This version of the contribution has been
accepted for publication, after peer review (when applicable) but is not the Version of
Record and does not reflect post-acceptance improvements, or any corrections. The
Version of Record is available online at: http://dx.doi.org/10.1007/978-3-031-32808-4_1. Use of this
Accepted Version is subject to the publisher’s Accepted Manuscript terms of use
https://www.springernature.com/gp/open-research/policies/accepted-manuscript-terms
has context menu
[en] E-commerce has grown rapidly over the past years, with prevailing e-commerce platforms aggregating large amounts of customer data. This practice has several undesirable side effects, such as facilitating profiling that may lead to price discrimination and data feedback loops that can hamper competition. Moreover, data hoarding carries security risks through data breaches and undermines customers' privacy expectations. On the other hand, convenience aspects and compliance regulation demand the processing and storage of user-related data. To address this tension field, we aim to conceptualize and iteratively refine a data-minimizinig e-commerce platform. Following a design science research approach, we identify design objectives and propose and implement a solution in which stakeholders receive only customer data that is indispensable for their part of the process. Our solution leverages digital identity wallets and general-purpose zero-knowledge proofs (zk-SNARKs). We aim to perform a criteria-based evaluation to assess our artifact's feasibility and fitness from an interdisciplinary perspective. With our results, we hope to illustrate that combining state-of-the-art cryptographic techniques and an emerging digital identity paradigm allows reaching the user experience of incumbent e-commerce platforms while mitigating the undesirable socio-economic side effects of avoidable data disclosure.
Centre de recherche :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > FINATRAX - Digital Financial Services and Cross-organizational Digital Transformations NCER-FT - FinTech National Centre of Excellence in Research
Disciplines :
Sciences informatiques Gestion des systèmes d’information
Auteur, co-auteur :
ERMOLAEV, Egor ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
ABELLÁN ÁLVAREZ, Iván ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
SEDLMEIR, Johannes ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
FRIDGEN, Gilbert ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
Co-auteurs externes :
no
Langue du document :
Anglais
Titre :
z-Commerce: Designing a Data-Minimizing One-Click Checkout Solution
Date de publication/diffusion :
2023
Nom de la manifestation :
Proceedings of the 18th International Conference on Design Science Research in Information Systems and Technology (DESRIST)
Date de la manifestation :
from 31-05-2023 to 02-06-2023
Manifestation à portée :
International
Titre de l'ouvrage principal :
Design Science Research for a New Society: Society 5.0
Maison d'édition :
Springer Nature, Cham, Inconnu/non spécifié
ISBN/EAN :
978-3-031-32808-4
Pagination :
3--17
Peer reviewed :
Peer reviewed
Focus Area :
Security, Reliability and Trust
Projet FnR :
FNR13342933 - Paypal-fnr Pearl Chair In Digital Financial Services, 2019 (01/01/2020-31/12/2024) - Gilbert Fridgen FNR16326754 - Privacy-preserving Tokenisation Of Artworks, 2021 (01/06/2022-31/05/2025) - Gilbert Fridgen
This research was funded in part by the Luxembourg National Research Fund (FNR) through the PABLO project (grant reference 16326754) and by PayPal, grant reference “P17/IS/13342933/PayPal-FNR/Chair in DFS/Gilbert Fridgen” (PEARL). For the purpose of open access, the author has applied a Creative Commons Attribution 4.0 International (CC BY 4.0) license to any Author Accepted Manuscript version arising from this submission.
Alashoor, T., Keil, M., Smith, H.J., McConnell, A.R.: Too tired and in too good of a mood to worry about privacy: explaining the privacy paradox through the lens of effort level in information processing. Inf. Syst. Res. (2022)
Allen, C.: The path to self-sovereign identity (2016). http://www.lifewithalacrity. com/2016/04/the-path-to-self-soverereign-identity.html
Alt, R.: Electronic markets on business model development. Electron. Mark. 30(3), 405–411 (2020)
Alt, R.: Electronic markets on platform transformation. Electron. Mark. 32(2), 401–409 (2022)
Babel, M., Sedlmeir, J.: Bringing data minimization to digital wallets at scale with general-purpose zero-knowledge proofs (2023). http://arxiv.org/abs/2301.00823
Baethge, C., Klier, J., Klier, M.: Social commerce-state-of-the-art and future research directions. Electron. Mark. 26(3), 269–290 (2016)
Bella, G., Giustolisi, R., Riccobene, S.: Enforcing privacy in e-commerce by balancing anonymity and trust. Comput. Secur. 30(8), 705–718 (2011)
