Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2009-11 1. Copyright 2009-11 2 Copyright 2009-11 3 Roger Clarke Xamax Consultancy and PSARN Security, Canberra Visiting Professor in Computer.

Similar presentations


Presentation on theme: "Copyright 2009-11 1. Copyright 2009-11 2 Copyright 2009-11 3 Roger Clarke Xamax Consultancy and PSARN Security, Canberra Visiting Professor in Computer."— Presentation transcript:

1 Copyright 2009-11 1

2 Copyright 2009-11 2

3 Copyright 2009-11 3 Roger Clarke Xamax Consultancy and PSARN Security, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 24th Bled eConference 14 June 2011 http://www.rogerclarke.com/EC/CCC {.html,.ppt} The Cloudy Future of Consumer Computing

4 Copyright 2009-11 4 Consumer Computing Functions Email Web-Sites Personal Blogs Micro-Blogs (Twit) Personal Galleries Personal Music and Video Libraries Doc Prep File-Sharing Personal Databases (Acc, Family Trees)

5 Copyright 2009-11 5 Consumer Computing Email clients, with smtp/pop/imap Personal Web-Sites Office on the Desktop FTP-server and -client Functions Applications 1975-2000 Email Personal Galleries Doc Prep File-Sharing

6 Copyright 2009-11 6 Consumer Computing Email clients, with smtp/pop/imap Personal Web-Sites Office on the Desktop FTP-server and -client Webmail, with http Flickr, Picasa Zoho, Google Docs Dropbox Functions Applications ==>> Services 1975-2000 2000- Email Personal Galleries Doc Prep File-Sharing

7 Copyright 2009-11 7 The Research Question How well are Consumer Computing Services satisfying consumers needs? To the extent that there are problems, what should be done about them?

8 Copyright 2009-11 8 Consumers – Segmentation Age / 'Generation'

9 Copyright 2009-11 9 The Generations of Computing Consumers

10 Copyright 2009-11 10 The Generations of Computing Consumers Baby Boomers (45-65) Handshake/phone, PCs came late, had to adapt to mobile phones Work is Life, the team discusses / the boss decides, process-oriented GenXs (30-45) Grew up with PCs, email and mobile phones, hence multi-taskers Work to Have More Life, expect payback from work, product-oriented GenYs (15-30) Grew up with IM/chat, texting and video-games, strong multi-taskers Life-Work Balance, expect fulfilment from work, highly interactive iGens (to 15) Growing up with texting, multi-media social networking, networked games, multi-channel immersion / inherent multi-tasking ?Life before Work, even more hedonistic, highly (e-)interactive

11 Copyright 2009-11 11 Consumers – Segmentation Age / 'Generation' Education, Income, Wealth Infrastructure Availability Technical Capability Opportunity-Awareness Leadership / Followership Risk-Awareness, Risk-Aversion

12 Copyright 2009-11 12 Challenges Inherent in the Research Domain Diversity: of technologies of consumers of consumer uses of technologies Ongoing, rapid change / unstable phenomena Can 'consumer requirements' be operationalised? Can 'consumer disbenefits and risks' be evaluated?

13 Copyright 2009-11 13 Requirements, Disbenefits and Risks The Organisational Perspective 1.Operational Requirements Dependability on a day-to-day basis 2.Contingent Risks Low likelihood, but highly significant 3.Security Risks 4.Commercial Disbenefits and Risks 5.Compliance Disbenefits and Risks

14 Copyright 2009-11 14 Org 1.Operational Requirements Fit – to users' needs, and customisability Reliability – continuity of operation Availability hosts/server/db readiness/reachability Accessibility network readiness Usability response-time, and consistency Robustness frequency of un/planned unavailability (97% uptime = 5 hr per week offline) Resilience speed of resumption after outages Recoverability service readiness after resumption Integrity – sustained correctness of the service, and the data Maintainability – fit, reliability, integrity after bug-fixes & mods

15 Copyright 2009-11 15 Org 2.Contingent Risks Major Service Interruptions Service Survival – supplier collapse or withdrawal Safeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers Data Survival – data backup/mirroring/synch, accessibility Data Acessibility – blockage by opponents or a foreign power Compatibility – software, versions, protocols, data formats Flexibility Customisation Forward-Compatibilityto migrate to new levels Backward-Compatibilityto protect legacy systems Lateral Compatibilityto enable dual-sourcing and escape

16 Copyright 2009-11 16 Consumer Requirements and Risks – 1 of 3 The Basic Needs Does it do what I want it to do? [Fit] Will it be there when I want it? [Availability, Reliability] The Basic Protections How do I keep going if it stays fallen over for a long time? [Service Interruptions] Will you respond helpfully and quickly enough when I ask for help? [Customer Service] Will you lose my data, or muck it up? [Data Integrity] Do I get my data back if you fall over or withdraw the service? [Survival] Can I move my data to another supplier? [Lateral Compatibility] Who can I complain to if I get dudded, and will they actually help me? [Consumer Protection]

