Copyright 1996-2008 1 B2C Distrust Factors in the Prosumer Era Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor in eCommerce, Uni. of Hong Kong; in Cyberspace Law & Policy, UNSW; and in Computer Science, ANU http://www.anu.edu.au/people/Roger.Clarke/EC/... ... Collecter08 {.html, .ppt} CollECTeR Iberoamerica Madrid 25 June 2008


B2C Distrust Factors in the Prosumer Era

Roger Clarke

Xamax Consultancy Pty Ltd, Canberra
Visiting Professor in eCommerce, Uni. of Hong Kong; in Cyberspace Law & Policy, UNSW; and in Computer Science, ANU

http://www.anu.edu.au/people/Roger.Clarke/EC/...... Collecter08 {.html, .ppt}

CollECTeR Iberoamerica – Madrid – 25 June 2008


B2C Growth Metrics are Hard to Get

• Lots of pseudo-statistics from ‘consultancies’ (Blue-sky projections from minimal data)
• Little authoritative empirical research (It’s very difficult and expensive to do)
• Considerable definitional changes over time
• Bias inherent in the data (e.g. conflating Internet Banking, shopping for a house, searching for information on products)


B2C Growth Metrics are Not Good!

• Too few committed online purchasers
• Too few success stories, and many arise from stick rather than carrot (discount air tickets)
• Mostly low transaction-values
• Mostly low conversion rates:
  • Info Searchers ==>> Customers
  • Prospects / Visitors ==>> Customers
  • Other Sites’ Customers ==>> Ours (i.e. low confidence transitivity)
• Still the same old reasons are given, i.e. Security, Trust, Privacy


Use of B2C eCommerce is Fragile

Successive security scares have been associated with pauses in growth and ‘negative adoption’. Even in Internet Banking


• Viruses
• Worms
• Phishing
• Spyware, especially keystroke-loggers


B2C Distrust Factors in the Prosumer Era

Agenda

• 'Distrust' rather than 'Trust'
• From Passive to Proactive Consumers
• Marketer - with - Prosumer Comms
• Consumer Device Insecurity
• Privacy Law, Policies and Practice


Recap: Phases of eMarketer Activity

• "Billboards along the Information Superhighway" (1994-95)

• Closed Electronic 'Communities' (AOL, MSN – 1995-97)
• Widespread adoption of the term 'B2C' (1996-)
• Push Technologies, 'web-casting' and 'channels' (1996-98)
• Info-mediaries (1997-99)
• Portals, then Vortals (1998-)
• Malware, from cookie abuse (1996-), via pop-ups (1999-) and web-bugs (1999-), to adware and spyware (2000-)
• Data rapaciousness and consumer profile construction
• Identity management and the consolidation of individual consumers' multiple identities
• Consumer Location and Tracking


The eCommerce Research Focus on 'Trust'

• "Dimensions of trust in an Internet vendor" are "competence, integrity and benevolence"

• "Benevolence is the ability of a company to hold consumer interests ahead of its own self-interest and indicates sincere concern for the welfare of the customers"

Chen S.C. & Dhillon G.S. (2003) 'Interpreting Dimensions of Consumer Trust in E-Commerce' Information Technology & Management 4, 2-3 (April 2003) 303-318


The eCommerce Research Focus on 'Trust' Has Always Been Naïve


• 'Holding consumer interests ahead of a company's own self-interest' and ‘showing sincere concern’ are in direct conflict with business culture, and with the law


What Should eCommerce Research Do?

• The Focus on 'Trust' assumes that:
  • Consumer Marketers are altruistic
  • Consumers are stupid enough to believe it
• A Focus on 'Distrust', on the other hand:
  • Draws attention to Key Impediments
  • Enables work on how to overcome them


Conventional B2C Thinking Is Several Decades Out-of-Date

• Mass Media
  One-way, broadcast mode
  Billboards, print, radio, TV
• Mass Production
  High-Volume / Low Unit-Cost
• Passive Consumers

• Interactive Multimedia
  Now Immersive Media
• Mass Customisation
  Low-Volume / Low Unit-Cost
• Active Consumers
  'rip, mix, mash' is 'what you do'


The Generations

Gen.    Birth     Age    Features
Senior  <'46      >62    Retirees
BB1     '46-'55   53-62  Early Baby-Boomers; Post-War hard work
BB2     '56-'64   44-52  Late Baby-Boomers; '60s counter-cultural loosening overlay
X       '65-'78   30-43  Mass Media; Balance of work and play
Y       '79-'99   9-29   Interactive Media, incr'gly Immersive; Have fun, constrained by work
M?      >'00      0-8    Millennials? Pervasive/always-on, why work?


