Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2016
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Working Paper in Support of a Project on Risks in Outsourced Consumer Services
See 'The Cloudy Future of Consumer Computing'
Version of 24 December 2010
Roger Clarke **
© Xamax Consultancy Pty Ltd, 2010
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/EC/IU-SPE-1012.html
Internet users provide data to Internet Service Providers (ISPs), for transmission and storage. Some of that data is private, or intended for use by a restricted group of parties. Users are exposed to the risk that the ISP may take advantage of private or restricted data for its own purposes. An analysis of the Terms imposed by a dozen ISPs showed that none of them satisfy all of the reasonable expectations of users, and that the Terms of two major ISPs - Google and LinkedIn - satisfy none of the expectations at all. The prospects for improvements in the Terms are not good. Internet users suffer serious risk-exposures to their service-providers.
Internet users depend on companies to provide connections to the rest of the Internet, and to deliver services such as the handling of email and the storage of data. Users are confronted by a wide range of risks. Among them is the risk that the companies on which they depend may not act in the best interests of their customers.
One particular set of exposures relates to the exploitation by ISPs of data that users transmit through the ISPs or store on their devices. The purpose of this paper is to examine the nature of this risk, and assess the extent to which the Terms imposed by ISPs empower the corporations to the detriment of their customers.
The paper commences by considering the nature of ISPs and ISP services, and of users and their data. The research question and research design are outlined. An analysis is provided of the relevant Terms currently imposed on their users by a sample of ISPs. The paper concludes by considering the prospects for reductions in users' currently very high exposure.
Internet Services Providers (ISPs), in the most general sense of the term, encompass organisations that provide any form of Internet service. One category of service is the provision of a connection to the Internet, and organisations that focus on this are conveniently referred to as Internet Access Providers (IAPs). Other categories of service include support for particular protocols such as those associated with email (SMTP, POP, IMAP), content hosting services such as web-sites, wikis and drop-boxes, document-sharing facilities such as Google Docs, and application services providers (ASPs) such as Google Apps and Zoho.
Users of ISPs fall into various categories. Many users are individuals, and their purposes may be social, entertainment or economic in nature. Organisational users can be differentiated according to whether they are incorporated or not, whether they operate for-profit or not-for-profit, and their size. It is conventional to distinguish micro-organisations from small, medium and large organisations.
The focus of this paper is primarily on users who are relatively small compared with the ISPs on whom they depend, or who for other reasons have limited market-power and who largely accept contractual terms dictated by their suppliers rather than themselves dictating the terms or negotiating terms with the ISP. Broadly speaking, many large organisations have at least the option of entering into negotiations. On the other hand, few medium-sized organisations have that option, and very few small and micro-organisations, and it is unlikely that any individual user can do anything other than accept the Terms stipulated by the ISP. (Some degree of choice may exist, however, to the extent that Terms differ significantly among ISPs).
Users utilise ISPs to transmit and store many forms of data. Emails and chat/IM services transmit text, but some messaging services also support image, video, audio and structured data such as spreadsheets and databases. Similarly, storage services may carry any of these forms. In some contexts, the terms 'information' and 'content' may be commonly applied. In this paper, the term 'data' is used to encompass all of these forms.
By using ISPs' services, users gain benefits, but they also expose themselves to a wide range of risks. The risks include low quality of service, interruptions to service, failure of service, and access to data by unauthorised third parties. The research reported on in this paper focuses on one particular category of risk - the use and abuse of the user's data by the second party, the ISP.
Some of the user's data is provided to ISPs with the expectation that they will use it for their own purposes. This applies in particular to data commercially necessary for the provision of the service, such as data needed to ensure the reliable collection of revenue and administration of the account. In some circumstances, an ISP may be under a legal obligation to gather and use some kinds of data. For example, some services are age-restricted.
Further categories of ISP activities that are outside the scope of this analysis is uses required by law, or authorised by law. Legal requirements are expressed in statute and in various forms of court order such as search warrants. Authorisation may arise where the ISP has interests that are under threat by the user, and the law provides the ISP with particular rights.
In addition, it may be technically necessary for the ISP to use some of the user's data in order to perform the service. For example, by the nature of the services that they provide, ISPs have access to the content that they transmit and store. Moreover, there are actions that ISPs necessarily take in respect of content, in order to fulfil their function, such as passing the content from one location to another and converting its form in order to achieve transmission or storage. To refer to such actions, this paper uses the expression 'actions technically necessary in fulfilling its obligations under the agreement'.
Other circumstances arise in which ISPs reasonably feel free to exploit the user's data. Where the nature of the service is that of an ePublisher, for example, exploitation is intrinsic to the service that the ISP provides. Further, where the user in effect publishes data under an open content licence, such that the content is available to any party for exploitation, the ISP acquires the same rights as all other parties.
