
Page 1: PowerPoint slides

Copyright, 2000-02

E-Consent: A Critical Element of Trust in e-Business

Roger Clarke, Xamax Consultancy Pty Ltd
http://www.anu.edu.au/people/Roger.Clarke/ ...
.../EC/eConsent.html, eConsent02.ppt

15th Bled Electronic Commerce Conference, Bled, Slovenia, 17-19 June 2002

Page 2: PowerPoint slides

E-Consent: A Critical Element of Trust in e-Business
Agenda

• Trust in e-Business
• Consent
  • Definition
  • Contexts
  • Characteristics
• e-Consent
  • Process
  • Object
  • Implementations
  • Implementability

Page 3: PowerPoint slides

Fundamental Risks in All Markets That Are Perceived to Be Greater in Marketspaces

• Seller Default
• Buyer Default
• Market Operator Default
• Intermediary Default
• Service-Provider Default
• Tradable Item Quality
• Fulfilment Quality

Page 4: PowerPoint slides

Trust as an e-Business Enabler

• Cyberspace adds to Uncertainties, Risk
  • Lack of Information
  • Jurisdictional Issues
• What are you doing with my money?
• Will you really deliver the goods?
• What are you going to do with my data?

Page 5: PowerPoint slides

Trust

confident reliance by one party about the behaviour of the other parties

• Origins in kinship groups
• Extensible to cultural affinity (i.e. friends)
• Not directly extensible to business relationships
• In business, it's merely what a party has to depend on when no other form of risk amelioration strategy is available

Page 6: PowerPoint slides

Sources of Trust

• Direct Relationship: kinship, mateship, principal-agent, contract, multiple prior transactions
• Direct Experience: prior exposure, a prior transaction or trial
• Referred Trust: 'word-of-mouth', reputation, accreditation
• Symbols of Trust or Images of Trust: brands, meta-brands

Page 7: PowerPoint slides

Latest in a Long Line of Marketer Manoeuvres

Dynamic Consumer Profiling

• Self-Identifying Data, consensually provided: 'the click-trail'
• Self-Identifying Data, acquired by trickery: e.g. pseudo-surveys, cookies, web-bugs, ...
• Server-Driven Client-Side Processing: JavaScript, Java Applets, CaptiveX, spy-ware, ...
• Self-Identifying Personal Profile Data, aka 'Identity Management': esp. MS Passport / wallets, but also Liberty Alliance

Page 8: PowerPoint slides

Trust Through Buyer Protection

• Service Longevity and Reliability
• Transparency of Data About the Seller
• Fairness of Marketspace Processes
• Security of Tradable Items and Funds
• Risk Allocation / Clarity of Risk Exposure
• Safeguards such as Warranties, Recourse, Insurance, a Credible Insurer of Last Resort
• Protections for the Buyer's Data

Page 9: PowerPoint slides

Consent

concurrence by a party with an action to be taken by another party

Page 10: PowerPoint slides

Consent Context: The Human Body

• medical procedures
  • drug prescription, inoculation, surgery
• acquisition and use of body fluids/tissue/organs
  • donations of blood, semen, bone marrow, kidneys
  • organ donations from the dead
• acquisition and testing of body tissue/fluids
  • health care diagnostics
  • substance abuse testing
  • suspect identification and suspect 'elimination'

Page 11: PowerPoint slides

Consent Contexts: e-Business

• Promotion and Marketing
• Price, and Terms of Contract
  • (Invitation to Treat)
  • Offer
  • Acceptance
• Payments
• Handling of Purchaser Data
  • Commercial Confidence
  • Privacy

Page 12: PowerPoint slides

Consent and Consumer Marketing Practices

• on the street
• via mass media
• at an exhibition site
• the telephone
• physical mail-box
• email-box

(diagram labels: Customer / Prospect / Suspect)

Page 13: PowerPoint slides

Contracting and Payments

• Declaration of Offer
• Signification of Acceptance
• Consumer Choice
• Evidence of Offer and Acceptance
• Consent to Use Credit-Card Details:
  • Once and Destroy?
  • Once and Retain?
  • Once and Retain, and Re-Use?

Page 14: PowerPoint slides

Consent and Personal Data

• Consumer Expectations
  • privacy is a 'fundamental human right'
  • excited (and/or numbed) by abuses
  • excited by advocates and the media
• Particularly Serious Concerns
  • anti-discrimination categories
  • taxation and financial data
  • health data
  • household data
  • location data for persons-at-risk

Page 15: PowerPoint slides

Consent, Personal Data and the Law

• General Privacy Laws:
  • OECD Guidelines as a framework, 1980
  • EU Directive on Data Protection, 1995/98
  • US – a scatter of laws, but intransigence re a general law, hence 'safe harbor'/FCC
• Specific Laws, e.g.
  • Spam
  • EU Directive on Cookies?
• Standards, e.g. Cookies RFCs 2964, 2965

Page 16: PowerPoint slides

Consent, Personal Data and Australian Law

Under the Privacy Act 1988 as amended by the Privacy Amendment (Private Sector) Act 2000, with effect from 21 Dec 01:

• collection, use and disclosure of personal data are all subject to controls based on consent
• direct marketing is subject to some specific provisions (much less than the EU demands)
• what it all means in particular contexts is far from clear; but a level of expectation has been created

Page 17: PowerPoint slides

Characteristics of Consent – 1 of 2

• {express in writing OR
   express unrecorded OR
   implied OR
   inferred}
• {declared by 'opt-in' OR
   presumed with 'opt-out', but subject to the absence of express denial}

Page 18: PowerPoint slides

Characteristics of Consent – 2 of 2

• legal capacity
• physical and intellectual capacity
• informed
  • what scope of actions
  • who may take such action
  • for what purpose may it be taken
  • over what time-period does it apply
• freely-given
• revocable and variable
• delegable

Page 19: PowerPoint slides

e-Consent

signification by recorded electronic means of concurrence or otherwise with an action to be taken by another party

• To achieve trust in the e-business context, recording is essential, in order to enable authentication
• Recording by electronic means is highly desirable, so as to use the same facilities as the e-business transaction, and to enable automated processing of the consent

Page 20: PowerPoint slides

The e-Consent Process

Actor
(1) Initiation
(2) Declaration of Consent
(3) Expression in an e-Consent Object
(4) Transmission of the e-Consent Object
(5) Authentication of the e-Consent
(6) Application of the e-Consent

Page 21: PowerPoint slides

(1) Initiation

• two parties enter into some form of information interchange, resulting in an intention by one party to provide consent to an action by another
• possibilities include:
  • email-interchange
  • an exchange between browser and web-server
  • telephone conversation
  • personal contact

Page 22: PowerPoint slides

(2) Declaration of the Consent

• could be performed on the consent-giver’s own computing facility, or through interactions between the facilities of the two parties

• possibly an email-interchange, or an exchange between a browser plug-in and web-server script

• possibly on the site of the marketer or an agent (accountant, solicitor, financial adviser, health care professional), with a signature on an office-copy of the printed document, or a keystroke on a computer

Page 23: PowerPoint slides

(3) Expression of an e-Consent Object
(e.g. for the Specific Purpose of Data Access)

Access to <data>
by <one or more entities or identities, or categories thereof>
for <one or more purposes>
in <a context>
is [consented to | denied]
by <an identity>

Page 24: PowerPoint slides

(4) Transmission of the e-Consent Object

• Transmission Security:
  • virtual private networks (VPNs)
  • channel-encryption measures e.g. SSL/TLS
  • message-encryption tools such as PGP

Page 25: PowerPoint slides

(5) Authentication of the e-Consent

• Authentication of Individual Identity
  • possibly digital signature, perhaps using a secure token and even biometrics
  • more easily password / PIN / passphrase
• Alternatives:
  • Anonymity
  • Pseudonymity
  • Authentication of Attributes / Credentials
  • Authentication of Value

Page 26: PowerPoint slides

Conventional X.509-Based PKI

• the maths makes lots of unjustified assumptions
• private key generation is insecure
• private key storage is insecure (and unsecureable)
• X.509 certificates are privacy-hostile
• acquiring a certificate is utterly privacy-hostile
• fine print in CAs' contracts denies all liability
• key revocation is largely unsupported
• the industry is built on mythology
• no effective open, public schemes exist
• if they ever did, they'd be highly privacy-invasive

Page 27: PowerPoint slides

What Conventional PKI Does

It provides to the recipient of a message zero assurance about the identity of the sender.

It provides assurance only that the device that signed the message had access to a particular private key.

Page 28: PowerPoint slides

(6) Application of the e-Consent

• Display-Only; but with logging, log-analysis, exception-reporting, powers, action against abuses
• Authorisation / Access Control:
  • permission to access a resource (data, a process) based on consent (or legal authority, or power)
  • absence of permission results in
    • denial of access ('gatekeeper'); or
    • qualified access (with controls as above)

Page 29: PowerPoint slides

Subtleties in an e-Consent Object

• specific, operational definitions of domains on which data-items are defined, e.g. which data, which other party or which category of parties, which purpose
• supplementary data (e.g. re power of attorney)
• general consent with specific denial (all except ...)
• general denial with specific consent (none except ...)
• a hierarchy of such qualifications
• reliable date-time stamps, to support authentication

Page 30: PowerPoint slides

Existing Implementations?

• 'I accept' buttons (which deny consumer choice)
• Info-mediaries as agents (are there any?)
• MS Open Profiling Standard (OPS) (RIP?)
• So-called 'Identity Management' schemes:
  • MS XP, .NET, Passport, wallet, web-services
  • AOL Screen Name, and Quick Checkout
  • Liberty Alliance - http://www.projectliberty.org/
• W3C Platform for Privacy Preferences (P3P) - or just Platform for Publishing Privacy Policies (P4P)

Page 31: PowerPoint slides

Implementability

• Marketer uses P3P-like syntax to declare terms, in XML format, in a document on the web-site
• Consumer uses a browser to access it, and a plug-in to analyse the content and display it
• Consumer uses a browser plug-in and templates to express a consent in XML format
• Consumer transmits the consent using SSL
• Marketer uses a CGI script to analyse it, and either accept, reject, or enter into negotiations
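The following is an added worked example, not code from the slides or from the author. It ties together slide 23 (the e-Consent object template), slide 28 (applying the consent as an access-control gatekeeper), slide 29 (general consent with specific denial, general denial with specific consent, a hierarchy of such qualifications, and date-time stamps) and slide 31 (consumer expresses the consent in XML; the marketer's script accepts, rejects or negotiates). The XML element and attribute names, the `*` wildcard, the "most specific qualification wins, ties fall to denial" rule and the sample data are all assumptions made here; the slides define no schema.

```python
# Added example (not from the slides): an e-Consent object following the slide 23
# template, expressed in XML as slide 31 proposes, carrying the date-time stamps and
# qualification hierarchy of slide 29, and applied as a gatekeeper as in slide 28.
# Element/attribute names, the '*' wildcard and the tie-break rule are assumptions.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

WILDCARD = "*"  # assumption: '*' stands for "all" in a qualification


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp helper (the slides ask for reliable date-time stamps)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Qualification:
    """One line of the consent: consent to, or denial of, access to <data>
    by <party> for <purpose>. Any field may be the wildcard."""
    decision: str  # "consent" or "deny"
    data: str = WILDCARD
    party: str = WILDCARD
    purpose: str = WILDCARD

    def __post_init__(self) -> None:
        if self.decision not in ("consent", "deny"):
            raise ValueError(f"unknown decision {self.decision!r}")

    def matches(self, data: str, party: str, purpose: str) -> bool:
        return all(own in (WILDCARD, asked) for own, asked in
                   ((self.data, data), (self.party, party), (self.purpose, purpose)))

    def specificity(self) -> int:
        # More named fields = more specific; the most specific qualification wins.
        return sum(f != WILDCARD for f in (self.data, self.party, self.purpose))


@dataclass
class EConsent:
    consenter: str                 # <an identity>
    context: str                   # <a context>
    issued: datetime               # date-time stamp (UTC)
    expires: datetime | None       # time-period over which the consent applies
    qualifications: list[Qualification]

    def decide(self, data: str, party: str, purpose: str, now: datetime) -> str:
        """Gatekeeper decision: 'consented', 'denied' or 'expired'.
        Absence of any applicable permission is a denial (fail closed)."""
        if now < self.issued or (self.expires is not None and now > self.expires):
            return "expired"
        hits = [q for q in self.qualifications if q.matches(data, party, purpose)]
        if not hits:
            return "denied"
        top = max(q.specificity() for q in hits)
        # Equally specific consent and denial conflict: the denial prevails.
        if any(q.decision == "deny" for q in hits if q.specificity() == top):
            return "denied"
        return "consented"

    def to_xml(self) -> str:
        root = ET.Element("eConsent", by=self.consenter, context=self.context,
                          issued=self.issued.isoformat())
        if self.expires is not None:
            root.set("expires", self.expires.isoformat())
        for q in self.qualifications:
            ET.SubElement(root, q.decision, data=q.data, party=q.party, purpose=q.purpose)
        return ET.tostring(root, encoding="unicode")

    @classmethod
    def from_xml(cls, text: str) -> EConsent:
        root = ET.fromstring(text)
        if root.tag != "eConsent":
            raise ValueError("not an eConsent document")
        expires = root.get("expires")
        return cls(
            consenter=root.attrib["by"], context=root.attrib["context"],
            issued=datetime.fromisoformat(root.attrib["issued"]),
            expires=datetime.fromisoformat(expires) if expires else None,
            qualifications=[Qualification(c.tag, c.get("data", WILDCARD), c.get("party", WILDCARD),
                                          c.get("purpose", WILDCARD)) for c in root],
        )


def marketer_response(consent: EConsent, needs: list[tuple[str, str, str]], now: datetime) -> str:
    """Slide 31: the marketer's script checks each (data, party, purpose) it needs and
    either accepts, rejects, or enters into negotiations over the partially consented set."""
    outcomes = {consent.decide(d, p, u, now) for d, p, u in needs}
    if outcomes == {"consented"}:
        return "accept"
    if "consented" not in outcomes:
        return "reject"
    return "negotiate"


def sample_consent() -> EConsent:
    """Constructed sample (not from the slides) showing both slide 29 patterns."""
    return EConsent(
        consenter="alice", context="online-purchase",
        issued=utc(2002, 6, 17), expires=utc(2003, 6, 17),
        qualifications=[
            Qualification("consent", party="shop"),                  # all to the shop ...
            Qualification("deny", data="health"),                    # ... except health data
            Qualification("deny", purpose="marketing"),              # none for marketing ...
            Qualification("consent", "email", "shop", "marketing"),  # ... except email to the shop
        ])


if __name__ == "__main__":
    consent = EConsent.from_xml(sample_consent().to_xml())  # consumer -> marketer round trip
    now = utc(2002, 7, 1)
    for request in (("address", "shop", "delivery"), ("health", "shop", "delivery"),
                    ("email", "shop", "marketing"), ("email", "ad-network", "marketing")):
        print(request, consent.decide(*request, now))
```

The hierarchy rule is the design choice worth noting: a denial with no more specific consent above it blocks access, a general denial can still be punched through by a narrowly scoped consent, and an unmatched request is denied rather than displayed, which is the 'gatekeeper' behaviour of slide 28. Anything the marketer cannot get a clear 'consented' on becomes a negotiation item rather than a silently retained data item.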

Page 32: PowerPoint slides

e-Consent: CONCLUSIONS

• a critical element of trust in e-business
• requires maturation beyond old-fashioned 'consumer as prey' marketing philosophies
• requires inversion of current thinking about 'identity management' and marketer-controlled storage of personal data
• implementable using existing technologies
• a research opportunity
• a business opportunity