A paradigm shift towards Near-Zero-Knowledge e-commerce
Near-Zero-Knowledge e-commerce could allow e-commerce businesses to structurally reduce their cybersecurity costs, minimise reputational damage caused by data breaches and increase digital trust while offering the same user experience and revenue potential as today.
E-commerce businesses of all sizes gather personal information for various reasons, including to execute the broad range of e-commerce functions, improve the user experience and boost their revenue potential. The benefits of collecting and distributing personal information are obvious, but protecting that same personal information is becoming increasingly costly for e-commerce companies from an information security perspective.
Despite this, e-commerce businesses do not appear to be challenging the status quo by actively searching for alternatives that allow them to maintain the same level of functionality without collecting personal information; there is a notable lack of development – and use – of such alternatives. This is all the more surprising because a suitable alternative already exists: Near-Zero-Knowledge (NZK) e-commerce.
At INNOPAY, we believe that NZK e-commerce could allow e-commerce businesses to structurally reduce their information security costs, minimise reputational damage caused by data breaches and increase digital trust while offering the same user experience and revenue potential.
In 2013, a cyberattack on US retailer Target resulted in the loss of credit card and personal information from 110 million customers (Global Trade magazine, 2020). More recently, earlier this year, the Netherlands’ biggest data breach to date resulted in e-commerce business Allekabels losing personal data from 3.6 million Dutch and Belgian users (Heliview, 2021).
There could be various operational reasons why Target and Allekabels suffered these breaches (e.g. lack of cybersecurity, mismanagement, ignorance) but ultimately they only occurred because the customer information they collected made them interesting targets for cybercriminals. And since Target and Allekabels are far from unique in gathering personal information about their customers, the next major breach is only a matter of time.
In fact, e-commerce businesses of all sizes are currently collecting personal information (see Figure 1) to execute the broad range of e-commerce functions and manage the associated risks. For example, personal details such as name and address are used to process shipments, payment details are used to make transactions easier for returning customers, and a customer’s date of birth could be used to send them a personalised birthday gift such as a voucher. Personal information could also be used to build comprehensive customer profiles for marketing purposes, offer payment products and other value-added services, as well as to manage payment/fraud-related risks.
Moreover, since e-commerce businesses work with numerous specialised partners and providers, the personal information they accumulate is often shared and thus duplicated. For example, Amazon could potentially share personal information with an entire web of third-party service providers (see Figure 2).
Protecting information is increasing costs of doing business
While there are obvious benefits to accumulating and distributing personal information, protecting that information is one of the key factors driving the rise in information security-related costs for e-commerce businesses. After all, if companies lose the personal information they have accumulated from customers – whether due to leaks, breaches or hacks – they can face heavy fines by regulatory bodies (e.g. the EU’s GDPR stipulates fines of up to 4% of global turnover (IT Governance) for reputational damage). These costs and damages will most likely rise further as the e-commerce market and the information security-related market continue to grow.
A growing e-commerce market, both in terms of the number of businesses and the revenue per business (see Figure 3), increases the reputational risks and size of fines plus it makes the e-commerce market in general a more attractive target for cyberattacks.
The information security-related market also shows strong growth, both in terms of costs associated with data breaches and cybersecurity-related spending by organisations (see Figure 4).
Since the current e-commerce system stimulates the gathering of personal information, e-commerce businesses appear unable to structurally reduce these costs and risks. There is little to no use of alternatives that do not require the collection of personal information and, because e-commerce businesses are not actively challenging the status quo by searching for such solutions, no new alternatives are being developed.
The alternative: Near-Zero-Knowledge e-commerce
This raises the question of whether it is even possible to shift the e-commerce paradigm towards a system offering the same benefits, while drastically decreasing the collection and distribution of personal information in order to structurally reduce security-related costs. At INNOPAY we believe that it is possible. The solution is called Near-Zero-Knowledge e-commerce: a paradigm shift in which the collection, distribution and burden of handling personal information is offloaded from e-commerce businesses onto specialised third parties, called identity service providers, who manage customers’ digital identities.
In the case of Near-Zero-Knowledge e-commerce, all businesses in the e-commerce ecosystem would only have access to the personal information required to offer their services. On a simplified level, this could work as follows: at the customer’s request, the identity provider creates a token to be used in the e-commerce ecosystem. This token enables the e-commerce business and other service providers to recognise the customer and request from the identity provider the personal information needed to perform their service. Personal information shared by the identity provider is used exclusively to perform the service and then deleted afterwards. In this scenario, only the identity provider has to store and protect the personal information, thus enabling e-commerce businesses and their service providers to structurally reduce their information security-related costs.
The identity service provider could be a small, specialised third party, but the role could also be fulfilled by large e-commerce businesses. In the Netherlands, for example, Bol.com is already partially doing this by offering customers the option to sign in to the Albert Heijn and Waardijk web shops using their Bol.com login details.
The ingredients for developing such solutions are already widely available. Contribute to driving this paradigm shift and join us in further exploring NZK e-commerce together. After all, the less you know, the more you grow…