eBusiness: The Hope, the Hype, the Power, the Pain


(Jack M. Wilson, 1999, 2000)

 

Law and Ethics

... the law spoke too softly to be heard in such a noise of war -Plutarch

We must update laws and regulations developed before the advent of the Internet that may have the unintended effect of impeding business-to-business and business-to-consumer online transactions. -- President William Clinton in a memo to government departments and agencies.

Ethics

Technology makes it possible to do things that were never before possible.  Unfortunately many of those things may be illegal, immoral, or unethical and still be easy to do.  With the legal system far behind the growth of new business models, there have been few generally accepted guidelines for many of the new business practices.  The “wild-west” mentality that this freedom engendered has led some to question the ethics of eBusiness.  The June 2000 issue of the magazine Smart Business for the New Economy headlined its cover story as “The New Business Ethics: Cheat, Lie, & Steal; Technology makes it easy.  Get used to it.”[i]  Technology allows both employees and consumers to be watched and profiled in ways never before imaginable.  There are transgressions made by employees against the company, such as using the Internet for personal transactions, including objectionable uses such as pornography and harassment.  There are transgressions that companies make against employees, such as invasion of privacy.  There are also transgressions of companies against consumers through invasion of privacy, unauthorized data collection, price fixing, or sale of personal information.  Lastly, there are simply the criminal uses of the Internet to steal, vandalize, and assault.

The Smart Business article foreshadowed the events of 2002 in which company after company ran into financial and legal difficulties.  In many cases these difficulties came about because executives tried to make the company look more successful than it really was.  There are many motivations for doing this: need to raise capital, trying to increase stock price, wanting to borrow capital from the banks, desire to earn performance bonuses, or even a need to hide other skullduggery.  Whatever the reasons, it seems that there had been an epidemic of such behavior in the years leading up to the dénouement in 2002.  Enron’s collapse revealed that they had been inflating earnings and hiding debt by creating subsidiaries that took on debt and paid sums to the parent that were shown as revenues.  The results were inflated revenues and hidden debts.  Investors reacted by taking a sudden distrust toward all companies, and soon many other companies were found to have similar problems.  MCI WorldCom was forced into bankruptcy when it was found that they had classified certain expenses as capital items.  This delayed the recording of expenses by spreading them out over the coming years and thereby inflated earnings.  Tyco and Adelphia executives were charged with exploiting their executive positions by using company funds for personal use.  The resulting distrust carried the markets lower and lower.

The cloud of suspicion moved beyond the companies to those who provide audits, analysis, or research upon which investors rely.  The audit firm, Arthur Andersen, was completely destroyed by their work with Enron and other companies with suspect accounting practices.  Merrill Lynch and other brokerage firms were forced to settle with clients who felt that the analysts had given falsely positive reports on companies in order to win their business.  In some cases firms were found to have given positive public reports while privately downplaying their own research to selected customers.  It (2002) was not a good year for either law or ethics.

Although these legal and ethical lapses were of monumental impact, this chapter will focus on issues that pertain primarily to Internet-based businesses.  Other texts on law and ethics will address these more general issues in far greater detail.



[i]  “The New Business Ethics: Cheat, Lie, & Steal;” Smart Business for the New Economy p 86 June 2000.

 

 

Security

If the Holiday season in December 1998 demonstrated the viability of eCommerce, the events of February 8 and following days demonstrated the vulnerability of eBusiness to security issues.  It all began on Monday 8 February as a coordinated and massive denial of service attack was launched against Yahoo, clogging the site with spurious requests for service and blocking service to others.  It lasted for about two hours before Yahoo struggled back into service.  It was probably not a coincidence that the world’s largest independent web site was the first one targeted.  The attack continued on the following day to other large eCommerce retailers including Buy.com, eBay, Amazon.com and the CNN.com news site.  By Wednesday the attackers moved on to the leading on-line brokerage E*Trade, technology news site ZDNet, and other sites.   The damages ranged from blocked services to hours of site downtime.  By Tuesday the FBI had begun an intense investigation.

The Financial Times headlined their story as “Hacker attacks raise fears of threat to e-commerce.”

