Read related articles on Business and the Internet and Privacy
We live in a world increasingly propelled by technological change. The next big thrust in a quest to make our lives better, simpler and more productive is electronic commerce (or E-commerce). What is E-commerce? Who will use it? What are the barriers to its successful implementation? How will a viable consumer model be constructed?
While I will examine the technology that makes this e-commerce possible, I will also examine the issues of trust and image in e-commerce. It is not possible to separate the issues of technology, security, and trust. The whole image that secure, Web-based commerce needs polishing if it will ever meet expectations. One prediction claims that e-commerce will achieve revenues of $200 billion globally by the end of the year 2000. Considering that in 1995 approximately $131 million of goods were purchased online, the jump to $200 billion is staggering.
The technologies that make the World Wide Web and e-commerce possible have some potentially negative components. Privacy issues are a major concern for many, since there are the means to collect consumer information easily with digital tools. Transaction security is equally important as well. These issues need timely resolution with government and business working together to ensure the privacy of consumers and the fidelity of transactions. Business and government need to develop a set of specific standards that are part of a uniform business code for transacting business on the Internet.
Without cooperation, government agencies will step in and deal in a reactionary mode to abuses that are either taking place or imagined.
ContentsWhat is E-Commerce?
Privacy and Security
Types of Possible Abuses
Trust: Building It and Keeping It
What is E-Commerce?
E-commerce is fundamentally World Wide Web-based buying and selling of goods and services. Most people see it as the ultimate form of removing the intermediary or go-between (also known as disintermediation). The basics of e-commerce can already be found in Electronic Data Interchange (EDI) that many corporations already use in conducting transactions between many of their suppliers. Nevertheless, there are many fundamental differences between EDI and e-commerce. Traditional EDI networks, known as value-added networks (VANs), are virtual private networks (VPNs) run by major well-established corporations. The biggest providers, such as AT&T, GE Information Services, and IBM Global Services, are extremely careful about protecting information that flows across these networks. As these major providers and others offer more Internet-based services, the ability to protect this information may become more difficult. As businesses increasingly choose to conduct EDI transactions over the Internet and develop e-commerce as well, the very nature of the Internet makes security and reliability real issues. With the use of substantially less secure transmission media, there will be many technical issues associated with security and reliability that will need resolution.
Louis V. Gertsner remarked in his keynote address  at CeBIT '98
"This is very exciting stuff, and the greatest changes and challenges aren't in the technology. In fact, connecting to the Net is relatively easy. The big challenge is in the fundamental transformation of the way things get done in the world. That's because networks are great levelers. They dissolve barriers to entry and neutralize traditional assets like physical stores and branches. Networks dissolve the boundaries within and between companies, countries, continents and time zones. It's not hyperbole to say that the "network" is quickly emerging as the largest, most dynamic, restless, sleepless marketplace of goods, services and ideas the world has ever seen."
These remarks reflect only the positive side of the debate. Some consider digital information highly at risk today. Data can be intercepted by organizations or individuals that will sell it to other parties, alter it, or use it for a variety of purposes. The need for fast and reliable information exchange has certainly fueled the growth of the Internet so far. If the integrity and confidentiality of information cannot be protected, than to some there is the potential that the Internet can create a great deal of damage.
Privacy and Security
According to the Tenth Edition of Merriam Webster Collegiate Dictionary, privacy and security mean
- Privacy: 1.a: the quality or state of being apart from company or observation, 1.b: freedom from unauthorized intrusion
- Security: 1.a: the quality or state of being secure, ... 4.b.1: measures taken to guard against espionage or sabotage, crime, attack, or escape
Many individuals discuss privacy and security as if they are the same. Actually, they are different and distinct, sometimes at odds with each another. When individuals conduct private transactions there is an assumption that personal information is not being divulged to others. When a transaction is secure, it is thought to be protected from assault or corruption. In this context, privacy is the ability of an individual to keep his identity confidential in the course of a transaction. An anonymous transaction, using cash as the means of payment, maintains privacy; the transaction, however, is not secure. Credit cards, on the other hand, offer security, but not privacy.
There is a balance struck in the need for both privacy and security when using different methods of payment. Individuals are willing to give up privacy for additional security or to gain more privacy, will risk some of their security. Consumers usually desire increased security when they purchase expensive items, such as a home or car. In contrast, transactions requiring personal information mean that consumers demand more privacy.
Many believe the Internet is private. Since the Internet may be used in the privacy of homes or offices, there is an illusion that transactions are private. In most cases, however, some form of record is created, whether in the course of an electronic mail message to a friend, or in trading stock or reading the latest news online.
