1 The Daily Dilemma: Convenience Versus Disclosure of Data

The Internet connects all of us. It offers an almost infinite variety of services, many of which are free. Consumers in particular profit from the variety of services that make their lives easier or more interesting. The diversity of services ranges from complimentary worldwide telephony using, for instance, Skype to the exchange of news on Facebook, the sharing of photos with friends on Instagram and communication via video messages on Snapchat. Online shopping services allow purchases to be made flexibly from home, and smart home solutions connect the entire home in a single network, so that a smartphone can be used to operate multiple devices remotely, be it lamps, radiators or televisions. Isn’t it convenient to stay at home all the time, not having to leave the house to take care of shopping or stand up to turn devices on and off?

But that is not all. Wearables such as smartwatches allow people to collect and analyze their vital signs; the results can point the way to a healthier lifestyle. Not knowing your way around a city does not mean you have to go to the tourist information office or ask passers-by for directions; just turn on your smartphone’s location function and let the navigation app direct you to the desired destination. These use cases are only some of the many examples from our everyday lives. The benefits of all of the use cases can be summarized under key words such as digitalization, sharing economy, and convenience. The usefulness of these services, however, is offset by certain risks that consumers face. Everything has a price—and in this case it is not only a question of money. Consumers pay the highest price by disclosing their data.

Providers of Internet services generate enormous quantities of personal data, then analyze them for the purpose of preparing detailed customer profiles. These profiles are used by providers to tailor advertising and, in general, all types of information to the interests of specific consumers. The problem is that these activities on the part of providers are not transparently revealed to consumers. All the customers can see—based on the advertisements and messages tailored for them specifically—is that inferences are constantly being drawn about their personalities from the generation and analysis of their data. But the collection and analysis of the data are not the only risks for consumers. Many providers of Internet services store their customers’ data and may even disclose them to third parties. Consumers have no idea of what may later happen with these data; they are also at risk because the providers of Internet services cannot fully protect their customers from hacker attacks and espionage as these companies are themselves often victims of massive cyber-attacks.

In short, consumers are no longer the masters of their personal data. They can neither control what data are recorded and analyzed nor determine when and how long their data are stored. If they want to avoid these risks, consumers have to do without Internet services. Conversely, they do not receive any economic compensation for the use of their data or any share in the added value generated for the companies using the data, although a study by the Ponemon Institute (2015) reveals that consumers are definitely aware of the value of their data.

So what can people do who want to enjoy the benefits of Internet services, but nevertheless want to protect their personal data? Can protection services offer the appropriate protection model to consumers according to their individual need for protection? Would such a protection model be at all helpful and desirable from the customers’ perspective?

1.1 Key Theses About Protection of Personal Data from the Customer Perspective

  1. Lack of transparency for consumers regarding the use of their data:

    There is a lack of transparency, ranging from extensive to complete, for consumers concerning the recording, processing, analysis, and storage of their data. According to the Eurobarometer study on the subject of data protection, 50% of the respondents replied that they had only partial control over their data (Schiavoni 2015). 35% of the respondents stated that they did not have any control whatsoever over the data they share (Schiavoni 2015).

  2. Risk of complete surveillance and spying:

    Consumers are increasingly aware of the risks of surveillance and spying when using Internet services (Bonneau 2016; Bartley 2017). The Eurobarometer study reveals that 50% of the respondents are concerned about becoming victims of the misuse of their data (Schiavoni 2015). 32% of the respondents fear that their information is used or even stolen (29%) without their knowledge (Schiavoni 2015).

