Preface
This book was inspired by the recognition that risk has new dimensions in electronic commerce and pushed forward by my experiences with the those who are evaluating and assessing these new dimensions using inappropriate traditional business practices as models.
Each month produces a new model for success on the Internet. First Yahoo! was a search engine and now it is a portal. First it was marketing and now it is service. Yet somehow many consultants and businesses offer a single approach to all these opportunities and all the various businesses. I had a most illuminating conversation with senior consultant from a major consulting company. I asked her to enumerate the times when, after reviewing their own work, the consultant's solution was found to be wrong. I asked her to explain the company actions in response to this discovery of error. There were none. Such flawlessness for a single integrated solution in the face of rapid change of businesses and wide variances within the business community was stunning, too stunning to be believable.
Thus this book is based on some unmentionable facts in business: Internet commerce is a change in business; some businesses will do everything "right" yet be destroyed; some businesses will make mistakes yet thrive. There is no single right model for Internet commerce. There is no single right answer that can be bought with certainty by paying the most expensive consultants. For every business there are different choices. Although some businesses have some obvious price advantages (e.g. Big Lots) and advantages in consumer confidence (e.g. Crayola), these businesses are not destined to succeed. When the business is in code ,not in concrete, there are an infinite numbers of forms. There will be an explosion of business models in the near term.
There are of course some excellent consultants, who offer many solutions and endeavor to create not a marginally customized product, but a truly tailored solution. As with all that is excellent, these are rare. The vast majority of customers get a set of viewgraphs and documents prepared for the mythical generic firm. The generic firm is as mythical as the unicorn. The unicorn was a transmutation beginning with the rhino and resulting from the textual drift inherent in of hand-copied scribal documents. As scribal copying embodied human error and inherently resulted in slow transformation of documents , so mass production embodies the understanding of economic actors as generic units. The mythical firm is a creature of technological limits, beginning with common institutional constructs and resulting from the requirements of mass production. The mythical firm results from the need for a standard compatible with the mass-production model of business and business consulting. In the information age everything is malleable, customized, individual. Thus the texts that propose generic solutions are flawed. Texts that educate and enable individuals to make their own tailored choices are needed for the post-print age. Thus I have endeavored to create one of these: a text that explains some basic parameters.
There are some stable factors in electronic commerce, the towering power of the browser bookmark being one, but every business has its own model. The browser bookmark promises that a site will be the first place checked for news or shopping. But if that site is badly designed, offers bad service, or is unreliable it is unlikely to get a second look.
Expecting a single monetary form to emerge form Internet commerce is a reasonable as expecting a single paper currency to come off the printing press. Movable type created fundamental changes in knowledge production: standardization, the ability to compare systems of knowledge, and specialization of intellectual labor. With the printing press, complex markets for intellectual goods developed, contracts proliferated, paper money expanded, and the age of quantification took flight . (Crosby, 1997; Eisenstein, 1979).
At the beginning of the age of print there was no clear single path on which to direct those beginning at vastly different positions. Similarly there is no single path forward through the age of electronic information. Every business person and consumer has a risk profile that is a function of (to name a few variables) market, market position, and risk aversion; because of this diversity this book is meant to be not prescription but rather descriptive. Just as there was no single way to re-organize business is response to the wealth of paper, forms, and currencies made possible by movable type, there is no single way to minimize risk for every party in light of digital information.
The interdisciplinary nature of this book hints at the magnitude of the changes ahead. The current disciplinary structure was built on the print mode of learning and teaching. Just as a Mater's of Information Science degree is a creature of modern change, a future student might get a Bachelor's in Trust. Similarly some modern business structures will be as useful as the medieval guild as the next century approaches and passes. This magnitude of change requires that a detailed book be focused on the near term. Thus this book inherently has a near-term focus, especially with respect to the Internet commerce systems examined. Trust, risk, privacy, security, and reliability are as fundamental to information commerce as Arabic numerals are to paper modes of commerce. Thus trust and risk are the core of this book.
