Privacy and Ecommerce

Electron Commerce Res (2007) 7: 89–116
DOI 10.1007/s10660-007-9002-9
Privacy and e-commerce: a consumer-centric

perspective
Rhys Smith · Jianhua Shao
Published online: 16 March 2007

© Springer Science+Business Media, LLC 2007
Abstract Privacy is an ancient concept, but its interpretation and application in the
area of e-commerce are still new. It is increasingly widely accepted, however, that
by giving precedence to consumer privacy bigger benefits can be reaped by all par-
ties involved. There has been much investigation into the concept of privacy, legal
frameworks for protecting this most impalpable of human values and, more recently,
computing technologies that help preserve an individual’s privacy in today’s environ-
ment. In this paper we review the historical development of this fundamental concept,
discussing how advancements both in society and in technology have challenged the
right to privacy, and we survey the existing computing technologies that promote
consumer privacy in e-commerce. Our study shows that historically the protection of
privacy has been driven primarily both by our understanding of privacy and by the
advancement of technology, analyses the limitations of privacy protections for cur-
rent e-commerce applications, and identifies directions for the future development of
successful privacy enhancing technologies.
Keywords E-commerce · Privacy · Privacy enhancing technology
1 Introduction
New technologies (which of course includes the Internet) are able to offer to in-
dividuals levels of privacy unprecedented in modern human history. However, new
technologies are equally able to facilitate gross breaches of an individual’s privacy
at equally unprecedented levels. Unfortunately, the latter case seems to be the more
R. Smith () · J. Shao

School of Computer Science, Cardiff University, Cardiff, CF24 3AA, UK
e-mail: r.o.smith@cs.cardiff.ac.uk
J. Shao
e-mail: j.shao@cs.cardiff.ac.uk
90 R. Smith, J. Shao
predominant. The commonly cited possibility, penned by Peter Steiner in a cartoon in

The New Yorker (July 5th 1993), exists that “On the Internet, nobody knows you’re
a dog.” What is in fact closer to reality in the world of today is that not only can
anyone know that you are a dog—they can also find out what breed you are, what
your favourite food is, your entire history of inoculations, your current geographical
location (accurate to within one metre), and which is your favourite brand of shoe to
chew.
One ever-emerging new technology is the area of e-commerce: although the area
has existed for several years it is a technology that is undoubtedly yet to reach its
full potential. If one examines the current state of e-commerce and compares this
with the vision of the future of e-commerce presented several years ago then cur-
rent e-commerce levels seem rather lacklustre. One report by Forrester Research es-
timated that e-tailers lost US$15 billion in 2001 because of the privacy concerns of
consumers [28], while a report by Jupiter Research estimates that online retail sales
would be approximately 24 percent higher in 2006 if these concerns were addressed
effectively [39]. Comparing Forrester Research’s 1999 prediction of US$184 billion
of US online retail sales in 2004 [27] to the actual figures for 2004—approximately
US$69 billion1 —shows that there has been an extremely large deficit in predicted
revenue. One of the major reasons for this gulf between predicted and actual levels
that has been suggested by the research community at large and backed up by many
studies, e.g. [21, 28, 31, 37–39, 81, 82], is simply one of trust: a vast proportion of
individuals able to engage in e-commerce are not willing to do so (or to do so, but
at reduced levels) simply because they do not trust e-commerce sites to be secure
and respectful of their privacy. The most recent of these studies was a Gartner sur-
vey [31] in June 2005 which shows that this problem is not abating, and predicts that
it will continue to further inhibit e-commerce growth rates in the coming years. The
obvious conclusion is that, to impel e-commerce to boom to the oft-predicted levels,
either e-commerce based companies need to increase the trust engendered to them
by the general e-consumer, or technologies need to be created that are designed to
protect an individual’s privacy and security—forcefully if necessary.
The first of these possibilities, that of establishing and maintaining more trusted
relationships with customers, is not a trivial matter. Numerous studies investigating
ways of encouraging trust have been carried out and a number of mechanisms have
been proposed, ranging from altering the design of an e-commerce site to make it
appear more professional and “friendly” through to facilitating user interaction via
the use of a computer-generated human-like agent. Patton and Jøsang surveyed the
current state of this area in [51]. However, trust is viewed as something that is difficult
to build and easy to lose [49], and there are doubts as to whether the effectiveness of
these techniques is enough to subdue the fears of individuals to any large degree.
The other possibility, that of using technologies to protect individual privacy,
neatly avoids these problems by actually attempting to allay some of the common
fears of individuals rather than using psychological approaches in a simple attempt to
circumvent these fears. There have been a wide range of these technologies proposed
which can generally be split into two main methods: those that attempt to preserve an
1 Source: US Census Bureau—http://www.census.gov/estats.

Privacy and e-commerce: a consumer-centric perspective 91
individual’s privacy by enabling anonymous communication channels for interaction