  3. Lack of trust of consumers in the companies processing their data:

    Consumers must entrust their data to the Internet service providers if they want to utilize the offered services. Yet there is a heightened mistrust on the part of consumers regarding these companies when the issue is the handling of their personal data. The Eurobarometer study showed that 78% of consumers find it hard to trust the companies that process their personal data (Schiavoni 2015). Even though almost 80% of the surveyed consumers mistrust the data processing companies, the majority of these consumers continue to use the services of these providers because they do not want to do without the benefits or conveniences they obtain from these services (Schiavoni 2015). Facebook’s acquisition of WhatsApp at the beginning of 2014 is a good example illustrating this situation. When it was announced that Facebook would be acquiring WhatsApp, there was a wave of revolt because Facebook’s data protection provisions are not the friendliest for consumers (Radke 2016). There were concerns that WhatsApp would be forced to align itself with Facebook’s data protection provisions, and this was seen as a risk to the security of the user data (Radke 2016). Many consumers, looking for a more secure chat alternative, decided to go to Threema. Even though Threema actually does offer significantly more user-friendly handling of its customers’ data (Stiftung Warentest 2014), this service was not able to compete with WhatsApp in the medium term and has not achieved user figures (4.0 million) that are anywhere near comparable to those of WhatsApp (as of Jan 2017) (Statista 2017a, b) (Fig. 1). This could be explained by the unwillingness of the majority of users to make the effort to look for and use an alternative secure solution.

  4. Growing unease when using Internet services:

    There have been a number of incidents in the past in which companies have lost customer data because of security gaps and hacker attacks. In October 2013, for instance, three million credit card records of Adobe customers were stolen (Little 2014). These and other such incidents have not only raised the level of fear among consumers regarding malware and cyber-attacks, but have also increased their awareness of the value of their data. Their fears of becoming potential victims of data misuse incidents or identity theft are on the rise. The information policies of many companies in the event of data misuse or security breaches are often way too defensive and reinforce these reservations (Rybak 2015). But despite these fears, the majority of consumers do not handle their data carefully. A study conducted by GSMA on the subject of awareness of data protection provisions of mobile Internet users determined that 80% of the users of Internet services or apps accepted the data protection provisions without reading them because they are too long or contain too much legalese (Schiavoni 2015). This implies that consumers are often overwhelmed by the current data protection provisions.

  5. Growing demand for protection services:

    Consumers are not only demanding more and more security during the use of Internet services, but are also insisting more persistently that they want to be able to decide where and to what extent they disclose what data. According to the GSMA study, 60% of the surveyed consumers want a standard body of rules for the protection of their data and want all providers to comply uniformly with these rules (Schiavoni 2015). Even though most customer solutions are still not understandable and are too technical for the average user, more and more consumers are concerning themselves with the subject of security because the significance and necessity of security solutions are rising in the eyes of the consumers (Mohr-McClune 2015). Until now, however, consumers had to become active on their own initiative if they wanted to protect their data because they did not receive any active or extensive help or the appropriate services for this purpose. A study conducted by Orange on the subject of behavior change among consumers in relation to data protection revealed that 37% of the respondents had the feeling that companies or organizations did not give them any instructions for personal data management (Schiavoni 2015). Consumers are more likely to have the feeling that they are dependent on the good intentions of the providers despite the previous agreement of data protection provisions. “[Customers] are concerned that companies are using their data for more than was initially agreed.” (Schiavoni 2015).

  6. Less trust in OTTs than in telecommunications providers:

    Consumers regard OTTs as companies that want to profit from the data of their customers (Schiavoni 2015). Telecommunications companies, on the other hand, are perceived as the “clearing agents” of data and are therefore seen to be more trustworthy where the handling of personal data is concerned (Schiavoni 2015): “[…] [Operators] are often seen as more trustworthy than Internet companies or other service providers and can position themselves more strongly in terms of protecting their customer’s privacy.” According to the GSMA study (Schiavoni 2015), telecommunications providers are even regarded as the consumers’ contacts when there are problems related to the subject of protection of data or privacy because 58% of the respondents ask telecommunications providers for help whenever they have these kinds of problems (Schiavoni 2015). A recent study by Syniverse (2016), however, shows that the trust consumers have in mobile providers has declined. Respondents were asked to state whether their trust in mobile providers with regard to the protection of their personal data had changed. Half of the respondents indicated that over the last 3 years they have had “less” trust, 35% have had “just as much” trust, and 15% have had “more” trust in mobile providers (Syniverse 2016). This implies that consumers have become increasingly skeptical about mobile providers when it comes to data security over the last 3 years. A basic finding, however, is that providers who give consumers more control and transparency in the management of their data are regarded more positively than other providers who resist or even refuse to provide transparency: “Consumers appear increasingly to trust and to use companies that are willing to offer them greater control through tools that are easy to use” (Schiavoni 2015).

