Copyright 2009-11
The Cloudy Future of Consumer Computing

                              Roger Clarke
            Xamax Consultancy and PSARN Security, Canberra
                   Visiting Professor in Computer Science, ANU
                     and in Cyberspace Law & Policy, UNSW


                          24th Bled eConference
                               14 June 2011
               http://www.rogerclarke.com/EC/CCC {.html,.ppt}


              Consumer Computing Functions

        •   Email
        •   Web-Sites
        •   Personal Blogs
        •   Micro-Blogs (Twit)
        •   Personal Galleries
        •   Personal Music and Video Libraries
        •   Doc Prep
        •   File-Sharing
        •   Personal Databases (Acc, Family Trees)





                Consumer Computing: Applications ==>> Services

 Function            Applications (1975-2000)        Services (2000-)
 Email               Email clients (smtp/pop/imap)   Webmail (http)
 Personal Galleries  Personal Web-Sites              Flickr, Picasa
 Doc Prep            Office on the Desktop           Zoho, Google Docs
 File-Sharing        FTP server and client           Dropbox


                  The Research Question

            How well are Consumer Computing Services
            satisfying consumers’ needs?

            To the extent that there are problems, what
            should be done about them?




    The Generations of Computing Consumers



    [Figure: image not recoverable from the extracted text]




    The Generations of Computing Consumers
Baby Boomers (45-65)
   Handshake/phone, PCs came late, had to adapt to mobile phones
   Work is Life, the team discusses / the boss decides, process-oriented
GenXs (30-45)
   Grew up with PCs, email and mobile phones, hence multi-taskers
   Work to Have More Life, expect payback from work, product-oriented
GenYs (15-30)
   Grew up with IM/chat, texting and video-games, strong multi-taskers
   Life-Work Balance, expect fulfilment from work, highly interactive
iGens (to 15)
   Growing up with texting, multi-media social networking, networked
   games, multi-channel immersion / inherent multi-tasking
   ?Life before Work, even more hedonistic, highly (e-)interactive

            Consumers – Segmentation

            •   Age / 'Generation'

            •   Education, Income, Wealth
            •   Infrastructure Availability
            •   Technical Capability

            •   Opportunity-Awareness
            •   Leadership / Followership
            •   Risk-Awareness, Risk-Aversion


  Challenges Inherent in the Research Domain
      •     Diversity:
             •  of technologies
             •  of consumers
             •  of consumer uses of technologies
      •     Ongoing, rapid change / unstable phenomena
      •     Can 'consumer requirements' be operationalised?
      •     Can 'consumer disbenefits and risks' be
            evaluated?
            Requirements, Disbenefits and Risks
              The Organisational Perspective
               1. Operational Requirements
                  Dependability on a day-to-day basis

               2. Contingent Risks
                  Low likelihood, but highly significant

               3. Security Risks
               4. Commercial Disbenefits and Risks
               5. Compliance Disbenefits and Risks

                Org 1.     Operational Requirements
  •     Fit – to users' needs, and customisability
  •     Reliability – continuity of operation
         •   Availability       hosts/server/db readiness/reachability
         •   Accessibility      network readiness
         •   Usability          response-time, and consistency
         •   Robustness         frequency of un/planned unavailability
                                (97% uptime = 5 hr per week offline)
         •   Resilience         speed of resumption after outages
         •   Recoverability     service readiness after resumption

  •     Integrity – sustained correctness of the service, and the data
  •     Maintainability – fit, reliability, integrity after bug-fixes & mods
                  Org 2.          Contingent Risks
 •     Major Service Interruptions
 •     Service Survival – supplier collapse or withdrawal
       Safeguards include software escrow; escrow inspection; proven
       recovery procedures; rights that are proof against actions by receivers
 •     Data Survival – data backup/mirroring/synch, accessibility
 •     Data Accessibility – blockage by opponents or a foreign power
 •     Compatibility – software, versions, protocols, data formats
 •     Flexibility
        •   Customisation
        •   Forward-Compatibility      to migrate to new levels
        •   Backward-Compatibility     to protect legacy systems
        •   Lateral Compatibility      to enable dual-sourcing and escape