This book is meant to empower individuals to be their own contractors when shopping on the net, constructing an information business, or building a virtual addition onto their current business structure, to encourage shoppers to tread on the Internet instead of in the mall, and tell them how to keep their hands tightly on their virtual purses. The Internet has a power to intimidate that is unfathomable for someone who has seen the vast bulk of digital silliness that was the early days of the Web. This book should remove any residual intimidation. Should it fail to do so, a quick tour of Usenet should eliminate any residual awe for the denizens of the modern Internet. Decades ago, the Internet was inhabited only by researchers, intellectually engaged gentlepersons with shared norms of behavior and common interests.. Now, it's everyone, all the myriad human foolishness, wisdom, joy, and grief flows through the wires every day. There was a widely used acronym on the Internet, IRL, which stood for "in real life". Now the Internet is real life. Sign up or miss it.
It is my contention that Internet commerce will truly come of age in the Christmas season of 1999. Allow a digression into personal experience to explain this entirely qualitative, rather unfounded projection. First I find that I tend to be a moderate early adopter, the first (or third) to try out new technology. Second, I am rare among technical researchers in Internet commerce as I am the one who actually does the family holiday shopping. I attribute this to gender role differences. During the holiday season of 1998 I did my shopping one Saturday morning while my children played downstairs. I had the list, my credit card, and dogpile. (Dogpile is a metasearch engine. That is, it is a search engine that searches other search engines.) As I have been shopping on the Web for nearly four years I was one or two years ahead of the curve. Thus I predict that in the next holiday season working parents and the elderly across the globe will discover this saver of trouble and time, leading to a more relaxed holiday season for everyone (except, of course, the retailers who have not adapted to Internet commerce.) I found in my shopping no price (dis)advantage, as the difference in price tended to be absorbed by shipping costs. Shopping on the Internet gave me a price equivalent to the discount store, with no taxes paid, and home delivery.
This leads to the second, more mundane, inspiration for this book. Three years ago at the First Usenix Workshop on Electronic Commerce, I realized I was perhaps one of three people in the room, by a combination of gender, class, and age, who actually shopped. I was the representative of every parent who has the experience of holiday shopping. I was the single person there who understood at a visceral level the need for shopping without catalogues, phone calls, or expensive personal assistance. I live in the gap between mythical SuperMom and actual working parent. That is, I am an actual working parent who needs life to be friction free to meet the demands of the mythical SuperMom. The time crunch and the need for schedule -friendly remote shopping that is oblivious to interruptions will drive Internet shopping. The aging of the population makes a trip to the mall less an effortless jaunt and more a day's event. The reorganization of the modern family demands, and the technology allows, Internet commerce. Together these forces point to inevitability. This is the ideal moment to thank my family. First the incomparable Shaun McDermott, a truly wonderful man. A patient and supportive man most supportive in that he is a wonderful father. y daughters, Adonica and Amelia, who have made their own contributions to this book by immeasurable contributions to my life. And finally, Wilson, who taught me many lessons I will not forget.
Certainly my early academic mentors deserve acknowledgment. I would never have started the program of study, much less the book, without the support of Michael Feldman. Early on Hudson Welch and James Morris were endlessly intellectually engaging. I am deeply indebted to Granger Morgan for following his own dreams and beginning the department where I had the honor of studying.. Pam Samuelson provided irreplaceable insight into the subtleties of the law, and despite a schedule that is frightening even in retrospect, always found time to provide detailed comments. Mary Shaw has offered valuable time and insights from her technical and personal wisdom. Bennet Yee has given both professional counsel and patient consideration. I wish his office were still across the way, rather than across the continent. Finally my dissertation advisors, without whom this text would not have come to fruition, Marvin Sirbu and Doug Tygar.