between customer and e-business; and those that attempt to minimise the amount of
personal information given to an e-business during the interaction. Whichever tech-
nological method is used, this approach of actually allaying individuals’ fears about
privacy is probably the more productive of the two possible approaches in the attempt
to expand e-commerce levels, as a real solution to the problem will be seen in a more
positive light by the individuals involved.
In order to fully explore the idea that e-commerce would benefit from enhanced
consumer privacy, some fundamental understanding of privacy is required: what ex-
actly privacy is, how our understanding of it has changed throughout history, and how
this changing understanding coupled with technological development have histori-
cally affected the protection of privacy. This understanding will then give us the nec-
essary tools to discuss how privacy exists in the information age that we live in. Thus,
in the first part of this paper we firstly review the meaning of “privacy” and discuss
how technological advancements in recent times have challenged the right to privacy.
We then focus our discussion upon the burgeoning area of e-commerce, where we at-
tempt to apply the lessons learned about privacy to the current world of e-commerce,
coming from a consumer’s point of view. Given this enhanced understanding of pri-
vacy, in the second part of the paper we survey, evaluate, and analyse the limitations
of the existing technologies that promote consumer privacy in e-commerce. Finally,
we draw some conclusions about the future of e-commerce and consumer privacy.
The rest of the paper is structured as follows. Section 2 explores the general idea
of privacy, discussing its nature, history, meaning, and how it has been affected by
technological advances. Section 3 then uses these ideas to discuss the problem of
retaining privacy in e-commerce and the ways in which this problem can be solved.
Section 4 reviews some of the currently existing technologies that attempt to pre-
serve/enhance privacy in the technological domain and discusses the future of these
technologies and areas where more research is needed. Finally, some conclusions are
drawn in Sect. 5.
2 Privacy
“Every man should know that his conversations, his correspondence, and his
personal life are private.” Lyndon B. Johnson, President of the United States,
1963–69.
Privacy, as a concept, is highly interesting. Perhaps its most striking feature is the
fact that nobody seems able to agree upon what it actually is. The “right to privacy”
has inspired considerable debate in many fields of thinking: including the areas of law,
philosophy, sociology, politics, and more recently, computer science. This debate is
fascinating, complex, and at times rather surprising. Furthermore, how this right to
privacy fares when applied to the world of e-commerce is an even more contentious
issue.
In our attempt to explore the issues presented in the introduction, and to grasp how
the competing worlds of individual privacy and e-commerce can meet without col-
liding head-on, we need to first attempt to understand the general concept of privacy.
In this section we will first examine the meaning and nature of privacy, followed by
briefly examining some important points in the historical development of privacy.
2.1 The nature of privacy
At first glance, the idea of privacy seems fairly intuitive. When pressed upon to elu-
cidate this idea of privacy in a clear-cut all-encompassing definition and defence of
privacy however, people consistently flounder. Thus, debate about this most impal-
pable of human values has raged throughout recorded history. These debates became
prominent in the philosophy/sociology literature in the latter half of the 20th cen-
tury: Benn and Gaus’ anthology [9], Schoeman’s anthology [67], and Weintraub and
Kumar’s anthology [78] have collected many of the important arguments presented
throughout these decades.
The most rudimentary area of this debate is one which is concerned with the de-
fence of privacy: why is privacy important, and what does retaining privacy bring to
an individual? Many theorists have produced defences of privacy that state that pri-
vacy is a highly important human value necessary for many aspects of an individual’s
moral and social being, such as: privacy being a requirement of the ability to develop
diverse and meaningful relationships [30, 55]; privacy being a basic aspect of indi-
vidual personality and integrity [30]; privacy being a requirement for human dignity
and retaining one’s uniqueness and autonomy [10]; and privacy being a necessary
prerequisite for intimacy [32].
Another area of debate—probably the most fundamental and essential of areas—is
the definition of privacy. The fact is that nobody has yet produced a single agreed-
upon definition for the right to privacy—and this is not at all surprising since an
individual’s conception of privacy is based partly upon their society’s general con-
ception of privacy (see Westin’s work in [80], taken from his book [79]) and partly
upon their own life’s experiences and general social attitudes. Despite this difficulty,
many people have (of course) attempted to produce all-encompassing definitions of
“privacy.” Schoeman noted [66] that they all fall into three main categories:
1. The right an individual has in being able to control access to personal information
about themselves.
2. The measure of control an individual has over information about themselves, or
who has sensory access to them.
3. The state of limited access to an individual and their personal information.
Each of the three proposed categories of definitions has properties that are pleasing
in the attempt to produce a single unified definition of privacy, however, they all also
contain some major problems. The first category is simply a statement about privacy
that assumes that privacy is a morally significant human value and therefore some-
thing sacred that should be protected, but does not say why this should be the case,
and indeed does not define what privacy actually is. The second category’s critics ar-
gue that counter-examples can easily be created that question the definition (although
its proponents claim that such examples are not realistic and to produce them “would
be to engage in irony” [30]). The third category inherently poses the question as to
whether privacy is desirable, and to what extent. It also raises further questions about
the difference between privacy itself and the right to privacy—examples where one
can be said to have lost privacy but not had one’s right to privacy violated (and the
converse) are easily constructed.
More recently, theorists have argued that the reason that no-one has yet produced a
single unified concept of privacy is that privacy is far too complex to actually capture
in a single (relatively) simple definition—therefore it should instead be treated as a
collection of related concepts. Benn and Gaus, for example, suggest that privacy is
a wide-ranging social concept that shapes how an individual sees and interacts with
society [9]. Many studies have been carried out investigating the cultural relativity of
privacy: most social theorists claim that privacy is recognised and institutionalised (in
some way) in all societies (e.g. [48, 80]), with only a few notable exceptions (e.g. [5]).
The attempt to define privacy has further been complicated with the transition from
the industrial society to the technological society through to the information society.
In the information society, an individual’s concept of self is expanded into provinces
additional to the traditional: it gets expressed through, and affected by, technology
and the projection of one’s identity to include one’s online identity. This addition
of a component that exists in a totally different kind of space shifts and blurs the
public/private boundary, making an attempt to define privacy even more difficult than
ever before. Thus, increasing numbers of theorists have started to subscribe to the
view that privacy is in fact a collection of concepts rather than one specific concept.
On the other hand, there are those that are more critical of the idea of privacy.
Some of the most common arguments against privacy are those such as the view put
forward by Prosser and Thomson who hold that privacy is non-distinctive—there is
no “right to privacy” [54, 71]. They argue that while privacy is important, thinking
of privacy as something special is unproductive, as any interest that could be cate-
gorised as a privacy interest could be equally well explained and better protected by
considering other interests or rights, such as property rights and the right to bodily
security. This view is not actually “anti-privacy” per se, but can be considered crit-
ical of it as it questions the whole foundations of privacy as previously discussed.
When investigating privacy from a purely legal standpoint, Volokh came to a similar
conclusion—that privacy is possibly best protected in law by relying on contractual
protections [74].
Delving deeper into the criticism of privacy, a very highly sceptical view of privacy
was produced by Wasserstrom who argued that withholding information about one-
self might be morally equivalent to deception, and therefore socially undesirable [76].
He suggests that views on privacy encourage individuals to feel more vulnerable than
they should simply by accepting the notion that there are thoughts and actions which
should make one feel ashamed or embarrassed, and that privacy encourages hypocrisy
and deceit.
Another view—one possibly more interesting in the context of e-commerce—
sceptical of the reasons for privacy was introduced by Posner. He argued that privacy
interests are non-distinctive, and are better thought of in economic terms [52]. He
posits that information can have value—people will incur costs to discover it—and
that there therefore are two economic goods: “privacy” and “prying.” He however
regards them as instrumental rather than “final” goods, allowing them to be analysed
economically. According to this idea, people do not desire privacy for privacy’s sake,
but for the economic or social advantage that it gives them. His view is that pri-
vacy should only be protected when allowing access to information would reduce its
value. He classifies personal information such as “my ill health, evil temper, even my
income” [52] as facts that should not generally be protected since the main motive for
concealment is often to mislead others, or for private economic gain. Since corporate
gains enhance the economy more than individual gains, he concludes that defence of
individual privacy is hard to justify as it can negatively impact these more “impor-
tant” corporate gains. Whether one agrees with this stance of course depends entirely
on whether one is a corporation or an individual. Also, thinking specifically about
e-commerce, this view of privacy does not take into account the facts presented in the
introduction—that favouring corporate over individual privacy leads to a reduction in
the amount of e-commerce an individual will engage in.
One thing that all of these arguments—both those for and those against privacy—
have in common is that they all agree on the core existence of the concept of privacy:
to debate whether something is materially good or bad must necessarily mandate the
existence of the subject of the debate. Thus, virtually all theorists have acknowledged
that the idea of privacy is indeed a real concept. Additionally, although a single, all-
encompassing view of privacy has not yet been presented (and is not likely to ever be
presented), individual privacy (however defined) is seen by the majority of theorists
as a highly important human value. Thus, this value deserves to be fiercely protected
in all areas of life: both the existing areas and the newly developing areas presented
by the information age.
2.2 The development of privacy
The idea of privacy, as with any other human sociological creation, is not absolute
and static—developments in society itself have grown and shaped this human value
for most of recorded human history. The development of privacy has gone through
several main stages in the lead up from its initial articulation in ancient times to its
current incarnation in today’s world. Each of these stages can be differentiated by
their unique view of privacy and how it has been protected.
2.2.1 The infancy of privacy
The concept of privacy has roots dating back many millennia. In approximately 350
BC in his treatise Politics, Aristotle distinguished between the public sphere of the
city and its political activities (polis) and the private sphere of the household and
its domestic life (oikos). Aristotle claimed that the private sphere has an inherent
hierarchical structure whose assets provide the material ability for the citizen to act
in the public political sphere. Thus, the presence of the “private” is a necessity for the
smooth running of the “public.”
This idea of public and private spheres were embodied in Greco–Roman society,
where the public sphere was not a metaphorical place but an actual physical space—
the Roman forum and the Greek agora—where public and legal affairs were discussed
and where any free man could directly participate in the running of public life.
Greek society originally conceived of no separation between the two spheres. The
concept of an individual being separate from the polis was brought to the Greek
peninsula in the fifth century BC by radical Sophists, teaching that the human being
was the measure of all things—not the city or gods as was the prevailing philoso-
phy [61]. This view was alien and highly radical but slowly permeated through Greek
society, being discussed by the great Greek philosophers and ultimately inspiring
Aristotle’s Politics as attempt to solve this opposition between the opposing views.
The Romans further developed the idea of the private sphere as opposed to the
public sphere. In Roman society, the notion of public equated to the good of the
state and its sovereignty, while the notion of private equated to the interests of the
individuals in the empire [36, 77]. These notions were actually eventually accepted
as fundamental enough that they were incorporated into late Roman Law—in the first
chapter of the two sections of the Corpus Juris Civilis, the compilation of Roman
Law issued by Emperor Justinian in 533–534 AD [77]. Indeed, the words “public”
and “private” have a Roman origin.2
As the Roman Empire fell into decline and the middle ages advanced upon Europe,
the idea of the separation of the state and the individual, the public and the private,
fell out of public consciousness for reasons that are quite understandable. Society at
the time simply did not have any significant distinction between public and private,
mainly due to the feudal system of rule which was based upon kinship and bonds
of loyalty—basically a network of personal dependent links in which there was no
distinction between state and individual [77].
The revival of the separation of public and private began in more modern history
with firstly the occurrence of the enlightenment and later with the growth of capi-
talism, as the separation of the sovereignty and the citizen once more occurred and
public political society came back into prevalence. Habermas famously discussed
how the development of the public sphere was affected through the development of
bourgeois society [36].
In this age of privacy, the basic tenet of privacy was slowly recognised as a con-
crete human value, and thus support for treating it as such began to grow. With these
occurrences the concept of privacy entered a new age as it began to be afforded legal
protections in an effort by the legislators to protect this most basic of human rights.
2.2.2 The legal age of privacy
One of the first areas in the legal arena in which privacy has been deliberated was
in English common law, where the idea of the right to privacy has been discussed
for at least the last few centuries in numerous legal cases and judgements over the
years. One example of this was articulated by Mr. Justice Yates in 1769 (Millar v.
Taylor [83]):
It is certain every man has a right to keep his own sentiments, if he pleases. He
has certainly a right to judge whether he will make them public, or commit them
only to the sight of his friends.
These early English legal cases paved the way for many further privacy devel-
opments. Since most American legal practises have their roots in English common
law, it has been argued by many that one of the most basic and well-known of these
developments is the U.S. constitution—many arguments have been put forth support-
ing the idea that the distinction of the private sphere is enshrined within it. The First
2 Public originally comes from the Latin “populus” (public), while private originally comes from the Latin
“privus” (single, alone).
Amendment protects freedom of conscience and the Fourth Amendment protects the
physical private sphere of an individual against unreasonable violation. Other of the
amendments (the Third, Fifth and Ninth) also arguably have privacy interests.
This basic idea of privacy being incorporated into the very foundation of the
United States further paved the way for one of the most famous, influential and oft-
cited articles about privacy, published in 1890 by Warren and Brandeis [75]. Their
article mainly focused upon the privacy violation that can occur due to the public
dissemination of information about an individual that the individual would rather
stay private (the article was inspired by the press intruding in Mr. Warren’s private
life—the reporting on the wedding of his daughter). During the course of the article
the authors discuss many aspects of privacy—including control over one’s private
thoughts—and they connect it to many other values, such as an individual’s “right
to be left alone” and the respect due an individual’s “inviolate personality,” although
they (perhaps sensibly) do not attempt to define what privacy actually is. Their main
argument is that in order for law to properly protect privacy, privacy needs explicit
legal recognition, as simply applying other legal arguments to protect privacy—such
as using copyright law or contract law—is inadequate. A significant claim that they
make is that privacy is a specific human interest, connected to the moral character,
and that this interest is more important in the present than it has been in the past—the
importance of privacy is increasing.
In the wake of Warren and Brandeis’ article, privacy related cases slowly began
to surface over the next several decades that supported the article’s views. This con-
tinued until 1965 when what is known as the “constitutional right to privacy” was
explicitly recognised by the U.S. Supreme Court (Griswold vs. Connecticut, U.S. 381
(1965), 479). Until this point, protection of privacy in U.S. law was simply viewed
as being necessary to the protection of other more well-established rights, and were
therefore dealt with as such. Justice Douglas wrote that the case in question con-
cerned “a relationship lying within the zone of privacy created by several fundamen-
