Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2017
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 21 February 2001
These Notes were prepared to accompany an Invited Address to the 5th Biennial Pacific Rim Computer Law Conference - Global e-Business Legal Issues for the 21st Century', Sydney, 22-24 February 2001
© Xamax Consultancy Pty Ltd, 2001
This document is at http://www.rogerclarke.com/EC/PacRimCL01.html
This presentation reviews key problems in e-business, focussing in particular on I-commerce with consumers and small business enterprises. It suggests that lawyers haven't helped much yet.
This 'e-business' word covers a lot of scope, so I'd better narrow it down a bit. I've done papers that address B2B marketspaces, e-publishing, digital property rights, electronic service delivery, and government uses of electronic tools. These topics are interesting, but not as interesting as that very popular graveyard, B2C. I include small business within the definition of 'consumer'. So my primary focus today is on what's needed if companies are to start using the Internet successfully to peddle their wares to the public and 97% of business enterprises.
I differ from a lot of commentators on a lot of aspects of this game. But let's be clear about a couple where I'm dead mainstream. I do think that trust is critical; and that means that we need have to look hard at things that contribute to trust, such as consumer rights and privacy. I'm a pedant, so let's start by defining some terms, beginning with this 'trust' thing.
Trust means a lot of different things. In the context of e-business, the focus is on trust among the parties to transactions conducted using electronic tools. I use as a working definition:
Trust is confident reliance by one party on the reasonableness and reliability of the behaviour of other parties.
Trust can be based on a relationship such as kinship, principal-agent or contract. In the absence of a direct relationship, a relying party might have direct experience of other parties to the transaction, or of the marketspace operator.
But in e-business such confidence-engendering situations mostly don't exist, and a party, especially a consumer, may have little knowledge about the other parties, nor about the tradable item, the trading process or the contingent outcomes, i.e. what happens when something goes wrong.
A proxy for direct relationships or experience is referred trust, such as 'word-of-mouth' recommendations, reputation and accreditation. These are reckoned by most commentators to be even more important in the electronic world than in the physical.
Moreover, e-business typically involves significant risk exposure for one or more of the parties, such as which party delivers or performs first and is hence exposed to the risk of other-party default. And even in intermediated marketspaces, additional risk arises if value handled by the marketspace operator passes into the ownership of that organisation, rather than being held in trust or escrow.
An important focus therefore needs to be on safeguards that address various contingencies, and clear statement of the residual risks borne by the consumer.
As a result of all of these challenges, the quality of an act of trusting may appear to an observer to be reasonable, or not. In particular, trust may be:
If you're trying to encourage trust, there are basically two ways that you can go. You can focus on trust factors, or you can do some something about the causes of the lack of trust. Everyone else wants to talk about 'trust', so I'll be my usual contrarian self, and suggest that maybe that's a good reason we haven't got anywhere yet. Instead, we should take a look at the things that cause people to distrust people and organisations that they consider e-dealing with.
One of those distrust factors is privacy. We need a term that usefully describes the many technologies that intrude into privacy. I reckon that Privacy-Invasive Technologies describes them pretty well, and that leads to the acronym 'the PITs'.
Among the host of examples of the PITs are data-trail generation through the denial of anonymity, data-trail intensification (e.g. identified phones, SVCs, and ITS), data warehousing and data mining, stored biometrics, and imposed biometrics.
During the second half of the twentieth century, public pre-occupations were shaped by Orwell's anti-utopian novel '1984' and the Cold War. So discussions about surveillance techniques tended to focus on government activities such as front-end verification, data matching, profiling, cross-system enforcement and multi-purpose identification schemes. Video-surveillance, despite its very apparent shortcomings, has assumed epidemic proportions, and there are repeated promises and threats that it has been extended by visual pattern-matching and pattern-recognition, most recently at the 2001 Superbowl. In the Internet context, agencies of the State have acquired enhanced powers to undertake surveillance of telephony, email and web-behaviour.
In recent years, there's been a switch of emphasis, as consumer marketing organisations have oustripped the public sector invaders by exploiting the potential to collect and analyse personal data. Consumer profiles are no longer based only on the individuals' dealings with a single organisation, because their data is shared by multiple merchants; and don't let's pretend that last December's legislation will change that. Telephone communications have been used to gather data, through call centre technologies and Calling Number Display (CND, aka Caller-ID and Calling Line Identification - CLI). Internet communications have been intruded upon by such tools as spam, cookies and single-pixel gifs. Commercial transactions that have long been anonymous are increasingly being converted to identified form, by denying cash and failing to implement electronic equivalents.