We should not have been surprised.  Computer security experts had been watching the gathering storm for months.  On November 18, 1999 a CERT Security Bulletin was posted that warned that:

We have received reports of intruders installing distributed denial of service tools. Tools we have encountered utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.

We have seen distributed tools installed on hosts that have been compromised due to exploitation of known vulnerabilities.

This bulletin, which was updated and strengthened on December 8, 1999, alerted the web world to the danger and suggested appropriate countermeasures.  Unfortunately, the warnings were not adequately heeded.

The warning of “distributed denial of service tools” referred to the creation of “zombie” machines by hackers.  These “zombie” machines were just regular computers owned by unwitting individuals connected to the web.  Hackers planted secret programs on these machines that could be activated by simple, hard-to-detect commands.  Upon receiving these commands, the “zombie” machines began to execute the plan of attack against the commercial sites.  When the attacked sites tried to find out who was attacking them, they discovered hundreds and maybe thousands of zombies belonging to innocent owners who were completely unaware of the damage they had wrought.

The Wall Street Journal headlined one of its columns with “Cyber Assaults Raise Jitters for Investors.”[2]  The Dallas Morning News trumpeted that the “Yahoo attack sends up red flag for e-businesses,” and suggested that “If it could happen to Yahoo Inc., it could happen to anyone.”[3]  The Dow Jones Industrial Average fell 258.44 points on February 8 with investors citing concerns over security and interest rate issues.[4]

Eventually Canadian police took a 15 year old boy using the screen name “Mafiaboy” into custody and charged him with initiating at least some of the attacks.[5]  No one is expecting these kinds of attacks to end soon.  While the denial of service attacks exploited features found in Unix and Linux servers, many recent viruses have been designed to attack Windows client machines, often through attachments and often using the scripting ability built into Microsoft Office products.  In the spring of 2000 a series of attacks was launched (probably from the Philippines) that emailed the LoveBug virus as a Visual Basic attachment to emails.  Once opened on a target machine, the virus would take over the Outlook email program and mail copies of itself to everyone in the user’s Outlook address book.  Each email was marked with the subject “ILOVEYOU.”  It is still an open question why so many persons opened email from business associates, enterprises, government, and friends with this subject line!

Soon after the LoveBug, there was a rash of copycat viruses that changed the subject line and added extra characters in the Visual Basic script to fool the virus detectors.  Just as biological viruses mutate and evade detection, computer viruses can also mutate and avoid detection.  Modifying these Visual Basic programs is so easy that nearly any programmer can create his or her own variant.

For eCommerce to be successful, there must be a reliable, available, scalable, and secure platform.  These attacks graphically demonstrated that eCommerce was still an immature business model based on a very new medium of communication.  They also raised fears of a backlash against the commercialization of the Internet and a clash between the original Internet culture that valued open, free, non-profit, and unregulated use of the Internet and a business culture that saw this new communication system as an ideal way to buy and sell things and that valued security and reliability over openness and unfettered use.  Elias Levy of Securityfocus.com observed that “This should remind us that the Internet is fairly new and fragile. E-commerce is growing faster than the building blocks underneath the Internet, and we have to go back and take a look at them.”[6]

 

The earlier concerns about security in eCommerce related to the security of the personal and financial information that was being transferred across the network, stored in eBusiness web servers, or even stored in “cookies” on the users’ own computers.

Privacy

As we have seen, it is possible for web sites to collect enormous quantities of data about those browsing their web sites. At first, web users felt anonymous, protected by screen names, the anonymity of indeterminate location, and a lack of identifying characteristics. Even when the vast quantities of data being collected by sites became clear, users often comforted themselves in the knowledge that there was probably just too much data to really be analyzed.  But technology moves very quickly, as we have seen.  Soon web enterprises could apply data mining tools to the data and begin to create profiles with information about the users.  Many users even appreciated some of the side effects.  Ads could be presented that targeted specific users’ interests and avoided ads that would not be of interest.  In the meantime the quantity of data available in “cookies” and site databases continued to grow.

