The e-Commerce Challenge: Protecting Online Privacy

If you lived your life based on what you read about crime in the daily papers, you wouldn’t get out of bed in the morning. The same is true of much of what we’re seeing on Web security. Web insecurity is news; successful Web security isn’t. Nevertheless, the media reports about Web security breaches are mostly correct.

The Web can be a dangerous place for consumers and businesses. One recent report says credit card fraud is now 12 times higher online than in-store, while another report pegs online fraud at four times the old-fashioned kind. No matter how you slice it, that’s a pretty scary statistic.

But we must also realize that the Web is driving double-digit sales growth and that online fraud still accounts for less than 1.2 cents out of every dollar spent online. As IT professionals, do we have a challenge managing Web security? Yes, we do, but it’s manageable.

Ease of use, flexibility and economy need to be built into the way we manage Web commerce risk. Today, the customer is asked to provide several layers of information for authentication: user ID, password, credit card number and possibly other identifying information such as his or her date of birth, address or zip code. If this information checks out with the credit card company and the business, the customer is allowed to complete the transaction.

But the natural corollary to all these layers of authentication is that consumers are wary of the Web. They know that a social security number entered online could wind up in an identity thief’s hands. They know that a phone number or e-mail address given for “questions about your order” could quickly turn into dinnertime sales pitches or junk e-mails flooding their inboxes. And they want it to stop.

Lack of Confidence Costs

Have you ever considered what you’re losing in online business by not managing security better? It’s estimated that electronic commerce would double if people had greater confidence that their privacy was protected on the Web. In fact, the lack of confidence in privacy outpaces all other concerns--including price and ease of use--in inhibiting people from buying on the Web.

Harris Interactive says 70 percent of consumers worry that their online transactions aren’t secure, and 75 percent are concerned that companies will share their personal information with others. Those fears reduced U.S. online purchasing by $15 billion last year, according to the latest consumer research.

That’s a huge wasted opportunity--and a very clear message that we have some serious work to do to turn these percentages around.

The biggest mistake IT professionals make in assessing Web security is focusing on the challenge and not looking at the business opportunity. If you help build online relationships with customers based on trust, they will ask you to add them to your mailing lists, they will want you to recommend products from marketing partners, and they will stick by you forever.

What can be done differently? Here are some rules designed to set the stage for acceptable use of customer data:

  • Do a thorough inventory of your company to understand exactly what your position on privacy is and confirm that this privacy policy is being rigorously carried out throughout your operations.

  • Post a privacy statement that clearly states how personal information will be used. If information will be used beyond the immediate processing of the transaction, it should be clearly stated. More than half the respondents in a survey we took reported leaving a site if the privacy policy is unclear. If they don’t see it--or if they don’t understand it--they leave.

  • Give customers a choice about using data beyond what is required for transaction processing. Consumers will continue to embrace the Internet only to the degree that they trust those who use the technology to respect the privacy of their personal information. Equipping consumers with knowledge and choice about how their personal information is used is key to building such confidence and trust.

Consumer demand for privacy is increasing. Just as companies continually look to improve their products and services to meet customer demand, the same needs to be done with regard to privacy.

The good news is that new technologies coming to market give individuals the power to prohibit or limit others from tracking their movements on the Web. For example, some companies make software that will enable businesses to automate the enforcement of company privacy policies. New standards-based technologies are emerging that allow companies to protect privacy while continuing to offer the personalized e-business services that consumers have come to expect from businesses.

These new enterprise-class privacy management tools allow companies to translate written privacy policies into an electronic description of who can access personally identifiable information and for what purpose. CPOs--chief privacy officers--or other IT managers will be able to monitor access to privacy-sensitive resources, enforce the governing privacy policies on those resources, and produce audit trails and compliance reports. In addition, IT staff will be able to deploy policies written by the company and defined by the end user into the IT systems that store privacy-sensitive information.

On the consumer side, standards such as the Platform for Privacy Preferences (P3P) are emerging to help solve privacy concerns. P3P allows a browser to compare a Web site’s privacy policies with the user’s own preferences, thereby ensuring that the user only visits or does business with Web sites that agree to meet his or her personal standards for privacy protection. A project of the World Wide Web Consortium, P3P enables Web sites to express their privacy practices in a standard format--in XML--that can be automatically retrieved and read by a user’s agent.

For example, if a customer visits an e-commerce site that collects data from its HTTP access logs, and if that customer has told her browser that this policy is unacceptable, then a pop-up window would appear, listing the relevant section from the Web site’s privacy policy on why and how the information is collected and used. If she has told her browser that such a policy is acceptable, she would get no such notification.

An online site might have several policies, such as for browsing a catalog versus purchasing a product. The customer’s browser would access and compare each policy associated with each page of the site. P3P essentially automates the process of reading and interpreting all the fine print. It does not, of course, guarantee that an e-commerce site will follow its stated privacy policies.

In the end, technology is not the only solution. The answer lies in companies instituting strict practices and behavioral standards--and following them. Privacy is, above all, a question of behavior as much as technology. It’s a question of finding the best set of motivators and inducements to meet a simple challenge made more complicated by the networked world, but simple nonetheless. And this is the challenge: consumers want businesses to do more than just pay lip service to privacy policy; they want to see it in practice. The ball is in our court.

About the Author

Arvind Krishna, Ph.D., is the vice president for security products for IBM's Tivoli Software, a provider of systems management applications. Previously, he was the director for Internet infrastructure and computing utilities research at IBM's Thomas J. Watson Research Center. Krishna joined IBM in 1990 and has held executive, technical management and research positions in the areas of Web infrastructure, network and computer security, wireless networks and distributed computing. He has received numerous technical and invention achievement awards from IBM and has been active on the editorial boards and program committees of several IEEE and ACM technical journals and conferences. Krishna received degrees in electrical and computer engineering, a bachelor's degree from the Indian Institute of Technology, Kanpur, and a doctorate degree from the University of Illinois at Urbana-Champaign. For more information on Tivoli products, visit

More by Arvind Krishna

About IBM

IBM is the world's largest information technology company, with 80 years of leadership in helping businesses innovate. Drawing on resources from across IBM and key IBM Business Partners, IBM offers a wide range of services, solutions and technologies that enable customers, large and small, to take full advantage of the new era of on demand business. For more information about IBM, visit