To my friends who started virtual and ended up more than actualized: Phaedra Hise, Charlotte Chen, Robin Schoelenthaler, and of course Pip. Laura Painton and Tse-Sung Wu: Thank you. Rosy Chen shared her heart, wisdom and office. Milind Kandlikar provided passionate occasional doses of perspective. Indira Nair for whom mention is necessary but not sufficient. Donna Riley shared her rare gifts of strength and kindness, bestowed with a discerning wit. Ian Simpson provided continued intellectual engagement. Richard Field offered his very relevant expertise and the kindness of his heart in reviewing and commenting on my work. Cathleen McGrath offered engaging debate or empathy, as appropriate, over uncounted cups of tea. Phoebe Sengers reminded me to like myself, and hold my work just dear enough.
Barbara Slater, Andrew Russell, Denise Murrin-Macey, Patricia Steranchak, Janice Trygar, and Victoria Massimino assisted in a many ways, the greatest of which has been in the sharing of their company and friendship.
At Harvard, Jane Fountain, Susan Cooper, Rob Jensen, and Lewis Branscomb have provided moral support and given me the gift of their time. Harvey Brooks was kind enough to be a reader, and gentle in communicating his sharp insights.
Introduction
Consider a dollar bill. To hold one is to have a tangible experience, at the higher denominations a feeling of near-term wealth. Newly minted bills have a unique texture and even a distinct odor. A dollar is the measure of money. It is the most readily accepted monetary form on the globe. To exchange that for a machine-readable data stream seems a great leap. It is not.
The value bound to the paper abstraction of wealth is not a result of mass hysteria or a widespread delusion, as an examination of the purely physical components of paper and ink might suggest. Rather it is a reflection of trust that is widely shared and built over centuries. The dollar is worth as much as there is trust in the solvency and continuity of the U. S. Government; trust in the ability of law enforcement to prevent counterfeiting; trust that a merchant or bank would not knowingly pass on a counterfeit bill; trust in the foundations of the American economy. These trust decisions are deeply embedded and unexamined in daily transactions.
Trust in American monetary instruments is not an eternal national constant. American commercial instruments were marked by early failures; the Continental being the obvious example. 1 In Internet commerce people are once again embarking on a long-term trust commitment. Internet moneys are both unlike and like the dollar. It is one thing to build on the trust of generations past on a monetary instrument and, another to be among the first to take the risk that trust implies. The adopters of the Continental were not made whole by the eventual global adoption of today's greenback.
Internet moneys are like the modern green and historical Continental dollar in that all are based on invisible trust bindings. The trust binding value to the dollar depends on the physical difficulties of reproducing the paper monetary instrument and a centuries-old governance system; Internet commerce depends on the difficulties of calculating mathematical functions and decades-old networks. An Internet commerce system may require trust in the merchant's goodwill as well as his technical competence. Another system may require only faith in risk management of major financial institutions.
In this text the trust relationships in electronic commerce are examined and illuminated. The focus is on trust, but it is equally on risk. Trust is the positive view of exposure: whenever there is trust, there is risk. I focus on these two interrelated topics: trust is risk.
The focus here is on trust as well as risk not only to stress the continuity of the evolution of money from gold bars to bytes but also to provide the most broad explanation of Internet commerce. This focus further distinguishes this study from a consultant's, who might consider risks in a specific scenario to the mythical generic firm.
The determination of risk can be found in an examination of who trusts in Internet commerce transactions. Who will pay, in terms of both money and data, if trust is misplaced? When the inevitable early failures occur, who will be at risk? Who is liable? In many commerce systems there is a trusted third party. Who is this trusted third party? Why is it necessary to trust this party? What exactly is this party trusted to do? Answering these questions means understanding risk allocation in electronic commerce. Answering these questions requires understanding security, record-keeping, privacy, and reliability.
There is no single currency or transaction system which is certain to dominate the future Internet. The answers to the previous questions vary across the multitude of protocols proposed for electronic commerce on the Internet. However, an examination of a broad range of these protocols makes clear that in electronic commerce, there is considerable opportunity to lose both money and data. Customers can lose money and privacy. Merchants can lose money, proprietary information, and reputations. There is much to be gained. It is worth the necessary risk, but only that risk which is necessary. It worth extending trust , but narrowly.