Let's focus on disintermediation, which I mentioned earlier. For some, disintermediation is the driving force behind e-commerce. Disintermediation assumes there is nothing between the merchandiser and a customer, except a direct and personal connection from one computer to another, from one browser to another. Is there really a direct and personal connection? What are the implications for security and privacy?
Mr. Gerstner at CeBIT '98 reflected on the current state of electronic business, by examining the increasing computing power of systems ("Deep Computing") and the sophisticated algorithms that permit powerful levels of data mining. He spoke about the rise of global networks that create in turn a networked economy:
"The next milestone is what we call "pervasive computing." Fifty years ago, where did you find electric motors? In factories and power plants. They were big and expensive. Today, you might find 100 electric motors in the typical home. They're in appliances, the heating and ventilation system, the CD player, the VCR, and if you're fortunate enough, the electric toothbrush. We don't buy electric motors. They come inside all the things we use every day.
The same thing is happening with computing devices. Chips are getting so small and inexpensive, they're being embedded in everything: cars, appliances, tools, doorknobs, clothes. Most significantly, all these tiny intelligent devices will be interwoven in the global fabric of computing and communication.
And soon we'll see this hyper-extended networked world - made up of a trillion interconnected intelligent devices - intersecting with the data mining capability I spoke of earlier. "Pervasive computing" meets "Deep Computing." Companies and institutions will amass more data, more information than ever in history - and for the first time be able to do something productive with it - turn raw data into knowledge and move that knowledge to the right people instantaneously. Personally, I believe that future leadership institutions of all kinds will be those that know how to compete and win on the basis of knowledge - learning, adapting and improving using this vital asset we know as information.
"Pervasive computing" meets "Deep Computing" - trillions of interconnected intelligent devices - sounds frightening. The ability to track peoples movements, their likes and dislikes, all while being able to store and manipulate the data is comparable to being filmed and recorded 24 hours a day. While the benefits to be gained are immense, the potential pitfalls are just as large. The security of e-commerce decreases as its functionality requires the use of distributed applications that execute many transactions against multiple databases. Not to sound Orwellian, but the possibilities for abuse are enormous.
Given the potential for abuse, it is only a matter of time before legislation will mandate privacy and security mechanisms. There is some evidence to indicate Internet community will welcome government intervention on this matter. In a recent Business Week/Harris poll , the majority cited privacy concerns as the number one reason they are not using the Internet. In the same poll, 78% of extremely active Internet users said they would use the World Wide Web more if there was a guarantee of their privacy. Another 50% of those polled were of the opinion that the U.S. government should pass laws immediately addressing the issues of digital collection of personal data .
To understand the importance of these security concerns, understand that 57% of those surveyed by Business Week and Harris who use the Internet said that their decision to buy online is clearly influenced by those Web sites that have policies that guarantee security. According to Alan F. Westin of Columbia University who helped conduct the Business Week poll: "It's clearly a signal to business that they have to be more aggressive in forming privacy controls." To understand the shift that is taking place, many early backers of self-regulation are having doubts and starting to press for government intervention. Christine A. Varney, a former Federal Trade Commission (FTC) member, herself an early supporter of self-regulation remarked that "for self-regulation to make it, it has to exist - I don't think we're seeing it ."
Many Web sites do not post their policies governing privacy and the use of garnered information. Business Week examined the 100 top Web sites and discovered that only 43% posted privacy policies. Some of these policies were not only difficult to find but inconsistent in their explanations of how information is tracked and utilized. Also troubling, is the fact that TRUSTe, the non-profit organization providing a means to verify that sites are meeting certain standards for disclosure of privacy policies and independent outside auditing practices, has not met its goals. As of March 1998, they have only signed 75 sites that can display their "trustmark", well below their goal announced in June 1997, to have 750 Web sites signed on.
The lack of urgency displayed by this emerging industry to assuage the fears of consumers have raised the concerns of various agencies in the U.S. government. The Federal Trade Commission will issue a conclusive report in June 1998, detailing its findings and remedies after roughly a year of investigation. To understand the growing annoyance at the lack of effort on the part of the industry to police itself, there are now approximately 32 bills before the U.S. Congress that seek to address the issue of privacy on the Internet. These bills are running the gamut from unsolicited e-mail to placing restrictions on the disclosure of information about subscribers by online service providers.