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Scalable, transparent, and post-quantum secure computational integrity (2018). https://eprint.iacr.org/2018/046
Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from Bitcoin. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 459–474 (2014)
Bergemann, D., Brooks, B., Morris, S.: The limits of price discrimination. Am. Econ. Rev. 105(3), 921–57 (2015)
Braud, A., Fromentoux, G., Radier, B., Le Grand, O.: The road to European digital sovereignty with Gaia-X and IDSA. IEEE Network 35(2), 4–5 (2021)
Busch, C.: eidas 2.0: digital identity service in platform economy (2022). https://cerre.eu/wp-content/uploads/2022/10/CERRE Digital-Identity Issue-Paper FINAL-2.pdf
Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Proceedings of International Conference on the Theory and Applications of Cryptographic Techniques, pp. 93–118 (2001)
Camp, L.J., Osorio, C.A.: Privacy-enhancing technologies for internet commerce (2002). https://papers.ssrn.com/abstract=329282
Chaum, D.: Security without identification: transaction systems to make Big Brother obsolete. Commun. ACM 28(10), 1030–1044 (1985)
Dold, F.: The GNU Taler system: practical and provably secure electronic payments (2019). https://syntheses.univ-rennes1.fr/search-theses/notice.html?id=rennes1-ori-wf-1-12183&printable=true
European Central Bank: The revised payment services directive (PSD2) (2018). http://www.ecb.europa.eu/paym/intro/mip-online/2018/html/1803 revisedpsd. en.html
European Comission: The digital services act: Ensuring a safe and accountable online environment (2022). https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/digital-services-act-ensuring-safe-and-accountable-online-environment en
Fedorowicz, J., Gogan, J.L., Culnan, M.J.: Barriers to interorganizational information sharing in e-government: a stakeholder analysis. Inf. Soc. 26(5), 315–329 (2010)
Fienberg, S.E.: Privacy and confidentiality in an e-commerce world: data mining, data warehousing, matching and disclosure limitation. Stat. Sci. 21(2), 143–154 (2006)
Garrido, G.M., Sedlmeir, J., Uludağ, Ö., Alaoui, I.S., Luckow, A., Matthes, F.: Revealing the landscape of privacy-enhancing technologies in the context of data markets for the IoT: a systematic literature review. J. Netw. Comput. Appl. 207, 103465 (2022)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)
Gregor, S., Hevner, A.R.: Positioning and presenting design science research for maximum impact. MIS Q. 37(2), 337–355 (2013)
Gregory, R.W., Henfridsson, O., Kaganer, E., Kyriakou, H.: The role of artificial intelligence and data network effects for creating user value. Acad. Manag. Rev. 46(3), 534–551 (2021)
Gross, J., Sedlmeir, J., Babel, M., Bechtel, A., Schellinger, B.: Designing a central bank digital currency with support for cash-like privacy (2021). https://papers. ssrn.com/abstract=3891121
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5 11
Guggenberger, T., Neubauer, L., Stramm, J., Völter, F., Zwede, T.: Accept me as I am or see me go: a qualitative analysis of user acceptance of self-sovereign identity applications. In: Proceedings of the 56th Hawaii International Conference on System Sciences (2023)
Hermes, S., Kaufmann-Ludwig, J., Schreieck, M.: A taxonomy of platform envelopment: revealing patterns and particularities. In: Proceedings of the 26th Americas Conference on Information Systems (2020)
Hevner, A., March, S.T., Park, J., Ram, S., et al.: Design science research in information systems. MIS Q. 28(1), 75–105 (2004)
Jøsang, A., Fabre, J., Hay, B., Dalziel, J., Pope, S.: Trust requirements in identity management. In: Proceedings of the 44th Australasian Workshop on Grid Computing and e-Research, pp. 99–108 (2005)
Kaye, J.: The tension between data sharing and the protection of privacy in genomics research. Annu. Rev. Genomics Hum. Genet. 13(1), 415–431 (2012)
Kayes, I., Iamnitchi, A.: Privacy and security in online social networks: a survey. Online Soc. Netw. Media 3–4 (2017)
Keenan, M.: Global e-commerce: stats and trends to watch (2022). http://www. shopify.com/enterprise/global-ecommerce-statistics
Khayretdinova, A., Kubach, M., Sellung, R., Roßnagel, H.: Conducting a usability evaluation of decentralized identity management solutions. In: Friedewald, M., Kreutzer, M., Hansen, M. (eds.) Selbstbestimmung, Privatheit und Datenschutz. D, pp. 389–406. Springer, Wiesbaden (2022). https://doi.org/10.1007/978-3-658-33306-5 19
Koutsos, V., Papadopoulos, D., Chatzopoulos, D., Tarkoma, S., Hui, P.: Agora: a privacy-aware data marketplace. IEEE Trans. Dependable Secure Comput. 19(6), 3728–3740 (2022)
Krombholz, K., Hobel, H., Huber, M., Weippl, E.: Advanced social engineering attacks. J. Inf. Secur. Appl. 22, 113–122 (2015)