People were often induced to give information freely in order to obtain more personalized service and more convenient on-line transactions.  If they were willing to give information about themselves and their credit cards or banks, then users could take advantage of “single click” purchases and personalized services.  Millions took advantage of this through Amazon.com, Expedia.com, and many other eCommerce sites.

DoubleClick.com was an enterprise that was founded specifically to help other enterprises collect and use the information about on-line visitors to their sites.  DoubleClick provided advertising for over 1500 different web sites and mined the data found in the cookies linked to these sites to create profiles of visitors that could be cross linked and mined for information.  By the beginning of 2000 DoubleClick had amassed over 100 million profiles!

At first DoubleClick provided only anonymous profiles.  No names and addresses were either available or sold.  In the fall of 1999, DoubleClick acquired Abacus Direct for $1.7 million and began to cross-link their name and address files to the DoubleClick profiles.  Now it was possible for DoubleClick to sell companies your name and address and vast quantities of data about what you do on-line.  Where you visit, what you buy, and how long you spend at each site all became available and linked to you, the consumer, by name and address.  As this became clear to consumers, a firestorm ensued.[7]  Eventually DoubleClick was forced to recant, for at least the short term.

Web advertisers suggest that consumers want the personalized marketing that can be made possible with the data now available.  They suggest that consumers will willingly give up privacy in return for services and convenience.  Privacy advocates counter that consumers are not really aware of the privacy that they are giving up and that if they fully understood they would be aghast!  The privacy issue is likely to continue to be a major issue for the next few years.

Key elements of a privacy policy include both disclosure and options.  eBusinesses are urged to disclose their privacy policies and then give the customer the right to “opt in” or “opt out” of data collection.  There remains quite a bit of controversy over the selection of the default condition.  “Opt out” privacy policies require the customer to make an active choice to “opt out” of the data collection.  Data is collected by default unless the consumer makes that active choice to “opt out.”  Many privacy advocates urge the uniform adoption of “opt in” policies that do not collect data unless the consumer “opts in” by actively agreeing to the data collection.  The difference between these two policies is very important since most consumers tend to select the default condition, either by inattention or by intention.

A number of organizations have arisen to monitor privacy issues on the web (EPIC [www.epic.org] or the Institute for Business Technology Ethics [http://www.ethix.org/]) or to provide a “seal of approval” for web sites (Truste [www.truste.com] or BBB On-Line [www.BBBonline.com]).

Efforts by industry groups to create a technological solution have thus far received a mixed reception.[8],[9]  The World Wide Web Consortium (W3C) has created a “Platform for Privacy Preferences Project” (P3P) over a three year period.  The idea is to allow each consumer to describe his or her level of privacy need to the P3P technology.  Then, each time a consumer visits a web site, a P3P agent will examine the privacy policy of the site as described through a standard method of tagging.  If the site does not meet the standards set by the consumer, the P3P agent will warn the consumer.  Some privacy advocates have criticized the standard as providing too little protection and too little recourse.[10]

Privacy advocates see cookies as a key vulnerability of browsers and have tried to have them deleted as a standard part of browser operation.  This was also the subject of an Internet Engineering Task Force proposal, RFC 2109, in 1997.  As noted by the Electronic Privacy Information Center: “These requests have met with resistance and inaction because by making that simple change of disallowing third-party cookies, the privacy damage being done by Internet advertisers could have been avoided. The browser makers decided the privacy of surfers was not as important as the data-gathering opportunities of their companies and their commercial partners. Rather than fix the problems with cookies, which Microsoft and Netscape could have done long ago, the companies that develop browser software are now promoting P3P which will raise even more privacy problems than cookies.”