In this text I translate from the technical protocol to the financial risk. There are three basic sources of risk: security failures, data misuse, and reliability failures. This book placed to illuminate the space defined by these three axes. I do not attempt to address every possible risk inherent in electronic commerce. Electronic funds transfer can magnify the weaknesses of cash control systems (Fischer, 1988; Mayland, 1993). If a company has problems with cash control mechanisms and misplaced trust, electronic commerce can make it worse. This is obvious, and is not the focus of this text. The purpose of this book and set of system evaluations is to illustrate risk allocation when a customer, merchant, Internet Service Provider, or commerce service vendor misplaces trust in others, not within their own organizations. (Note that I refer to sellers of all goods but Internet commerce systems as merchants; I refer to those who offer commerce systems as vendors.)
Vendors, banks, consumers, and merchants have different interests. Market and legal mechanisms will assure that the needs all are met in the long term. But one takes risks in the short term. Today the legal environment is uncertain. The market requires information to function, and many are functioning without any better sources of information than the vendors themselves. Thus there are systems which place risks on participants that might better be left with the vendor. This text should provide the tools to determine the sources of risks, what risks are of greatest concern in a few specific systems, and how to evaluate other similar systems.
Understanding risks in Internet commerce requires integrating an understanding of money, network technologies, information security, and the potential for data appropriation and misuse. Thus this books begins with definitions and discussions of money, the Internet, security, and privacy.
In this book I consider the Internet as a framework for commerce. Much of the argument for Internet commerce is essentially information on the growth and population of the Internet. The history of the Internet is included, as it is more than academic. There was at one point an alternative vision of the Information Highway -- citizens as consumers of 600 channels with feedback limited to a single button labeled "BUY". Instead the open Internet has prospered. With respect to shopping and selling, the open nature of the Internet creates trust issues. An open Internet with millions of "channels" has far different trust implications than a centralized broadcast model with orders of magnitude fewer choices.
In short this text addresses the terrain of Internet commerce, rather than trying to lay out a specific path or roadmap. Here are identified the avoidable hazards which are likely to be found on the road to Internet commerce. And thus we begin by considering the nature of the Internet.
The customer base on the Internet grows as the number of countries and connections grows: exponentially with time. Although the coefficient of growth varies across the continents, the shape of the growth curve remains the same for each region. It is the expectation of the future of these growth curves as much as the current magnitude that so excite the providers of content and commerce services.
The table above shows how many networks of each class it is possible to have. Looking at the table and then returning to the postcard example it is clear that Sandia National Laboratories has a class A address and Lawrence Berkeley Laboratory has a class B address. This is because the address is within the appropriate minimum/maximum range shown in the table. The number of networks and the number of hosts is limited by the size of the IP address; it is 2(number of bits in netid). The number of nodes is 2(number of bits in hostid) which is the same as 2(32 - number of bits in netid).
All this means that the number of Internet network addresses is a little over two million, rather than the excess of four billion that the simple length of the address suggests. Since the network addresses were separated into classes so that all machine could have individual addresses the number of networks which can have addresses is limited. So, despite the simple observation of the length of the address, it is possible to have a shortage of IP addresses.
Considering that IP was developed in 1974 (Cerf & Kahn, 1974) when there were sixty-two computers, not networks but computers, on the ARPANET allowing two million networks to easily connect shows foresight and the grace of fine design. The next version of the Internet Protocol, Ipv6 will have mechanisms to address the shortage of IP addresses.
An IP address provides a guess on the size of a network. Of course such a guess does not always prove correct. A network may be connected to the Internet at only one point, so that it really needs only one address, and host routing can be handled behind this point of connection. This is very common with commercial sites that have firewalls 4and extensive local area networks. Or a connected institution may use dynamic IP addressing5 so that they need fewer addresses than machines. So a large internal network does not require a correspondingly generous IP address.