tal constitutional guarantees”—the amendments previously mentioned, each of which
creates different zones or “penumbras” of privacy. Some people are now arguing that
this ruling should be taken further and another amendment to the constitution should
be added that explicitly recognises the right to privacy in a specific and fundamental
manner.
Outside of the USA, many other countries developed laws that protected people’s
privacy. For example, in 1789 in France La Declaration des droits de l’homme et du
citoyen (The Declaration of the Rights of Man and of the Citizen) was adopted by
the ruling government, which included privacy guarantees to its post-revolutionary
citizens. Meanwhile, on a wider scale, two highly important developments occurred.
Firstly, in 1948 (on December 10th), the General Assembly of the United Nations
adopted the Universal Declaration of Human Rights, wherein privacy was enumer-
ated in Article 12:
No one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honour and reputation. Every-
one has the right to the protection of the law against such interference or attacks.
However, since the Universal Declaration of Human rights was so wide-ranging
in scope, it never garnered the international consensus necessary to become a binding
treaty. To solve this problem, the declaration was spilt into two binding covenants—
with the privacy guarantees becoming part of the International Covenant on Civil and
Political Rights (Article 17), which has been ratified by 149 parties worldwide.
Secondly, in 1950, the European Convention on Human Rights (officially the Con-
vention for the Protection of Human Rights and Fundamental Freedoms) was adopted
by most Council of Europe member states, wherein privacy was enumerated in Arti-
cle 8 (right to respect for private life):
1. Everyone has the right to respect for his private and family life, his home and his
correspondence.
2. There shall be no interference by a public authority with the exercise of this right
except such as is in accordance with the law and is necessary in a democratic
society in the interests of national security, public safety or the economic well-
being of the country, for the prevention of disorder or crime, for the protection of
health or morals, or for the protection of the rights and freedoms of others.
The history of privacy thus far has taught us that as societies have risen and fallen
in their haphazard progression and current society slowly emerged, the importance
placed upon the ideal of privacy as a fundamental human right has increased enor-
mously, and the subsequent necessity for its protection thus also grown and gained
in importance. However, the nature of protection of privacy has changed as this legal
age of privacy gradually gave way to the current modern age of privacy. This transi-
tion was initiated by the ever-forward march of technology which has affected both
the concept of privacy and the mechanisms of its protection in some major ways.
2.2.3 Privacy in the technological age
The privacy implications of ever-evolving technology are not exactly new: Warren
and Brandeis’ “right to be left alone” came from a time when privacy was threatened
by a new technology that allowed photographs to be included in mass-circulation
newspapers. During the 115 years since their article, the problems posed by tech-
nology have increased wildly, and privacy protection has struggled to keep apace.
Tuerkheimer classified these problems into two broad categories: surveillance and
personal data protection [72].
Surveillance technologies include such things as electronic wiretapping and moni-
toring of computer network traffic. Some specific examples of privacy issues brought
forth by these technologies (both already available and forthcoming) include wireless
telematics networks embedded in lamp posts tracking the location of one’s automo-
bile at all times [42], facial recognition systems employed widely tracking the loca-
tion of individuals, national identity cards [53], mandatory drug testing of employees,
Caller ID, Biometrics, blanket coverage of CCTV [11], monitoring of computer traf-
fic, email and telephone calls, and governmental surveillance systems such as Carni-
vore and Echelon [26]. All of these technologies are able to violate an individual’s
privacy in some major ways, as in extreme cases a person can be monitored 24 hours
a day without any awareness as to this fact.
So far, there has been little legislation guarding against privacy violations caused
by such surveillance technologies, except in a few specific cases: such as when the
basic protections that the Fourth Amendment brings Americans against unreasonable
violation was extended in the latter half of the last century to cover developments
in electronic surveillance (Katz vs. United States, U.S. 389 (1967), 479), requiring
U.S. government agencies to obtain a court order giving permission to use a wire-
tap. This does not however solve the problem in many other countries where such a
thing is not necessary, and it also fails to solve the problem of monitoring by private
organisations.
Personal data protection is the well-known privacy issue created by the prolifera-
tion of databases containing information about individuals’ lives, habits, preferences,
and personal histories. From virtually every place one goes to shop, from the su-
permarket to the videostore to the bookstore to the pharmacy, a steady stream of
information and statistical data about customers pours into vast warehouses of data.
These vast treasure-troves of knowledge about everyone can help companies in their
drive to ultimate efficiency and therefore the good of the customers—at least, that is
the argument used to support this. Undoubtedly this is true. However it can also give
a business a huge unfair advantage in their dealings with the customers, as it leaves
them holding all the cards in the game of commerce, while most of the individuals
playing do not know for sure how to play the game, or even that they are playing at
all. The time may come when everything it is possible to know about an individual
is stored somewhere, and there are no technological guarantees that this information
cannot be accessed by anyone, at any time.
In an attempt to counter this problem, governments in many countries have enacted
legislation that specifically attempts to protect the privacy of this data: for example,
in the UK and Sweden there is a legal restriction on any entity possessing any kind of
personal information without the explicit consent of the data subject, and every entity
that does store such data has to register this fact with the government. This approach
to privacy protection led to the Organisation of Economic Development issuing a set
of guidelines (the OECD privacy guidelines) which sets out the minimum standards
for data collection, storage, processing and dissemination that both the public and
the private sector should adhere to. These guidelines are commonly consulted by na-
tions and private organisations when drafting privacy laws and policies. One notable
set of privacy laws created based upon some of these principles are those created
by the European Union: in 1981 personal data protection became specifically highly
protected when the Convention for the Protection of Individuals with regard to Au-
tomatic Processing of Personal Data came into being. This convention obliged the
members of the Union to enact legislation concerning the automatic processing of
personal data, resulting in different types of regulatory models and approaches [45]
being adopted, ranging from the “self-help” approach (where there is no government
interference and it is up to the countries’ citizens to challenge inappropriate prac-
tises and bring them to the attention of the courts) to the “registration”/“licensing”
approach (where a government takes full control of ensuring that personal data about
its citizens is not misused).
After viewing the range of diverging legislation that had been enacted, the Eu-
ropean Commission realised that the different, and sometimes contradictory, ap-
proaches and laws enacted by its member states would impede the free flow of data
within the EU. Therefore the European Commission decided to harmonise data pro-
tection regulation across the member states and proposed the Directive on the Protec-
tion of Personal Data (officially Directive 95/46/EC on the protection of individuals
with regard to the processing of personal data and on the free movement of such
data). All members of the EU had to transpose this legislation into their internal
law by 1998, and all did. This directive required that many things become legally
mandatory, including the creation of government data protection agencies and the
registration of any databases of personal information with these agencies. One of
the stipulations of the Directive was that personal data would only be allowed to be
transferred to non-EU countries if the country provided an adequate level of pro-
tection of the data protection. However, while the EU and the United States both
ostensibly share the goal of enhancing privacy protection for their citizens, the EU
and the USA take fundamentally different approaches to achieve this. As we have
seen, the EU approach relies on comprehensive legislation to mandate its corporate
citizens be respectful of an individual’s privacy; the USA, however, uses an approach
that mixes small amounts of legislation with large amounts of self-regulation, relying
on its corporate citizens to behave responsibly. This, however, means that it is im-
possible to show that the USA can provide an adequate enough level of protection,
and means that the directive could have significantly hampered many U.S. companies
from engaging in transatlantic transactions with European customers. In an attempt
to solve this problem, the European Commission and the U.S. Department of Com-
merce jointly developed what is known as the “Safe Harbor” framework,3 which was
adopted in 2000. Under the safe harbor agreement, U.S. companies can choose to reg-
ister and enter the safe harbor (self certifying annually): agreeing to comply with the
agreement’s rules and regulations (which includes elements such as notice, choice,
access, and enforcement). EU organisations can then ensure they are sending per-
sonal information to U.S. companies in accordance with EU rules by checking that
the U.S. company they are dealing with is on the list of participating companies.
In this age of privacy, technology has advanced so far and so fast that the approach
of protecting privacy through legal means is not as effective as it once was: techno-
logical development is far outpacing the ability of the legal system to react and adapt
to new developments—and in many cases overstepping the line where the legal sys-
tem is able to protect privacy at all. In an effort to keep up, instead of continuing the
past legal developments calling for an all-encompassing legal and moral protection
of privacy, the legislators have instead had to mitigate against specific privacy viola-
tions as they appear—resulting in today’s legal landscape containing a mishmash of
various legal protections and requirements that help guard against isolated pockets of
privacy violations.
2.2.4 Privacy in the information age
In the information age that we live in the nature of privacy changes in some interest-
ing ways. Moor has discussed how in the information age information is “greased”—
quick moving and with uses impossible to imagine when it was initially entered onto
a computer [46]. The privacy implications of this one development alone are stagger-
ing. It is now possible for one to give personal information to one entity (purposefully
or without realising it) for one specific purpose or reason, only for it to be transferred
3 http://export.gov/safeharbor.
to another entity and used for an entirely different (possibly objectionable) purpose,
ad infinitum. Moor therefore argues that we need to create “zones of privacy” which
allow individuals to control levels of access to private information differently in dif-
ferent situations. He argues that it is important to think of privacy as an amalgamation
of the competing ideas that privacy is either about controlling one’s information or
about the state of limited access to one’s information, saying that although the con-
trol theory is highly desirable it is impossible to totally control one’s information in
a computerised society.
Obviously, Moor’s conclusion is based upon the assumption that individuals re-
ally do care about the privacy of their personal information in this greased world of
the information age. However, not everyone believes this to be the case. One point
often raised that argues this is that while most individuals state they are concerned
about privacy, many of them then go online and give away personal information with
apparently no thought or hesitation. This, they argue, seems to suggest that retain-
ing privacy of their personal information online is not as important to people as they
like to think, and therefore it can safely be ignored. To counter this argument, Syver-
son briefly discussed this view and produced some preliminary evidence debunking
it in [70]. To investigate more formally the statistics of this occurrence, Ackerman,
Cranor and Reagle surveyed a number of U.S. Internet users, recording their privacy
preferences and then giving them a range of e-commerce scenarios and examining
their privacy concerns [1]. The results show that while consumers in general have
a high level of concern about privacy, when faced with real online situations things
complicate somewhat. They state that consumers can be split into three main cate-
gories (supporting Westin’s earlier findings in [81]), termed the privacy fundamen-
talists, the pragmatic majority, and the marginally concerned. Privacy fundamental-
ists (17% of participants in the survey) are extremely concerned about privacy, un-
willing to provide private information under almost any circumstances. Pragmatists
(56%) have privacy concerns, but were willing to give certain private information
for pertinent reasons when assured by privacy protection measures. The marginally
concerned (27%) were willing to give private information under almost any circum-
stances. Thus, while some individuals may reveal private information at any time, the
majority of people (73%) are at least concerned about their privacy online.
Due to the “greased” nature of information in the age we live in, the methods to
best protect privacy are changing. Previously, most privacy violations against individ-
uals were due to calculated acts by specific entities, without the individuals consent,
and therefore the best defence against these was legislation protecting individuals
against them. Privacy violations in the world of the information age, however, can
equally as likely be due to entities misusing data collected from individuals for ap-
parently legitimate reasons. Thus, protection of privacy becomes a new challenge as
individuals have freely given this information away for a specific purpose—and once
this information is out in the wild, it is impossible to recapture and difficult to monitor
whether it has been utilised legally or exploited illegally.
These conclusions seem to suggest that a new model of privacy protection is nec-
essary in the information age if the laudable goal of protecting an individual’s privacy
is to be achieved. Instead of relying upon legal protections alone to guarantee that no
entity can violate one’s privacy, technologies should perhaps instead be used that put
individuals back in control of their information: thus allowing them to protect their
own privacy to whatever extent they wish, releasing certain amounts of personal in-
formation for whatever reasons they wish, tailored to the specific circumstance they
are faced with.
3 Privacy in e-commerce
The dawning of the information age has enabled us to realise that on the one hand,
information itself is valuable: possession of intellectual, personal, social and eco-
nomic information can both create opportunities for the individual and give social
and economic advantages to them; but on the other hand it has led to a world where
an individual can unwittingly give away this valuable information while engaging in,
or attempting to take advantage of, the use of new technologies. This situation is best
illustrated in one specific area of recent technological development: e-commerce—
where consumers and businesses exchange performative statements via electronic
media to express their commitments to the achievement of future states involving the
exchange of goods with one another [44].
Transacting in e-commerce today typically necessitates the divulgence of large
amounts of personal information which is either necessary for the transaction (for
example, credit card information, delivery details) or is desired by the e-business:
possession of this information gives them the opportunity to analyse it, discovering
trends and increasing the efficiency of their business dealings. Consumers typically
have little idea as to the range of possible uses that possession of this information
allows for, and thus have little idea as to the possible violation of their privacy that
could occur right under their noses with their unintentional consent. One of these
uses is price discrimination—Odlyzko noted that in e-commerce “privacy appears to
be declining largely in order to facilitate differential pricing” [50], and discussed the
fact that while such price discrimination is largely seen as economically efficient it is
also widely disliked by the public.
Conventionally, this friction between the incompatible ideas of either supporting
the corporate viewpoint or the individual viewpoint in the conflict between business
interests and individual interests has led to the idea that the two viewpoints are mu-
tually exclusive and thus either one or the other should be encouraged. Generally
economists have tended to uphold the corporate viewpoint since business interests
enhance the economy the most, while privacy advocates and civil liberties groups
have upheld the individual viewpoint arguing that everyone has fundamental human
rights to privacy and non-discrimination. In the new world of the information age and
e-commerce however there seems to be a need to—and the possibility to—reach a
compromise between the two competing ideas and to arrive at a solution somewhere
in the middle-ground that is mutually beneficial to all. This compromise is to support
consumer-centric privacy in e-commerce: the enabling of the ability of the individual
to retain the maximum amount of privacy and control possible over their personal
information.
From an individual’s point of view, consumer-centric privacy would mean putting
them back in control of their information to use and give away as they see fit. Aside
from the socio-philosophic benefits discussed in the previous section, the maximisa-
tion of privacy and control could also produce significant economic benefits:
• It enables an individual to take advantage of the highly valuable assets they