The failure of several on-line retailers in mid 2000 provided another opportunity for privacy abuse.  When Toysmart.com, Boo.com, CraftShop.com, and others were failing, it was alleged that they were trying to sell private customer information, including names, addresses, phone numbers, credit cards, and shopping habits.  Coupled with the DoubleClick program, these intrusions into personal privacy have generated over 300 bills in Congress.[11]

Amazon.com announced a new privacy policy on September 1, 2000 that disclosed how they treat customer data, and that they consider such data a business asset that could be bought or sold, especially in the event of a bankruptcy, merger, or acquisition.  The disclosure infuriated privacy advocates such as EPIC, which cut ties to Amazon.  It also was disturbing to European Community leaders when Amazon disclosed that it could move data outside of the European Community for processing.  Many see this as a direct violation of EU privacy laws.  The EU views U.S. privacy laws as inadequate protection for consumers and thus wants to prevent any export of EU data to the U.S. where it might be out of reach of EU regulators.

http://dailynews.yahoo.com/h/zd/20000522/tc/targeted_ads_a_real_nuisance_1.html

 

Children’s Privacy

Privacy issues become even more important when children are involved.  For that reason, a Child Online Protection Act was passed in 1999 to regulate children’s interactions with the web.  Ironically, many of the same groups that lobbied for increased privacy rights challenged this act in court and so far have prevailed in staying the implementation.  As of June 22, 2000, the United States Court of Appeals for the Third Circuit affirmed an injunction against the act, asserting that:

“We will affirm the District Court's grant of a preliminary injunction because we are confident that the ACLU's attack on COPA's constitutionality is likely to succeed on the merits. Because material posted on the Web is accessible by all Internet users worldwide, and because current technology does not permit a Web publisher to restrict access to its site based on the geographic locale of each particular Internet user, COPA essentially requires that every Web publisher subject to the statute abide by the most restrictive and conservative state's community standards in order to avoid criminal liability. Thus, because the standard by which COPA gauges whether material is "harmful to minors" is based on identifying "contemporary community standards" the inability of Web publishers to restrict access to their Web sites based on the geographic locale of the site visitor, in and of itself, imposes an impermissible burden on constitutionally protected First Amendment speech.”

Nevertheless, most observers believe that eBusinesses will eventually be held to a higher standard of privacy protection for children.  Privacy is also beginning to be an issue that becomes part of the positioning of a web-based business.

Sites that fully disclose their privacy policies and rigorously follow those policies will fare better than those that do not.  In that group, those that have the more protective policies are likely to be more attractive to consumers, but consumers do appear to be willing to trade off a bit of privacy for increased service if they can develop a basic level of trust in the eBusiness.

Taxation

Branding

Trademark

Intellectual Property

If the grand traditions of communal ownership remain alive today, they remain alive in a portion of the Internet community.  There is a vocal segment of the community that rejects private ownership of intellectual property.  This can be seen in Richard Stallman’s free software initiative and in the legal situation encountered by Napster, which developed a technology for allowing fans to exchange (usually illegal) copies of MP3 encoded digital music.  When the rock group Metallica, as a representative of the music industry, sued Napster for illegally appropriating its music and facilitating its distribution over the Internet, the free stuff movement began an indignant protest.  {XXXXXXX finish}

“Method Madness: The battle over e-commerce patents heats up,” IP magazine, By Richard Poynder, http://www.ipmag.com/monthly/99-nov/poynder.html

Antitrust

The eBusiness revolution has resurrected a moribund Antitrust Division at the Department of Justice.  The Microsoft case has raised new issues and is testing new theories of antitrust in the new economy.  While the antitrust cases of the middle of the 20th century focused on market domination leading to decreased competition and in turn leading to higher prices, the Microsoft case focused on monopoly as a hindrance to innovation.  Little in the Microsoft case pointed toward consumers paying higher prices.  So where was the consumer harm?  According to the Justice Department case, Microsoft’s monopoly in operating systems allowed them to wield that power to stifle competitive innovation.

There was general agreement in the legal community that innovation was the right focus, but there was a significant divergence of opinion on whether monopolies lead to less innovation.  One school of thought felt that they led to more, not less.

Although many think that monopolies, in and of themselves, are harmful to consumers and lead to higher prices, research and legal theory do not support this popular view.  Monopolies can instead lead to lower prices and increased innovation.  Harvard economist Joseph Schumpeter maintained that a monopoly might increase innovation because it had little to fear from the marketplace.  It could take risks that less protected companies could not afford.  Innovations are often expensive to develop and more expensive to deploy.  Monopolies have much more assurance that their investment may be recovered before a competitor matches their new products without having to stand the expense of the research and development.  In highly competitive markets, it might be hard to maintain the exclusivity required in order for the innovative product to pay off the development expenses.

