Copyright B2C Distrust Factors in the Prosumer Era Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor in eCommerce, Uni. of Hong Kong; in Cyberspace Law & Policy, UNSW; and in Computer Science, ANU Collecter08 {.html,.ppt} CollECTeR Iberoamerica – Madrid – 25 June 2008

Copyright B2C Growth Metrics are Hard to Get Lots of pseudo-statistics from consultancies (Blue-sky projections from minimal data) Little authoritative empirical research (Its very difficult and expensive to do) Considerable definitional changes over time Bias inherent in the data (e.g. conflating Internet Banking, shopping for a house, searching for information on products)

Copyright B2C Growth Metrics are Not Good! Too few committed online purchasers Too few success stories, and many arise from stick rather than carrot (discount air tickets) Mostly low transaction-values Mostly low conversion rates: Info Searchers ==>> Customers Prospects / Visitors ==>> Customers Other Sites Customers ==>> Ours (i.e. low confidence transitivity) Still the same old reasons are given i.e. Security, Trust, Privacy

Copyright Use of B2C eCommerce is Fragile Successive security scares have been associated with pauses in growth and negative adoption. Even in Internet Banking

Copyright Use of B2C eCommerce is Fragile Successive security scares have been associated with pauses in growth and negative adoption. Even in Internet Banking Viruses Worms Phishing Spyware especially keystroke-loggers

Copyright B2C Distrust Factors in the Prosumer Era Agenda 'Distrust' rather than 'Trust' From Passive to Proactive Consumers Marketer - with - Prosumer Comms Consumer Device Insecurity Privacy Law, Policies and Practice

Copyright Recap: Phases of eMarketer Activity "Billboards along the Information Superhighway" ( ) Closed Electronic 'Communities' (AOL, MSN – ) Widespread adoption of the term 'B2C' (1996-) Push Technologies, 'web-casting' and 'channels' ( ) Info-mediaries ( ) Portals, then Vortals (1998-) Malware, from cookie abuse (1996-), via pop-ups (1999-) and web-bugs (1999-), to adware and spyware (2000-) Data rapaciousness and consumer profile construction Identity management and the consolidation of individual consumers' multiple identities Consumer Location and Tracking

Copyright

Copyright The eCommerce Research Focus on 'Trust' "Dimensions of trust in an Internet vendor" are "competence, integrity and benevolence" "Benevolence is the ability of a company to hold consumer interests ahead of its own self-interest and indicates sincere concern for the welfare of the customers" Chen S.C. & Dhillon G.S. (2003) 'Interpreting Dimensions of Consumer Trust in E-Commerce' Information Technology & Management 4, 2-3 (April 2003)

Copyright The eCommerce Research Focus on 'Trust' Has Always Been Naïve "Dimensions of trust in an Internet vendor" are "competence, integrity and benevolence" "Benevolence is the ability of a company to hold consumer interests ahead of its own self-interest and indicates sincere concern for the welfare of the customers" 'Holding consumer interests ahead of a company's own self-interest' and showing sincere concern are in direct conflict with business culture, and with the law

Copyright What Should eCommerce Research Do? The Focus on 'Trust' assumes that: Consumer Marketers are altruistic Consumers are stupid enough to believe it A Focus on 'Distrust', on the other hand: Draws attention to Key Impediments Enables work on how to overcome them

Copyright Conventional B2C Thinking Is Several Decades Out-of-Date Mass Media One-way, broadcast mode Billboards, print, radio, TV Mass Production High-Volume / Low Unit-Cost Passive Consumers Interactive Multimedia Now Immersive Media Mass Customisation Low-Volume / Low Unit-Cost Active Consumers 'rip, mix, mash' is 'what you do'

Copyright The Generations Gen.Birth AgeFeatures Senior 62Retirees BB1'46-' Early Baby-Boomers Post-War hard work BB2'56-' Late Baby-Boomers '60s counter-cultural loosening overlay X'65-' Mass Media Balance of work and play Y'79-' Interactive Media, incr'gly Immersive Have fun, constrained by work M? >'00 0-8Millenials? Pervasive/always-on, why work?