Some tools have been applied by both governments and the corporate sector. Many projects are in train to to impose various identification and authentication technologies on people, including multiple usage of identifiers like TFNs, Medicare Card numbers, and emergent smart-card id schemes. Even highly-intrusive biometrics have been used, and not only on people under close care and in gaols, but also on people merely visiting people in gaols, and on employees of companies that judge the security of their premises to be more important than the privacy of their employees.
Data warehousing and data mining technologies are based on the consolidation of data from multiple sources. Means have been devised to locate and track not just goods, but also vehicles and now people. Intelligent transportation systems include such seriously contentious applications as the use of the the N.S.W. Roads & Traffics Authority's Safe-T-Cam system on cars when it was stated to be expressly and only for trucks, and the denial of anonymous use of the major public thoroughfare Melbourne CityLink.
The drivers for these privacy-hostile applications have been technological determinism ('I can ergo I must'), marketing determinism ('I can imagine they need it, so I must make them need it'), and economic determinism ('everything must cost less tomorrow than it did today'). And the primary players have been corporate and government executives and technology providers.
Lawyers' contributions have been to write lots of authorities for surveillance into statutes, and to prepare and progressively revise customer contract conditions to sneak through pseudo-consent for data capture, storage, use, disclosure and sharing. The public' interests have been signally absent from all of these backroom activities.
The term 'Privacy-Enhancing Technologies' (PETs) has been doing the rounds for some time now. These are tools, standards and protocols that set out to reverse the trend. They directly assist the protection of the privacy interest.
The Editor of Privacy Law & Policy Reporter, Graham Greenleaf, invited me some time ago to provide a series of articles on PITs and PETs, and I've finally delivered the first few of them to him. In deciding what examples to give priority to, it was remarkable the range of choice I was confronted with.
I distinguish three broad kinds of PET:
Note that PETs serve needs not just of individuals, but also of organisations. For example, they protect against competitors conducting electronic traffic analysis in order to draw inferences about marketing activities, and obscure accesses to patents databases that might reveal product strategy.
These positive contributions to personal interests have come from technology providers, particularly in small start-ups and back bedrooms, but also in large organisations like AT&T, Lucent and the U.S. Naval Laboratories. A few, mainly academic lawyers have contributed analyses that consider the public's interests. But most lawyers have been aligned with governments and large corporations, who for the most part are opposed to PETs generally, especially to PIT countermeasures against their treasured marketing weapons, and to savage PETs that deny that lifeblood of marketing: identified data.
Now let's get back to that question of 'trust', and to my contrarian examination of distrust. I'll look at two categories of things. The first comprises activities that actively stimulate distrust. It would seem like a good idea for us to find any of these that are lying around, and get rid of them. Everybody knows that the term 'anti-trust' is used by lawyers, particularly of an American persuasion, in an utterly counter-intuitive way, to refer to monopoly or trade practices law. Bad luck. I'm using it as a descriptor for factors that stimulate distrust.
A week after Herbert Simon's death, it seems appropriate to use language from quantitative methods applied to management. The corporation has a simple objective function: maximise shareholder value. That objective function is subject to constraints, such as the conflicting interests of the corporation's agents, particularly its employees, environmental impacts, and interference from regulators, consumers, and the public generally. But the corporation is required by law, and perhaps even more importantly by economists, to always regards such things as nuisance value. This is summed up by one of my favourite aphorisms: 'business ethics is an oxymoron'.
There are corollaries to the rule about corporations singlemindedly pursuing shareholder value. An important one is that consumers are quarry. The very language of marketing and selling attests to that: campaigns, targets, suspects, prospects. The word 'quarry' is deliciously ambiguous. Consumer data is 'fair game', wherever it may be acquired from. And consumer data is there to be mined, or 'quarried'. The data's purpose is to achieve efficiency in marketing communications - efficiency from the corporation's viewpoint, of course.
Information technology and market power applied to consumer data has been highly evident in such cases as Lotus Marketplace, amazon.com's abuse of its clientele's data, Doubleclick's DoubleCross, the Acxiom / PBL / InfoBase, and ADMA Code of Conduct and the Private Sector Privacy Bill, which is the present government's attemnpt to do what it thought that big business wanted.
Some companies are as naive as the consumers that they hunt, and believe that consumers don't know this, never will know this, and wouldn't care if they did.
Another is what I call 'meta-brands'. A brand is variously a signifier for reputation, and a proxy for reputation. A meta-brand is an attempt to use what I called earlier 'referred trust' to add another layer of reputation, which may have some basis, or be entirely image. In the 'quality game', we had ISO 9000. In the 'privacy game', we have the various 'seals of approval' like Truste, WebTrust and about another eight look-alike competitors that have sprung up.