In a great many circumstances, however, none of those conditions hold. Two categories need to be distinguished:
A further consideration is the exposure of other people's private and restricted data to a user's ISP. In the case of email and chat/IM, the words of a user's correspondents pass through the network of the user's ISP and are stored for short, medium or long periods on the systems of the user's ISP. The user's correspondents are at risk of use and abuse of their data by the ISP. This may undermine the user's relationships with the people concerned, and may give rise to liabilities such as for breach of confidence. Similar risks arise in respect of other people's files that are provided to the user by transmission through and/or storage on the user's ISP's networks and devices.
Where an ISP takes advantage of private or restricted data for its own purposes, it may breach the law of the jurisdiction in which the act is performed, may represent a breach if it were performed in the jurisdiction of the user, or may breach the ISP's Terms of Service. Such circumstances are not, however, the focus of this paper. The following section describes the method applied in order to undertake an assessment of the extent to which users are exposed to ISPs.
The risk focused on in this research is that the ISP's Terms of Service may authorise the ISP to take advantage of users' private or restricted content for its own purposes. This section provides an outline of the approach adopted to the assessment.
An analysis was undertaken of the expectations that users might reasonably have about the behaviour of ISPs in relation to their private and restricted content, and of the Terms that regulate that behaviour. The outcomes of that analysis are outlined in section 3.1.
A sample of ISPs was selected. The selection method used was stratified, purposive sampling. The rationale and outcomes are outlined in section 3.2.
Each ISP's Terms of Service were sought out. In most cases, a link to the Terms could be readily found on the home-page for the service, or from a readily-located page describing the service. In some cases, a search-engine was used to ensure that the relevant page(s) had been found.
Each ISP's Terms of Service was then examined in order to assess the extent to which the reasonable expectations of users as defined in section 3.1 were satisfied. A summary form was developed to provide an overview of the results, including an indicative mark out of 10 for each ISP's Terms.
[NEEDS SOME LEAD-IN TEXT FROM PRIOR ANALYSES, especially Clarke & Svantesson papers on consumer rights]
There is broad acceptance that non-negotiable terms may be necessary as a basis for efficient provision of consumer services, and that the power to make unilateral changes to the terms may also be necessary; but subject to vital provisos which establish controls over unfair behaviour.
[NEEDS MENTION of the Australian Industry Code - Telecommunications Consumer Protections Code C628:2007]
In summary, users and other parties with which they have a relationship, have concerns about access to, and use and abuse of, their data, for reasons that may be commercial or strategic, or may relate to such factors as confidentiality, privacy or personal safety.
Reflecting all of the above, the following are proposed as user-friendly Terms to address the risk that the ISP will take advantage of users' private or restricted content for its own purposes:
Two categories of ISP were specifically excluded:
Two categories of ISP were specifically included:
The following section reports on the findings from the assessment.
Supporting materials provide the URLs that were assessed, together with relevant extracts from the Terms, and an outline of the analysis that gave rise to the judgements made. Table 1 summarises the results. The text below interprets the results in the Table. It first considers each of the reasonable user expectations (the horizontal dimension of the table), and then the user-friendliness of the Terms offered by each ISP in the sample (the vertical dimension).
[INSERT Table 1 ABOUT HERE]
[NOTE: The Table is in RTF format, and may need to be read in Word]
In 11 of the 12 cases, an assessment can be made with reasonable confidence. In 1 case (Google Apps), the Terms are highly unclear - although it appears likely that the Terms relating to individual services are relevant and hence the other 3 Google cases apply. The paragraphs below accordingly report results in the 11 relatively clear cases.
As regards the right to use the private and restricted data of users, the approaches adopted by ISPs fall into the following groups:
In respect of the private and restricted data of other persons that come into its possession, it appears that each ISP would perceive itself to have at least the same rights as it has in relation to its users' data.
Similarly, each ISP appears to assert its rights not only to use data itself, but also to disclose data to its business partners; and that term appears to be liberally defined.
The right to unilaterally change the Terms is asserted by 10 of the 11 ISPs. The exception is Dropbox, whose Terms appear not to specify a process for making changes.
The 10 ISPs that can unilaterally change Terms adopt the following approaches to changes:
In not one single case are prior versions of the Terms visible, and in very few cases does the sole available version display the date on which it came into operation.
In not one single case do the Terms require the ISP to delete users' private and restricted data on request, and to delete it on termination of the agreement.