Copyright Phases of Society Pre-Industrial Industrial Emergent from the Mid-1700s Post-Industrial Emergent from the 1960s / 1980s Production for Consumption Production for Exchange Progress in material wellbeing came from specialisation of labour, and separation of production from consumption activities Production for Consumption Partial, selective, but important

Copyright The 'Prosumer' Or Proactive Producer-Consumer The 'do it yourself' (DIY) movement The 'home handyman' phenomenon Self-service retail stores, checkouts Focus groups, consumer panels Direct data capture (ATMs, EFT/POS) Internet Banking The free software & open source movements Self-help, mutual service, FAQs Wikipedia Toffler A. (1980) 'The Third Wave' Pan, 1980

Copyright Conventional Publishing,

Copyright Conventional Publishing, Desk-Top Publishing,

Copyright Electronic Publishing,

Copyright Electronic Publishing, Cross-Media Publishing,

Copyright Interactive 'Publishing', 'Bees Around a Honey-Pot'

Copyright Prosumers Have Different Expectations from Baby-Boomer & Gen-X Consumers Addled by Mass Media Massage 'How do you relate to me' Marketer - with - Prosumer Comms 'Which of us wears the risks' Consumer Device Insecurity 'What you do with my data' Privacy Law, Policies and Practices

Copyright Marketer - with - Prosumer Communications A Normative Template Information Terms of Contract Security Choice Consent Recourse Redress

Copyright Marketer - with - Prosumer Communications A Normative Template Information Terms Security Choice Consent Recourse ==>> Redress Recourse Enquiry and Complaints Process accessibility prompt acknowledgement copy into the consumer's -archive responsiveness to enquiry or complaint acknowledgement resolution Restitution product quality shortfalls own products and services third-party products and services fulfilment quality shortfalls payment errors External Complaints Mechanisms information provided about them prompt and appropriate communications with regulators

Copyright B2C Web-Site Features Generally There are Positives User-Interface Basic User Assistance Features to allay consumers fears about security, and about privacy Clarity about the point of contract Order checking Delivery Tracking Policy re return/exchange/credit/refund

Copyright The Overall Verdict: Appalling Terms of Contract No consolidated document Clarity of Terms Split Personality between chummy sales documents and the actual lawyer-written Terms. Inconsistencies have probable legal implications Prior Versions of Terms No access Changes to Terms Unilateral, without notice, let alone consent; and even with retrospective applicability Warranties and Liabilities Emphatic denials of all forms of warranty and liability, generally far in excess of the legal position, even asserting no responsibility for merchantable quality or errors in product descriptions Complaint Mechanisms Very poor accessibility (even no Acknowledgement!), and no information about complaints processes Redress No information at all

Copyright

Copyright A Tourists Experience – Mon 23 Jun 08 Guggenheim Bilbao says it offers a Wifi service It doesnt. It lets a telco sell a Wifi service The web-page is in Spanish, and the only other option is Euskadi After taking money from the credit-card, no loginid or password is provided But the next page demands one It is impossible to re-display the web-page So the telco takes consumers money without providing a service

Copyright Consumer Device Insecurity Second-Party Threats Third-Party Threats: Within the System Within the Device Infiltration by Malware Consumer Device Vulnerabilities 'Which of us wears the risks' How To Deal with Insecurity

Copyright A Risk Assessment Framework for Mobile Payments

Copyright Consumer Device Insecurity Second-Party Threats Situations of Threat: Banks Telcos / Mobile Phone Providers Toll-Road eTag Providers Intermediaries Devices Safeguards: Terms of Contract Risk Allocation Enforceability Consumer Rights

Copyright Consumer Device Insecurity Third-Party Threats – Within the System (Who else can get at you, where, and how?) Points-of-Payment Physical: Observation Coercion Points-of-Payment Electronic: Rogue Devices Rogue Transactions Keystroke Loggers Private Key Reapers Network Electronic Interception Decryption Man-in-the- Middle Attacks Points-of-Processing Rogue Employee Rogue Company Error