Types of Possible Abuses
How do digital abuses manifest themselves? Let's first look at how Web sites can collect and use data. This information is gathered by Web sites with and without the consumer's knowledge. The commonest method is by using clickstream data. This method tracks where individuals travel in a site and which advertisements and content they examine and use. Cookies are one common tool; these are small files that are transferred to your computer by some Web sites when you first log on. This file allows the Web server to track preferences and usage of information; it then can be employed to target advertisements or specific content. Though cookies will allow a site to brand users, they do not disclose real names and addresses unless this information has previously been secured by other means. Some browsers allow you to determine if you want cookie files located on your computer .
More personal information, such as, e-mail address, postal address, name, sex and age are assembled when a user registers at a site. This information is also gathered from promotional "swebstakes," allowing you to enter a contest to win prizes in exchange for personal information. One firm involved in these campaigns is Matchlogic, a subsidiary of Excite, Inc. Matchlogic posts advertisements and marketing campaigns on various Web sites for approximately 65 customers.
The transfer of inaccurate data, loss of identity, stolen credit card numbers and other possible transgressions are very difficult to deal with in the real world where it is possible to determine a starting point. In the new world of electronic commerce it may become impossible to resolve problems unless all of the right tools find wide implementation .
Trust: Building It and Keeping It
Trust is defined as "the assured reliance on the character, ability, strength, or truth of someone or something, or one in which confidence is placed."
When conducting a transaction in the 'real' world as opposed to the virtual world, there is a level of trust at work gained through experience. Any system using currency has deep-seated trust. When someone purchases any merchandise and pays for it by cash, the merchant trusts that these bills are legal tender, not counterfeit, and will be accepted when he tenders them for deposit or purchase. For some, the currency of the United States is considered the safest in the world because a majority trust that the United States government will always fully back it.
This level of trust has not yet reached e-commerce. For e-commerce to flourish and reach its full potential, the same level of trust in the real world must be developed, so that the consumers, merchants and banks will have faith in the new system.
Merchants, consumers and financial institutions all need to be confident of the identity with whom they conduct business. Only when all of the above parties are truly able to trust who they are dealing with online will this business model really take off. These concerns are in the areas of:
- Identification: the method that provides the means to recognize a user to a computer system.
- Authentication: the act of positive identification, coupled with a level of certainty before granting specific rights or privileges to the individual or station that has been positively identified.
- Authorization: the act of granting a user or program the requested access.
Encryption technology is going to play a critical part in protecting confidentiality, authenticity and security. Trust online is going to be created when security issues have developed along these lines. The customers, merchants and financial institutions must trust that it is safe to conduct business online. The industry must reassure all parties by actually developing technologies that essentially substantiate trust.
There are tools and solutions addressing e-commerce security, promoted by various manufacturers, standards bodies and industry associations. This development has been quick and uncoordinated. If there is to be a greater interest in e-commerce by the public, this development needs coordination among various industry leaders, major governments, privacy and security advocates. This is the smart approach, because if there is not a coordinated effort with government involved from the beginning, there is the potential for regulations that could hinder future developments.
There are many possible solutions to attack the problem. There are standards for branding sites in compliance with privacy policies that allow potential consumers to determine where to conduct their business. There are several electronic cash and digital certificate schemes that permit authorization for purchases with differing levels of consumer privacy. Different methods allow consumers to substantiate their identity and then proceed to shop digitally without further confirmation of their identity.
The ability to ensure privacy and security online may be best carried out using sophisticated encryption algorithms. Different initiatives in the area of providing secure e-commerce fall under the different banners of privacy, identification, authentication and authorization. Let's examine a few of these initiatives.
- Secure Sockets Layer (SSL): Netscape Communications Corporation developed this security protocol, designed to reduce the chances that information being sent through the Internet would be intercepted. It does not offer a means to confirm the customer, merchant or financial institution involved in a given transaction.
- Platform for Privacy Principles: Known as P3, it supported by the World Wide Web Consortium, the Direct Marketing Association and, in the beginning, Microsoft. This developing standard tries to define and describe limits on the culling and use of users private information garnered from Web sites.
- Tokens: Small devices, usually the size of a credit card or calculator that the remote users physically carry with them. Based on a challenge-response system, when the remote user tries to log on a given authentication server a challenge is issued. The user keys the challenge into the device which then generates the correct reply. The user then sends this response to the remote server to gain access.
- Secure Electronic Transaction (SET): Developed by MasterCard and Visa, working in conjunction with partners including IBM, Microsoft, GTE, Netscape and others. It is an open, multi-party protocol, transmitting bank card payments via open networks like the Internet. SET allows the parties to a transaction to confirm each other's identity. Employing digital certificates, SET allows a purchaser to confirm that the merchant is legitimate and conversely allows the merchant to verify that the credit card is being used by it owner. It also requires that each purchase request include a digital signature, further identifying the cardholder to the retailer. The digital signature and the merchant's digital certificate provide a certain level of trust. SET is important because it offers protection from repudiation and unauthorized payments.