    Consumer Requirements and Risks – 1 of 3
The Basic Needs
•    Does it do what I want it to do? [Fit]
•    Will it be there when I want it? [Availability, Reliability]
The Basic Protections
•    How do I keep going if it stays fallen over for a long time?
     [Service Interruptions]
•    Will you respond helpfully and quickly enough when I ask for help?
     [Customer Service]
•    Will you lose my data, or muck it up? [Data Integrity]
•    Do I get my data back if you fall over or withdraw the service?
     [Survival]
•    Can I move my data to another supplier? [Lateral Compatibility]
•    Who can I complain to if I get dudded, and will they actually help
     me? [Consumer Protection]
     Consumer Requirements and Risks – 2 of 3
 More Advanced Needs
 •    Will it keep doing what it does now? [Service Integrity]
 •    Will it stay up-to-date? [Future Fit]
 •    Will it fall over too often? [Robustness]
 •    Will it come back quickly after it falls over? [Resilience]
 •    Is my service protected against you, them and the gods? [Service
      Security]
 •    If bits of it are broken, will you fix it without breaking it some more?
      [Maintainability]
 •    Can I fiddle with it a bit if I need to? [Flexibility]
 •    Can I move my data to an upgraded version? [Forward Compatibility]
 •    How long will old versions keep working for me?
      [Backward Compatibility]
 •    Am I breaking the law if I use the service? [Legal Compliance]
     Consumer Requirements and Risks – 3 of 3
 More Advanced Protections
 •    Am I going to get gouged? [Cost]
 •    Can only appropriate people get in and do things?
      [Authentication and Authorisation]
 •    Can I get access to all data that you hold about me?
      [Subject Access]
 •    Is my data protected against you, them and the gods?
      [Data Security]
 •    Is my privacy protected against you, them and the gods?
      [Privacy Controls]
 •    If I terminate our relationship, will my data be irretrievably deleted?
      [Fully Effective Withdrawal]
 •    What happens to my data if I die? [Archival / Memorialisation]
  How are Consumer Requirements Satisfied?
     How are Consumer Risks Managed?
            •   Through the Provider:
                 •  Terms of Service
                 •  Policies
                 •  Practices

            •   Through the State:
                 •  Law
                 •  Regulatory Resources
                 •  Regulatory Enforcement

            •   Through Private Litigation
                  Research Method

Preliminary Phase
•  Studies of the Domain
•  Definition of Consumer Requirements
•  Accessibility of ToS
•  In-Depth Study of 1 ToS
•  Comparative Study of ToS re 1 Cluster of Terms
•  Consumer Protection Laws, Resources, Enforcement

Empirical Phase
•  Validation of Consumer Requirements
•  Sample Selection
•  In-Depth ToS Studies
•  Comparative ToS Studies

Articulation Phase
•  Discussions with Providers
•  Expression of Model Terms
•  Interactions with Consumer Advocacy Organisations, Regulators, Policy Makers
          1.    Accessibility of the Terms of Service
•       The Current Version of the ToS
         •    In all cases, they are on the web-site
         •    Generally, no date of applicability is provided
•       Prior Versions of the ToS
         •    In not one case are prior versions visible
•       Changes to the ToS
        All but one ToS claim the right to unilaterally change the Terms:
         •    most do not require notice, but just an announcement
              somewhere on the website, and changes have immediate effect
         •    a few require that notice be provided, the change is to be
              explained, and the notice is to be provided in advance, and by
              user-convenient means

            Accessibility of the Terms of Service
              The Significance for Consumers

  •     Consumers can only know what Terms apply to an earlier
        transaction if they mirrored the Terms at the time
  •     The Terms applicable to the next transaction may not be
        the same as they were for previous transactions
  •     The Terms applicable to transactions and to the
        consumer’s data are entirely under the provider's control
  •     Consumers can place no reliance on what they may have
        previously read or heard about the Terms


        2.      In-Depth Study of Terms of Service
                          LinkedIn

    A (‘social’) networking service for professionals

    A Priori:
    •  Its users should be well-informed and demanding
    •  So the provider is likely to:
         •   address its customers' needs
         •   balance their interests against the company's

    •  So it can be expected to provide a benchmark

                           LinkedIn In-Depth
    •       No responsibility to provide the service, to do so reliably,
            or to sustain data stored in it
    •       Subscribers must disclose physical location, even if
            irrelevant
    •       No internal complaints process
    •       No rights to restitution, no liability for identity fraud
    •       LinkedIn gains rights to customers' data that are almost
            equivalent to the rights of the customers themselves
    •       Unilateral changes to the Privacy Statement, without
            notice
    •       Storage in the USA under lax privacy laws
    •       No undertakings to control the behaviour of staff
    •       Enforced 'permission' to disclose personal data, without
            legal authority, "to assist government enforcement agencies"
    •       Inadequate subject access and correction rights

                      LinkedIn In-Depth
               The Significance for Consumers

    •       LinkedIn projects itself as a networking service for
            well-informed and demanding professionals
    •       It was expected to provide a benchmark