Lee, C.: An analytical framework for evaluating e-commerce business models and strategies. Internet Res. 11(4), 349–359 (2001)
Maseeh, H.I., Jebarajakirthy, C., Pentecost, R., Arli, D., Weaven, S., Ashaduz-zaman, M.: Privacy concerns in e-commerce: a multilevel meta-analysis. Psychol. Mark. 38(10), 1779–1798 (2021)
Mattke, J., Maier, C., Hund, A.: How an enterprise blockchain application in the U.S. pharmaceuticals supply chain is saving lives. MIS Q. Executive 18(4), 246–261 (2019)
Morganti, E., Seidel, S., Blanquart, C., Dablanc, L., Lenz, B.: The impact of e-commerce on final deliveries: alternative parcel delivery services in France and Germany. Transp. Res. Procedia 4, 178–190 (2014)
Niu, C., Zheng, Z., Wu, F., Gao, X., Chen, G.: Achieving data truthfulness and privacy preservation in data markets’. IEEE Trans. Knowl. Data Eng. 31(1), 105– 119 (2019)
Peffers, K., Tuunanen, T., Rothenberger, M.A., Chatterjee, S.: A design science research methodology for information systems research. J. Manag. Inf. Syst. 24(3), 45–77 (2007)
Platt, M., Bandara, R.J., Drăgnoiu, A.-E., Krishnamoorthy, S.: Information privacy in decentralized applications. In: Rehman, M.H., Svetinovic, D., Salah, K., Damiani, E. (eds.) Trust Models for Next-Generation Blockchain Ecosystems. EICC, pp. 85–104. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75107-4 4
Qin, Z.: Introduction to E-commerce. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-49645-8
Reuters, CNBC: Hackers raid eBay in historic breach, access 145M records (2014). http://www.cnbc.com/2014/05/22/hackers-raid-ebay-in-historic-breach-access-145-mln-records.html
Rogaway, P.: The moral character of cryptographic work (2015). https://eprint. iacr.org/2015/1162
Rosenberg, M., White, J., Garman, C., Miers, I.: zk-creds: flexible anonymous credentials from zkSNARKs and existing identity infrastructure (2022). https://eprint.iacr.org/2022/878
Sartor, S., Sedlmeir, J., Rieger, A., Roth, T.: Love at first sight? A user experience study of self-sovereign identity wallets. In: Proceedings of 30th European Conference on Information Systems (2022)
Schanzenbach, M., Grothoff, C., Wenger, H., Kaul, M.: Decentralized identities for self-sovereign end-users (DISSENS). In: Proceedings of Open Identity Summit, pp. 47–58 (2021)
Schlatt, V., Sedlmeir, J., Feulner, S., Urbach, N.: Designing a framework for digital KYC processes built on blockchain-based self-sovereign identity. Inf. Manag. 59(7), 103553 (2022)
Sedlmeir, J., Huber, J., Barbereau, T., Weigl, L., Roth, T.: Transition pathways towards design principles of self-sovereign identity. In: Proceedings of the 43rd International Conference on Information Systems (2022)
Sedlmeir, J., Lautenschlager, J., Fridgen, G., Urbach, N.: The transparency challenge of blockchain in organizations. Electron. Mark. 32, 1779–1794 (2022)
Stahl, F., Schomm, F., Vossen, G., Vomfell, L.: A classification framework for data marketplaces. Vietnam J. Comput. Sci. 3(3), 137–143 (2016)
Targett, D.: B2B or not B2B? Scenarios for the future of e-commerce. Eur. Bus. J. 13(1) (2001)
Trautman, L.J.: E-commerce, cyber, and electronic payment system risks: lessons from PayPal (2016). https://papers.ssrn.com/abstract=2314119
Ukil, A., Bandyopadhyay, S., Pal, A.: IoT-privacy: to be private or not to be private. In: Proceedings of the Conference on Computer Communications Workshops, pp. 123–124 (2014)
W3C: Engineering privacy for verified credentials (2022). https://w3c-ccg.github. io/data-minimization/#selective-disclosure
Weigl, L., Barbereau, T.J., Rieger, A., Fridgen, G.: The social construction of self-sovereign identity: an extended model of interpretive flexibility. In: Proceedings of the 55th Hawaii International Conference on System Sciences, pp. 2543–2552 (2022)
Wolford, B.: What is GDPR, the EU’s new data protection law? (2018). https://gdpr.eu/what-is-gdpr/
van der Wolk, A., Silva, K.: Insight: a slap on the wrist or show of force-GDPR fines reveal need for EU penalty guidelines (2019). https://news.bloomberglaw. com/privacy-and-data-security/insight-a-slap-on-the-wrist-or-show-of-force-gdpr-fines-reveal-need-for-eu-penalty-guidelines
Wüst, K., Kostiainen, K., Delius, N., Capkun, S.: Platypus: a central bank digital currency with unlinkable transactions and privacy-preserving regulation. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 2947–2960 (2022)
Zhuang, Y., Lederer, A.L.: An instrument for measuring the business benefits of e-commerce retailing. Int. J. Electron. Commer. 7(3), 65–99 (2003)
Zhou, L.: Product advertising recommendation in e-commerce based on deep learning and distributed expression. Electron. Commer. Res. 20(2), 321–342 (2020)
Zuboff, S.: Big other: surveillance capitalism and the prospects of an information civilization. J. Inf. Technol. 30(1), 75–89 (2015)