Coincidentally with the expansion of the ARPANET there was BITNET. BITNET was an early network that consisted of dial-up terminals and IBM mainframes. (The UNIX-based NSFNET grew to embrace and obliterate this concurrent network.) By 1985 BITNET had its first exponential growth in mainframes, to seven "conference machines". Mainframes ran distribution list and forerunners of Usenix groups and could be considered ancestors to today's servers. In addition there were hundreds of machines which could connect to BITNET including machines at Yale, University of Maine, State University of New York -Stony Brook, Brown University, Harvard, MIT, and Tufts University. BITNET allowed users from hundreds of machines to run terminal emulators to come together and chat synchronously. Daniel Oberst offered the followed evaluation of the network in the BITNET monthly newsletter: "BITNET is still by and large a voluntary, cooperative network that only exists to the extent that people work together..."
That this comment came from BITNET illustrates an important point: networking is connectivity, is sharing, is trust. The following rough description of Internet routing shows why this previous evaluation remains arguably applicable. Routing illustrates is an excellent example of trust. Routing is how a machine, given that a machine has an IP address, connects to others. Routing is, specifically, how a packet (small information chunks, like postcard greetings) gets from machine A to machine B. Routers are special -purpose machines which direct packets. Routing is also a function of a general purpose desktop machine. Here the primary focus is on the mechanisms, not the machines. However, envisioning only a router as performing the function of might make this explanation easier to follow.
Routers keep a list of all the machines or hosts to which the router is directly connected, and a list of machine to which all the physically adjacent routers are directly connected. A network to which neither the router itself nor none of the physically adjacent routers are directly connected is a remote network. For remote networks, the router keeps a continually updated list of the first step of what it believes to be the shortest path to that remote network. Routers do not store complete paths to remote destinations, they store only enough information to send the message to the next router, under the assumption that the next router will direct the message properly, and so on until the message reaches its destination. The trip between two routers is called a 'hop' regardless of the physical distance between two routers the distance between them is still one hop. Thus routers trust the message to other routers.
Routers are always updating their beliefs about the network. At any time a router may receive a broadcast from another router about that routers stored information. The receiving router always trusts the received information about routes and updates itself appropriately. Because of the constant updating it is quite possible that in a message consisting of several packets will travel on different paths and possibly arrive out of order.
Notice the addresses on this table are imaginary numbers, the point is to illustrate the type of knowledge a router would have.
Consider the network of routers on the Internet as analogous to a social network. Imagine a world with no central information for people in various regions, in other words no telephone directories. Imagine searching for a person, say Gene Eric Person in San Francisco, in the way a router searches. First you would go to your address book. Consider a region a subnetwork and a person a machine to make this analogy function. You would know all the regions to which you can send directly --Chicago, Dallas, Charlotte. You who also know the regions to which your direct contacts can send to. Here is how a page in your address information would work if it was analogous to a router. In this case you would send your message to Gene Eric Person in region San Francisco to Cathy. She would look at her address book and send it to someone in San Francisco, and that person would send it to Gene Eric.
If you did not have him in your address book you would send the message to Carter, knowing Carter is well-connected and is likely to be able to get a message to any location. Carter is your default router.
Imagine later you get an updated address book from your friend Carlos. Carlos notes that it takes him one friend, one hop, to get to San Francisco. You notice that it took only three hops to get to San Francisco through Cathy. You would update your address book as so:
You may find also that Carlos is two hops separate from Carolyn who lives in Portland. You would not add Carolyn to your address book because you are not trying to build a complete and global database of every location. You just want to update your information on the best way to get to any location from your location. But the next time you looked for Gene you would send your postcard to Carlos instead of Cathy.
The address book is your local routing. If the person you wanted to contact was not in your address book you would call someone who would be likely to know him or her because of their location. That is, like the router, you would make your best guess from your most recent information about your network of peers as to the shortest path to the person you want to reach.
