Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2016
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Roger Clarke **
Notes of 5 June 2007 for the closing Plenary Panel Session at the 20th Bled eCommerce Conference, 4-6 June 2007
© Xamax Consultancy Pty Ltd, 2007
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/EC/eCollab-0706.html
The closing session of the conference considered key topics that should be considered for the 21st Conference. The theme will be eCollaboration. I was specifically requested to address the Legal, Security and Privacy aspects, and suggest topics that need more and better attention from researchers, both generally and specifically at Bled'08.
Other panellists are considering B2B, and hence my focus here is restricted to the B2C and G2C segments. The 'C' includes not only human consumers, but also micro and small business. What they have in common is substantially less power than the corporate and government organisations at the other end of the transaction.
The use of information technologies to enhance collaboration of course holds a great deal of promise. But my comments are cautionary, because the Legal, Security and Privacy aspects of eCollaboration are more about the cloud than about the silver lining.
When people in business and government use 'up-beat' expressions such as 'binding a digital signature key to a person' and 'identity provision', they mostly overlook an important facet: to consumers and citizens, such expressions have sinister overtones. In B2C, they involve the exercise of market power over consumers in order to impose identity, collate data, and manipulate behaviour. And, in the G2C field, the term 'Joined-up Government' can signify the subversion of privacy protections (which are mostly quite weak and easily got around) in order to exercise social control.
As the other panellists have pointed out, the present phase of e-activity sees corporations relying on gratis input from consumers. They are leveraging and 'monetising' what people do, and continuing their collation of consumer profiles. So, to people inclined to be sceptical, 'eCollaboration' can mean that 'a bunch of powerful organisations are ganging up on me'.
I'll draw one general point to attention, and then outline four areas that fill out the general point and indicate topics in need of the attention of researchers.
There has been a lot of focus in recent years on trust, and it has been the subject of much theorising and behavioural research. But trust is a human matter that's extremely difficult to replicate in the context of B2C and G2C; and in many cases, nice as it might be, it isn't needed anyway.
There are plenty of incentives for people to engage in eCommerce and eGovernment - such as accessibility, savings in time, cost and effort, and out-of-hours availability. So the positive incentive of trust is mostly not critical.
What is important is that the positive incentives not be undermined by impediments. In short, our focus should be on addressing the impediment called distrust. Here are four important problem-areas that generate consumer distrust.
The entire undertaking that has gone under the names of 'access control', 'digital signatures' and 'identity management' has appeared to consumers and citizens to be aggressive and authoritarian, and designed by big organisations for big organisations, with little attention paid to the interests of the people who are expected to submit to the dictates of the scheme.
There's a need for much greater understanding, and balance. The collection of any form of identification needs to be justified. And frequently the assertions that need to be authenticated don't relate to identity. The kinds of things the organisation needs to be confidence about are assertions of fact (or the accuracy of data), assertions of value ('Here's the money. Check it now'), and attribute assertions ('I am over 18'; or 'I'm a plumber and I get the trade discount').
Meanwhile, we're still stuck with a choice between fairly primitive and subvertible identification approaches and Privacy-Enhancing Technologies (PETs) that support anonymity. In order to overcome the impediment of distrust by individuals of organisations, we need to mature beyond the 'savage PET' of anonymity to the 'gentle PET' of strongly protected pseudonymity. One of my disappointments has been the lack of interaction between the PETWorkshops community and the Bled conference.
Security has been a recurring focus, but the majority of the work in recent years has been in Critical Infrastructure Protection (CIP). Meanwhile, consumer devices have been inherently insecure, and there's been no movement to address the problem, and even now, no-one's doing anything about it.
It's been bad enough with desktops and portables, but it will get very nasty as we move to handhelds, and will be a serious impediment for MCommerce.
What's more, banks are trying to have responsibility for losses arising from insecure consumer devices imposed on the user. Even though the user has no capability to overcome that insecurity. I address these issues in a current working paper.
I'm involved in a program on Malware at UNSW, where we're considering technical and regulatory measures. Examples include standard operating environments (SOEs) for consumers, open source device-hygiene checkers (beyond virus and spyware protection), adaptations to existing laws, and the creation of new laws, such as the imposition of quality and security standards on software producers - i.e. product liability for software.
To the Scandinavians and Germans in the audience, socio-technical perspectives, soft systems methodologies and participative design are mainstream; but in many countries they have not become embedded.
In the late 1980s and early 1990s, I worked on what I called 'extra-organisational systems'. These are characterised by having nodes in the network that have no IS manager, such as boutique shops and consumers. During the last 15 years of the Internet and mobile phones, the early schemes (ATMs and EFTPOS) have been swamped by a vast array of such systems. But we haven't adequately adapted our system development processes to cope with the enormous differences between simple internal systems, more complex inter-organisational and multi-organisational systems, and the very different patterns of extra-organisational systems.
During the same period, the IFIP WG9.2 community drew to attention the distinction between 'users' and 'usees', i.e. people who are affected by a system but who are not direct users of its facilities (e.g. police intelligence systems, consumer profiling, data mining).
Many applications in the B2C and G2C segments ignore the people affected by the design, because the stakeholder definition is too limited, and hence there is not even adequate consultation, let alone participation. Schemes are rejected, or not adopted, or under-used, or abused, or at least resented. We're failing to address the impediment of distrust. Instead, our ignorance of the interests off key stakeholders is triggering negative responses.
Techniques are available to enable organisations to appreciate the needs of users and 'usees'. Privacy Impact Assessment (PIA) is well-established in Canada and Australia. The impacts can be broader than privacy alone, and some schemes demand social impact assessment.
Examples of systems for which such techniques are important include applications of identity management, RFID, biometrics, surveillance-based data collection, and almost anything done by the new Google that "knows more about you".
Many of the promises of eCollaboration are at great risk of not being realised, because eCommerce and eGovernment practitioners have failed to appreciate the enormity of the threats that their schemes represent to human interests, and the capacity of 'users' to choose to be 'non-users'.
It is important that eCommerce researchers lead eCommerce practitioners in these areas.
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 5 June 2007 - Last Amended: 16 June 2007 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/eCollab-0706.html