a little from the norm. It simplifies the date-boundaries, and for the most recent and as-yet least-understood group it uses the term the 'iGeneration'.

Exhibit 3: The Generations

Generation
Indicative

Birth-Years

Indicative

Age in 2010

Silent / Seniors
1910-45

65-100

Baby Boomers – Early
1945-55
55-65
Baby Boomers – Late
1955-65
45-55
Generation X
1965-80
30-45
Generation Y
1980-95
15-30
The iGeneration
1995-
0-15

The relationships of the Generations with information technologies vary considerably. Baby-Boomers grew up with face-to-face meetings, the handshake and the tethered telephone. PCs came late to them, and were associated with the workplace. They also had to adapt to mobile phones. Gen-X, on the other hand, grew up with PCs, email and mobile phones, for both work and life, and are more capable of multi-tasking than their predecessors. Gen-Y grew up with IM/chat, texting and video-games, with IT intrinsic to both their work and their life, and strong multi-tasking capabilities. Some technology-enabled contexts, on the other hand, came late to Gen-Y as well. For example, widespread uncontrolled self-exposure on social networking sites appears likely to have been a short-term phenomenon that predominantly afflicted Gen-Y, with the currently teenage-and-younger iGens already considerably more savvy in their net-behaviour than their elders were.

A particularly significant basis for segmentation for the purposes of the present analysis is the person's degree of dependency on consumer computing. There are many contexts in which consumer computing deals in fashion, ephemera and optional extras. Voice, SMS and IM messages are 'for the moment', and so are most photographs taken at social events. Under these circumstances, lack of access to archives, occasional outages and delays, are all likely to be tolerated. Such attitudes appears to be particularly common among the younger generations (Gen-Y and iGen), and among people whose primary mode of use is associated with mobile phones.

Baby-Boomer and Gen-X users, on the other hand, tend towards more structured and disciplined use of technology, and are more likely to think of their handheld devices as computers than as telephones. In a number of circumstances, they are likely to be more reliant on key functions that their devices enable them to perform, and to have higher expectations of quality of service. This applies, for example, to their correspondence, to the records of community associations they are involved with, and to family photographs and family-trees (PEW 2010).

It may be necessary to postulate consumer computing maturity-level as a means of understanding and predicting consumers' requirements and attitudes to risk. A potentially useful indicator of that level is a consumer's capacity to appreciate the distinctions among the master-copy of their data, secondary copies of it, and backup copies. The self-service model has been plagued by inadequate backup-and-recovery solutions. Depending on the way in which the service model is implemented, it may satisfactorily address the backup and recovery problems or it may exacerbate them.


6. Consumers' Requirements and Risks

In order to study the extent to which the available Terms of Service satisfy users' needs, a sufficiently structured model is needed of consumers' requirements in relation to computing services, and of the risks associated with their use.

Risk assessment is an established business process, and is described in text-books (e.g. Peltier 2005, Landoll 2005, Slay & Koronios 2006) and industry standards (e.g. AS/NZS 3931-1998, AS/NZS 4360-1999 and ISO 27005-2008, 31000-2009, 31010-2009 and Guide 73). For security risk assessment, the conventional model is described in Clarke (2001), OECD (2002) and ISO (2005). Security risks that arise from outsourcing in general were examined in Loh & Venkatraman (1995) and Kremic et al. (2006). Risks arising from cloud computing in particular were considered in Clarke (2010). That paper then developed a set of requirements for user organisations, building in particular on Avizienis et al. (2004).

This project is re-examining that set of organisational requirements in the consumer context. All aspects are relevant to consumers, but with qualifications. Whereas a moderate proportion of organisations adopt a rationalist, analytical approach to requirements and risks, few consumers do. In general, consumers are consciously aware of only a very few of the criteria. Most bubble to the surface only when contingencies arise and harm results from them. Moreover, to the extent that consumers are aware of risks, they do not express them in abstract terms (such as Data Security against the Second Party, Third Parties and Environmental Threats), but in informal and concrete terms (such as 'Is my data protected against you? Is it protected against 'them'? And is it protected against the gods?). In Exhibit 4, a set of criteria is proposed, encompassing both requirements and risk factors, expressed in terms that are likely to be familiar to consumers.