    •       In fact, many aspects are badly handled
    •       Not a benchmark, but rather a considerable concern



                           Terms of Service
                             3. Clusters
            •   Service-Level Warranties and Indemnities
            •   Lateral Compatibility ('Can I get my data out?')
            •   Authentication and Authorisation
            •   Second-Party Risk Exposure
            •   Third-Party Risk Exposure
            •   Data Deletion
            •   Subject Access
            •   Customer Service
            •   Complaints-Handling – Internal, External

                  Second-Party Risk-Exposure
                       Scope Definition

   •        Not data relevant to the commercial relationship
   •        Not uses of data that are necessary as part of the
            service being provided

   •        'Private data' intended for use by the consumer only
   •        'Restricted data' intended to be accessible by some
            other parties, but not by parties generally


            Comparative Table




    [Comparative Table: image not recoverable from the extracted text]




              Second-Party Risk-Exposure
                 Summary of Results
  •    3 – the Terms provide the ISP with no right to use the
       data (iinet, Internode, Yahoo!)
  •    1 – use is limited to 'access' - although what that
       limitation means is unclear (Dropbox)
  •    2 – use is authorised, but ... only in a manner directly
       related to the contract (Infinite, Zoho)
  •    1 – use is authorised "to provide the service" - which
       can be readily interpreted as being the service as a whole,
       not just the service provided to that user (MS Live)
  •    2 – the ISP has very substantial rights (Google, LinkedIn)

            Second-Party Risk-Exposure
            The [Semi-Arbitrary] Scores

                 Dropbox         7.5
                 MS Live         7.0
                 Yahoo!          4.5
                 Zoho            4.5
                 ___________________
                 Google Gmail    0.0
                 Google Docs     0.0
                 Google Groups   0.0
                 Google Apps     0.0

                 Cloudy Consumer Computing
                          AGENDA

       •    The Research Domain
             •   Consumer Computing
             •   Consumer Apps ==>> Consumer Services
             •   Consumers
             •   Consumer Requirements and Risks
       •    The Research Method
       •    Preliminary Results
       •    (Tentative) Conclusions and Next Steps

                     Preliminary Phase
                   Policy-Relevant Results
  •       Consumers dependent on C.C. Services are at dire risk
          Service malfunctions, loss of data, provider exploitation of their
          data, low standards of accessibility and clarity of Terms, largely
          unfettered scope for providers to change the Terms
   •       Consumer Protections are essential, but seriously
           inadequate
           Transnationality of Internet commerce, dominance of US
           marketing mores, pro-corporate and anti-consumer stance of
           US regulators, meekness of regulators in other countries, the
           lack of organised resistance by consumer reps, advocacy
           bodies
   •       Serious consumer disappointments are inevitable
   •       Recriminations against out-/cloud-sourcing are inevitable

                      Preliminary Phase
                   Research-Relevant Results
   •        The Research Method’s feasibility has been demonstrated
   •        The project is giving rise to new and deeper information
   •        Complementary research is needed
               •  In-depth studies of actual cases of harm to consumers
               •  In-depth studies of scenarios likely to lead to harm
               •  Studies of different categories of service
               •  Studies of different categories of consumers
                     •  across the Generations
                     •  across different levels of consumer sophistication
   •        Results from all lines of research need to be combined
   •        Feedforward is needed into providers’ Terms of Service

                      Next Steps

Preliminary Phase
•  Studies of the Domain
•  Definition of Consumer Requirements
•  Accessibility of ToS
•  In-Depth Study of 1 ToS
•  Comparative Study of ToS re 1 Cluster of Terms
•  Consumer Protection Laws, Resources, Enforcement

Empirical Phase
•  Validation of Consumer Requirements
•  Sample Selection
•  In-Depth ToS Studies
•  Comparative ToS Studies

Articulation Phase
•  Discussions with Providers
•  Expression of Model Terms
•  Interactions with Consumer Advocacy Organisations, Regulators, Policy Makers
             Consumer Computing Devices

  •     Desktops, Laptops

  •     Thin Clients, Netbooks
  •     Handhelds / Palmtops

  •     Tablets

  •     Smartphones



            Consumer Computing Interfaces

  •     Desktops, Laptops        QWERTY, Fingers, Desktop Metaphor
  •     Thin Clients, Netbooks   Ditto
  •     Handhelds / Palmtops     Soft-QWERTY, Fingers, Stylus, Voice
  •     Tablets                  Soft-QWERTY, Fingers, Gesture, Browser-Based
  •     Smartphones              Soft-PhoneKeyboard, Thumbs or Fingers