17 Copyright 2009-11 17 Consumer Requirements and Risks – 2 of 3 More Advanced Needs Will it keep doing what it does now? [Service Integrity] Will it stay up-to-date? [Future Fit] Will it fall over too often? [Robustness] Will it come back quickly after it falls over? [Resilience] Is my service protected against you, them and the gods? [Service Security] If bits of it are broken, will you fix it without breaking it some more? [Maintainability] Can I fiddle with it a bit if I need to? [Flexibility] Can I move my data to an upgraded version? [Forward Compatibility] How long will old versions keep working for me? [Backward Compatibility] Am I breaking the law if I use the service? [Legal Compliance]

18 Copyright 2009-11 18 Consumer Requirements and Risks – 3 of 3 More Advanced Protections Am I going to get gouged? [Cost] Can only appropriate people get in and do things? [Authentication and Authorisation] Can I get access to all data that you hold about me? [Subject Access] Is my data protected against you, them and the gods? [Data Security] Is my privacy protected against you, them and the gods? [Privacy Controls] If I terminate our relationship, will my data be irretrievably deleted? [Fully Effective Withdrawal] What happens to my data if I die? [Archival / Memorialisation]

19 Copyright 2009-11 19 How are Consumer Requirements Satisfied? How are Consumer Risks Managed? Through the Provider: Terms of Service Policies Practices Through the State: Law Regulatory Resources Regulatory Enforcement Through Private Litigation

20 Copyright 2009-11 20 How are Consumer Requirements Satisfied? How are Consumer Risks Managed? Through the Provider: Terms of Service Policies Practices Through the State: Law Regulatory Resources Regulatory Enforcement Through Private Litigation

21 Copyright 2009-11 21 Research Method Preliminary Phase... Empirical Phase Validation of Consumer Requirements Sample Selection In-Depth ToS Studies Comparative ToS Studies Articulation Phase...

22 Copyright 2009-11 22 Research Method Preliminary Phase Studies of the Domain Definition of Consumer Requirements Accessibility of ToS In-Depth Study of 1 ToS Comparative Study of ToS re 1 Cluster of Terms Consumer Protection Laws, Resources, Enforcement Empirical Phase Validation of Consumer Requirements Sample Selection In-Depth ToS Studies Comparative ToS Studies Articulation Phase...

23 Copyright 2009-11 23 Research Method Preliminary Phase Studies of the Domain Definition of Consumer Requirements Accessibility of ToS In-Depth Study of 1 ToS Comparative Study of ToS re 1 Cluster of Terms Consumer Protection Laws, Resources, Enforcement Empirical Phase Validation of Consumer Requirements Sample Selection In-Depth ToS Studies Comparative ToS Studies Articulation Phase Discussions with Providers Expression of Model Terms Interactions with Consumer Advocacy Organisations, Regulators, Policy Makers

24 Copyright 2009-11 24 1.Accessibility of the Terms of Service The Current Version of the ToS In all cases, they are on the web-site Generally, no date of applicability is provided Prior Versions of the ToS In not one case are prior versions visible Changes to the ToS All but one ToS claim the right to unilaterally change the Terms: most do not require notice, but just an announcement somewhere on the website, and changes have immediate effect a few require that notice be provided, the change is to be explained, and the notice is to be provided in advance, and by user-convenient means

25 Copyright 2009-11 25 Accessibility of the Terms of Service The Significance for Consumers Consumers can only know what Terms apply to an earlier transaction if they mirrored the Terms at the time The Terms applicable to the next transaction may not be the same as they were for previous transactions The Terms applicable to transactions and to the consumers data are entirely under the provider's control Consumers can place no reliance on what they may have previously read or heard about the Terms

26 Copyright 2009-11 26 2.In-Depth Study of Terms of Service LinkedIn A (social) networking service for professionals A Priori: Its users should be well-informed and demanding So the provider is likely to: address its customers' needs balance their interests against the company's So it can be expected to provide a benchmark

27 Copyright 2009-11 27 LinkedIn In-Depth No responsibility to provide the service, to do so reliably, or to sustain data stored in it Subscribers must disclose physical location, even if irrelevant No internal complaints process No rights to restitution, no liability for identity fraud LinkedIn gains rights to customers' data that are almost equivalent to the rights of the customers themselves Unilateral changes to the Privacy Statement, without notice Storage in the USA under lax privacy laws No undertakings to control the behaviour of staff Enforced 'permission' to disclose personal data, without legal authority, "to assist government enforcement agencies" Inadequate subject access and correction rights

28 Copyright 2009-11 28 LinkedIn In-Depth The Significance for Consumers LinkedIn projects itself as a networking service for well-informed and demanding professionals It was expected to provide a benchmark In fact, many aspects are badly handled Not a benchmark, but rather a considerable concern

29 Copyright 2009-11 29 Terms of Service 3.Clusters Service-Level Warranties and Indemnities Lateral Compatibility ('Can I get my data out?') Authentication and Authorisation Second-Party Risk Exposure Third-Party Risk Exposure Data Deletion Subject Access Customer Service Complaints-Handling – Internal, External