    This customer perspective clearly shows that consumers always want services that collect, analyze, and store as little of their personal data as possible. Since in reality there are almost no offers of any such services at this time, customers must accept the loss of control over their data. Nevertheless, they are becoming increasingly sensitive to the topics of security and data protection so we can deduce there is a fundamental need for protection services. Since many consumers often have difficulties in understanding the content of data protection provisions, such services should aim to provide intuitive security services that are simple to understand and simple to use and that customers can use to manage the security of their data. Protection services are a measure that builds trust among consumers as it gives them transparency about and control over the utilization of their data (Schiavoni 2015). Conflicts of interest severely limit the credibility of the providers of services. Since customers use a number of providers at the same time, clarity suffers. In our view, only regulatory authorities, network operators, or completely new companies with a security focus will be able to provide a relevant protection product that encompasses all of the services and at the same time offers impartial protection. We believe that network operators are in the best position to provide this: the traffic flows all come together in their purview, they have the customer relationships, and are less sluggish than government authorities. In comparison with the startups that are appearing, they (still) have the advantage of greater reach from their clientele, brand awareness, and trust in the brand.

Fig. 1 Comparison of user figures for Threema and WhatsApp (Statista 2017a, b)

2 Key Arguments in Favor of Offering Protection Services from the Telecommunications Providers’ Perspective

2.1 Regional Representation and High Reachability

Large telecommunications companies cover a broad geographical territory through their own subsidiaries or partners. In the countries where they provide service, they can generally be reached easily because of the full-area coverage provided by a network of shops and their excellent accessibility on digital and phone channels served by large service units operating these channels (Agresti et al. 2016); they are consequently well prepared to respond and act, especially if there are problems or in crisis situations. In their position as local telecommunications service providers who are subject to domestic jurisdiction (and therefore directly addressable by legal action despite their multinational character), they can build a trust positioning that is more credible than that of competitors from other industries.

2.2 Data and Communication Security Is a Part of the Core Business

The security of the networks and the communications that flow through them has long been a part of the core business of telecommunications providers. They never stop thinking about these aspects and have the corresponding expertise at the technical, procedural, and regulatory levels. They are especially qualified to incorporate the growing regulatory pressure related to data protection and data security operatively and productively (Little 2014; Agresti et al. 2016). They can control data security in the utilization, processing, and transportation layers of their ecosystem, and this contributes additional credibility to their portfolio. Moreover, they usually have proven and sensitive anti-fraud processes in place. This, combined with the capability to limit or (in case of major security breaches) even totally stop data traffic with a device in general or a specific app, gives telcos a special advantage in safeguarding their customers’ data and protecting their interests (Copigneaux 2016).

Nevertheless, this presumes the appropriate sensitization and emphasis on the subject as well as the adaptation of the appropriate plans for actions and emergencies in the event of a security incident (Rybak 2015).

2.3 IT Competence and Trend to Cloud Products

Most telecommunications providers already have a pronounced IT competence, in some cases including even their own divisions or branch businesses whose core business includes IT development and operation for customers. As cloud products become increasingly important and large telcos acknowledge this by expanding their portfolios accordingly, these business offers will gain additional impetus, but they must also meet heightened security demands (Newman 2017).

2.4 Simple Processability of Security Services in the Business Model

The character of communications services as a continuing obligation is consistent with the business model of protection services, as they also represent a commitment that is ongoing or related to a period of time. Protection services of this type can be offered simply as a supplementary option to existing contracts or as a stand-alone product. The matching billing capabilities already exist, as do established capacities for third-party providers or partners (Clark-Dickson 2014). The necessary distribution and service competencies are already in place as well or can be added with little effort.

Overall, telecommunications service providers have an excellent position, from the customer perspective as well as on the basis of their branding and the required competencies, to assume the role of guardian of customers’ data security (Copigneaux 2016). The next question concerns the possible form of such a service, i.e., what design elements and levels are desired on the customers’ side and would represent sensible components of an attractive service.

3 Seize the Opportunity: Build Up a Protection Portfolio Step by Step (Protection as a Service)

Monetarization can be realized as explicit protection services as well as in the form of a general premium price model based on perceived brand dimensions. In our opinion, a logical approach is a step-by-step build-up that combines both concepts.