Exhibit 4: Requirements of Outsourced Consumer Computing

The Basic Needs

The Basic Protections

More Advanced Needs

More Advanced Protections

On the one hand, consumers can be expected to tolerate lower standards than those required by business enterprises and governments. On the other hand, many of the requirements in Exhibit 4 are of relevance to consumers in at least some contexts. For example, availability of messaging services and mail and document archives can be very important to the management of personal business issues; and data survival and forward-compatibility are vital in the case of personal financial management and for family records.


7. Preliminary Results

The broad research question addressed in this research project is 'to what extent are the risks faced by consumers in using outsourced and cloud services being addressed by service-providers?'. The analysis undertaken above provides an operational definition of the requirements and risks, defined in Exhibit 4. The next step in the research is to evaluate the extent to which suppliers' Terms of Service address those risks.

The selection of suppliers for inclusion in the study is somewhat problematic, because many service-providers appear to be in transition from previous models towards cloud computing arrangements. Three strata have been identified, and different approaches adopted to sampling within each stratum:

The author has previously conducted studies of the Terms of Service of a number of Consumer eCommerce providers (Clarke 2006a), and of their Privacy Policy Statements (Clarke 2006b). This research utilised a checklist of consumers' interests (revised version at Clarke 2008a), and a privacy statement template (Clarke 2005). Building on this prior work, a set of preliminary studies was devised, in order to provide early results, and to establish a platform for the subsequent phases. The following paragraphs report briefly on the key findings of those three studies.

7.1 The Accessibility of Providers' Terms

Studies of suppliers' Terms are dependent on reliable access to the relevant documents. A logical first step was accordingly to seek out each supplier's Terms, and gather some meta-data about them. This was performed in early December 2010. The resulting data is provided within the Working Papers listed at the end of this paper.

All nine providers make their Terms of Service available on their web-sites. However, in not one single case were prior versions of the Terms visible, and in very few cases did the sole available version display the date on which it came into effect.

This would be less of a concern if the Terms applicable to the services were known to be stable. Anecdotal evidence suggest, however, that this is mostly not the case. Moreover, the right to unilaterally change the Terms is asserted by eight of the nine ISPs. (The exception is Dropbox, whose Terms appear not to specify any process for making changes). The eight providers that can unilaterally change Terms adopt two different approaches to changes:

Hence, for at least five of the nine suppliers in the sample, consumers are unlikely to even know, let alone understand, the Terms that are applicable at any given time. Further, no reliance can be placed on what the consumer may have previously read or heard about the Terms, because it may or may not apply to any given relationship, transaction or item of data. The Terms relevant to consumers' dealings with Google are particularly problematical, because the Terms are scattered across about 80 documents, and in many circumstances it is unclear which are applicable.

The findings of this preliminary study have considerable implications for the conduct of the research project as a whole.

7.2 In-Depth Study of a Single Provider's Terms

In order to develop an insight into the current approach adopted to consumer Terms, a single provider was considered in depth. The provider selected was LinkedIn. The reasons it was selected were that it projects itself as being a networking service for professionals, its users could be expected to be better-informed and more demanding than consumers generally, and hence it was reasonable to expect that the company would have taken considerable care to ensure that its Terms addressed its customers' needs, and carefully balanced their interests against the company's own. In short, there was a possibility that LinkedIn might provide something of a benchmark against which other organisations might be compared.

LinkedIn's Terms and Privacy Policy Statement were assessed against the previously-developed Checklist and Template, referred to earlier in this section. Access to the data is provided in the Working Papers. The Terms address some aspects of consumers' needs, but many other aspects are not appropriately handled. Examples of serious deficiencies include denial of responsibility to actually provide the service, to provide it reliably, and to sustain data stored in it; the requirement that subscribers disclose their physical location, even if it is not relevant to a transaction; absence of any internal complaints process; denial of any rights to restitution, including any liability for identity fraud; and the granting to LinkedIn of rights in relation to customers' data that are almost equivalent to the rights of the customers themselves.