Phases of Society

• Pre-Industrial
• Industrial
  Emergent from the Mid-1700s
• Post-Industrial
  Emergent from the 1960s / 1980s

• Production for Consumption
• Production for Exchange
  Progress in material wellbeing came from specialisation of labour, and separation of production from consumption activities
• Production for Consumption
  Partial, selective, but important


The 'Prosumer'
Or Proactive Producer-Consumer

• The 'do it yourself' (DIY) movement
• The 'home handyman' phenomenon
• Self-service retail stores, checkouts
• Focus groups, consumer panels
• Direct data capture (ATMs, EFT/POS)
• Internet Banking
• The free software & open source movements
• Self-help, mutual service, FAQs
• Wikipedia

Toffler A. (1980) 'The Third Wave' Pan, 1980


Conventional Publishing, 1450-1995

The Publishing Industry Value-Chain


Parts of the Publishing Industry Value-Chain

Desk-Top Publishing, 1985-20..


Electronic Publishing, 1990-20..


Cross-Media Publishing, 1998-20..

Format Conversion


Interactive 'Publishing', 1995-2095
'Bees Around a Honey-Pot'

The Honey Pot


Prosumers Have Different Expectations from Baby-Boomer & Gen-X Consumers Addled by Mass Media Massage

• 'How do you relate to me'
  Marketer - with - Prosumer Comms
• 'Which of us wears the risks'
  Consumer Device Insecurity
• 'What you do with my data'
  Privacy Law, Policies and Practices


Marketer - with - Prosumer Communications

A Normative Template

• Information
• Terms of Contract
• Security
• Choice
• Consent
• Recourse
• Redress


Marketer - with - Prosumer Communications

A Normative Template

• Information
• Terms
• Security
• Choice
• Consent
• Recourse ==>>
• Redress

Recourse
• Enquiry and Complaints Process
  • accessibility
  • prompt acknowledgement
  • copy into the consumer's email-archive
  • responsiveness to enquiry or complaint
    • acknowledgement
    • resolution
• Restitution
  • product quality shortfalls
    • own products and services
    • third-party products and services
  • fulfilment quality shortfalls
  • payment errors
• External Complaints Mechanisms
  • information provided about them
  • prompt and appropriate communications with regulators


B2C Web-Site Features Generally

There are Positives

• User-Interface
• Basic User Assistance
• Features to allay consumers’ fears about security, and about privacy
• Clarity about the point of contract
• Order checking
• Delivery Tracking
• Policy re return/exchange/credit/refund


The Overall Verdict: Appalling

• Terms of Contract
  No consolidated document
• Clarity of Terms
  Split Personality between chummy sales documents and the actual lawyer-written Terms. Inconsistencies have probable legal implications
• Prior Versions of Terms
  No access
• Changes to Terms
  Unilateral, without notice, let alone consent; and even with retrospective applicability
• Warranties and Liabilities
  Emphatic denials of all forms of warranty and liability, generally far in excess of the legal position, even asserting no responsibility for merchantable quality or errors in product descriptions
• Complaint Mechanisms
  Very poor accessibility (even no Acknowledgement!), and no information about complaints processes
• Redress
  No information at all


A Tourist’s Experience – Mon 23 Jun 08

• Guggenheim Bilbao says it offers a Wifi service
• It doesn’t. It lets a telco sell a Wifi service
• The web-page is in Spanish, and the only other option is Euskadi
• After taking money from the credit-card, no loginid or password is provided
• But the next page demands one
• It is impossible to re-display the web-page
• So the telco takes consumers’ money without providing a service


Consumer Device Insecurity

• Second-Party Threats
• Third-Party Threats:
  • Within the System
  • Within the Device
  • Infiltration by Malware
• Consumer Device Vulnerabilities
• 'Which of us wears the risks'
• How To Deal with Insecurity


A Risk Assessment Framework for Mobile Payments


Consumer Device Insecurity
Second-Party Threats

• Situations of Threat:
  • Banks
  • Telcos / Mobile Phone Providers
  • Toll-Road eTag Providers
  • Intermediaries
  • Devices
• Safeguards:
  • Terms of Contract
  • Risk Allocation
  • Enforceability
  • Consumer Rights


Consumer Device Insecurity
Third-Party Threats – Within the System
(Who else can get at you, where, and how?)