possess—their personal information—that is currently freely given away. Keep-
ing control of these assets would allow an individual to possess more leverage in
economic transactions. Simply stated, this increased leverage should enable indi-
viduals to directly “get a better deal” for themselves.
• More generally, if consumer-centric privacy existed in the world of e-commerce
then the security and privacy trust barrier discussed in the introduction would be
broken down, thus many more individuals would be comfortable being a part of the
world of e-commerce, leading to increased e-commerce levels. This increase would
benefit the consumer as generally increased e-commerce levels should lead to more
e-commerce providers, thus leading to lower prices due to increased competition,
and all that entails.
From a business’ point of view, consumer-centric privacy would mean consider-
ing their customers as entities engaging in a two-way business interaction rather than
entities to exploit in a one-way process. While initial consideration of this enable-
ment of consumer-centric privacy would seem to only contain disadvantages from
a business point of view—losing the control e-businesses currently wield over their
customer’s information would result in them being in less of a position to exploit this
information through data mining, price discrimination, etc.—a more careful analysis
exposes the possibility of some significant benefits:
• The main possibility is fairly simple: cold hard cash. Privacy concerns of individ-
uals are currently holding back e-commerce levels by significant amounts. Once
these privacy concerns are alleviated then the growth of e-commerce levels should
start to reach the uninhibited amounts that it is capable of. This increase would
almost certainly be of a significant amount, resulting in a significant increase in
e-commerce levels.
• A by-product of shifting the onus of protecting privacy in e-commerce from the
side of the e-business to the side of the individual, and thus the technology achiev-
ing this protection, is that the costs of setting up the systems that provide server-
side personalisation and all related technologies required should decrease (or even
disappear); causing the running and maintenance costs of the e-business to drop.
Thus when considered as a whole, the possible benefits of encouraging consumer-
centric privacy in e-commerce are fairly captivating. There are, however, significant
challenges associated with doing this, both technological and in the fact that it would
involve providers embrace a complete paradigm shift in the way they conduct busi-
ness in the world of e-commerce. To understand some of the technological challenges,
we will survey the current technologies that have been produced and draw some over-
all conclusions about them.
4 Privacy enhancing technologies
Desire for consumer privacy had led some in the research community to design tech-
nologies that aim to uphold the ideal of protecting it in the e-commerce environ-
ment. These technologies can generally be placed into one of two categories: anony-
mous technologies and non-anonymous technologies, or to use the correct antonym
of anonymous—“onymous” technologies. The methods by which these two types of