These meta-brands pretend to assure appropriate behaviour by web-site operators, but their appeal is only skin-deep. They were treated politely by the Privacy Commissioners' report late last year, but then they're all polite people. The facts are that meta-brands have very limited scope in comparison with the raft of real privacy rights, there are no sanctions of any consequence, there's no ability for the organisation to enforce their terms, and there's already a track record of having virtually no impact on anything or anybody. Esther Dyson didn't like it when I told her all of that when EFF announced Truste in 1997; but it was pretty obvious then, and it's even more so now.
Beyond privacy, there's the question of consumer rights. Where are the carefully designed safeguards, which protect consumers against risks that arise in e-business? Where are the declarations by sellers explaining the residual risks that the consumer bears? Where are the negotiations among industry associations, consumer associations and regulators, firstly to use statutory amendments to adapt current rights to the peculiar context of e-business, and secondly to ensure that the message gets out quickly, and that the substantial cowboy element has the message brought home to them?
It's the role of parliaments to impose regulation and sanctions, and of appropriately resourced government agencies to enforce them. Associations have available to them only contractual terms (which are of course significantly constrained by anti-trust / monopolies / trade practices laws) and moral suasion. TRUSTe conducts trademark lawsuits against companies that display the seal without having made appropriate arrangements to do so; but has not and cannot conduct lawsuits against companies that actually infringe people's privacy.
During the last couple of years, it has become conventional to assume that trust depends on a mechanism for the identification of parties who deal on the net, supplemented by authentication mechanisms to test the assertions of identity.
This is naive. The people who make this assumption think that 'authentication' means 'identity authentication'. It doesn't. Authentication is 'the process whereby a degree of confidence is established about the truth of an assertion'. One possible assertion is that a message originated with or is being received by a particular entity that is thought to be the one that uses a particular identifier. But other kinds of assertion are arguably much more relevant to trust in e-business. One is 'value authentication'. Another is 'attribute authentication', which encompasses the checking of a message-originator's role, of its authority (e.g. power of attorney), of its eligibility (e.g. age compared with some minimum or maximum, or organisational membership), and of its credentials (evidencing some qualification).
The dedication of many blinkered people to 'identity authentication' is itself one of the big impediments to trust. Back in 1997, Graham Greenleaf and myself presented an analysis of the manifold privacy threats inherent in public key infrastructure (PKI). I followed that up with a succession of papers that stated the characteristics needed of PKI that would be appropriate to public implementations such as those between citizens and government agencies, and between consumers and corporations.
The Commonwealth bodies charged with stimulating some progress in the PKI arena, the Government Public Key Authority (GPKA - recently downgraded to the Gatekeeper Policy Advisory Committee - GPAC) and the National Electronic Authentication Council (NEAC), have abjectly failed to heed the warnings. I was a member of GPKA, wasted a year's effort on the inside, and resigned in disgust. Gatekeeper has failed to fulfil the public's needs, time has moved on, and the opportunity to establish a privacy-sensitive framework for PKI in Australia has been lost.
I recently completed a more detailed analysis of the scope for current X.509v3-based PKI to deliver the goods. It concludes that they simply cannot do so, because the narrow concept of trust peddled by Verisign and its ilk is thoroughly inadequate. And if they did succeed, it would be to the serious detriment of all parties to B2C e-business, because it embeds identification and denies multiple personal roles, anonymity and even pseudonymity.
But don't think you have to rely on your lunch-time comedy relief for such information. Check out the arguments of computer scientists like Carl Ellison, Ron Rivest, Bruce Schneier and Stefan Brands, practitioners like Lynn Wheeler, and legal academics like Michael Froomkin and Jane Winn.
So, what about that other theme of this presentation: What have lawyers been doing about these anti-trust factors?
There are a few honourable mentions. My favourite is actually eBay, which measures up pretty well against my detailed checklists. But then eBay is an intermediary in the C2C space, rather than a B2C marketer. It deals with consumers on both sides, so it's logical that it would know twice as much about them as B2Cs do.
But most of the contributions from lawyers have been to implement, to entrench, to reinforce, and to exacerbate all of the problems I've been describing. It's understandable, of course. Lawyers' clients are learning very, very slowly. They are disturbed by their miserable return on investment. And hence they're apt to shoot the messenger. If a lawyer tries to educate their clients on such matters, they might be seen not as a corporate servant, but as <spit> a public interest advocate.
In addition to examining activities that actively stimulate distrust, we need to consider what the pre-conditions for trust are, and check whether the foundations are in place on which trust can be built.
