The e-Commerce Challenge: Protecting Online Privacy
By Arvind Krishna, IBM
If you lived your life based on what you read about crime in the daily papers,
you wouldn't get out of bed in the morning. The same is true of much of
what we're seeing on Web security. Web insecurity is news; successful Web
security isn't. Nevertheless, the media reports about Web security breaches
are mostly correct.
The Web can be a dangerous place for consumers and businesses. One recent report
says credit card fraud is now 12 times higher online than in-store, while another
report pegs online fraud at four times the old-fashioned kind. No matter how
you slice it, that's a pretty scary statistic.
But we must also realize that the Web is driving double-digit sales growth
and that online fraud still accounts for less than 1.2 cents out of every dollar
spent online. As IT professionals, do we have a challenge managing Web security?
Yes, we do, but it's manageable.
Ease of use, flexibility and economy need to be built into the way we manage
Web commerce risk. Today, the customer is asked to provide several layers of
information for authentication: user ID, password, credit card number and possibly
other identifying information such as his or her date of birth, address or zip
code. If this information checks out with the credit card company and the business,
the customer is allowed to complete the transaction.
But the natural corollary to all these layers of authentication is that consumers
are wary of the Web. They know that a social security number entered online
could wind up in an identity thief's hands. They know that a phone number
or e-mail address given for questions about their order could quickly
turn into dinnertime sales pitches or junk e-mails flooding their inboxes. And
they want it to stop.
Lack of Confidence Costs
Have you ever considered what you're losing in online business by not
managing security better? It's estimated that electronic commerce would
double if people had greater confidence that their privacy was protected on
the Web. In fact, the lack of confidence in privacy outpaces all other concerns--including
price and ease of use--in inhibiting people from buying on the Web.
Harris Interactive says 70 percent of consumers worry that their online transactions
aren't secure, and 75 percent are concerned that companies will share their
personal information with others. Those fears reduced U.S. online purchasing
by $15 billion last year, according to the latest consumer research.
That's a huge wasted opportunity--and a very clear message that we have
some serious work to do to turn these percentages around.
The biggest mistake IT professionals make in assessing Web security is focusing
on the challenge and not looking at the business opportunity. If you help build
online relationships with customers based on trust, they will ask you to add
them to your mailing lists, they will want you to recommend products from marketing
partners, and they will stick by you forever.
What can be done differently? Here are some rules designed to set the stage
for acceptable use of customer data:
- Do a thorough inventory of your company to understand exactly what your
carried out throughout your operations.
- Post a privacy statement that clearly states how personal information will
be used. If information will be used beyond the immediate processing of the
transaction, it should be clearly stated. More than half the respondents in
If they don't see it--or if they don't understand it--they leave.
- Give customers a choice about using data beyond what is required for transaction
processing. Consumers will continue to embrace the Internet only to the degree
that they trust those who use the technology to respect the privacy of their
personal information. Equipping consumers with knowledge and choice about
how their personal information is used is key to building such confidence.
Consumer demand for privacy is increasing. Just as companies continually look
to improve their products and services to meet customer demand, the same needs
to be done with regard to privacy.
The good news is that new technologies coming to market give individuals the
power to prohibit or limit others from tracking their movements on the Web.
For example, some companies make software that will enable businesses to automate
the enforcement of company privacy policies. New standards-based technologies
are emerging that allow companies to protect privacy while continuing to offer
the personalized e-business services that consumers have come to expect from
These new enterprise-class privacy management tools allow companies to translate
written privacy policies into an electronic description of who can access personally
identifiable information and for what purpose. CPOs--chief privacy officers--or
other IT managers will be able to monitor access to privacy-sensitive resources,
enforce the governing privacy policies on those resources, and produce audit
trails and compliance reports. In addition, IT staff will be able to deploy
policies written by the company and defined by the end user into the IT systems
that store privacy-sensitive information.
On the consumer side, standards such as the Platform for Privacy Preferences
(P3P) are emerging to help solve privacy concerns. P3P allows a browser to compare
a Web site's privacy policies with the user's own preferences, thereby
ensuring that the user only visits or does business with Web sites that agree
to meet his or her personal standards for privacy protection. A project of the
World Wide Web Consortium, P3P enables Web sites to express their privacy practices
in a standard format--in XML--that can be automatically retrieved and read by
a user's agent.
For example, if a customer visits an e-commerce site that collects data from
its HTTP access logs, and if that customer has told her browser that this policy
is unacceptable, then a pop-up window would appear, listing the relevant section
and used. If she has told her browser that such a policy is acceptable, she
would get no such notification.
An online site might have several policies, such as for browsing a catalog
versus purchasing a product. The customer's browser would access and compare
each policy associated with each page of the site. P3P essentially automates
the process of reading and interpreting all the fine print. It does not, of
course, guarantee that an e-commerce site will follow its stated privacy policies.
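As an added illustration (not code from the article, IBM or the W3C), here is a minimal version of the comparison described above: a site publishes its P3P 1.0 policies in XML, one per area of the site, and the user agent parses them and lists every practice the user has told her browser to refuse. The site policies and the user preferences are constructed samples; the element names and data references follow the published P3P 1.0 vocabulary.

```python
import xml.etree.ElementTree as ET
P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample site with two P3P 1.0 policies: one for browsing the
# catalog, one for checkout (element and data names are P3P 1.0 vocabulary).
SITE_POLICIES = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="catalog" discuri="http://shop.example/privacy.html"><STATEMENT>
  <PURPOSE><current/><admin/><develop/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
  <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
 </STATEMENT></POLICY>
 <POLICY name="checkout" discuri="http://shop.example/privacy.html"><STATEMENT>
  <PURPOSE><current/><contact required="opt-in"/><telemarketing required="opt-out"/></PURPOSE>
  <RECIPIENT><ours/><same/></RECIPIENT>
  <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
 </STATEMENT></POLICY>
</POLICIES>"""

USER_PREFS = {"data": {"#dynamic.clickstream"},  # constructed: practices this user refuses
              "purposes": {"telemarketing"},      # (#dynamic.clickstream = HTTP access logs)
              "recipients": {"unrelated", "public"}}

def _names(el, skip_opt_in=False):
    """Local names of the child elements of a P3P PURPOSE/RECIPIENT element."""
    return {c.tag.replace(P3P_NS, "") for c in el
            if not (skip_opt_in and c.get("required", "always") == "opt-in")}

def parse_policies(xml_text):
    """{policy name: [statements]}, each statement = data refs, purposes, recipients.
    Purposes marked required="opt-in" are left out: they apply only after consent."""
    return {pol.get("name"): [{
        "data": {d.get("ref") for d in st.iter(P3P_NS + "DATA")},
        "purposes": _names(st.find(P3P_NS + "PURPOSE"), skip_opt_in=True),
        "recipients": _names(st.find(P3P_NS + "RECIPIENT"))}
        for st in pol.findall(P3P_NS + "STATEMENT")]
        for pol in ET.fromstring(xml_text).findall(P3P_NS + "POLICY")}

def conflicts(policies, prefs):
    """Every (policy, reason) a user agent would list; empty means no notification."""
    found = []
    for name, stmts in policies.items():
        for st in stmts:
            for key, verb in (("data", "collects"), ("purposes", "uses data for"),
                              ("recipients", "shares data with")):
                found += [(name, f"{verb} {v}") for v in sorted(st[key] & prefs[key])]
    return found

if __name__ == "__main__":
    for name, reason in conflicts(parse_policies(SITE_POLICIES), USER_PREFS):
        print(f"policy '{name}': {reason}")  # what the browser's pop-up would show
```

The catalog policy is flagged because it logs clickstream data this user refuses, and the checkout policy because telemarketing is only opt-out; the opt-in contact purpose is not a conflict because nothing happens without her consent.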
In the end, technology is not the only solution. The answer lies in companies
instituting strict practices and behavioral standards--and following them. Privacy
is, above all, a question of behavior as much as technology. It's a question
of finding the best set of motivators and inducements to meet a simple challenge
made more complicated by the networked world, but simple nonetheless. And this
is the challenge: consumers want businesses to do more than just pay lip service
About the Author
Arvind Krishna, Ph.D., is the vice president for security products for IBM's Tivoli Software, a provider of systems management applications. Previously, he was the director for Internet infrastructure and computing utilities research at IBM's Thomas J. Watson Research Center. Krishna joined IBM in 1990 and has held executive, technical management and research positions in the areas of Web infrastructure, network and computer security, wireless networks and distributed computing. He has received numerous technical and invention achievement awards from IBM and has been active on the editorial boards and program committees of several IEEE and ACM technical journals and conferences. Krishna received degrees in electrical and computer engineering, a bachelor's degree from the Indian Institute of Technology, Kanpur, and a doctorate degree from the University of Illinois at Urbana-Champaign. For more information on Tivoli products, visit http://www.tivoli.com.
IBM is the world's largest information technology company, with 80 years of leadership in helping businesses innovate. Drawing on resources from across IBM and key IBM Business Partners, IBM offers a wide range of services, solutions and technologies that enable customers, large and small, to take full advantage of the new era of on demand business. For more information about IBM, visit http://www.ibm.com.