technologies attempt to preserve individual privacy differ both in fundamental phi-
losophy and in application.
4.1 Anonymous/pseudonymous techniques
Anonymising/pseudonymising technologies attempt to achieve unlinkability between

an individual and any of their personal information. That is, they aim to secure
the privacy of an individual’s personal information by simply trying to ensure that
any personal information released to an organisation cannot be linked to an indi-
vidual’s real identity. There are a range of levels of anonymity available: from the
truly anonymous—no one can find out who you really are; through the pseudo-
anonymous—your identity is generally not known but can be obtained if deemed
necessary and with enough hard work; through to the pseudonymous—where an
individual can create a range of virtual identities for use in various circumstances.
Throughout this spread individual privacy is maintained—as although an attacker try-
ing to harvest personal information is able to gather large quantities of it, the material
gathered cannot (normally) be linked back to a specific individual.
User anonymity (at whatever level) can be achieved through one of three main
methods: anonymising the transport medium; allowing anonymous but accountable
transactions (credential systems); and “scrubbing” of data stored by an organisation.
4.1.1 Anonymising the transport medium
One method of enforcing anonymity between consumers and their prospective

e-commerce providers is to ensure that any communications between the two occur
in such a way that the original identity of the consumer cannot be gleaned through
examination of any of the communications, or by eavesdropping on communication
patterns. So for example, when a consumer browses through an e-business’ website
and buys items from them, this type of technology will aim to prevent the e-business
from ever knowing exactly who they are dealing with. Technologies have been cre-
ated that attempt to achieve this goal, with varying degrees of success.
One of the simplest possible of ways for an individual to achieve anonymity in
this fashion is to simply set up an account with a free email service such as Hotmail,4
Yahoo Mail5 or Mail.com.6 This allows an individual to have a point of contact for
communications, enabling them to be members of online communities; have accounts
with e-businesses, etc. Hushmail7 takes this idea further offering end-to-end encryp-
tion for its users ensuring eavesdroppers cannot breach the privacy of this setup. This
simple approach to anonymity through free email systems however requires that the
individual trust the email service provider completely—that they will not log com-
munication details such as IP addresses during email sessions. Additionally, this ap-
proach is fast becoming impossible in recent times as the majority of these services
4 http://www.hotmail.com/.
5 http://mail.yahoo.com/.
6 http://www.mail.com/.
7 http://www.hushmail.com/.
increasingly require personal details to sign up. That being said, there is generally
nothing to stop users signing up with false details.
A step up in technological complexity leads us to a well known tool to achieve
anonymous web browsing—Anonymizer.8 When an individual uses this service to
view items on the internet or submit information to remote sites, it is done with all
communications being routed through Anonymizer’s servers—thus the remote site
has no way of detecting the IP address or identity of the user. However, this kind of
technique also requires a trusted third-party—in this case Anonymizer itself. This is
simply because Anonymizer’s servers (or the user’s ISP) can certainly identify the
user if they so desired.
To achieve complete anonymity on the internet, tools are needed that do not
rely on a trusted third-party. In this vein, Reiter and Rubin created a system called
Crowds [58, 59] that operates by grouping users into large groups (crowds). Individ-
uals connect to this crowd, and instead of directly issuing requests to internet servers,
they instead give it to the crowd. The request gets passed around the members of the
crowd with an arbitrary degree of randomness until it eventually gets submitted to
the intended recipient. To use Crowds is essentially to play “pass the parcel” with
users’ requests. The recipient of the request thus cannot identify who in the crowd
issued the initial request—as it is equally likely to have been any of the members of
the crowd. However, malicious behaviour by any rogue crowd members can affect
the usefulness and reliability of the system—although they cannot compromise the
anonymity of any of the other members through such behaviour.
Another step up in complexity of technology leads to technologies that use en-
cryption to assist with solving the problem. A well known technology of this type
that spurned numerous off-shoots was created by Chaum in 1981 [16]. A Chaum Mix
is a system based upon public key cryptography that allows users to communicate via
email while remaining anonymous to each other (and any global eavesdropper), all
without needing any guarantees as to the security of the underlying communications
system. It does this by ensuring that messages passing through the system are of equal
size, cryptographically changing them and then sending the messages to their recip-
ients in a different order. This makes it very difficult for even a global eavesdropper
to link an incoming message and its sender to an outgoing message and its recipient.
Chaum Mixes can be improved by linking mixes together to create a “cascade” of
Mixes in order to further provide security guarantees and not to have to require a user
to trust one single mix server.
One of the off-shoots of Chaum Mixes was created by Goldschlag, Reed and
Syverson [33, 34]. They designed an anonymous communication architecture called
Onion Routing which can be used by any protocol capable of being adapted to use a
proxy service. It is built upon the idea of using a network of dynamic real-time Chaum
Mixes. Onion routing allows bi-directional, near real-time connections that are highly
resistant to eavesdropping and traffic analysis. The user submits an encrypted request
in the form of an onion—a layered data structure specifying the properties of the
connection at each point along the route (including cryptographic information and
keys). Each point can only decrypt its layer, finding out only where the next point in
8 http://www.anonymizer.com/.
the route is, except for the final point which decrypts its onion to find the request to
send and whom to send it to, which it then does. Thus, a recipient only knows the
identity of the person at the end of the chain. The Freedom Network9 designed and
operated by Zero-Knowledge Systems Inc. is a commercial implementation of a vari-
ant of Onion Routing, routing IP connections through intermediate nodes to provide
users with anonymity.
This first generation of Onion Routing, however, never developed much beyond
a proof-of-concept system that ran on a single machine. A new second generation
Onion Routing system (supported by the Electronic Frontier Foundation) called Tor
has recently been presented [24]. This new generation of communication service ad-
dresses many of the limitations of the original design, adding many useful features
designed to make Onion Routing secure, efficient, and usable enough for real world
use.
All of these anonymising technologies however have one major caveat—they only
work properly (providing anonymity) if certain conditions are met. Some of these
conditions have been noted by Clayton, Danezis and Kuhn [19]: for example, attacks
can be made that will reveal a supposedly anonymous individual’s IP address by
doing such things as making use of client-side scripting, sending images which can
be tracked when loaded by the user (web bugs), cookie stealing, and many other
methods. The conclusion by the authors in [19] is that it is important to not only think
about the anonymity properties of communication channels, but to also consider ways
of protecting anonymity throughout the entire system. To use the old adage, “A chain
is only as secure as its weakest link.”
4.1.2 Credential systems
Besides anonymising the transport medium, another method of enabling anonymity

between a customer and an e-business is through the use of a credential system (some-
times referred to as a pseudonym system). In a credential system, users are known to
the organisation they are doing business with only by a pseudonym (or nym). A sin-
gle user can use different pseudonyms with different organisations, and these cannot
be linked together by any member of the system. However, an organisation can is-
sue a credential to a pseudonym, who can then prove possession of this to another
organisation revealing only that the user owns a credential. A certification authority
sometimes plays an important role in guaranteeing that the system is used properly
and that users can be trusted. What this means in e-commerce transactions is that
these technologies enable customers to buy items from an e-business by proving cer-
tain facts: that they are eligible to buy the item, that they have given a payment, etc.,
all without the e-business knowing exactly who they are dealing with.
The idea and basic framework of credential systems were first introduced by
Chaum in 1985 [14], who soon after published a full model with security proofs using
RSA as a one-way function [15]. This model, however, requires a trusted third party
(the certification authority) which manages the transfers of users’ credentials between
organisations. To relax this constraint, Damguård developed a model that only needs
9 http://www.freedom.net/.
a third party to be involved—it does not necessarily have to be trusted [22]. It does
this by using the idea of multi-party computations [35], resulting in a scheme that is
provably immune to forgery by malicious entities in the system. This model however
is not meant for implementation as some of the methods used are too inefficient for
heavy use. A practical version of this work was produced by Chen [17], it however
requires that the certification authority behave honestly.
One weakness of all of these models of credential systems is that there is nothing
to stop a user from sharing his pseudonym and/or credentials with other users. For
example if a user was issued with a certificate proving that they are over 18, they
could then share this with other under-age users who could use it to purchase age-
limited products. While this is in fact acceptable from the perspective of protecting
privacy, it may result in business transactions that are not valid or intended. In an
attempt to solve this problem Lysyanskaya, Rivest and Sahai produced a model [43]
that includes the presumption that the user’s private key (linked to the corresponding
public key in the credential system) is something that they are motivated to keep
secret—for example, it could be their digital signature key. If a user then shared a
credential with another user, the other user would have access to this secret. If the
secret was the digital signature key, the other user could then forge signatures on any
documents in the original users name. This idea was termed non-transferability. As
with Damguård’s model however, this model is not directly usable in practise due to
the reliance on methods that are too inefficient to use in practise.
Camenisch and Lysyanskaya further developed this idea of non-transferability [12]
producing another model for a credential system that additionally has the optional
property of allowing a users identity to be revealed if the user misuses their credential
or uses it in illegal transaction. This model, however, requires that the certification
authority is trusted to do their job properly—this risk can be minimised, however,
through distribution of the tasks of the certification authority, weakening the trust
assumptions. Camenisch and Van Herreweghen have recently described a prototype
of a system based upon this model [13].
More recently, the idea of credential systems, along with the lack of success of
PKI (Public Key Infrastructure) systems, has recently led to the development of PMI
(Privilege Management Infrastructures) and AAI (Authentication and Authorisation
Infrastructures) systems. As such, several proposals for working systems have been
put forward: such as Kerberos, SESAME, PERMIS, AKENTI, Microsoft Passport,
Shibboleth and the Liberty Framework. Schlaeger and Pernul surveyed these new pro-
posals, concluding that none of them “is perfectly suitable for b2c e-commerce” [62].
4.1.3 Privacy in databases
A different approach to enabling anonymity of a user “after the fact” consists es-
sentially of finding a method of allowing an organisation to hold a vast database of
information about its customers, yet guaranteeing that any information gleaned from
the database cannot be linked back to a specific individual. This means that cus-
tomers can buy items from an e-business in a totally standard way but when their
data is stored in a database all information that uniquely identifies the owner of the
information is removed thereby achieving anonymity. This technique was originally
pioneered to help solve privacy issues in statistical databases. In these databases it is
the statistical information about the data—rather than the data itself—that is impor-
tant, thus methods have been considered that can keep the statistics of the data-set
valid whilst keeping the individual data itself private. Two excellent surveys of these
ares were produced by Adam and Worthmann [2] and Shoshani [68]. Broadly, the
methods that attempt to accomplish this ideal of privacy of database information can
be split into three main categories: query restriction, data perturbation and output
transformation [2].
The goal of technologies that fall into the query restriction category is to retain
privacy of individual data items by restricting the information that can be released.
In this approach only queries that obey specific criteria are allowed, in an effort to
prevent information about specific data items becoming known. The problem of this
approach is that only a small subset of possible queries are allowed, reducing the
usefulness of the database. Similar to this idea is query auditing [18], where an audit
trail of all queries that have been performed is kept and every new query is checked for
possible compromise. If a possible compromise is detected, the query is disallowed.
The main problem with this approach, however, is that an entity can use the results
of queries along with the knowledge of what queries have been allowed and denied
to infer data and thus compromise the privacy of the data contained in the database.
The goal of data perturbation is to modify the original database in such a way that
the overall statistics remain valid while individual items are changed, thus preserv-
ing privacy of individual records. A very basic method of achieving a limited degree
of confidentiality is simple rounding of numerical data. This naive approach can be
improved slightly by randomly rounding or by adding random values with a mean of
zero [73]. This idea has been further developed, for example in [3, 4]. Other meth-
ods have been proposed that fall into this category, including data swapping, which
involves swapping each item in the database with another one from the same distribu-
tion, thus creating a new database with supposedly the same statistics [57]. However,
by its very nature the process of modifying the original data will always alter the
overall statistics at least slightly, as well as making the original data meaningless in
of itself, making the information gained less useful overall.
The final category of output perturbation allows a database to permanently store
the original data and perform queries on it, however the results of any query per-
formed are altered such that the original data cannot be inferred before being returned
to the user. Methods that achieve this include adding a random perturbation to query
results (with increasing variance as queries are repeated) [8].
All of these techniques have one major technical drawback however—they do not
adequately satisfy the conflict of being able to provide high quality statistics while
simultaneously preventing disclosure of individual information [2]. Also, attempting
to achieve the privacy of individual data itself is a very hard problem to overcome.
Denning and Denning discussed the details of this problem—whereby statistical in-
formation “contain[s] vestiges of the original information; a snooper might be able
to reconstruct this information by processing enough summaries” [23]—drawing on
work both by themselves and Schlorer (e.g. [63–65]).
From an e-commerce and consumer point of view there is an even bigger draw-
back with these methods: any individuals wishing to enter into a business relationship
with an organisation have to trust that organisation’s word that once their personal in-
formation is received and stored it will be anonymised.
4.1.4 Summary
Where anonymous/pseudonymous techniques are both desirable and technically

plausible, they are an excellent method of preserving individual privacy. A range of
techniques have been proposed ranging from the simple to the highly technologically
complex. A summary of the techniques surveyed is presented in Table 1, where we
compare each of the techniques by their basic architecture, whether they are usable in
practical circumstances, and in which application areas they can be used successfully.
As can be seen, the majority of the anonymous/pseudonymous privacy enhancing
techniques are practically usable in areas involving web applications (which includes
e-commerce), but require a trusted third party in their architecture. This is potentially
a serious limiting factor for the usefulness of this type of technology: it requires that
entities exist that consumers trust entirely (and all the problems this entails); also as
e-commerce develops further and e-businesses become ever more distributed, it may
not be realistic to require the existence of a trusted third party in order to protect
privacy for consumers.
Of course, there are other privacy-enhancing techniques available to be used. One
such area of techniques is the area of steganography [40, 41]—the science of hiding
Table 1 Anonymous/pseudonymous privacy enhancing technologies
Technology References Architecture Usable Application areas