If self-regulation will never do anything except convince people how untrustworthy marketers are, could a co-regulatory scheme achieve some credibility? Anything would be better than being subjected to the worst of black-letter-law regulation. I've defined what co-regulatory means in the privacy context, and there are some reasonably workable models in existence in Australian consumer rights law and practice.
American corporations, directly, and through the DMA and some other industry associations, have a seriously bad track-record in trying to hold off meaningful regulation of the private sector. And they are being successful in that endeavour at serious cost to themselves. I argued in Communications of the ACM in February 1999 that the Internet had made generic legislation inevitable in the U.S. A variety of CEOs have come over to that way of thinking, and now the only question is the extent to which business interests are able to castrate the legislation's contents.
Australian corporations, through ADMA, have been even more self-damagingly successful. They have managed to get into the recent Anti-Privacy Bill clauses that give them carte blanche - an actual authority to ride roughshod over privacy concerns. The amendments to the Privacy Act 1988 relating to the private sector are the most seriously privacy-hostile provisions ever enacted in what we used to call 'the free world'. The reputations of even relatively well-behaved Australian companies will suffer for a generation.
Quite some years ago, in a paper on 'Direct Marketing and Privacy', I enunciated a set of principles that I believed would lay the foundation for trust-based consumer Internet commerce, and I still think they hold. And from a consumer rights perspective, I provided some very simple guidelines that can make consumers a great deal more comfortable. They are considerably more extensive than the Government's meagre official guidelines. Given how little they cost, it's remarkable that so few sites feature them.
The conditions precedent for trust have to do with laws, detailed codes of conduct, sanctions, and enforcement mechanisms, and they are needed in relation to privacy just as much as consumer rights. Trust has to be based on infrastructure that the consumer has, is familiar with, and is confident in. Assurances of security have to be built into that infrastructure, and not just technical security, but also commercial security and data security. And there must be relatively few 'bad news' stories, and rapid action to address not just the instances, but also the root causes.
And, one more time, what have lawyers ever done to address these things?
Most lawyers are not professional, in the important sense of having a perspective broader than what their current client perceives to be the immediate need. Lawyers are emphatically client-centric, and their client-base is overwhelmingly big business, and not small business enterprise, micro-enterprise or consumers. They fail to temper their advice with public interest considerations, and let their preoccupation with big business's needs dominate the agenda and the content of nominally professional conferences. Funding law school activities, and performing occasional pro bono work, are good; but such activities underline how the public interest has been marginalised.
Lawyers aid and abet PITs. Lawyers assist their clients to work against PETs. Lawyers help implement the commercial aspects of anti-trust measures, and they do far too little to establish the pre-conditions for trust by consumers in B2C e-business.
I bemoan the aspects of this conference that have assumed the primacy of government and corporate interests, and those that have operated on an abstract plane, removed from the day-to-day world of social and economic activities. And I welcome those all-too-few aspects of this conference that have been alive to the public's interest, and to the realities of trust in cyberspace.
Clarke R. (1988) 'Information Technology and Dataveillance' Comm. ACM 31,5 (May 1988) Re-published in C. Dunlop and R. Kling (Eds.), 'Controversies in Computing', Academic Press, 1991, at http://www.rogerclarke.com/DV/CACM88.html
Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues', Information Technology & People 7,4 (December 1994) 6-37, at http://www.rogerclarke.com/DV/HumanID.html
Clarke R. (1997a) 'Cookies' February 1997, at http://www.rogerclarke.com/II/Cookies.html
Clarke R. (1997b) 'Spam' February 1997, at http://www.rogerclarke.com/II/Spam.html