An analysis of the reasonableness of the Terms imposed by each ISP shows three broad approaches. For simplicity, an indicative score out of 10 is provided for each ISP:
The question investigated in this study was the extent to which users are exposed to ISPs in respect of their own private and restricted data and that of parties that they deal with. In not one single case among the sample of ISPs do the Terms that they impose satisfy users' reasonable expectations. About of ISPs scored reasonably highly, and about a third quite badly; but, in the cases of Google and LinkedIn, not one of the reasonable expectations of users is satisfied.
Improvements might come about in three broad areas - organisational reform, technical measures and legal action.
The organisations concerned might perceive benefits in voluntarily adapting their Terms to be less consumer-unfriendly. The analysis in this paper would provide a basis for such actions. It is unclear, however, what incentives exist to encourage corporations to do such things.
Technical measures could be implemented by consumers in order to greatly reduce the risk exposure. Data that is transmitted via ISPs to other parties can use protocols such as https and sftp which use encryption to ensure that the ISPs do not have access to the data. Private and restricted data that is stored on ISPs' devices could be encrypted and key management schemes could be applied that preclude the ISPs from gaining access to the decryption keys. However, this requires either a level of productisation of secure transmission and storage that has not to date emerged, or a level of maturation and sophistication on the part of users that remains as yet highly uncommon.
[SHOULD THE REMAINDER BE MORE AUTHORITATIVE, AND AIMED AT A LEGAL POLICY JOURNAL?]
Alternatively, legal measures could be used. In many countries, there is recognition that consumers have very little market power in comparison with suppliers, that some suppliers will inevitably take advantage of their market power to impose harsh terms on consumers, and hence there is a need for consumer protection laws of some kind to ensure that contracts are reasonably balanced.
In the case of the three Australian companies, the indicative scores were 4.5, 8 and 8.5 / 10, a mean of 7 / 10. In Australia, consumer protection laws of some consequence exist, and have been recently consolidated and refined. Those companies' Terms are not conformant with the Telecommunications Consumer Protection Code, and may not be conformant with consumer protection law more generally. The Terms might therefore be overridden by the courts, should a case ever be brought. The vast majority of consumers would never contemplate bringing a case, and indeed the vast majority of them are unlikely to ever be aware of the unreasonableness of the Terms and the harm that may be arising as a result of the risk exposure. Hence, even in jurisdictions where substantial consumer protection laws exist, they are clearly failing to provide any actual protection against misbehaving ISPs.
In the case of the six international companies, the indicative scores were (0, 0, 0, 0), 0, 4.5, 4.5, 7 and 7.5, a mean of 2.6 / 10 for the services or 3.9 / 10 for the companies. All six companies take advantage of US laws. These are far less consumer-friendly, and far more permissive of corporate abuse of market power in relation to the terms of consumer contracts. As a result, it is far less likely that US courts would override unfair terms. In addition, consumers outside the US are even less likely to bring test-cases in US jurisdictions than they are in their home jurisdictions. The result is that the customers of these ISPs are largely unprotected against misbehaving ISPs.
There are several ways in which the current, highly consumer-unfriendly situation might be rectified. WIthin individual countries, statutory law or codes could be negotiated or imposed, audits undertaken, civil or even criminal lawsuits mounted against recalcitrant ISPs. Even in a nominally consumer-protective nation like Australia, however, active measures of these kinds are uncommon. Even the Codes that include apparently consumer-friendly provisions are commonly ignored and seldom enforced, as was apparent from the analysis undertaken in this project.
The international arena is much more challenging. US legislatures might recognise the problem, and correct the imbalances through consumer protection laws. This would require enormous efforts by consumer advocacy organisations in order to overcome the prevailing dominance of corporate values over social values. The slow recovery of the US economy makes it much easier for industry lobby-groups to convince legislators to maintain the status quo. Another possibility would be for international pressure to be brought to bear on US legislatures. The only bloc that has potential power is the European Union, and it has a poor record in achieving change in US laws. The other possibility is multilateral fora, but these have mostly been channels for the spread of US government policy to the rest of the world, and have seldom imposed change on US domestic laws.
Realistically then, the most likely future path is that international ISPs will continue to take advantage of the laxity of US laws, and will continue to use their market power to impose unconscionable Terms on their users. In the absence of even consumer protection laws, let alone enforcement of those laws, it appears unlikely that international ISPs will be able to resist the temptation to take advantage of their self-declared rights to use the private and restricted data of their users and parties that deal with their users. Google is well-known to have been particularly active in this regard, and Google is widely perceived to be a market-leader in behavioural targeting, and an organisation whose techniques should be emulated. Further exploitation of users' private and restricted data can be predicted with considerable confidence.
Provided below are the following detailed analyses, relevant extracts from the Terms of Service, and mirrors of the Terms available in early January 2011:
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 13 December 2010 - Last Amended: 24 December 2010 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/IU-SPE-1012.html