Similarly, there are several aspects of the Privacy Statement that approach best practice, and others that are privacy-positive. On the other hand, those features are undermined by an asserted right to make unilateral changes to the Privacy Statement, without notice. Moreover, there are many features that are privacy-hostile, including data-storage in the USA under laws that are very lax in comparison with those normally enjoyed by the perhaps 50% of subscribers who live in countries with much more substantial data protection laws; the absence of undertakings in relation to control of the behaviour of staff; enforced 'permission' to disclose personal data, without legal authority, merely "to assist government enforcement agencies"; and inadequate access and correction rights.

Far from representing a benchmark, LinkedIn's Terms and Privacy Policy proved to be a source of considerable concern.

7.3 A Comparative Study of a Particular Area of Risk

The third preliminary study was an assessment of a particular category of concerns across all nine selected service-providers. Consumers are exposing a great deal of personal data to their service-providers, and there is a risk that the self-interests of providers may lead them to exploit that data. This may be seen as entirely reasonable in the case of data that is intended for widespread availability, but not necessarily in respect of other categories of data. The study therefore focused on second-party risk exposure, and specifically:

The study was not concerned with data that is relevant to the commercial relationship between the consumer and the provider, nor on uses of data that are necessary as part of the service being provided. The focus was on what was referred to as 'private data' intended for use by the consumer only, and 'restricted data' that was intended to be accessible by some other parties, but not by parties generally.

Access to the data is provided in the Working Papers. The general findings were that none of the nine providers satisfy all of the reasonable expectations of users, and that the Terms of two major ISPs - Google and LinkedIn - satisfy none of the expectations at all. The approaches adopted by the nine providers fall into three groups:

Similarly, each ISP appears to assert its rights not only to use data itself, but also to disclose data to its business partners; and the scope of that term appears to be capable of very liberal interpretation.

Private and restricted data of other persons comes into the possession of service-providers, because many services to customers involve other parties. For example, email is exchanged with correspondents, and stored data is accessed by friends, collaborators and workmates. It appears that each ISP perceives itself to have at least the same rights in relation to this data as it has in relation to its customers' data, despite the absence of any contractual relationship with the people concerned.

The switch of consumer computing to the service model has been shown to bring with it very serious risk exposures to service-providers and to organisations that have even quite loose associations with them.


8. Conclusions

The work reported on in this paper has established a basis for the project as a whole. The main body of the work is continuing, but, even at this stage, a number of interim conclusions can be tentatively expressed.

Consumers are increasingly dependent on services and data remote from their own devices. They accordingly have a significant number of requirements and face a range of risks. Consumers are at best only vaguely aware of those requirements and risks, are in most cases incapable of conducting an evaluation of the Terms and Privacy Policies of their providers, are driven by fashion and encouraged by the excitement induced by viral marketing, and in any case have very limited market-power and hence are forced to accept whatever fixed Terms providers dictate.

Prior studies of Terms, supplemented by the preliminary analyses that have been reported in this paper, indicate that consumers are at dire risk of service malfunctions, loss of data, and provider exploitation of their data. Further serious concerns include low standards of accessibility and clarity of Terms, and largely unfettered scope for providers to change the Terms, in most cases without notice and with immediate effect.

Given the power imbalance, and the increasing importance of consumer services, consumer protections would appear to be essential. There is, however, an almost complete absence of effective regulation. This arises from the transnationality of Internet commerce, the dominance of US marketing mores, the pro-corporate and anti-consumer stance of US regulators, the meekness of regulators in other countries, and the lack of organised resistance by consumer representative and advocacy bodies. Serious consumer disappointments and recriminations against outsourcing and cloudsourcing providers would seem to be inevitable.