Clarke R. (1997c) 'Regulating Financial Services in the Marketspace: The Public's Interests, Conference of the Australian Securities Commission Conference on 'Electronic Commerce: Regulating Financial Services in the Marketspace', Sydney, 4-5 February 1997, at http://www.rogerclarke.com/EC/ASC97.html
Clarke R. (1998a) 'Direct Marketing and Privacy', Proc. AIC Conf. on the Direct Distribution of Financial Services, Sydney, 24 February 1998, at http://www.rogerclarke.com/DV/DirectMkting.html
Clarke R. (1998b) 'Platform for Privacy Preferences: An Overview' (April 1998), Privacy Law & Policy Reporter 5, 2 (July 1998) 35-39, at http://www.rogerclarke.com/DV/P3POview.html
Clarke R. (1998c) 'Platform for Privacy Preferences: A Critique' (April 1998), Privacy Law & Policy Reporter 5, 3 (August 1998) 46-48, at http://www.rogerclarke.com/DV/P3PCrit.html
Clarke R. (1998d) 'Public Key Infrastructure: Position Statement', May 1998, at http://www.rogerclarke.com/DV/PKIPosn.html
Clarke R. (1998e) 'Ad Code Must Respect Web Culture', The Australian, 15 December 1998, at http://www.rogerclarke.com/EC/ACS981215.html
Clarke R. (1999a) 'Key Issues in Electronic Commerce and Electronic Publishing' Proc. Conf. Information Online and On Disc 99, Sydney, 19 - 21 January 1999, at http://www.rogerclarke.com/EC/Issues98.html
Clarke R. (1999b) 'Internet Privacy Concerns Confirm the Case for Intervention', Communications of the ACM 42, 2 (February 1999), at http://www.rogerclarke.com/DV/CACM99.html
Clarke R. (1999c) 'The Willingness of Net-Consumers to Pay: A Lack-of-Progress Report' Proc. 12th International Bled Electronic Commerce Conference, Bled, Slovenia, June 7 - 9, 1999, at http://www.rogerclarke.com/EC/WillPay.html
Clarke R. (1999d) 'Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice' Proc. User Identification & Privacy Protection Conference, Stockholm, 14-15 June 1999, at http://www.rogerclarke.com/DV/UIPP99.html
Clarke R. (1999e) '"Information Wants to be Free"' August 1999, at http://www.rogerclarke.com/II/IWtbF.html
Clarke R. (1999f) 'Person-Location and Person-Tracking: Technologies, Risks and Policy Implications' Proc. 21st International Conference on Privacy and Personal Data Protection, Hong Kong, September 1999. Revised version forthcoming in Information Technology & People, at http://www.rogerclarke.com/DV/PLT.html
Clarke R. (1999g) 'Freedom of Information? The Internet as Harbinger of the New Dark Ages' First Monday 4, 11 (November 1999), at http://firstmonday.org/issues/issue4_11/clarke/ and http://www.rogerclarke.com/II/DarkAges.html
Clarke R. (2000a) 'Privacy Requirements of Public Key Infrastructure' Internet Law Bulletin 3, 1 (April 2000) 2-6. Republished in 'Global Electronic Commerce', published by the World Markets Research Centre in collaboration with the UN/ECE's e-Commerce Forum on 'Electronic Commerce for Transition Economies in the Digital Age', 19-20 June 2000, at http://www.rogerclarke.com/DV/PKI2000.html
Clarke R. (2000b) 'Conventional Public Key Infrastructure: An Artefact Ill-Fitted to the Needs of the Information Society' November 2000, at http://www.rogerclarke.com/II/PKIMisFit.html
Clarke R. (2001a) 'DRM Will Beget DCRM' Position Paper for the W3C DRM Workshop, Sophia Antipolis, France, 22-23 January 2001, at http://www.rogerclarke.com/II/DCRM.html
Clarke R. (2001b) 'Introducing PITs and PETs: Technologies Affecting Privacy' Forthcoming in Privacy Law & Policy Reporter, at http://www.rogerclarke.com/DV/PITsPETs.html
Clarke R. (2001c) 'P3P Revisited: A neutered PET' Forthcoming in Privacy Law & Policy Reporter, at http://www.rogerclarke.com/DV/P3PRev.html
Clarke R. (2001d) 'Meta-Brands' Forthcoming in Privacy Law & Policy Reporter, at http://www.rogerclarke.com/DV/MetaBrands.html
Clarke R. (2001e) 'Towards a Taxonomy of B2B e-Commerce Schemes', Forthcoming, Proc. 14th Int'l EC Conference, Bled, Slovenia, 25-26 June 2001, at http://www.rogerclarke.com/EC/Bled01.html
Clarke R. & Dempsey G. (1999) 'Electronic Trading in Copyright Objects and Its Implications for Universities' Proc. Conf. Australian EDUCAUSE'99 Conference, Sydney, 18-21 April 1999, at http://www.rogerclarke.com/EC/ETCU.html
Clarke R., Higgs P.L. & Dempsey G. (2000) 'Key Design Issues in Marketspaces for Intellectual Property Rights' Proc. 13th International EC Conference, Bled, Slovenia, 19-21 June 2000, at http://www.rogerclarke.com/EC/Bled2K.html
Greenleaf G.W. & Clarke R. (1997) `Privacy Implications of Digital Signatures', IBC Conference on Digital Signatures, Sydney (March 1997), at http://www.rogerclarke.com/DV/DigSig.html
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 19 February 2001 - Last Amended: 21 February 2001 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/PacRimCL01.html