• Points-of-Payment Physical:
  • Observation
  • Coercion
• Points-of-Payment Electronic:
  • Rogue Devices
  • Rogue Transactions
  • Keystroke Loggers
  • Private Key Reapers
• Network Electronic
  • Interception
  • Decryption
  • Man-in-the-Middle Attacks
• Points-of-Processing
  • Rogue Employee
  • Rogue Company
  • Error


Consumer Device Insecurity
Third-Party Threats – Within the Device

• Physical Intrusion
• Social Engineering
  • Confidence Tricks
  • Phishing
• Masquerade
• Abuse of Privilege
  • Hardware
  • Software
  • Data
• Electronic Intrusion
  • Interception
  • Cracking / ‘Hacking’
    • Bugs
    • Trojans
    • Backdoors
    • Masquerade
  • Distributed Denial of Service (DDOS)
• Infiltration by Software with a Payload ===>>


Consumer Device Insecurity
Third-Party Threats – Infiltration by Malware
(Software with a Malicious Payload)

The Vector
• Pre-Installed
• User-Installed
• Virus
• Worm
• ...

The Payload
• Trojan:
  • Spyware
  • Performative
  • Communicative
  • Bot / Zombie
• Spyware:
  • Software Monitor
  • Adware
  • Keystroke Logger
  • ...


Consumer Device Vulnerabilities

• The Environment
  • Physical Surroundings
  • Organisational Context
  • Social Engineering
• The Device
  • Hardware, Systems Software
  • Applications
  • Server-Driven Apps (ActiveX, Java, AJAX)
  • The Device's Functions: Known, Unknown, Hidden
  • Software Installation
  • Software Activation
• Communications
  • Transaction Partners
  • Data Transmission
• Intrusions
  • Malware Vectors
  • Malware Payloads
  • Hacking, incl. Backdoors, Botnets


'Which of us wears the risks'
Consumer Device Insecurity

• In jurisdictions with strong consumer protections, consumers have not been held responsible for the security of the devices that they use to conduct transactions
• Banks in some countries recently sought to impose heavy responsibilities on consumers
• Those banks are losing that battle
• They are also losing cred with prosumers


How to Deal with Insecurities in B2C Internet Commerce

Recognise that the risks are created by:
• Technology Providers (inherently insecure products)
• Financial Institutions (inherently insecure payment processes)
• Consumer Marketers (reliance on insecure infrastructure)

Take appropriate steps:
• Educate consumers
• Provide on-demand advice to consumers
• Make appropriate software readily available
• Provide pre-packaged security-settings to download, install
• Provide understandable advice on installation, configuration


'What you do with my data'
Privacy Law, Policies and Practices

• Legal protections are very weak
• Legal protections are continually undermined by technological change
• Consumer marketers mostly 'don't get it'
• Consumer marketers commit many blunders
• Distrust of consumer marketers is rife
• Prosumers demand much more


Conclusions from a PPS Study in 2005

• The 4 large marketers have done no more than create a pretence of being privacy-protective

• The sceptical, privacy-sensitive consumer would be aghast at the level of abuse of their privacy, and would decline to conduct business with any of them

• The pragmatic consumer is likely to be keeping an eye open for alternatives, and balancing availability and reliability of service against abuses of market power

• The desirable warm glow of trustworthiness of consumer eCommerce is distinctly lacking


Things Prosumer Marketers Can Do

1 Establish a comprehensive Privacy Strategy
2 Conduct Privacy Impact Assessments (PIAs)
3 Publish Privacy Policy Statements (PPS)
4 Ensure Business Processes reflect the Strategy, the PIA outcomes and the PPS
5 Apply Privacy-Enhancing Technologies (PETs)


Snakes and Ladders


Snakes and Ladders in B2C eCommerce

• Huge Investment in Image Factors providing a small increase in Trust [really a decrease in Distrust]


• Tiny Investment in Prosumer-Oriented contract terms and privacy policies (let alone the business processes to implement them)
  When things go wrong, there is a larger decrease in Trust / increase in Distrust



BwithP Distrust Factors in the Prosumer Era

Agenda

• 'Distrust' rather than 'Trust'
• From Passive to Proactive Consumers
• Marketer - with - Prosumer Comms
• Consumer Device Insecurity
• Privacy Law, Policies and Practice


BwithP Distrust Factors in the Prosumer Era

Roger Clarke

Xamax Consultancy Pty Ltd, Canberra
Visiting Professor in eCommerce, Uni. of Hong Kong; in Cyberspace Law & Policy, UNSW; and in Computer Science, ANU

http://www.anu.edu.au/people/Roger.Clarke/EC/...... Collecter08 {.html, .ppt}

CollECTeR Iberoamerica – Madrid – 25-28 June 2008