Establishing Trust in Electronic Commerce
With Special Reference to Consumer Data Protection and Privacy
Trevor R. Stewart
New Orleans, August 1998

Technological Shaping Forces, 1750-2000

[Timeline figure, 1750 to 2000: Industrialization, Transportation, Computerization, Virtualization, Communication, Beyond...]

Phenomenal growth

Total bandwidth increasing 300% annually

Internet traffic doubling every 100 days

Amount of e-business on the Internet doubling annually

Internet community growing 50% annually

130 million people on-line as of June 1998

Web adopted faster than any previous technology

E-business on the Internet could exceed $1 trillion by 2002

A Revolution in Interaction

Exploding connectivity is

Revolutionizing interaction, which will

Force fundamental change in business, and

Precipitate the transformation of entire industries, which will

Make possible new ways to serve, sell, buy and organize

Trust in the new cyberspace frontier

Security, Privacy, Assurance

“Trust, but verify” Ronald Reagan

Privacy and data protection are major concerns

Consumer concerns online

Violations of privacy (snooping)

Misuse of private information by an organization to whom it has been entrusted

Theft of personal information from organization to whom it has been entrusted

Corruption of personal information

Theft of identity

Fraud, theft

Harassers, stalkers, pedophiles, and other sundry weirdoes

Useful feature or invasion of privacy?

Approaches to Privacy and Data Protection

1980, OECD, “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”; 1998, “Focus on the Internet”

1974, U.S., “Privacy Act of 1974”

Legislative Approach: 1995, European Union, “Directive on Data Protection”

Also: Hong Kong, New Zealand, Taiwan, others...

Self-regulatory Approach: 1997, U.S., “Framework for Global Electronic Commerce”

Also: Canada, Japan, Australia, others...

The self-regulatory approach

Principles of Fair Information Practices

Awareness. Consumers should be informed about what information is being collected, who is collecting it, and how it will be used

Choice. Consumers should be allowed to choose whether and how their personal information is used, and choices should be easy to exercise

Data Quality. Companies should ensure that the information they collect is accurate

Data Security. Companies must protect the information they collect

Consumer Access. Consumers should have reasonable access to information about them and be able to correct it

Effective Self-Regulatory Enforcement Mechanisms

Consumer recourse. Companies should offer consumers readily available and affordable mechanisms for resolving complaints

Verification. Companies’ assertions about privacy practices and their implementation should be independently verified

Consequences. Failure to comply with fair information practices should have consequences that are stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion

The “Internet Industry” is getting involved

The Internet Alliance (IA)

Commercial Internet Exchange (CIX)

Information Technology Association of America (ITAA)

Interactive Industry Association

Software Publishers Association

Direct Marketing Association

Online Privacy Alliance

Platform for Privacy Preferences (P3P)

Complements regulatory and self-regulatory approaches to privacy

P3P is a specification of syntax and semantics for describing both information practices and data elements

Enables consumers to:

Profile themselves once

Choose what information may be collected about them, and how it may be used and disclosed

How P3P Works

1. Web site declares privacy practices and makes a data request through a machine-readable P3P proposal

2. User’s Web browser parses the request and compares it with the privacy preferences set by the user

3. If there is a match, the transaction proceeds seamlessly

4. If not, the user is informed about the data request and the Web site’s privacy practices and given an opportunity to agree or exit the site

P3P draft published May 1998
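The four steps above can be sketched as browser-side matching logic. This is an added example, not part of the original slides and not P3P syntax: the JSON proposal layout, the field names (`data`, `purpose`, `disclosed_to`) and the preference structure are assumptions made for illustration.

```python
import json

# Constructed sample proposal; field names are assumptions, not P3P syntax.
PROPOSAL = json.dumps({"site": "shop.example", "requests": [
    {"data": "email", "purpose": "order-confirmation", "disclosed_to": []},
    {"data": "postal-address", "purpose": "marketing",
     "disclosed_to": ["partners"]},
]})

# Constructed user preferences, set once in the browser: for each data
# element, the accepted purposes and whether third-party disclosure is allowed.
PREFERENCES = {
    "email": {"purposes": {"order-confirmation"}, "allow_disclosure": False},
    "postal-address": {"purposes": {"delivery"}, "allow_disclosure": False},
}


def evaluate(proposal_text, prefs):
    """Steps 2-4: return ("proceed", []) on a match, else ("prompt", reasons)."""
    try:
        requests = json.loads(proposal_text)["requests"]
    except (ValueError, KeyError, TypeError):
        requests = None
    if not isinstance(requests, list):
        # A proposal that cannot be parsed never matches: ask the user.
        return "prompt", ["proposal could not be parsed"]
    reasons = []
    for req in requests:
        if not isinstance(req, dict):
            req = {}
        item, purpose = req.get("data"), req.get("purpose")
        if not (isinstance(item, str) and isinstance(purpose, str)):
            reasons.append("malformed data request")
            continue
        rule = prefs.get(item)
        if rule is None:
            # No stated preference is treated as a mismatch, not as consent.
            reasons.append(f"{item}: no preference set by the user")
            continue
        if purpose not in rule["purposes"]:
            reasons.append(f"{item}: purpose '{purpose}' not accepted")
        if req.get("disclosed_to") and not rule["allow_disclosure"]:
            reasons.append(f"{item}: disclosure to third parties not accepted")
    return ("prompt", reasons) if reasons else ("proceed", [])
```

The design choice worth noting is that every failure path (unparseable proposal, unknown data element, missing preference) ends in "prompt", so the transaction only proceeds silently on a complete match.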

Seal programs

Compliance with WebTrust criteria including data protection

Membership of Better Business Bureau

Compliance with privacy statement

Customer assurance, the WebTrust™ seal of approval

AICPA / Chartered Accountants of Canada / Comptables agréés du Canada

The WebTrust Service

CPA provides assurance that website complies with criteria for good business practice

“Seal of Assurance” visible on the website

Seal refreshed every 3 months

Work performed under professional attest standards

VeriSign controls issuance, expiration, revocation

The WebTrust Criteria

Business Practices Disclosure: Business terms and conditions; Warranty, complaints, claims, etc.

Transaction Integrity Controls: Order and billing accuracy and completeness

Information Protection: Secure transmissions over Internet; Protection of private information; Permission to perform activities on customer’s computer

WebTrust

The legislative approach

Privacy Online: A Report to Congress, June 1998

1400 Web sites sampled March 1998

85% collect personal information

14% have information practice statements

2% have comprehensive privacy policies

“…industry’s efforts to encourage the most basic fair information practice principle - notice - have fallen far short of what is needed to protect consumers”

Recommend legislation to protect children

This summer will recommend an appropriate response to protect the privacy of all online consumers

Accordingly, the Commission believes that, unless industry can demonstrate that it has developed and implemented broad-based and effective self-regulatory programs by the end of this year, additional governmental authority in this area would be appropriate and necessary.

July 21 Testimony to the House Subcommittee on Telecommunications, Trade and Consumer Protection,

Encouraging signs that the private sector is attempting to address consumer concerns about online privacy.

Considerable barriers to be surmounted for self-regulation to work.

An effective enforcement mechanism is crucial.

It will be difficult for self-regulatory programs to govern all or even most commercial Web sites.

continued...

European Union Directive on Data Protection

Requires all 15 member states to enact strict privacy laws

Prohibits transfer of personal information to other countries that the EU determines lack adequate protection of privacy (Article 25)

Effective October 25, 1998

Question 1: Is privacy adequately protected in the U.S.?

Question 2: If not, so what?

Stay Tuned...

Increasing public awareness of and concern about issues

Increased private sector activism

Showdown with European Union in 1998?

U.S. privacy legislation in 1999?