T3P 3P De E-mail Web Other
Anonymous techniques
Anonymous e-mail email.com, etc. x x x
“Anonymizer” anonymizer.com x x x
“Crowds” [58, 59] x x x
Simple Chaum mix [16] x x x
Network of Chaum mixes [16] x x x
“Onion Routing” [33, 34] x x x x
Credential systems (CS)

Chaum’s CS [14, 15] x x x
Damguård’s CS [22] x x
Chen’s CS [17] x x x
Lysyanskaya et al.’s CS [43] x x
Camenisch et al.’s CS [12] x x x
“Idemix” [13] x x x
Database privacy
Query restriction [18] x x N/A N/A N/A
Data perturbation [3, 4, 57, 73] x x N/A N/A N/A
Output perturbation [8] x x N/A N/A N/A
Key: T3P = Trusted third Party

3P = Third Party
De = Decentralised
communication between two parties in such a manner than an eavesdropper would not
know that a message exists. However, while these techniques are highly developed,
none are realistically applicable to the field of e-commerce as it stands today (e.g. in
the case of steganography, hiding the fact that an individual e-commerce transaction
was occurring from an eavesdropper would only guard against privacy invasions from
that eavesdropper—which is not where most privacy invasions are occurring).
4.2 Onymous techniques
Preserving privacy by staying anonymous is not always possible. Sometimes an indi-

vidual is required to be identified by an e-business in order to receive their services.
Examples of cases where this may be true are the use of digital libraries where pay-
ment is required to access the data (and therefore credit card details, and thus identity
can be revealed) or standard Business-to-Consumer (B2C) e-commerce—if an indi-
vidual orders a book from Amazon, payment details as well as delivery details are
required. While anonymous e-cash systems have been developed that could solve the
first problem, any material goods one orders still need to be delivered: therefore an
address needs to be supplied, and thence identity can be discovered. Solutions to this
problem have also been proposed—a simple example being that an individual set up
a PO Box. However, none of the solutions to this problem developed so far would re-
alistically work in the real world of e-commerce, where the average individual would
simply not bother engaging in e-commerce if it meant having to go well out of one’s
way to retain privacy by enacting one of the solutions.
Thus, onymous technologies have started to be developed to counter this problem.
The main philosophy behind onymous technologies is not to attempt to withhold
an individual’s identity from an organisation, instead attempting to help individuals
preserve the privacy of some of their information—or at the very least to help them to
make informed decisions about which entities can be trusted. This area of technology
is becoming increasingly important in recent times as more resources on the Internet
slowly move away from the free-service model and as security concerns are pressing
for fully accountable and identifiable transactions.
Onymous technologies fall largely into two distinct groups: those that help con-
sumers to make informed decisions when transacting in e-commerce, and those that
actively attempt to actually enforce the preservation of privacy.
4.2.1 Decision helping techniques
One of the simplest methods of helping maintain consumer privacy onymously are
those which aim to guide a consumer in the decision about which e-businesses can
be trusted to be (relatively) respectful of their privacy and which to avoid. One such
method is embodied by TRUSTe, the “online privacy seal.” TRUSTe is simply a pro-
gramme designed to help an individual make a choice over which websites they can
trust and enter into business with. The TRUSTe organisation issues a “trustmark”
to e-businesses that adhere to TRUSTe’s privacy principles—practises approved by
the U.S. Department of Commerce and the Federal Trade Commission—and which
allow oversight to ensure that they follow through on their promises. Moores and
Dhillon [47] conducted a study into the effectiveness of these methods and concluded
that while they can be effective for the organisations that participate in these pro-
grammes and abide by their stated privacy principles, the overall perception of trust
in e-commerce is still heavily damaged by the majority of organisations that do not
participate. Thus, this solution to the trust problem of e-commerce is not effective
enough to make a significant difference.
A more technological solution of the decision helping techniques proposed is the
Platform for Privacy Preferences (P3P) [56], from the World-Wide Web Consortium
(W3C). Its main philosophy is that if individuals have to give up some privacy in
order to transact with an e-business, they should be able to at least make an informed
choice as to which e-businesses they wish to interact with. To achieve this, P3P en-
abled e-businesses make available their P3P policy—a set of privacy practises that
their website and company adhere to. P3P enabled individuals create their own policy,
deciding what privacy practises they find acceptable. These two items come together
when a user visits an e-business’ website, where a P3P agent under the individual’s
control compares the two policies, informing the individual about their similarities
and whether they match. This process allows individuals to tailor their relationships
with different e-businesses, releasing different amounts of personal information ac-
cordingly. P3P however has one main drawback—an e-business’ P3P policy only
states what their policies are, it does not ensure these policies are actually enforced.
Once again we have reached a point where the user has to trust the e-business to keep
to its promises.
4.2.2 Enforcement techniques
In an attempt to counter the main drawback with P3P, Ashley, Powers and Schunter
created an extended variant of it which works towards enterprise-wide enforcement of
P3P policies [6, 7]. Organisations create an “Enterprise Privacy Policy” which is then
enforced by a protected system holding the consumer’s data. The system grants or
denies attempts to access information and creates an audit trail that can be requested
by the consumer. While this is a good step forward for P3P enforcement—ensuring
that employees of the company can only access a consumer’s data for agreed upon
reasons—the consumer must still assume that the company has indeed protected its
system, and therefore the company as a whole is trustworthy.
A more consumer-centric privacy-enforcement solution was presented by Elovici,
Shapira and Maschiach [25]. They presented a model for hiding information about
group interests of a group of individuals who share a common point of access to
the internet. The model works by generating faked transactions in various fields of
interest in an attempt to prevent the real group profile being inferred. The raison d’être
for the model is to allow individuals within the group to identify themselves to, and
thence make use of, various services—such as digital libraries, specialised databases,
etc.—without allowing eavesdroppers to infer a common group interest. This could
be used for example to prevent someone inferring the direction of research within
research groups in rival companies. The measure of the model’s success is based
upon measuring the “degree of confusion” the system can inflict upon eavesdroppers.
Another technological solution to preserving privacy by enforcement was pre-
sented by Rezgui, Ouzzani, Bouguettaya and Medjahed [60]. Their system con-
centrates on preserving privacy of a citizen’s personal information in web-services
in general, and in e-government applications in particular. Its main thrust is in en-

forcing privacy by requiring entities which wish to access data to provide credentials
proving that they are allowed to access it, filtering out data that they are not allowed
to access, and finally by delivering the data through mobile privacy preserving agents
which enforces the privacy of the data on the remote site. However, the security of
mobile agents is a major problem that has not yet been addressed adequately (see [60]
for an overview of this problem), consequently any solutions that include the use of
mobile agents cannot currently contain any security guarantees.
Another onymous technology produced dealing specifically with the area of pre-
serving privacy of a consumer’s preferences when utilising newly developed search
technologies in e-commerce was proposed by Smith and Shao [69]. The approach
used in this case is to maximise a consumer’s privacy through a process of gradual
release of their preferences, attempting to minimise the amount released while still
acquiring (near) optimal search results. The approach currently lacks any concrete
measures of privacy however, so its effectiveness has yet to be seen in real world
situations.
4.2.3 Summary
Onymous techniques can be very useful in e-commerce as they support the ideal
of consumer privacy—attempting to maximise the amount preserved—whilst still
allowing fully onymous verifiable transactions to occur between consumer and
e-business. However, compared to anonymising technologies there have been rela-
tively few technologies of this type proposed—possibly because realistically usable
methods of maintaining consumer privacy onymously spring to mind less readily than
their anonymous counterparts. A summary of the techniques surveyed is presented in
Table 2, where we compare each of the techniques by their basic philosophy (whether
they are decision helping or enforcement), whether they require a trusted third party,
and whether they can be applicable to the general area of e-commerce. As we can see,
with the relatively few onymous privacy enhancing technologies so far proposed,
only two actually fulfill the ultimate goal of enforcement of consumer privacy in
e-commerce without requiring a trusted third party to operate: the technologies pro-
posed by Elovici, Shapira and Maschiach [25] and Smith and Shao [69]. Given that
onymous technologies are more likely to have a bigger impact on e-commerce levels
for the reasons stated in this paper, more work in this area is clearly desirable.
4.3 The future of privacy enhancing technologies
In this section we attempt to identify some directions for future work on the develop-
ment of privacy enhancing technologies for e-commerce applications, based on our
analysis of the existing techniques surveyed in the previous two sections.
Current privacy enhancing technologies are making significant achievements in
the arena of preserving the privacy of individuals through achieving user anonymity.
In the cases where anonymity is possible (and indeed desirable), and the caveats
mentioned are managed satisfactorily, this is a very viable and effective approach and
definitely merits the attention it currently receives. However, more work is required
into the area of designing systems that can manage these caveats automatically, and
Table 2 Onymous privacy enhancing technologies
Technology References Privacy philosophy T3P Applicable to e-commerce