Further work is being undertaken within the current project, including comparative analysis of other clusters of requirements and risks identified in Exhibit 4, such as service quality, data compatibility, and security and privacy controls with respect to third parties. Clarifications are also being sought from suppliers.

Complementary research is needed. One important approach is in-depth studies of actual cases of harm to consumers, and of scenarios that would be likely to lead to harm. Studies are also needed of different categories of service, and different categories of consumers, particularly across the Generations and across different levels of consumer sophistication. By combining the results from these various threads of research, it will be possible to feed forward into the designs adopted by service-providers.

One aspect alone is sufficient to indicate the gravity of the situation. Prognostications about failures in cloud computing services have been made by a few writers, including this author. A more compelling expression is provided by a longstanding industry commentator (Cringely 2011): "These are startups, remember, and a good percentage of startups fail.  Some cloud computing outfit is going to quickly and quietly shut down, taking with it the data (business, photos, video, memories, etc.) of tens of thousands of users.  Once we're storing everything in the cloud, what's to keep us from losing everything in the cloud?".


References

AS/NZS 3931 (1998) `Risk Analysis of Technological Systems - Application Guide' Standards Australia, 1998

AS/NZS 4360 (1999) `Risk Management' Standards Australia, 1995, 1999

Avizienis A., Laprie J.C., Randell B. & Landwehr C. (2004) 'Basic Concepts and Taxonomy of Dependable and Secure Computing' IEEE Trans. Dependable and Secure Computing 1,1 (2004) 11- 33

Clarke R. (2001) 'Introduction to Information Security' Xamax Consultancy Pty Ltd, February 2001, at http://www.rogerclarke.com/EC/IntroSecy.html

Clarke R. (2005) 'Privacy Statement Template' Xamax Consultancy Pty Ltd, December 2005, at http://www.rogerclarke.com/DV/PST.html

Clarke R. (2006a) 'A Pilot Study of the Effectiveness of Privacy Policy Statements' Proc. 19th Bled eCommerce Conf., Slovenia, 5-7 June 2006, at http://www.rogerclarke.com/EC/PPSE0601.html

Clarke R. (2006b) 'A Major Impediment to B2C Success is ... the Concept 'B2C'' Invited Keynote, Proc. ICEC'06, Fredericton NB, Canada, 14-16 August 2006, at http://www.rogerclarke.com/EC/ICEC06.html

Clarke R. (2006c) 'P2P's Significance for eBusiness: Towards a Research Agenda' Journal of Theoretical and Applied Electronic Commerce Research 1, 3 (December 2006) 42 - 57, at http://www.jtaer.com/portada.php?agno=2006&numero=3#, PrePrint at http://www.rogerclarke.com/EC/P2PRes.html

Clarke R. (2008a) 'B2C Distrust Factors in the Prosumer Era' Proc. CollECTeR Iberoamerica, Madrid, 25-28 June 2008, pp. 1-12, Invited Keynote Paper, at http://www.rogerclarke.com/EC/Collecter08.html

Clarke R. (2008b) 'Web 2.0 as Syndication' Journal of Theoretical and Applied Electronic Commerce Research 3,2 (August 2008) 30-43, at http://www.jtaer.com/portada.php?agno=2008&numero=2#, PrePrint at http://www.rogerclarke.com/EC/Web2C.html

Clarke R. (2010a) 'User Requirements for Cloud Computing Architecture' Proc. 10th IEEE/ACM International Conference on Cluster, Cloud and Grid Computing, Melbourne, Australia, 17-20 May 2010 (eds. Parashar M. & Buyya R.), pp. 625-630, PrePrint at http://www.rogerclarke.com/II/CCSA.html

Clarke R. (2010b) 'Computing Clouds on the Horizon? Benefits and Risks from the User's Perspective' Proc. 23rd Bled eConference, 21-23 June 2010, at http://www.rogerclarke.com/II/CCBR.html

Cringely R. (2011) '2011 prediction #8: Cloudburst' I. Cringely, 6 January 2011, at http://www.cringely.com/2011/01/2011-prediction-8-cloudburst/

