Copyright 1999 CitiGroup. All rights reserved.
Few individuals in IT have had to confront the dilemmas posed by Web-based customer service projects on quite the scale that Dan Schutzer has. As vice president and director of external standards and advanced technology at CitiGroup, he confronts them each day.
In this seminar, an excerpt from a presentation made at the Xplor Marketspace conference in Atlanta, March 1999, he tackles the trade-offs and legal dilemmas you confront when you begin to collect customer data on your Web site in an effort to expand and personalize services to your customers. --Editor
Electronic commerce (e-commerce) poses tremendous opportunities, both for VARs and integrators and for their clients: reduced costs, new sources of revenue, the ability to deliver innovative new products and develop personalized Web-based customer and client services, and the ability to move information, goods, and value along the commerce value chain.
In the banking industry alone, the cost per transaction in Internet banking, according to a Booz Allen & Hamilton study conducted in 1996, was estimated to be $0.01, compared to $1.07 per transaction in a full-service branch bank.
But the e-commerce infrastructure, particularly for banking, requires security, trust, interoperability and an electronic payments scheme. To conduct commerce online, we need:
* Secure, safe, trusted payment and credit mechanisms
* Authentication and authorization
* Integrity and non-repudiation
* Reliable payment and delivery, with recourse
* Trusted agent
* Low cost
Financial institutions such as CitiGroup play this role. But online commerce also presents unique requirements, particularly when you request information from users in order to customize services just for them. These include:
* Protecting the message, not just the medium.
* Establishing an electronic identity for individuals.
* Meeting business and legal requirements.
You must establish: Is this a valid entity? Is this entity one that has been authorized? Was the information exchanged without tampering? Is the relevant information being kept private and confidential? Can the parties in the transaction dispute it? And can access to the service be disrupted?
What makes online security difficult is that, unlike a transaction that takes place offline, it is not face-to-face. The information in an online form can easily be modified by computer. And the huge increase in the rate of change, speed and volume of transactions makes authentication and authorization of transactions more difficult.
There is a need for operating rules to define best practices for service providers, to help resolve how responsibilities and liability are shared and how disputes are resolved, and to assure customer service.
To establish trust over a public network, we rely on technology's cornerstone: public key cryptography. It rests on the difficulty of factoring very large numbers and uses a public-private key pair to secure the exchange of information. It provides secure hash algorithms for tamper-proofing, digital signatures for proof of issue, and electronic certificates for authentication.
Public Key Infrastructure (PKI) uses two keys. These are two large numbers that are related mathematically. One is public, one is private.
You can encrypt with either key and decrypt with the other. To send a confidential message, you encrypt with the receiver's public key so that only the receiver can decrypt the message or information being sent. To authenticate the message and establish the identity of the sender, the sender encrypts the message or message digest with his or her private key and the receiver authenticates it by using the sender's public key. To be sure you have the right public key, it is sent in a certificate that has been digitally signed by a trusted third party whose public key is known to you.
In the online world, the trusted party takes the form of digital signatures and digital certificates, which link a specific public key to an individual or company, and of a certificate authority: a trusted third party that verifies the identity and documents that verification by issuing a unique electronic certificate.
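The three operations just described, confidentiality with the receiver's public key, a signature over a message digest, and a certificate signed by a trusted third party, worked through in a toy RSA implementation. This is an added example, not CitiGroup code; the seven-digit primes, the "bank.example" subject and the reduction of the digest modulo n are constructed for readability and are nothing like a real deployment.

```python
"""Toy RSA walk-through: confidentiality, digest signature, CA-signed certificate.
Constructed illustration; the primes are far too small for real use."""
import hashlib
from math import gcd

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): two mathematically related keys."""
    assert is_prime(p) and is_prime(q)
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))  # d is the modular inverse of e

def apply_key(key, x):  # encrypt with either key, decrypt with the other
    n, exp = key
    return pow(x, exp, n)

def digest(data, n):
    # real signing pads the full hash (PKCS#1); reducing mod n is a toy shortcut
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):        # sender applies the private key to the digest
    return apply_key(priv, digest(data, priv[0]))
def verify(pub, data, sig):  # receiver applies the public key and compares
    return apply_key(pub, sig) == digest(data, pub[0])

def cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()
def issue_cert(ca_priv, subject, pub):
    """Certificate: subject name, its public key, and the CA's signature over both."""
    return {"subject": subject, "pub": pub, "sig": sign(ca_priv, cert_body(subject, pub))}
def check_cert(ca_pub, cert):
    return verify(ca_pub, cert_body(cert["subject"], cert["pub"]), cert["sig"])

# Constructed keys: a CA whose public key both parties already know, and the bank.
CA_PUB, CA_PRIV = make_keypair(1000003, 1000033)
BANK_PUB, BANK_PRIV = make_keypair(999983, 1000037)
BANK_CERT = issue_cert(CA_PRIV, "bank.example", BANK_PUB)

def exchange(amount, notice):
    """Customer encrypts `amount` for the bank; the bank signs `notice`; the
    customer trusts the signing key only after checking the certificate."""
    recovered = apply_key(BANK_PRIV, apply_key(BANK_PUB, amount))
    sig = sign(BANK_PRIV, notice)
    authentic = check_cert(CA_PUB, BANK_CERT) and verify(BANK_CERT["pub"], notice, sig)
    return recovered, authentic
```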
The role and value of trusted third parties is evolving. We should soon see a broad range of new value-added services built around trust and security, including: authentication over public networks; certification of information, parties and transactions; protection of intellectual property and usage rights; performance bonding; electronic escrow; transaction insurance; appraisal services; various electronic broker services, and trusted agents to witness and resolve disputes and claims.
But there are still issues to be resolved. We're now working with a Web of trust instead of the traditional hierarchical trust chain, for instance. And issues of trust are likely to increase in importance online, adding to the value placed on trust-related services.
So as we confront those issues, we need to ask: How much security do you need and in what form? And we need to keep in mind that, once we operate online, there is a need to balance security with system performance requirements. There is a trade-off between cost, convenience and security. We need to balance concerns for the user's trust with technological and contractual safeguards that preserve that trust by authenticating transactions.
There are multiple overlapping ways to achieve authentication. You can use cryptography, shared knowledge of a user's identity or biometrics. And security can be built into the system or addressed as an online process. Often we need to use a process, in addition to built-in controls, at the time of a transaction so that we can deliver receipts and acknowledgements with date-time stamping, accommodate reviews and audits, detect anomalies, and analyze and learn from the data after it is collected.
Today, customer authentication is done primarily using SSL and passwords. Why? Because it's easy to use. It is widely available and it's relatively low-cost. But stronger authentication technology has been advocated to address the need for non-repudiation, dispute resolution, and to secure higher risk transactions. Some of the technologies that have been proposed include PKI, which we've already discussed and which is the current front-runner; biometrics, such as fingerprints or iris detection; and card-based or software-based certificates. All of those approaches have their shortcomings and strong points; it is not clear which, if any, will actually become widely accepted or when they will.
What's missing from those approaches? The current approaches can be characterized as technology solutions looking for a problem. Many are application-specific and there are still many issues surrounding PKI. Biometrics is still not very well understood and is a less mature technology. Because no set standards have emerged, the result has been solutions that are not sufficiently generic, too expensive, too slow, too complicated for consumers and clients, too difficult for banks and organizations to manage, that are not widely accessible and that can't work together or fit under an overall system and architectural concept. There are interoperability problems.
What is inhibiting authentication today? High costs and the lack of a widely accessible standard that is easy to use and understand, fast and convenient, interoperable and technology neutral and is sufficiently trusted.
But the Web has evolved from a tool for quickly distributing information to a powerful medium for conducting e-commerce. And the ability to customize news, information, and shopping features greatly increases the potential of e-commerce. Already users are able to customize their news selections on CNN, travel preferences on Yahoo!, and tastes in books on Amazon.com. This poses even greater challenges.
Delivering customized information and providing goods and services both require site operators to collect user information. And there are various ways of doing this. You can get the information directly from user input by using HTML forms or indirectly from tracking users' HTTP activities or from cookies placed on users' computers.
But either way raises additional concerns. Consumers are becoming more aware of and concerned about privacy rights as horror stories begin to surface. There are the issues of junk e-mail (spam), unauthorized buying and selling of user information, and even people having their identities taken over. Identity takeover is a very scary issue: if someone could get enough information on me to know my name and address, my mother's maiden name, my license and my social security number, they could take over my identity.
The challenges in collecting user information on the Web get back to user concerns: What information is collected? Who will have access to that information? How will the information be used? Can the user trust the other party to keep its word? Will the user have recourse if the information is misused? A lot of sites address these by simply not automating the data collection or by issuing privacy statements about how the information will be used. But those statements, too, are often unclear, difficult to read or non-existent.
On the part of the Web site operator, there are concerns that people might not take as many pains to fill out user information forms accurately. Are we getting the real information? Web operators also have legitimate concerns that there might be lawsuits for invasion of privacy. And there's a looming threat of government intervention, much more so in Europe, where they're passing directives that are very difficult for American companies to absorb. There they follow the "opt-in" philosophy, which says that I can't get any information from somebody unless they explicitly give me permission to get it. In this country we tend to say, "we're going to collect this information unless you tell us not to." That's called opt-out. Consequently, we're seeing a lot of pressure on the part of the U.S. government to get us to police ourselves, and civil liberties groups are pressing for more privacy rights.
So how can we match, in an automated fashion, what information Web sites want from users with the information users are willing to give, considering the stated privacy declarations and the services provided by the Web sites? One solution comes from the World Wide Web Consortium. That is, the Platform for Privacy Preferences or P3P.
What is P3P? It is a method for a user to declare the conditions under which he or she will make personal information available over the Web. It addresses how we can match, in an automated fashion, the information that Web sites want from users with what users are willing to give, considering the stated privacy declarations and the services provided by the Web sites.
The Web site must declare its privacy policy and specify the types of consumer information being collected, what the information will be used for, who will have access to the information, and how the user can update or remove the information. So P3P is also a mechanism for operators and users to automate the process of reaching an agreement between their respective privacy declarations and the subsequent exchanging of user information.
Future versions of P3P will provide authentication of identities and agreements. P3P will not provide communication security, but it will allow other security measures to be overlaid on top of it (e.g., SSL). P3P agreements are end-to-end and between the user and the service. Intermediaries such as ISPs are not included in the agreement between the end parties. It is only used for server-to-client communication.
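A simplified model of the agreement process described above: the site declares each element it collects, the purposes, the recipients and the retention, the user agent holds the user's preferences, and only elements whose declared handling the user accepts are released. This is an added illustration of the matching idea, not the W3C P3P vocabulary or any real user agent; the data elements, purpose names and the bank/customer sample are constructed.

```python
"""Constructed model of a P3P-style match between a site's privacy declaration
and a user's preferences. Not the real P3P vocabulary; names are invented."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Collection:          # one element of the site's privacy declaration
    element: str           # e.g. "email"
    purposes: frozenset    # why it is collected
    recipients: frozenset  # who will have access ("ours" = the site itself)
    retention: str         # "session", "stated_purpose" or "indefinite"
    required: bool = False # the site cannot provide the service without it

@dataclass
class Preferences:         # what the user is willing to give
    allowed_purposes: dict          # element -> set of acceptable purposes
    allowed_recipients: frozenset   # recipients the user tolerates
    max_retention: str              # longest retention accepted

RETENTION_ORDER = ["session", "stated_purpose", "indefinite"]

def acceptable(c, p):
    """Release an element only if every purpose and recipient is allowed
    and the site keeps it no longer than the user tolerates."""
    return (c.purposes <= p.allowed_purposes.get(c.element, set())
            and c.recipients <= p.allowed_recipients
            and RETENTION_ORDER.index(c.retention) <= RETENTION_ORDER.index(p.max_retention))

def negotiate(policy, prefs):
    """Return (released, withheld, agreed). Agreement fails only when an element
    the site marks as required is withheld; optional ones are simply not sent."""
    released = [c.element for c in policy if acceptable(c, prefs)]
    withheld = [c.element for c in policy if c.element not in released]
    agreed = all(c.element in released for c in policy if c.required)
    return released, withheld, agreed

# Constructed sample: a bank site asking for three items, and a cautious customer.
SITE_POLICY = [
    Collection("email", frozenset({"account_service"}), frozenset({"ours"}),
               "stated_purpose", required=True),
    Collection("postal_address", frozenset({"account_service", "marketing"}),
               frozenset({"ours", "partners"}), "indefinite"),
    Collection("browsing_history", frozenset({"personalization"}), frozenset({"ours"}), "session"),
]
USER_PREFS = Preferences(
    allowed_purposes={"email": {"account_service"}, "postal_address": {"account_service"},
                      "browsing_history": {"personalization"}},
    allowed_recipients=frozenset({"ours"}), max_retention="stated_purpose",
)
```

Here the postal address is withheld because the site also declares a marketing purpose and partner recipients, yet the agreement still succeeds because the only required element, the e-mail address, is released.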
Its implications for the future of Web privacy and data collection are that it offers better protection against privacy related litigation, provides customers with a higher level of confidence and seamless access to our services. It encourages visitors to provide information and to do business on the site. It satisfies the government's call for better privacy protection and it requires changes in how privacy statements are declared and how the data are managed.
What will drive the technology is new sales and delivery channels, i.e., the Internet, and companies' insistence on new payment methods that are beyond the capabilities of the old channels.
In summary:
* There is a growing concern regarding the potential abuse of users' privacy as well as a growing demand for sophisticated content and services on the Web.
* User information is critical to e-commerce, but the current methods of information collection are inefficient and open Web site operators to potential lawsuits.
* The threat of government intervention is growing stronger.
* P3P provides a mechanism for Web sites to respect users' privacy preferences for data collected.
* P3P automates the exchange of user information and the process of coming to an agreement.
* P3P has gained support from the federal government, as well as internet heavyweights from the private sector.
* Web sites can benefit from P3P but will be required to make operational changes to accommodate it.
The questions you need to ask before implementing a P3P solution are:
* Can P3P adequately express privacy declaration needs on the site?
* Can P3P be modified to accommodate other security mechanisms, such as Digital Wallet technology or server-to-server communication? And you need to investigate how to best manage data collected via P3P.
Questions? You can e-mail Dan Schutzer at Dan.Schutzer@citicorp.com
--------------------------
This tutorial is excerpted from a session given at the Xplor Marketspace '99 conference and exhibition, sponsored by Xplor International in Atlanta earlier this year. The Marketspace conference focuses on the management of documents that support the transactions of business, primarily the generation and collection of money in cyberspace.
Xplor International is a worldwide, not-for-profit professional association representing 2,900 organizations that develop and use the technology of the U.S. $124-billion document systems industry. For more information on Xplor, please visit the Xplor International web site or call (310) 791-9521.