Helper Enforcement
TRUSTe truste.com x x x
P3P [20, 56] x x x
E-P3P [6, 7] x x x
ESM’s [25] x x
ROBM’s [60] x x
SS’s [69] x x
Key: T3P = Trusted third Party
also into relaxing the requirement of trusted third parties in their architectures. This
will then provide total anonymity/pseudonymity, rather than just concentrating on the
basic methods and protocols that provide anonymity at the base level.
It is not always possible, however, for a user to remain anonymous. This is espe-
cially true in the area of e-commerce—where names, payment details, delivery de-
tails, etc. are required when one buys material goods over the internet and enters into
a contract with that company. Thus we feel that onymous technologies are needed
to allow an individual to preserve their privacy whilst simultaneously fulfilling the
practical necessity for fully accountable and identifiable transactions.
So far, in this area of preserving privacy in onymous circumstances only a few
technologies have been produced: the main contender (at least as far as take-up is
concerned) being the Platform for Privacy Preferences (P3P). However, this technol-
ogy does not actually enforce individual privacy, it is a technology to help guide de-
cision making about whom to trust. More technologies, and specifically technologies
that attempt to enforce the preservation of privacy, are required to fill this void.
If we accept that there is a need to produce new and more advanced onymous
technologies then we need to understand fundamentally how consumer privacy in the
e-commerce context may be measured. That is, we need to consider, for example: if
some types of information are worth more than others, whether there is any corre-
lation between what businesses and individuals value the most, and if certain kinds
of private information hold more economic, and thus bargaining, power. Establishing
these measures will then give us a sound basis for developing onymous technologies,
and allow us to fully evaluate and compare any technologies that may be created in
future.
Finally, there is a need to study privacy enhancing technologies in the light of se-
curity requirements. Allowing any individual to transact anonymously on the internet
is sometimes considered a potential security problem in today’s world. However, in
the specific context of e-commerce, it is easy to argue that any individual who truly
desires to be anonymous can simply choose to not transact electronically and in-
stead go into a physical shop in person and pay with cash. Thus, stopping anonymous
e-transactions may not get rid of this potential security problem; it only removes it
from e-commerce shifting it to a different area. We therefore believe that more studies
are needed in order to understand how the two sets of requirements can be meaning-
fully balanced in e-commerce, and we feel that onymous technologies can play an
important role in viable solutions.
5 Conclusion
In this paper, we have briefly given an overview of the history and development of
the idea of “privacy” from ancient times through to today’s world and explored ex-
actly how this idea of privacy fits within the developing world of e-commerce. Our
analysis has suggested that protecting individual privacy in e-commerce is important
and beneficial to both consumers and e-businesses.
From a consumer’s point of view, releasing the absolute minimum amount of per-
sonal information, interests and preferences as possible to an e-business is simply a
means to an end. The idea of releasing as little information as possible is the “means,”
while the “end” is entirely dependent upon an individual’s personal viewpoints. If one
believes that privacy is an important human value and that an individual should have
total control over personal information (the control theory of privacy) then the end is
to retain one’s individuality in society (and all that this entails) by keeping control of
one’s information. If one believes that privacy is characterised by other people know-
ing as little about them as possible (the limited access theory of privacy) then the
end is to keep the maximum amount of personal information private. If one believes
that privacy is less noble than these grand social theories and is simply about the
economics of information (the economic theory of privacy) then the end is to retain
an economic advantage in one’s dealings with business by retaining control of one’s
property and assets. Since the majority of people agree with at least one of the “ends”
of privacy, the ability to retain individual privacy is highly important.
From a business’ point of view, to support technologies that enable individuals to
retain privacy makes good business sense. Surveys have shown that e-commerce is
losing a significant amount of income because of privacy and security concerns of
its potential user base. Whatever the business feels about the “right to privacy” of its
customers, embracing technologies that give some degree of control to its customers
should alleviate a lot of consumer concerns with the knock-on effect that the take-
up of e-commerce should increase. This benefit may become more evident in the
newly emerging computing paradigm of service oriented computing across the Grid
infrastructure [29]—where more businesses will be expected, if not forced, to operate
electronically. To e-businesses, therefore, the ability to give consumers control of
their privacy in an attempt to create an acceptable level of trust is highly essential.
We have also surveyed some of the existing technologies for enhancing consumer
privacy in e-commerce in this paper. While these technologies represent a promising
start to the enhancement of consumer privacy in e-commerce, much still needs to be
accomplished to advance the state of the art. Anonymising technologies are highly
effective in the goal of preserving privacy in many cases but they are not the only
possible type of solution—and in some cases are not a viable solution at all. In such
situations—where anonymity is either not possible or not desirable—onymous (non-
anonymous) technologies could play a major role. Currently there is little work on
developing onymous technologies and further work in this area would be beneficial
to all parties involved in e-commerce.
References
1. Ackerman, M.S., Cranor, L.F., & Reagle, J. (1999). Privacy in e-commerce: examining user scenarios
and privacy preferences. In Proceedings of the 1st ACM conference on electronic commerce (pp. 1–8).
New York: ACM
2. Adam, N.R., & Worthmann, J. C. (1989). Security-control methods for statistical databases: a com-
parative study. ACM Computing Surveys, 21(4), 515–556
3. Agrawal, D., & Aggarwal, C.C. (2001). On the design and quantification of privacy preserving data
mining algorithms. In Proceedings of the twentieth ACM SIGMOD-SIGACT-SIGART symposium on
principles of database systems (pp. 247–255). New York: ACM
4. Agrawal, R., & Srikant, R. (2000). Privacy-preserving data mining. In Proceedings of the 2000 ACM
SIGMOD international conference on management of data (pp. 439–450). New York: ACM
5. Arendt, H. (1958). The Human Condition. Chicago: University of Chicago Press
6. Ashley, P., Hada, S., Karjoth, G., & Schunter, M. (2002). E-p3p privacy policies and privacy autho-
rization. In Proceeding of the ACM workshop on privacy in the electronic society (pp. 103–109). New
York: ACM
7. Ashley, P., Powers, C., & Schunter, M. (2002). From privacy promises to privacy management: a new
approach for enforcing privacy throughout an enterprise. In Proceedings of the 2002 workshop on new
security paradigms (pp. 43–50). New York: ACM
8. Beck, L.L. (1980). A security mechanism for statistical databases. ACM Transactions on Database
Systems, 5(3), 316–338
9. Benn, S.I., & Gaus, G.F. (1983). Public and Private in Social Life. St. Martins Press
10. Bloustein, E.J. (1964). Privacy as an aspect of human dignity. New York University Law Review, 39,
962–1007
11. Brin, D. The transparent society. http://www.wired.com/wired/archive/4.12/fftransparent.html
12. Camenisch, J., & Lysyanskaya, A. (2001). An efficient system for non-transferable anonymous
credentials with optional anonymity revocation. In B. Pfitzmann (Ed.), Advances in cryptology—
EUROCRYPT 2001. Lecture Notes in Computer Science, vol. 2045 (pp. 93–118). Heidelberg:
Springer
13. Camenisch, J., & Van Herreweghen, E. (2002). Design and implementation of the idemix anonymous
credential system. In Proceedings of the 9th ACM conference on computer and communications se-
curity (pp. 21–30). New York: ACM
14. Chaum, D. (1985). Security without identification: transaction systems to make big brother obsolete.
Communications of the ACM, 28(10), 1030–1044
15. Chaum, D., & Evertse, J.-H. (1987). A secure and privacy-protecting protocol for transmitting
personal information between organizations. In CRYPTO 86. Lecture Notes in Computer Science,
vol. 263 (pp. 118–167). Heidelberg: Springer
16. Chaum, D.L. (1981). Untraceable electronic mail, return addresses, and digital pseudonyms. Commu-
nications of the ACM, 24(2), 84–90
17. Chen, L. (1995). Access with pseudonyms. In E. Dawson and J. Golić (Eds.), Cryptography: policy
and algorithms. Lecture Notes in Computer Science, vol. 1029 (pp. 232–243). Heidelberg: Springer
18. Chin, F.Y., & Ozsoyoglu, G. (1982). Auditing and inference control in statistical databases. IEEE
Transactions Software Engineering, 8(6), 113–139
19. Clayton, R., Danezis, G., & Kuhn, M.G. (2001). Real world patterns of failure in anonymity systems.
In Information hiding: 4th international workshop, IHW 2001. Lecture Notes in Computer Science,
vol. 2137 (pp. 230–244). Heidelberg: Springer
20. Cranor, L.F. (2002). The role of privacy advocates and data protection authorities in the design and
deployment of the platform for privacy preferences. In Proceedings of the 12th annual conference on
computers, freedom and privacy, (pp. 1–8). New York: ACM
21. Cyber Dialogue (2001). Cyber dialogue survey reveals lost revenue for retailers due to widespread
consumer privacy concerns. http://www.cyberdialogue.com/news/releases/2001/11-07-uco-retail.
html
22. Damguård, I. (1990). Payment systems and credential mechanism with provable security against abuse
by individuals. In CRYPTO 88. Lecture Notes in Computer Science, vol. 403 (pp. 328–335). Heidel-
berg: Springer
23. Denning, D.E., & Denning, P.J. (1979). Data security. ACM Computing Surveys, 11(3), 227–249
24. Dingledine, R., Mathewson, N., & Syverson, P. (2004). Tor: The second-generation onion router. In
Proceedings of the 13th USENIX security symposium (August)
25. Elovici, Y., Shapira, B., & Maschiach, A. (2002). A new privacy model for hiding group interests
while accessing the web. In Proceeding of the ACM workshop on privacy in the electronic society (pp.
63–70). New York: ACM
26. European Parliament, Report on echelon. http://www.europarl.eu.int/tempcom/echelon/pdf/rapport_
echelon_en.pdf
27. Forrester Research (1999). Post-web retail (September). http://www.forrester.com/
28. Forrester Research (2001). Privacy concerns cost e-commerce $15 billion (September). http://www.
forrester.com/
29. Foster, I., Kesselman, C., & Tuecke, S. (2001). The anatomy of the grid: Enabling scalable virtual
organizations. International Journal of High Performance Computing Applications, 15(3), 200–222
30. Fried, C. (1968). Privacy [a moral analysis]. Yale Law Journal, 77, 475–493
31. Gartner Research (2005). Increased phishing and online attacks cause dip in consumer confidence
(June). http://www.gartner.com/
32. Gerstein, R.S. (1978). Intimacy and privacy. Ethics, 89, 76–81
33. Goldschlag, D., Reed, M., & Syverson, P. (1999). Onion routing. Communications of the ACM, 42(2),
39–41
34. Goldschlag, D.M., Reed, M.G., & Syverson, P.F. (1996). Hiding routing information. In Information
Hiding (pp. 137–150). Berlin/Heidelberg: Springer
35. Goldwasser, S. (1997). Multi party computations: past and present. In Proceedings of the sixteenth
annual ACM symposium on principles of distributed computing (pp. 1–6). New York: ACM
36. Habermas, J. (1989). The structural transformation of the public sphere: an inquiry into a category of
bourgeois society. Cambridge: MIT (translated by T. Burger)
37. Harris Interactive (2002). First major post-9/11 privacy survey finds consumers demanding companies
do more to protect privacy. http://www.harrisinteractive.com/news/allnewsbydate.asp?NewsID=429
38. IBM Global Services (1999). IBM multi-national consumer privacy survey. Conducted by Louis Har-
ris and Associates, Inc. http://www.ibm.com/services/files/privacy_survey_oct991.pdf
39. Jupiter Research (2002). Seventy percent of us consumers worry about online privacy, but few take
protective action. http://www.jupiterresearch.com/xp/jmm/press/2002/pr_060302.html
40. Kahn, D. (1996). The history of steganography. In Proceedings of the first international workshop on
information hiding, London, UK. (pp. 1–5). Berlin: Springer
41. Katzenbeisser, S., & Petitcolas, F.A. (Eds.) (2000). Information hiding techniques for steganography
and digital watermarking. Norwood: Artech House
42. Kewney, G. Wireless lamp posts take over the world! http://www.theregister.co.uk/content/69/34894.
html
43. Lysyanskaya, A., Rivest, R.L., Sahai, A., & Wolf, S. (1999). Pseudonym systems. In Proceedings of
the sixth annual workshop on selected areas in cryptography (SAC’99). Lecture Notes in Computer
Science, vol. 1758. Heidelberg: Springer
44. McBurney, P., & Parsons, S. (2003). Posit spaces: a performative model of e-commerce. In Proceed-
ings of the second international joint conference on autonomous agents and multiagent systems (pp.
624–631). New York: ACM
45. Milberg, S.J., Burke, S.J., Smith, H.J., & Kallman, E.A. (1995). Values, personal information privacy,
and regulatory approaches. Communications of the ACM, 38(12), 65–74
46. Moor, J.H. (1997). Towards a theory of privacy in the information age. ACM SIGCAS Computers and
Society, 27(3), 27–32
47. Moores, T.T., & Dhillon, G. (2003). Do privacy seals in e-commerce really work? Communications
of the ACM, 46(12), 265–271
48. Murphy, R.F. (1984). Social distance and the veil. In Philosophical dimensions of privacy: an anthol-
ogy (pp. 34–54). Cambridge: Cambridge University Press (chapter 2)
49. Nielsen, J., Molich, R., Snyder, C., & Farrell, S. (2000). E-commerce user experience. Technical
report, Nielson Norman Group
50. Odlyzko, A. (2003). Privacy, economics, and price discrimination on the internet. In Proceedings of
the 5th international conference on electronic commerce (pp. 355–366). New York: ACM
51. Patton, M.A., & Jøsang, A. (2004). Technologies for trust in electronic commerce. Electronic Com-
merce Research, 4(1–2), 9–21
52. Posner, R.A. (1984). An economic theory of privacy. In Philosophical dimensions of privacy: an
anthology (pp. 333–345). Cambridge: Cambridge University Press (chapter 15)
53. Privacy International. National id cards. http://www.privacy.org/pi/activities/idcard/
54. Prosser, W.L. (1960). Privacy [a legal analysis]. Harvard Law Review, 48, 338–423
55. Rachels, J. (1975). Why privacy is important. Philosophy and Public Affairs, 4(4), 323–333
56. Reagle, J., & Cranor, L.F. (1999). The platform for privacy preferences. Communications of the ACM,
42(2), 48–55
57. Reiss, S.P. (1984). Practical data-swapping: the first steps. ACM Transactions on Database Systems,
9(1), 20–37
58. Reiter, M.K., & Rubin, A.D. (1998). Crowds: anonymity for web transactions. ACM Transactions on
Information System Security 1(1), 66–92
59. Reiter, M.K., & Rubin, A.D. (1999). Anonymous web transactions with crowds. Communications of
the ACM, 42(2), 32–48
60. Rezgui, A., Ouzzani, M., Bouguettaya, A., & Medjahed, B. (2002). Preserving privacy in web ser-
vices. In Proceedings of the fourth international workshop on Web information and data management
(pp. 56–62). New York: ACM
61. Saxonhouse, A.W. (1983). Classical greek conceptions of public and private. In Public and private in
social life (pp. 363–384). New York: St. Martins (chapter 15)
62. Schlaeger, C., & Pernul, G. (2005). Authentication and authorisation infrastructures in b2c e-
commerce. In Proceedings of the sixth international conference on electronic commerce and Web
technologies (EC-Web’05). Lecture Notes in Computer Science. Heidelberg: Springer
63. Schlörer, J. (1975). Identification and retrieval of personal records from a statistical data bank. Meth-
ods of Information in Medicine, 14(1), 7–13
64. Schlörer, J. (1977). Confidentiality and security in statistical data banks. In Proceedings of workshop
on data documentation (pp. 101–123). Munich: Verlag Dokumentation
65. Schlörer, J. (1981). Security of statistical databases: multidimensional transformation. ACM Transac-
tions on Database Systems, 6(1), 95–112
66. Schoeman, F. (1984). Privacy: philosophical dimensions of the literature. In Philosophical dimensions
of privacy: an anthology (pp. 1–33). Cambridge: Cambridge University Press (chapter 1)
67. Schoemen, F.D. (1984). Philosophical dimensions of privacy: an anthology. Cambridge: Cambridge
University Press
68. Shoshani, A. (1982). Statistical databases: characteristics, problems, and some solutions. In Proceed-
ings of the eighth international conference on very large data bases. September 8–10, Mexico city,
Mexico (pp. 208–222). San Francisco, CA: Morgan Kaufmann
69. Smith, R., & Shao, J. (2003). Preserving privacy when preference searching in e-commerce. In
P. Samarati and P. Syverson (Eds.), Proceedings of the 2003 ACM workshop on privacy in the elec-
tronic society (WPES’03) (pp. 101–110). New York: ACM
70. Syverson, P. (2003). The paradoxical value of privacy. In Proceedings of the 2nd annual workshop on
economics and information security, WEIS 2003
71. Thomson, J.J. (1975). The right to privacy. Philosophy and Public Affairs, 4(4), 295–314
72. Tuerkheimer, F.M. (1993). The underpinnings of privacy protection. Communications of the ACM,
36(8), 69–73
73. US Office of Federal Statistical Policy and Standards (1978). Statistical policy working paper 2: report
on statistical disclosure and disclosure avoidance techniques
74. Volokh, E. (2000). Personalization and privacy. Communications of the ACM, 43(8), 84–88
75. Warren, S.D., & Brandeis, L.D. (1890). The right to privacy [the implicit made explicit]. Harvard Law
Review, 4(5), 193–220
76. Wasserstrom, R.A. (1984). Privacy: some arguments and assumptions. In Philosophical dimensions
of privacy: an anthology (pp. 317–332). Cambridge: Cambridge University Press (chapter 14)
77. Weintraub, J. (1997). The theory and politics of the public/private distinction. In Public and private
in thought and practise (pp. 1–42). Chicago: University of Chicago Press (chapter 1)
78. Weintraub, J., & Kumar, K. (1997). Public and private in thought and practise. Chicago: University
of Chicago Press
79. Westin, A.F. (1967). Privacy and freedom. New York: Atheneum
80. Westin, A.F. (1984). The origins of modern claims to privacy. In Philosophical dimensions of privacy:
an anthology (pp. 56–74). Cambridge, UK: Cambridge University Press (chapter 3)
81. Westin, A.F. (1991). Equifax-Harris consumer privacy survey. New York: Louis Harris & Associates
82. Westin, A.F. (1994). Equifax-Harris consumer privacy survey. New York: Louis Harris & Associates
83. Yates, J. (1769). Millar vs. Taylor. In 4 Burr. (pp. 2303–2379)

