Published on: Sunday 25th April 1999 By: Pankaj Kamthan
Oh! What a Tangled Web We Weave,
When First We Practice to Deceive ...
- Sir Walter Scott
The Internet provides consumers with a new means for obtaining useful information and for purchasing products and services. Although this form of E-Commerce has undergone rapid growth, particularly through the use of the WWW, its growth has been inhibited by consumer fears and concerns about the risks, both real and perceived, of doing business electronically. In this article, Pankaj Kamthan discusses the following questions:
E-Commerce involves individuals as well as companies engaging in a variety of electronic business transactions using computer and telecommunication networks. Traditionally, the definition of E-Commerce has focused on Electronic Data Interchange (EDI) as the primary means of conducting business electronically between companies having a pre-established contractual relationship. Recently, however, due to the WWW's surge in popularity and the acceptance of the Internet as a viable transport mechanism for business information, the definition of E-Commerce has broadened to encompass business conducted over the Internet and includes individuals and companies not previously known to each other.
It has been estimated that the world-wide E-Commerce market will exceed $46 billion in consumer transactions by the year 2001 (courtesy IDC) and 15% of all WWW users have used it to purchase a product or service online (courtesy CommerceNet/Nielsen Media). Figure 1 illustrates the statistics of some of these market predictions.
The risks associated with E-Commerce can be broadly classified into the following categories:
E-Commerce often involves transactions between strangers. However, appearances can be deceiving and several questions arise: How can a consumer know
With the anonymity of E-Commerce, the unscrupulous can establish (and abandon) electronic identities with relative ease. This makes it crucial for people to know that the companies with which they are doing business disclose and follow certain business practices. Without such information, and the assurance that the company has a history of following such practices, consumers could face an increased risk of loss, fraud, inconvenience, or unsatisfied expectations.
It is important for consumers to have confidence that they have reached a properly identified WWW site, and that the company takes appropriate steps to protect private consumer information. Although it is relatively easy to establish a WWW site on the Internet, the underlying technology can entail a multitude of information protection and related security issues. As a result, the confidentiality of sensitive information transmitted over the Internet can be compromised. For example, without the use of basic encryption techniques, consumer credit card numbers can be intercepted and stolen during transmission. Without appropriate firewalls and other security practices, private consumer information residing on a company's E-Commerce computer system can be intentionally or unintentionally provided to third parties not related to the company's business. Security breaches may also include unauthorized access to the consumer's computer through an Internet connection. Thus, potential consumers involved in E-Commerce may seek assurance that the company has effective information protection controls and a history of protecting private consumer information.
Without proper controls, electronic transactions and documents can be easily changed, lost, duplicated and incorrectly processed. These attributes may cause the integrity of electronic transactions and documents to be questioned, causing disputes regarding the terms of a transaction and the related billing. Potential consumers involved in E-Commerce may seek assurance that the company has effective transaction integrity controls and a history of processing its transactions accurately, completely, and promptly, and of appropriately billing its consumers.
This section emphasizes the significance of privacy and transaction security from the consumer's viewpoint.
According to the GVU Center's 10th WWW User Survey (October 1998), a very high number of users value their privacy on the Internet (Figure 2). Privacy is also currently the most important issue facing Internet users (Figure 3) and a major reason for people not purchasing (Figure 4).
According to the GVU Center's 10th WWW User Survey (October 1998), security (or the loss thereof) in E-Commerce is a cause of serious concern (Figure 5) for Internet users and is a primary reason for people not purchasing (Figure 4).
Usually, international laws for businesses, including quality control and consumer rights, vary from country to country. Therefore, for example, in case of a violation of conditions of payment or fraud, it might be prohibitive or relatively expensive for a customer in Australia to pursue a company in Canada. Such possibilities have led to a large number of consumers being very concerned about international business, as shown in Figure 6.
There are various issues related to privacy and transaction security that can arise during business transactions. This section outlines such problems and suggests some solutions. By taking appropriate steps on your WWW site, you can increase consumer confidence.
Most WWW servers log every access to them. The log usually includes the IP/DNS address, the time of the download, the user's name (if known by user authentication or obtained by the identd protocol), the URL requested, the status of the request, and the size of the data transmitted. Some browsers also provide the client used by the reader, the URL that the client came from, and the user's e-mail address. Revealing any of these data could be potentially damaging to a user.
Many users these days are aware of the information related to them being logged (Figure 7), but do not necessarily support all of it (Figure 8). It seems that the only information about themselves that users recommend logging is the page and the time of its request, and the browser being used. Many users seem to be comfortable with providing demographic information if its intent and application are made clear to them. As Figure 9 shows, they would volunteer demographic information to a site if a statement were provided as to what information is being collected and how it will be used, and if the data would be used in aggregate (as opposed to individual) form only.
Thus, for a site to gain consumer trust, its policies regarding any practices that involve using records of user accesses for statistics generation and/or debugging should be made known to the users. If such access logs are being used for purposes other than statistical ones, such as creating mailing lists, then users should be made aware of that. Such a "disclaimer" can appear at places where users have to fill in a form field (in cases such as ordering a product, subscribing to a mailing list, etc.), as well as in a section with the company's "privacy policies".
A lapse in security can lead to loss of privacy. Some sites may leave the server logs open for casual viewing by local users at the site. It is therefore important that the site be well administered and that its log files be kept secure.
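The following Python example is added here and is not from the original article. It reduces Combined Log Format entries to the three fields the surveyed users accepted being logged (time, page and browser), writes them to a file that only its owner can read, and checks a log file's permissions; the sample lines, the output layout and the function names are constructed assumptions.

```python
import os
import re
import stat

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

def minimise(line):
    """Keep only time, page and browser; drop host, ident, user and referer."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None  # malformed lines are dropped, never copied through
    page = m.group("url").split("?", 1)[0]  # query strings can carry form data
    return {"time": m.group("time"), "page": page,
            "browser": m.group("agent") or "-"}

def write_private(path, lines):
    """Write minimised entries to a file only its owner can read or write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a file that already existed
    kept = 0
    with os.fdopen(fd, "w") as out:
        for line in lines:
            entry = minimise(line)
            if entry:
                out.write("{time}\t{page}\t{browser}\n".format(**entry))
                kept += 1
    return kept

def log_is_private(path):
    """True if neither group nor others have any access to the log file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

# Constructed sample lines (documentation addresses, invented user and pages)
SAMPLE = [
    '192.0.2.10 - alice [25/Apr/1999:10:15:32 +0000] '
    '"GET /order.html?email=a%40example.org HTTP/1.0" 200 2326 '
    '"http://example.org/start.html" "Mozilla/4.5 [en] (WinNT; I)"',
    '192.0.2.11 - - [25/Apr/1999:10:16:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    'not a log line',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(minimise(raw))
```

Running `log_is_private` over the server's existing log directory is a quick audit for the "open for casual viewing" case described above.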
A "cookie" is a mechanism to make up for the stateless nature of the HTTP protocol. Cookies can be used to store information that you have provided at some point when you access a WWW site. Among that data are the name and IP address of your computer, the flavour of browser you are using, the operating system you are running, the URL of the WWW document you accessed, and the URL of the document you were last viewing. Such information can be used for controversial purposes. Figure 10 shows that a high percentage of users do accept cookies. This consumer trust should not be betrayed. Along with the other privacy policies a site uses, the policy for cookies should also be made known to the users.
In many ways the transaction security of a WWW site can be compromised. There are numerous means for an unsavory individual to snoop into what you are sending or receiving from the other end, including, but not limited to, the following:
In each of these cases, the risk can be alleviated (or greatly reduced). In the cases of spoofing and sniffing, the preferred technique is to use data encryption, or signed data for the transaction. When the receiving end gets what your server sends them, they must have the appropriate key to decrypt and make use of it. In the case of traffic analysis of the data files, assigning the file permissions on the directory, logs, and the files themselves is the preferred technique. The logs themselves can be encrypted for permanent archival. Nowadays, most commercially available servers and their respective clients implement encrypted transactions via some, usually proprietary, means.
The credit card is one of the primary means of electronic payment on the WWW. Although a large percentage of users (20%) reported that they had their credit card stolen (Figure 11), there is still a lot of consumer confidence (Figure 12) in the credit card as a mode of payment. Again, this trust should not be betrayed, and arrangements should be made to assure those who are reluctant (25%).
However, E-Commerce security is more than simply encrypting the transactions. Businesses must also ensure that sensitive consumer information, such as credit card numbers, cannot be abused by employees. They should not store unencrypted credit card information on the system's hard drive, nor should that information ever be stored in cookies. Remote users should not be asked to submit their credit card number in a fill-out form field unless you are using an encrypting server/browser combination. Even with an encrypting server, you should be careful about what happens to the credit card number after it is received by the server. For example, if the number is received by a server script, make sure not to write it out to a world-readable log file or send it via e-mail to a remote site. Consumers should be made aware of companies' policies regarding the use and archival of credit card numbers after they have been received.
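As an added example (not code from the original article), the Python below shows one way a server script can keep card numbers out of whatever it logs or e-mails: known card fields are dropped outright, and any Luhn-valid 13 to 19 digit sequence found in free text is masked to its last four digits. The form field names are hypothetical, and the card number used is the widely published test value, not a real account.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Hypothetical form field names that must never reach a log or an e-mail
SENSITIVE_FIELDS = {"card_number", "ccnum", "expiry"}

def luhn_ok(digits):
    """Luhn checksum: separates likely card numbers from order ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def redact_pans(text):
    """Mask Luhn-valid card numbers in free text, keeping the last four digits."""
    def mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # not a card number: leave unchanged
        return "[CARD ****" + digits[-4:] + "]"
    return PAN_RE.sub(mask, text)

def log_line_for(form):
    """Build the only representation of a submitted form that may be logged."""
    parts = []
    for key in sorted(form):
        if key.lower() in SENSITIVE_FIELDS:
            value = "[REDACTED]"    # known card fields are dropped entirely
        else:
            value = redact_pans(str(form[key]))  # safety net for free-text fields
        parts.append("%s=%s" % (key, value))
    return " ".join(parts)

# Constructed sample submission
SAMPLE_FORM = {
    "name": "A. Buyer",
    "card_number": "4111 1111 1111 1111",
    "note": "please charge 4111111111111111, order 1234567890123456",
}

if __name__ == "__main__":
    print(log_line_for(SAMPLE_FORM))
```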
Some types of transactions, especially credit card purchases, may require that you assure the security of the transaction itself. There are schemes such as First Virtual Accounts, Digicash, and SET, that have been developed to process commercial transactions over the WWW without transmitting credit card numbers or other confidential information.
Recently, in order to gain consumer confidence, many companies have joined programs administered by objective third parties to make their privacy policies and their business practices explicit. Two particularly notable initiatives in that direction are: the WebTrust E-Commerce seal of assurance from the public accounting profession and the TRUSTe "trustmark" program that takes users directly to the privacy statement of a company that has joined a program. In some sense, these "global" efforts are supplementary to the "local" efforts discussed above, as they provide credibility to them.
In response to the concerns related to E-Commerce and to increase consumer confidence, the public accounting profession has developed and is promoting a set of principles and criteria for business-to-consumer E-Commerce, referred to as the WebTrust™ Principles and Criteria, and the related WebTrust seal of assurance. Independent and objective certified public accountants (CPAs) or chartered accountants (CAs), who are specifically licensed by the American Institute of Certified Public Accountants (AICPA) or the Canadian Institute of Chartered Accountants (CICA), can provide assurance services to evaluate and test whether a particular WWW site meets these principles and criteria.
The WebTrust seal of assurance is a symbolic representation of a practitioner's objective report. It also indicates to consumers that they need to click to see the practitioner's report. This seal can be displayed on the company's WWW site together with links to the practitioner's report and other relevant information. This seal was developed by AICPA, CICA and VeriSign. VeriSign encryption and authentication technology and practices help assure the consumer that the seal on a WWW site is authentic and the site is entitled to display it:
A list of participants of WebTrust program is available. It is anticipated that this service will be taken up by CAs and CPAs around the world.
To quantify and characterize the need for an E-Commerce assurance service, POLLARA, a Canadian research company, conducted a nationwide survey designed to assess the opinions, perceptions and concerns about E-Commerce over the Internet. The POLLARA study concluded that about 59% of Internet users who have been held back from conducting e-commerce transactions, say that they would be more likely to conduct an online transaction if they were given some assurance about the security and privacy of their personal information and the delivery of the right product. Nearly 70% of Internet users under the age of 35, say their Internet purchasing would increase with these assurances. U.S. research reflects similar results. In a study commissioned by the AICPA, Yankelovich Partners found that 78% of Internet users have a favourable impression of the WebTrust concept.
TRUSTe offers a program that addresses the privacy concerns of consumers and WWW sites. The TRUSTe program enables companies to develop privacy statements that reflect the information gathering and dissemination practices of their site. Its goal is to provide:
A cornerstone of the program is the TRUSTe "trustmark," an online branded seal that takes users directly to a company's privacy statement:
The trustmark is awarded only to sites that adhere to TRUSTe's established privacy principles and agree to comply with the ongoing TRUSTe oversight and resolution process. The privacy principles embody fair information practices approved by the U.S. Department of Commerce, Federal Trade Commission, and prominent industry-represented organizations and associations.
TRUSTe's program has gained significant momentum in the past year, as online publishers mobilize to address the privacy concerns of their consumers. Since February 1998, many prominent companies have signed on as TRUSTe participants, including America Online, The New York Times, and Yahoo! A complete list of TRUSTe program participants is also available.
W3C's Platform for Privacy Preferences Project (P3P) provides a framework for informed Internet interactions. The goal of P3P is to enable WWW sites to express their privacy practices and users to exercise preferences over those practices.
P3P is designed to help users reach agreements with services, such as WWW sites that declare privacy practices and make data requests. As the first step towards reaching an agreement, a service sends a machine-readable proposal in which the organization responsible for the service declares its identity and privacy practices. This privacy proposal enumerates the data elements that the service proposes to collect and explains how each will be used, with whom data may be shared, and whether data will be used in an identifiable manner. The set of statements that may be made in a proposal is defined by a core set of information practice disclosures designed to describe what a service does. Proposals can be automatically parsed by WWW user-agents such as WWW browsers or servers, and compared with privacy preferences set by the user. Thus, users need not read the privacy policies at every WWW site they visit. If a proposal matches the user's preferences, the user agent may accept it automatically by returning a "fingerprint" of the proposal. If the proposal and preferences are inconsistent, the agent may prompt the user, reject the proposal, send the service an alternative proposal, or ask the service to send another proposal.
P3P uses RDF/XML as a format for making privacy statements as well as for exchanging data under user control. P3P will support future digital certificate and digital signature capabilities as they become available.
Although P3P provides a technical mechanism for ensuring that information is released only under an acceptable agreement, it does not provide a technical mechanism for making sure services act according to their agreements. However, laws and self-regulatory programs can provide enforcement mechanisms. For example, P3P proposals may include reference to an assuring party that may take legal action against the service provider if it violates an agreement.
P3P gives users the ability to make informed decisions regarding their WWW experience and their ability to control the use of their information. Sites can use P3P to increase the level of confidence users place in their services.
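The matching step a user agent performs, as described above, can be modelled in a few lines of Python. This is an added example, not part of the original article and not P3P syntax: the field names, the preference structure and the use of a SHA-256 digest as the "fingerprint" are all assumptions made for illustration.

```python
import hashlib
import json

def stmt(element, purpose, shared=False, identifiable=False):
    """One statement of a proposal: what is collected, why, and how it is used."""
    return {"element": element, "purpose": purpose,
            "shared": shared, "identifiable": identifiable}

def fingerprint(proposal):
    """Digest of a canonical serialisation, so both sides refer to the same text."""
    canon = json.dumps(proposal, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def evaluate(proposal, prefs):
    """Return ("accept", fingerprint), ("reject", reasons) or ("prompt", reasons)."""
    hard, soft = [], []
    for st in proposal["statements"]:
        elem = st["element"]
        if elem in prefs["never_release"]:
            hard.append("%s: never released" % elem)
            continue
        allowed = prefs["purposes"].get(elem)
        if allowed is None:
            soft.append("%s: no preference set" % elem)
            continue
        if st["purpose"] not in allowed:
            soft.append("%s: purpose '%s' not allowed" % (elem, st["purpose"]))
        if st["shared"] and not prefs["allow_sharing"]:
            soft.append("%s: shared with third parties" % elem)
        if st["identifiable"] and not prefs["allow_identifiable"]:
            soft.append("%s: used in identifiable form" % elem)
    if hard:
        return ("reject", hard + soft)  # agent refuses without asking the user
    if soft:
        return ("prompt", soft)         # inconsistent: let the user decide
    return ("accept", fingerprint(proposal))

# Constructed preferences and proposals (all names are hypothetical)
PREFS = {
    "never_release": {"card_number"},
    "purposes": {"page_requested": {"statistics", "debugging"},
                 "age_group": {"statistics"}},
    "allow_sharing": False,
    "allow_identifiable": False,
}
PROPOSAL_OK = {"entity": "shop.example", "statements": [
    stmt("page_requested", "statistics"), stmt("age_group", "statistics")]}
PROPOSAL_MAILING = {"entity": "shop.example", "statements": [
    stmt("age_group", "mailing_list", shared=True)]}
PROPOSAL_CARD = {"entity": "shop.example", "statements": [
    stmt("card_number", "statistics")]}
```

The model reflects the limit noted in the text: an "accept" records what the service declared, not what it later does with the data.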
Towards Building a Web that We Can Believe In
The WWW has captured the attention of businesses and consumers, causing the number and types of electronic transactions to grow rapidly. Nevertheless, many feel that E-Commerce will not reach its full potential until consumers perceive that the risks of doing business electronically have been reduced to an acceptable level. Consumers may have legitimate concerns about transaction integrity, control, authorization, confidentiality and anonymity. For the business to thrive, such issues must be addressed at all costs by a company involved in E-Commerce.
In the faceless world of E-Commerce, consumers need the assurance of an objective third party. This assurance can be provided by independent and objective initiatives such as WebTrust that set criteria and provide verification for E-Commerce. The standards for privacy are higher for a medium with the power and reach of the Internet. There is a need for enforceable standards for privacy that consumers can rely on and trust. Programs such as TRUSTe and P3P can help meet consumers' expectations about privacy and build trust in the online medium.
I would like to thank Hervé Mamodhoussen, C.A., for introducing me to the WebTrust project. Statistical graphs and icons presented here are copyrights of respective organizations, and their use is hereby acknowledged.