- Digital Certificates: Purchasers and retailers generate these certificates through the bilateral use of secret keys that authenticate the legitimacy of each party to the transaction. The majority of digital certificates conform to the CCITT (ITU) standard X.509v3. Many major companies that develop GroupWare products, such as Lotus, Novell and Microsoft, have decided that the X.509 standard is the best choice for the securing of information on the Internet. Also employed by GTE Service Corporation and VeriSign, digital certificates that are X.509 compliant are thought to strengthen both simplicity and interoperability.
- Open Profiling Standard for Authorization and Single Sign-On (OPS): Supported by Firefly, Netscape and VeriSign, it obviates the necessity for customers to reenter information that identifies them more than once at a Web site.
These are just a few of the many competing schemes vying for leadership in order to bring security, privacy and trust to the world of Internet commerce. Interoperability is crucial so that various solutions, competing for their place in the market, can work together to provide a seamless fabric for the e-commerce paradigm.
The issue of trust in e-commerce is fundamental to its eventual success. If consumers cannot trust that personal information is safe and secure, the Internet will never reach its economic potential. Guidelines like those outlined by TRUSTe, in conjunction with independent auditing, are a start. Government agencies, in conjunction with the industry, should consider establishing an 'Internet' consumer's bill of rights. This bill would categorically outline the legal policies that Web sites must follow and the remedies for redress available to consumers or visitors to the sites who have suffered harm. There should be substantial penalties for those sites and their owners who fail to address the fundamental issues described in this bill.
Computer-based crimes are on the increase; in the past two years the Federal Bureau of Investigation has recorded an increase over 250% in computer crimes. In one case, an intruder was able to break into an Internet Service Provider's network, connect a sniffer and collect numerous IDs and passwords. When this intruder was finally apprehended, the FBI retrieved 86,270 credit card numbers from 1,217 financial institutions . Another study published in April 1998, noted that a majority of Fortune 1000 firms have had their systems successfully accessed by hackers in the last year. Almost 60% of the firms admitted to losing $200,000 or more because of each computer break-in .
Government and industry must work together on encryption, resolving not only the power of the tools themselves but government access to keys necessary to decipher encrypted information. By working together with government agencies the industry can influence the type of safeguards that are put into practice. If there is resistance to cooperation with government agencies and the incident of fraud, crime and privacy continues to rise, legislative and other political solutions will be potentially more rigid .
The Internet and the World Wide Web offer enormous potential but measures need to be developed to prevent abuses from occurring in this environment. These issues need swift resolution now in a cooperative climate of industry and government working together. If action is postponed, both the industry and consumers will have to deal with the consequences of reactionary regulation in the very near future.
About the Author
Anthony Ferraro is a graduate student in the Executive Management Degree Program, Telecommunications and Computing Management at Polytechnic University, Hawthorne, New York. His degree will be conferred on June 7, 1998.
1.Lou Gerstner at CeBIT '98, http://ww w.ibm.com/tradeshows/cebit98/e/keynote_transcript.html
2. H. Green, C. Yang, and P. C. Judge, 1998. "The Internet: A Little Privacy, Please," Business Week (March 16).
3. See also D. Chaum, "Security Without Identification: Card Computers To Make Big Brother Obsolete" and M. Nash, 1997. "Future Of Web Success Relies On Converging Micro-Payment Model With Privacy Technology," Gartners Group Leaders Online (September).
4. The White House and U.S. Congress Web sites provide information on government positions on Internet privacy issues.
5. For more information on cookies, visit Electronic Privacy Information Center Cookies Page and David Braun, 1997. "Federal Websites Faulted For Privacy Practices," TechWeb News (August 27).
6. Additional sites that provide more information about Internet privacy are the Internet Fraud Watch, the California Public Interest Research Group, the Better Business Bureau, the Privacy Rights Clearinghouse and the Direct Marketing Association.
7. Rutrell Yasin, 1998. "Security Breaches Surge Over Past Two Years, FBI Says," CMPnet: Today's News (April 7).
8. Tim Wilson, 1998. "Profits Embolden Hackers," CMPnet: Today's News (March 23).
9. To understand the growing concern about privacy on the Internet, examine the following: Electronic Privacy Information Center, 1998. "Letter Regarding a Proposed White House Conference on Privacy," (February 26).
Copyright © 1998, ¡ ® s - m ¤ ñ d @ ¥