Copyright Consumer Device Insecurity Third-Party Threats – Within the Device Physical Intrusion Social Engineering Confidence Tricks Phishing Masquerade Abuse of Privilege Hardware Software Data Electronic Intrusion Interception Cracking / Hacking Bugs Trojans Backdoors Masquerade Distributed Denial of Service (DDOS) Infiltration by Software with a Payload ===>>

Copyright Consumer Device Insecurity Third-Party Threats – Infiltration by Malware (Software with a Malicious Payload) The Vector Pre-Installed User-Installed Virus Worm... The Payload Trojan: Spyware Performative Communicative Bot / Zombie Spyware: Software Monitor Adware Keystroke Logger...

Copyright Consumer Device Vulnerabilities The Environment Physical Surroundings Organisational Context Social Engineering The Device Hardware, Systems Software Applications Server-Driven Apps (ActiveX, Java, AJAX) The Device's Functions: Known, Unknown, Hidden Software Installation Software Activation Communications Transaction Partners Data Transmission Intrusions Malware Vectors Malware Payloads Hacking, incl. Backdoors, Botnets

Copyright 'Which of us wears the risks' Consumer Device Insecurity In jurisdictions with strong consumer protections, consumers have not been held responsible for the security of the devices that they use to conduct transactions Banks in some countries recently sought to impose heavy responsibilities on consumers Those banks are losing that battle They are also losing cred with prosumers

Copyright How to Deal with Insecurities in B2C Internet Commerce Recognise that the risks are created by: Technology Providers (inherently insecure products) Financial Institutions (inherently insecure payment processes) Consumer Marketers (reliance on insecure infrastructure) Take appropriate steps: Educate consumers Provide on-demand advice to consumers Make appropriate software readily available Provide pre-packaged security-settings to download, install Provide understandable advice on installation, configuration

Copyright 'What you do with my data' Privacy Law, Policies and Practices Legal protections are very weak Legal protections are continually undermined by technological change Consumer marketers mostly 'don't get it' Consumer marketers commit many blunders Distrust of consumer marketers is rife Prosumers demand much more

Copyright Conclusions from a PPS Study in 2005 The 4 large marketers have done no more than create a pretence of being privacy-protective The sceptical, privacy-sensitive consumer would be aghast at the level of abuse of their privacy, and would decline to conduct business with any of them The pragmatic consumer is likely to be keeping an eye open for alternatives, and balancing availability and reliability of service against abuses of market power The desirable warm glow of trustworthiness of consumer eCommerce is distinctly lacking

Copyright Things Prosumer Marketers Can Do 1Establish a comprehensive Privacy Strategy 2Conduct Privacy Impact Assessments (PIAs) 3Publish Privacy Policy Statements (PPS) 4Ensure Business Processes reflect the Strategy, the PIA outcomes and the PPS 5Apply Privacy-Enhancing Technologies (PETs)

Copyright Snakes and Ladders

Copyright Snakes and Ladders in B2C eCommerce Huge Investment in Image Factors providing a small increase in Trust [really a decrease in Distrust]

Copyright Snakes and Ladders in B2C eCommerce Huge Investment in Image Factors providing a small increase in Trust [really a decrease in Distrust] Tiny Investment in Prosumer-Oriented contract terms and privacy policies (let alone the business processes to implement them) When things go wrong, there is a larger decrease in Trust / increase in Distrust

Copyright BwithP Distrust Factors in the Prosumer Era Agenda 'Distrust' rather than 'Trust' From Passive to Proactive Consumers Marketer - with - Prosumer Comms Consumer Device Insecurity Privacy Law, Policies and Practice

Copyright BwithP Distrust Factors in the Prosumer Era Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor in eCommerce, Uni. of Hong Kong; in Cyberspace Law & Policy, UNSW; and in Computer Science, ANU Collecter08 {.html,.ppt} CollECTeR Iberoamerica – Madrid – June 2008