Slide 1: Establishing Trust in Electronic Commerce, With Special Reference to Consumer Data Protection and Privacy
Trevor R. Stewart, New Orleans, August 1998
Slide 3: Phenomenal growth
- Total bandwidth increasing 300% annually
- Internet traffic doubling every 100 days
- Amount of e-business on the Internet doubling annually
- Internet community growing 50% annually
- 130 million people on-line as of June 1998
- Web adopted faster than any previous technology
- E-business on the Internet could exceed $1 trillion by 2002
A Revolution in Interaction
- Exploding connectivity is
- Revolutionizing interaction, which will
- Force fundamental change in business, and
- Precipitate the transformation of entire industries, which will
- Make possible new ways to serve, sell, buy and organize
Trust in the new cyberspace frontier
- Security
- Privacy
- Assurance
"Trust, but verify" (Ronald Reagan)
Slide 6: Privacy and data protection are major concerns
Slide 10: Consumer concerns online
- Violations of privacy (snooping)
- Misuse of private information by an organization to whom it has been entrusted
- Theft of personal information from an organization to whom it has been entrusted
- Corruption of personal information
- Theft of identity
- Fraud, theft
- Harassers, stalkers, pedophiles, and other sundry weirdoes
Slide 11: Useful feature or invasion of privacy?
Slide 12: Approaches to Privacy and Data Protection
- 1980, OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; 1998, Focus on the Internet
Legislative Approach
- 1974, U.S., Privacy Act of 1974
- 1995, European Union, Directive on Data Protection
- Also: Hong Kong, New Zealand, Taiwan, others...
Self-regulatory Approach
- 1997, U.S., Framework for Global Electronic Commerce
- Also: Canada, Japan, Australia, others...
Slide 13: The self-regulatory approach
Slide 14: Principles of Fair Information Practices
- Awareness. Consumers should be informed about what information is being collected, who is collecting it, and how it will be used
- Choice. Consumers should be allowed to choose whether and how their personal information is used, and choices should be easy to exercise
- Data Quality. Companies should ensure that the information they collect is accurate
- Data Security. Companies must protect the information they collect
- Consumer Access. Consumers should have reasonable access to information about them and be able to correct it
Slide 15: Effective Self-Regulatory Enforcement Mechanisms
- Consumer recourse. Companies should offer consumers readily available and affordable mechanisms for resolving complaints
- Verification. Companies' assertions about privacy practices and their implementation should be independently verified
- Consequences. Failure to comply with fair information practices should have consequences that are stiff enough to be meaningful and swift enough to assure consumers that their concerns are addressed in a timely fashion
Slide 16: The Internet industry is getting involved
- The Internet Alliance (IA)
- Commercial Internet Exchange (CIX)
- Information Technology Association of America (ITAA)
- Interactive Industry Association
- Software Publishers Association
- Direct Marketing Association
- Online Privacy Alliance
Slide 17: Platform for Privacy Preferences (P3P)
- Complements regulatory and self-regulatory approaches to privacy
- P3P is a specification of syntax and semantics for describing both information practices and data elements
- Enables consumers to:
  - Profile themselves once
  - Choose what information may be collected about them, and how it may be used and disclosed
Slide 18: How P3P Works
1. Web site declares its privacy practices and makes a data request through a machine-readable P3P proposal
2. User's Web browser parses the request and compares it with the privacy preferences set by the user
3. If there is a match, the transaction proceeds seamlessly
4. If not, the user is informed about the data request and the Web site's privacy practices and given an opportunity to agree or exit the site
P3P draft published May 1998
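The four-step flow above, as an added toy model that is not part of the presentation or the P3P draft: the field names, data structures and sample sites are constructed assumptions, not P3P's actual syntax. The point it shows is that the browser-side comparison fails closed, so any data element, purpose, recipient or retention period the user has not explicitly permitted forces the step-4 prompt instead of a silent match.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """Site's machine-readable declaration (step 1): data requested and stated practices."""
    site: str
    data_elements: frozenset
    purposes: frozenset
    third_party_sharing: bool
    retention_days: int


@dataclass(frozen=True)
class Preferences:
    """User's privacy preferences, profiled once in the browser (step 2)."""
    allowed_elements: frozenset
    allowed_purposes: frozenset
    allow_third_party_sharing: bool
    max_retention_days: int


def evaluate(p: Proposal, u: Preferences) -> list:
    """Compare a proposal against the preferences; return the list of mismatches.
    Anything not explicitly permitted counts as a mismatch, so an unknown purpose
    or data element can never slip through as a silent match."""
    reasons = []
    if p.data_elements - u.allowed_elements:
        reasons.append("data not permitted: " + ", ".join(sorted(p.data_elements - u.allowed_elements)))
    if p.purposes - u.allowed_purposes:
        reasons.append("purposes not permitted: " + ", ".join(sorted(p.purposes - u.allowed_purposes)))
    if p.third_party_sharing and not u.allow_third_party_sharing:
        reasons.append("data shared with third parties")
    if p.retention_days > u.max_retention_days:
        reasons.append(f"retention {p.retention_days}d exceeds limit {u.max_retention_days}d")
    return reasons


def handle(p: Proposal, u: Preferences, user_agrees=None):
    """Steps 3 and 4: proceed on a match; otherwise surface the mismatches and
    proceed only if the user, having seen them, explicitly agrees."""
    reasons = evaluate(p, u)
    if not reasons:
        return "proceed", reasons          # step 3: seamless
    if user_agrees is None:
        return "prompt", reasons           # step 4: inform the user, await a decision
    return ("proceed_with_consent" if user_agrees else "exit"), reasons


# Constructed sample data (hypothetical sites, not from the presentation).
USER = Preferences(frozenset({"email", "postal_address"}), frozenset({"order_fulfilment"}), False, 90)
SHOP = Proposal("shop.example", frozenset({"email", "postal_address"}), frozenset({"order_fulfilment"}), False, 30)
TRACKER = Proposal("ads.example", frozenset({"email", "browsing_history"}), frozenset({"order_fulfilment", "marketing"}), True, 365)

if __name__ == "__main__":
    for site in (SHOP, TRACKER):
        print(site.site, handle(site, USER))
```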
Slide 19: Seal programs
- Compliance with WebTrust criteria, including data protection
- Membership of Better Business Bureau
- Compliance with privacy statement
Slide 21: Customer assurance, the WebTrust seal of approval
The WebTrust Service
- CPA provides assurance that the website complies with criteria for good business practice
- Seal of Assurance visible on the website
- Seal refreshed every 3 months
- Work performed under professional attest standards
- VeriSign controls issuance, expiration, revocation
The WebTrust Criteria
- Business Practices Disclosure
  - Business terms and conditions
  - Warranty, complaints, claims, etc.
- Transaction Integrity Controls
  - Order and billing accuracy and completeness
- Information Protection
  - Secure transmissions over the Internet
  - Protection of private information
  - Permission to perform activities on the customer's computer
(Chartered Accountants of Canada / Comptables agréés du Canada)
Slide 24: The legislative approach
Slide 25: Privacy Online, A Report to Congress, June 1998
- 1400 Web sites sampled March 1998
- 85% collect personal information
- 14% have information practice statements
- 2% have comprehensive privacy policies
- "...industry's efforts to encourage the most basic fair information practice principle - notice - have fallen far short of what is needed to protect consumers"
- Recommend legislation to protect children
- This summer will recommend an appropriate response to protect the privacy of all online consumers
Slide 26: Privacy Online (continued)
July 21 Testimony to the House Subcommittee on Telecommunications, Trade and Consumer Protection:
- Encouraging signs that the private sector is attempting to address consumer concerns about online privacy.
- Considerable barriers to be surmounted for self-regulation to work.
- An effective enforcement mechanism is crucial.
- It will be difficult for self-regulatory programs to govern all or even most commercial Web sites.
"Accordingly, the Commission believes that, unless industry can demonstrate that it has developed and implemented broad-based and effective self-regulatory programs by the end of this year, additional governmental authority in this area would be appropriate and necessary."
Slide 27: European Union Directive on Data Protection
- Requires all 15 member states to enact strict privacy laws
- Prohibits transfer of personal information to other countries that the EU determines lack adequate protection of privacy (Article 25)
- Effective October 25, 1998
- Question 1: Is privacy adequately protected in the U.S.?
- Question 2: If not, so what?
Slide 28: Stay Tuned...
- Increasing public awareness of and concern about these issues
- Increased private sector activism
- Showdown with the European Union in 1998?
- U.S. privacy legislation in 1999?