Eddy N. (2008) 'Notebook Sales Outpace Desktop Sales' eWeek, 24 December 2008, at http://www.eweek.com/c/a/Midmarket/Notebook-Sales-Outpace-Desktop-Sales/

Friedman W. (2011) 'Send in the Clouds: Ultraviolet Stores Content Forever' Media Daily News, 7 January 2011, at http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=142561&nid=122472

Gartner (2010) 'Gartner Says Android to Become No. 2 Worldwide Mobile Operating System in 2010 and Challenge Symbian for No. 1 Position by 2014' Gartner, 10 September 2010, at http://www.gartner.com/it/page.jsp?id=1434613

ISO (2005) 'Information Technology - Code of practice for information security management' International Standards Organisation, ISO/IEC 27002:2005

ISO (2008) 'Information technology -- Security techniques -- Information security risk management' International Standards Organisation, ISO/IEC 27005:2008

ISO (2009a) 'Risk management -- Principles and guidelines' International Standards Organisation, ISO 31000:2009

ISO (2009b) 'Risk management -- Risk assessment techniques' International Standards Organisation, ISO/IEC 31010:2009

ISO (2009c) 'Risk management -- Vocabulary' International Standards Organisation, ISO Guide 73:2009 

Kremic T., Tukel O. & Rom W.O. (2006) 'Outsourcing decision support: a survey of benefits, risks, and decision factors' Supply Chain Management 11, 6 (2006) 467 - 482

Loh L. & Venkatraman N. (1995) 'An Empirical Study of Information Technology Outsourcing: Benefits, Risks, and Performance Implications' Proc. ICIS 1995, Paper 25, at http://aisel.aisnet.org/icis1995/25

Martin C. & Tulgan B. (2001) 'Managing Generation Y: Global Citizens Born in the Late Seventies and Early Eighties' HRD Press, Amherst, MA, 2001

Nakashima N. (2010) 'Apple shutting Lala; 'Cloud' music on horizon?' Business Week, 30 April 2010, at http://www.businessweek.com/ap/tech/D9FDLIV00.htm

OECD (2002) 'OECD Guidelines for the Security of Information Systems and Networks: Towards A Culture Of Security' Organisation For Economic Co-Operation And Development, July 2002, at http://www.oecd.org/dataoecd/16/22/15582260.pdf

Peltier T.R. (2005) 'Information Security Risk Analysis' Auerbach, 2nd Edition, 2005

PEW (2010) 'Generations Online in 2010', PEW Research Centre, 16 December 2010, at http://pewinternet.org/Reports/2010/Generations-2010/Overview.aspx

Raines C. (1997) 'Beyond Generation X: A Practical Guide For Managers' Crisp Publications, 1997

Slay J. & Koronios A. (2006) 'Information Technology Security & Risk Management' Wiley, 2006

Smith N. (2010) 'Zoho: The Startup That Took on Google and Microsoft' Business News Daily, 16 August 2010, at http://www.businessnewsdaily.com/zoho-the-startup-that-took-on-google-and-microsoft-0458/

Tapscott D. (2008) 'Grown Up Digital:How the Net Generation is Changing Your World' McGraw-Hill, 2008


Working Papers

Clarke R. (2010c) 'An Evaluation of the Terms of Service and Privacy Policy of the LinkedIn Professional Networking Service' Xamax Consultancy Pty Ltd, 6 December 2010, at http://www.rogerclarke.com/EC/LinkedIn-1012.html

Clarke R. (2010d) 'Internet Users' Second-Party Exposure' Xamax Consultancy Pty Ltd, 24 December 2010, at http://www.rogerclarke.com/EC/IU-SPE-1012.html, supported by detailed materials re:

  1. Dropbox
  2. Google
  3. iinet
  4. Infinite
  5. Internode
  6. LinkedIn
  7. Microsoft Live
  8. Yahoo!
  9. Zoho

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.



xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 40 million by the end of 2012.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 5 October 2010 - Last Amended: 25 January 2011 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/CCC.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2013   -    Privacy Policy