Establishing Trust in Electronic Commerce
With Special Reference to Consumer Data Protection and Privacy
Trevor R. Stewart
New Orleans, August 1998
Technological Shaping Forces, 1750-2000
(Timeline figure; axis marks 1750, 1800, 1850, 1900, 1950, 2000)
Industrialization
Transportation
Computerization
Virtualization
Communication
Beyond...
Phenomenal growth
Total bandwidth increasing 300% annually
Internet traffic doubling every 100 days
Amount of e-business on the Internet doubling annually
Internet community growing 50% annually
130 million people on-line as of June 1998
Web adopted faster than any previous technology
E-business on the Internet could exceed $1 trillion by 2002
A Revolution in Interaction
Exploding connectivity is revolutionizing interaction, which will force fundamental change in business and precipitate the transformation of entire industries, which will make possible new ways to serve, sell, buy and organize.
Trust in the new cyberspace frontier
Security, Privacy, Assurance
“Trust, but verify” (Ronald Reagan)
Privacy and data protection are major concerns
Consumer concerns online
Violations of privacy (snooping)
Misuse of private information by an organization to whom it has been entrusted
Theft of personal information from organization to whom it has been entrusted
Corruption of personal information
Theft of identity
Fraud, theft
Harassers, stalkers, pedophiles, and other sundry weirdoes
Useful feature or invasion of privacy?
Approaches to Privacy and Data Protection
1980, OECD, “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”; 1998, “Focus on the Internet”
1974, U.S., “Privacy Act of 1974”
Legislative Approach: 1995, European Union, “Directive on Data Protection”. Also: Hong Kong, New Zealand, Taiwan, others...
Self-regulatory Approach: 1997, U.S., “Framework for Global Electronic Commerce”. Also: Canada, Japan, Australia, others...
The self-regulatory approach

Principles of Fair Information Practices
Awareness. Consumers should be informed about what information is being collected, who is collecting it, and how it will be used
Choice. Consumers should be allowed to choose whether and how their personal information is used, and choices should be easy to exercise
Data Quality. Companies should ensure that the information they collect is accurate
Data Security. Companies must protect the information they collect
Consumer Access. Consumers should have reasonable access to information about them and be able to correct it
Effective Self-Regulatory Enforcement Mechanisms
Consumer recourse. Companies should offer consumers readily available and affordable mechanisms for resolving complaints
Verification. Companies’ assertions about privacy practices and their implementation should be independently verified
Consequences. Failure to comply with fair information practices should have consequences that are stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion
The “Internet Industry” is getting involved
The Internet Alliance (IA)
Commercial Internet Exchange (CIX)
Information Technology Association of America (ITAA)
Interactive Industry Association
Software Publishers Association
Direct Marketing Association
Online Privacy Alliance
Platform for Privacy Preferences (P3P)
Complements regulatory and self-regulatory approaches to privacy
P3P is a specification of syntax and semantics for describing both information practices and data elements
Enables consumers to profile themselves once, and to choose what information may be collected about them and how it may be used and disclosed
How P3P Works
1. Web site declares privacy practices and makes a data request through a machine-readable P3P proposal
2. User’s Web browser parses the request and compares it with the privacy preferences set by the user
3. If there is a match, the transaction proceeds seamlessly
4. If not, the user is informed about the data request and the Web site’s privacy practices and given an opportunity to agree or exit the site
P3P draft published May 1998
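The four-step exchange above, modelled as an added example in Python. This is not code from the presentation or from the W3C P3P specification: the line-based proposal format, the data element names (user.email, user.name, user.phone) and the purpose and recipient vocabulary (order_completion, marketing, site_only, partners) are constructed simplifications, not the real P3P syntax. The browser-side logic is the part worth seeing: the user states preferences once, every site request is checked element by element against them, and only a complete match lets the transaction proceed without a prompt.

```python
"""Toy model of the P3P negotiation: site proposal -> browser comparison ->
proceed or prompt. Added example; the proposal format and vocabulary below
are assumed simplifications, NOT the real P3P syntax."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class DataRequest:
    element: str                 # data element the site asks for
    purposes: FrozenSet[str]     # what the site says it will use it for
    recipients: FrozenSet[str]   # who the site may disclose it to


# element -> (allowed purposes, allowed recipients); unlisted elements are denied
Preferences = Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]]


def parse_proposal(text: str) -> List[DataRequest]:
    """Steps 1-2: turn the site's machine-readable proposal into requests.
    Constructed format, one request per line:
        element=<name>; purposes=a,b; recipients=x,y
    Lines starting with '#' are comments."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = {}
        for part in line.split(";"):
            key, _, value = part.strip().partition("=")
            fields[key.strip()] = value.strip()
        if "element" not in fields:
            raise ValueError(f"malformed proposal line: {line!r}")
        requests.append(DataRequest(
            element=fields["element"],
            purposes=frozenset(p for p in fields.get("purposes", "").split(",") if p),
            recipients=frozenset(r for r in fields.get("recipients", "").split(",") if r),
        ))
    return requests


def find_conflicts(requests: List[DataRequest], prefs: Preferences) -> List[str]:
    """Step 2: compare each request with the user's stored preferences.
    Returns human-readable conflicts; an empty list means a match."""
    conflicts = []
    for req in requests:
        rule = prefs.get(req.element)
        if rule is None:
            # Anything the user never opted into is treated as denied.
            conflicts.append(f"{req.element}: not permitted by user preferences")
            continue
        ok_purposes, ok_recipients = rule
        extra_p = sorted(req.purposes - ok_purposes)
        extra_r = sorted(req.recipients - ok_recipients)
        if extra_p:
            conflicts.append(f"{req.element}: purpose(s) not allowed: {', '.join(extra_p)}")
        if extra_r:
            conflicts.append(f"{req.element}: recipient(s) not allowed: {', '.join(extra_r)}")
    return conflicts


def negotiate(proposal_text: str, prefs: Preferences) -> dict:
    """Steps 3-4: proceed silently on a match; otherwise surface the request
    and the specific conflicts so the user can agree or leave the site."""
    conflicts = find_conflicts(parse_proposal(proposal_text), prefs)
    if not conflicts:
        return {"action": "proceed", "conflicts": []}
    return {"action": "prompt_user", "conflicts": conflicts}


# Constructed sample data (assumed names, not real P3P vocabulary).
# The user profiles themselves once: each element only for order handling,
# and only for the site itself.
USER_PREFS: Preferences = {
    "user.email": (frozenset({"order_completion"}), frozenset({"site_only"})),
    "user.name": (frozenset({"order_completion"}), frozenset({"site_only"})),
}

MINIMAL_PROPOSAL = """
# site asks only for what it needs to fulfil an order
element=user.email; purposes=order_completion; recipients=site_only
element=user.name; purposes=order_completion; recipients=site_only
"""

GREEDY_PROPOSAL = """
element=user.email; purposes=order_completion,marketing; recipients=site_only,partners
element=user.name; purposes=order_completion; recipients=site_only
element=user.phone; purposes=marketing; recipients=partners
"""

if __name__ == "__main__":
    for label, proposal in (("minimal", MINIMAL_PROPOSAL), ("greedy", GREEDY_PROPOSAL)):
        result = negotiate(proposal, USER_PREFS)
        print(label, "->", result["action"])
        for conflict in result["conflicts"]:
            print("   ", conflict)
```

The minimal proposal matches and proceeds; the greedy one is stopped with three named conflicts (a marketing purpose and a partner recipient on the e-mail address, and a phone number the user never offered at all), which is exactly the information step 4 says the user should see before deciding to agree or exit.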
Seal programs
Compliance with WebTrust criteria including data protection
Membership of Better Business Bureau
Compliance with privacy statement
Customer assurance, the WebTrust™ seal of approval
The WebTrust Service: CPA provides assurance that website complies with criteria for good business practice
“Seal of Assurance” visible on the website
Seal refreshed every 3 months
Work performed under professional attest standards
VeriSign controls issuance, expiration, revocation
AICPA; Chartered Accountants of Canada / Comptables agréés du Canada

The WebTrust Criteria
Business Practices Disclosure: business terms and conditions; warranty, complaints, claims, etc.
Transaction Integrity Controls: order and billing accuracy and completeness
Information Protection: secure transmissions over Internet; protection of private information; permission to perform activities on customer’s computer
WebTrust
The legislative approach
Privacy Online: A Report to Congress, June 1998
1400 Web sites sampled March 1998
85% collect personal information
14% have information practice statements
2% have comprehensive privacy policies
“…industry’s efforts to encourage the most basic fair information practice principle - notice - have fallen far short of what is needed to protect consumers”
Recommend legislation to protect children
This summer will recommend an appropriate response to protect the privacy of all online consumers
“Accordingly, the Commission believes that, unless industry can demonstrate that it has developed and implemented broad-based and effective self-regulatory programs by the end of this year, additional governmental authority in this area would be appropriate and necessary.”
July 21 Testimony to the House Subcommittee on Telecommunications, Trade and Consumer Protection
Encouraging signs that the private sector is attempting to address consumer concerns about online privacy.
Considerable barriers to be surmounted for self-regulation to work.
An effective enforcement mechanism is crucial.
It will be difficult for self-regulatory programs to govern all or even most commercial Web sites.
continued...
European Union Directive on Data Protection
Requires all 15 member states to enact strict privacy laws
Prohibits transfer of personal information to other countries that the EU determines lack adequate protection of privacy (Article 25)
Effective October 25, 1998
Question 1: Is privacy adequately protected in the U.S.?
Question 2: If not, so what?
Stay Tuned...
Increasing public awareness of and concern about issues
Increased private sector activism
Showdown with European Union in 1998?
U.S. privacy legislation in 1999?