Thus an antitrust case needs to demonstrate both that a monopoly exists and that it has been used illegally to either drive up prices or (in the new economy theory) stifle innovation.  Gary Becker, the Nobel Prize winning economist from the University of Chicago, points out that the rate of innovation in the computer industry continued to accelerate throughout the growth of Microsoft and was indeed greater during the last half of the 1990’s than in prior years.  He concludes that “the evidence suggests loudly that the government should leave this sector alone.”[12]

Price Fixing

Antitrust also recognizes that organizations that do not have a monopoly themselves can band together to create a de facto monopoly to fix prices.  The OPEC oil cartel is an example of a collection of organizations (in this case governments) who have banded together to fix the price of a good (oil).  The fact that this is a collection of governments has put the OPEC cartel out of the reach of antitrust law from both a legal and political standpoint.  Had the oil companies done the same kind of price-fixing, it would have surely drawn the attention of the U.S. Department of Justice.

The creation of eBusiness portals has put the price fixing issue squarely before the Justice Department in an entirely new context.  For example, General Motors, Ford, and DaimlerChrysler have announced that they intend to band together to form a B2B portal to enable them to acquire parts and supplies from the many suppliers to the three organizations.[13]  This has made many of their suppliers nervous and has generated an antitrust debate.  Similarly, United, Delta, American, Continental, and Northwest Airlines have decided to create a portal for ticket sales called T2.[14]  Competitors, such as travel agents, Expedia.com and Travelocity, fear that the new site could be used to freeze them out of the business.  Consumer groups worry that the airlines could work together to raise prices and avoid competition.  The Justice Department views the airline industry as one in which there is a prior history of anti-competitive behavior and significant potential for mischief in the new portal.

As more and more industries develop industry-specific portals, there may be more and more opportunities for illegal collusion on prices and other kinds of anti-competitive behavior.  It will take a few years and landmark cases to establish the precedents that can guide business behavior.  In the meantime, eBusinesses would be well advised to exercise some caution in their participation in industry-wide portals.  This does not mean that these portals should be avoided, but it does mean that businesses should be quite careful in how they interact with competitors in operating these portals.

[DoubleClick, AOL, Microsoft

 


 



[2] “Cyber Assaults Raise Jitters for Investors,” Wall Street Journal, Thursday February 10, 2000, page C1.

[3] “Yahoo attack sends up red flag for e-businesses,”  The Dallas Morning News, 9 February 2000.

[4] “Blue Chips Slide 258.44 Points as Bonds Tumble,” Wall Street Journal, Thursday February 10, 2000, page C1.

[5]  “Canadian police arrest suspect in major Web attacks;” By Erich Luening;  CNET News.com; April 19, 2000

[6] “Hackers on the Attack, Hitting Top Sites,” By Dick Satran, SAN FRANCISCO (Reuters) on Yahoo Tuesday February 8.

[7]  “Privacy: Outrage on the Web;” Heather Green; Business Week; Feb. 14, 2000

[8]  “P3P privacy technology slammed: Consumer groups say P3P technology allows companies to collect more consumer information, not less.” By Robert Lemos, ZDNet News; June 22, 2000. [http://www.zdnet.com/zdnn/stories/news/0,4586,2591856,00.html]

[9] “Privacy Critics Slam Project Backed by White House, AOL and Microsoft;” Time Magazine;  June 23, 2000. [http://www.time.com/time/digital/daily/0,2822,48014,00.html]

[10]  “Pretty Poor Privacy: An Assessment of P3P and Internet Privacy;” Electronic Privacy Information Center; June 2000; [http://www.epic.org/reports/prettypoorprivacy.html]

[11]  “The Politics of Privacy Protection;” Information Week p 40; July 17, 2000.

[12]  “Uncle Sam Has No Business Busting up Microsoft;” Business Week; p 36; June 19, 2000.

[13]  (Ford-GM-Chrysler Portal)

[14] “Why this new E-Biz is raising Trustbusters’ Hackles;” BusinessWeek p 51; June 19, 2000.