Privacy and Ecommerce

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Privacy and Ecommerce

Uploaded by

Copyright:

Available Formats

Electron Commerce Res (2007) 7: 89–116

Privacy and e-commerce: a consumer-centric

Rhys Smith · Jianhua Shao

Published online: 16 March 2007

Keywords E-commerce · Privacy · Privacy enhancing technology

R. Smith () · J. Shao

predominant. The commonly cited possibility, penned by Peter Steiner in a cartoon in

1 Source: US Census Bureau—http://www.census.gov/estats.

individual’s privacy by enabling anonymous communication channels for interaction

2.1 The nature of privacy

2.2 The development of privacy

2.2.1 The infancy of privacy

2.2.2 The legal age of privacy

2.2.3 Privacy in the technological age

2.2.4 Privacy in the information age

• It enables an individual to take advantage of the highly valuable assets they

4 Privacy enhancing technologies

of anonymous—“onymous” technologies. The methods by which these two types of

4.1 Anonymous/pseudonymous techniques

Anonymising/pseudonymising technologies attempt to achieve unlinkability between

4.1.1 Anonymising the transport medium

One method of enforcing anonymity between consumers and their prospective

4.1.2 Credential systems

Besides anonymising the transport medium, another method of enabling anonymity

4.1.3 Privacy in databases

Where anonymous/pseudonymous techniques are both desirable and technically

Table 1 Anonymous/pseudonymous privacy enhancing technologies

Technology References Architecture Usable Application areas

Credential systems (CS)

Key: T3P = Trusted third Party

4.2 Onymous techniques

Preserving privacy by staying anonymous is not always possible. Sometimes an indi-

4.2.1 Decision helping techniques

4.2.2 Enforcement techniques

in general, and in e-government applications in particular. Its main thrust is in en-

4.3 The future of privacy enhancing technologies

Table 2 Onymous privacy enhancing technologies

Technology References Privacy philosophy T3P Applicable to e-commerce

Key: T3P = Trusted third Party

You might also like