There are three critical observations from the above discussion of routing: there is no optimal physical location, there is no single point of failure, and routing is a cooperative exercise in trust.
First, there is no optimal physical street corner on which to reside. Customers will come from all locations, and the appearance of a web presentation depends upon the path between a browser and the information. It is not possible to be adjacent to every browser - there is no ubiquitous next door location. Yet there is valuable real estate in the Internet: not on the network but on the customer's desktop. A good place to be on the Internet is in the Web surfer's bookmarks. The ideal place to be is in the bookmarks that the user trusts.
An ancillary implication of this lack of optimal physical location is that there is limited possibility for monopoly control of distribution6. In traditional media markets there is limited competition. Consider newspaper, television, and radio markets. The ownership concentration results from expensive or exclusive distribution channels. Most towns have one newspaper because the start-up costs are too expensive in a market with an existing newspaper. The newspaper chicken-and-egg problem is that one must have a subscription base and a distribution network to have a paper. Only one radio or television station can exist at one wavelength. On the Internet there is no single advertising venue. There is no reason that multiple competitive search engines as well as multiple meta-search engines can not continue to thrive and compete. Because there is no center to the Internet, because of the routing, there is no way to ensure that every person entering a market sees one product first.
Second, in a connectionless network each packet is delivered independently, so that there is no single point of failure. So if packets are not getting through on one route the following packets will try a different more likely route. Packets are routed independently of each other, and therefore are not stuck repeating previous mistakes. Because there is no central directory of addresses, there is no single point of failure. This means connectionless networks are survivable, that is, hard to disrupt. One business implication of this is that such networks are reliable.
Third, routing is an exercise in social cooperation. Social networks break down from lack of cooperation. Routing could similarly break down. The widespread routing failures that I know about (there may be classified information but a routing failure tend to be noticeable) have thus far resulted only from errors in router configuration, not from malevolence.
With the development of the Web, the Internet became fully capable of supporting user-friendly distributed commerce, just as previous protocols had enabled functionality from simple communication to file transmission. Table 1.6 above illustrates how Internet commerce protocols have built on previous protocols, which has in turn expanded the pool of possible merchants and consumers. Without the ability to locate goods, consumers would not shop on the Internet. Without the ability to easily present goods, merchants would have difficulty selling their wares on the Internet even if they could be located. Of course, Internet commerce does not depend entirely on HTTP as some protocols include options for users with only email with no HTTP capacity.
The Internet supports a range of business functions, not simply payment. Every transaction, on or off the Internet, has multiple phases: discovery, price negotiation, final selection, payment, delivery, and dispute resolution. The Internet can support many types and all stages of Internet commerce (Sirbu and Tygar, 1995). Understanding how necessitates understanding why.
HTTP works on a simple client/server request and response mechanism. The Web is indeed the "killer app." Not only is it the killer app in business terms, it could have "killed" the Internet by having many short, and therefore potentially ill-behaved, connections ill-suited for TCP/IP. The investment to ensure that the Internet will succeed and thrive has been made despite the sub-optimal design of HTTP offers promise that the informal governing structure of the Internet can handle future problems that may arise.
Internet commerce has increasingly become possible with the advent of the World Wide Web. The Web is growing at many times the rate of overall Internet host growth. The Web allows the consumer to locate information of interest on the Internet without requiring any technical expertise.
All Internet commerce protocols can be used with the Web. In addition, some commerce protocols (Mastercard, 1995; VISA, 1995) are comprehensive and include the ability to transfer funds using only email. (For a detailed discussion of network protocols see Schwartz, 1987 and National Center for Supercomputing Applications, 1995).
The standards that will determine how money and information flow around the Internet are being determined now and some of the fundamental decisions about the risks businesses and consumers will take are being integrated as technical details in technical specifications. Examination of those specifications and enumeration of the risk is particularly timely while the standards are still in flux.