30 Copyright 2009-11 30 Terms of Service 3.Clusters Service-Level Warranties and Indemnities Lateral Compatibility ('Can I get my data out?') Authentication and Authorisation Second-Party Risk Exposure Third-Party Risk Exposure Data Deletion Subject Access Customer Service Complaints-Handling – Internal, External

31 Copyright 2009-11 31 Consumer Requirements and Risks – 3 of 3 More Advanced Protections Am I going to get gouged? [Cost] Can only appropriate people get in and do things? [Authentication and Authorisation] Can I get access to all data that you hold about me? [Subject Access] Is my data protected against you, them and the gods? [Data Security] Is my privacy protected against you, them and the gods? [Privacy Controls] If I terminate our relationship, will my data be irretrievably deleted? [Fully Effective Withdrawal] What happens to my data if I die? [Archival / Memorialisation]

32 Copyright 2009-11 32 Second-Party Risk-Exposure Scope Definition Not data relevant to the commercial relationship Not uses of data that are necessary as part of the service being provided 'Private data' intended for use by the consumer only 'Restricted data' intended to be accessible by some other parties, but not by parties generally

33 Copyright 2009-11 33 Comparative Table

34 Copyright 2009-11 34 Second-Party Risk-Exposure Summary of Results 3 – the Terms provide the ISP with no right to use the data (iinet, Internode, Yahoo!) 1 – use is limited to 'access' - although what that limitation means is unclear (Dropbox) 2 – use is authorised, but... only in a manner directly related to the contract (Infinite, Zoho) 1 – use is authorised "to provide the service" - which can be readily interpreted as being the service as a whole, not just the service provided to that user (MS Live) 2 – the ISP has very substantial rights (Google, LinkedIn)

35 Copyright 2009-11 35 Second-Party Risk-Exposure The [Semi-Arbitrary] Scores Dropbox7.5 MS Live7.0 Yahoo!4.5 Zoho4.5

36 Copyright 2009-11 36 Second-Party Risk-Exposure The [Semi-Arbitrary] Scores Dropbox7.5 MS Live7.0 Yahoo!4.5 Zoho4.5 ___________________ __ Google Gmail0.0 Docs 0.0 Groups0.0 Apps 0.0 LinkedIn0.0

37 Copyright 2009-11 37 Cloudy Consumer Computing AGENDA The Research Domain Consumer Computing Consumer Apps ==>> Consumer Services Consumers Consumer Requirements and Risks The Research Method Preliminary Results (Tentative) Conclusions and Next Steps

38 Copyright 2009-11 38 Preliminary Phase Policy-Relevant Results Consumers dependent on C.C. Services are at dire risk Service malfunctions, loss of data, provider exploitation of their data, low standards of accessibility and clarity of Terms, largely unfettered scope for providers to change the Terms Consumer Protections are essential, but seriously inadequate Transnationality of Internet commerce, dominance of US marketing morés, pro-corporate and anti-consumer stance of US regulators, meekness of regulators in other countries, the lack of organised resistance by consumer reps, advocacy bodies Serious consumer disappointments are inevitable Recriminations against out-/cloud-sourcing are inevitable

39 Copyright 2009-11 39 Preliminary Phase Research-Relevant Results The Research Methods feasibility has been demonstrated The project is giving rise to new and deeper information Complementary research is needed In-depth studies of actual cases of harm to consumers In-depth studies of scenarios likely to lead to harm Studies of different categories of service Studies of different categories of consumers across the Generations across different levels of consumer sophistication Results from all lines of research need to be combined Feedforward is needed into providers Terms of Service

40 Copyright 2009-11 40 Next Steps Preliminary Phase Studies of the Domain Definition of Consumer Requirements Accessibility of ToS In-Depth Study of 1 ToS Comparative Study of ToS re 1 Cluster of Terms Consumer Protection Laws, Resources, Enforcement Empirical Phase Validation of Consumer Requirements Sample Selection In-Depth ToS Studies Comparative ToS Studies Articulation Phase Discussions with Providers Expression of Model Terms Interactions with Consumer Advocacy Organisations, Regulators, Policy Makers

41 Copyright 2009-11 41 Roger Clarke Xamax Consultancy and PSARN Security, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW http://www.rogerclarke.com/EC/CCC {.html,.ppt} The Cloudy Future of Consumer Computing

42 Copyright 2009-11 42

43 Copyright 2009-11 43 Consumer Computing Devices Desktops, Laptops Thin Clients, Netbooks Handhelds / Palmtops Tablets Smartphones

44 Copyright 2009-11 44 Consumer Computing Interfaces Desktops, Laptops Thin Clients, Netbooks Handhelds / Palmtops Tablets Smartphones QWERTY, Fingers, Desktop Metaphor Ditto Soft-QWERTY, Fingers, Stylus, Voice Soft-QWERTY, Fingers, Gesture, Browser-Based Soft-PhoneKeyboard, Thumbs or Fingers


Download ppt "Copyright 2009-11 1. Copyright 2009-11 2 Copyright 2009-11 3 Roger Clarke Xamax Consultancy and PSARN Security, Canberra Visiting Professor in Computer."

Similar presentations


Ads by Google