The fundamental axis is the impact depth of the protection. Only shallow impact depth will be realized if the information customers receive from their providers:

  • Is provided only on rather rare occasions, e.g., when the contract is concluded or if significant risks appear;

  • Is related primarily to the services and data offered or used by the provider itself;

  • Is mostly very generalized;

  • Concerns more general risks.

Starting from such a basic foundation, a protection portfolio can be developed gradually along three key dimensions:

  1. Timeliness, nature, and scope of the risk assessments, i.e., the question whether these are only services that the carrier itself offers or services that go (slightly/extensively) beyond this scope;

  2. Degree of personalization of the security information, i.e., assessment or information only if the installed and utilized services are affected;

  3. Action intensity, i.e., information only or a concrete request to take action up to an automatic action triggered by predefined action points agreed with or defined by the customer.

We assume that greater depth of the protection service will go hand in hand with increased willingness to pay. The portfolio evolution depicted in Fig. 2 begins with the creation of transparency as a “measure to build trust” and develops step by step into an avatar that can assume a broad range of virtual identities for customers in their relationships to other virtual transaction partners (Deuker et al. 2011). We see only the positioning and the brand goodwill with parallel premium pricing as a monetarization approach for the portfolio cluster “Transparency and Self-determination”. In our opinion, the opportunity to offer this approach as an independently priced service appears with the cluster “Passive Protection”.

Fig. 2 Potential protection services for carriers

Carriers have not taken general possession of this protection function yet. But there are already OTT providers who are actively positioning themselves in the direction of protection function and data security.

One example is Digi.me, an app that has developed from the function of a private storage facility for personal social media content into a security function and a central profile with controlled release of personal profile data (Bonneau 2016). This app is already being used by around 400,000 customers in various countries and will now be further strengthened through a merger with another startup called Personal, which offers a company security platform with the target of building a personal data ecosystem (O’Hear 2017). There is also the competitor Datacoup, which sells profile information released by customers to interested data buyers and compensates the customers with payouts. Datacoup is at the moment active only in the USA, however (Datacoup 2017). These are indications that pioneers are already staking out positions in this gap. Telcos must act quickly and seize the “window of opportunity” before it closes. Some telcos have set up programs with a more or less ambitious protection focus. Telefonica, for example, has set up a high-level program called “Aura”, which aims to improve customer interaction through AI combined with a customer-side agreement on the extent to which data can be used and possibly shared with third-party service providers. First use cases are planned to go live in the first quarter of 2018 (Alvares de Souza Soares 2017; Kompany 2016). Deutsche Telekom has been working on Open ID solutions for some time (Copigneaux 2016) and in 2017 merged all its security and privacy products and competences in a new business unit, T-Sec, which already has a substantial security portfolio in place and is now rapidly enhancing and connecting its offerings (T-SEC 2017). Other carriers have also started respective programs of various scopes and sizes. Which ones will be fast and sustainable enough to establish themselves on this now forming market remains to be seen.

4 Demand Today and Tomorrow: A Quick Check

At first glance, the avatar described briefly above may seem like a vision from a far-distant future. But if we look at the developments that have already taken place or the ones now in the pilot phase (and consequently within reach), we quickly have the impression that we already have one foot “in the matrix”.

4.1 Am I Watching Television: Or Is Television Watching Me?

Two smart TVs with webcam, three laptops, two tablets, and three smartphones combine for no fewer than fifteen cameras and ten microphones. One watch monitoring my sports activities and one action camera plus smartphones and tablets translate into seven devices with GPS/location function. The shopping list still contains sensors and cameras for the security of the smart home. Data protection regulations for 107 apps from the most recent count that have been read: 2; number understood: 0. Who knows when these devices transmit what data and who has, or could have, access to the devices or the data? The owner usually does not.

4.2 Stalked in the Supermarket?!

Is the WiFi on the smartphone now on or off? People often forget to turn it off—the savings in energy appear too insignificant to take the trouble. What people don’t think about: the smartphone cheerfully shares its ID (its MAC) with every WiFi access point it passes during the day. Companies such as Euclid take advantage of this and generate movement profiles based on the device ID for retail companies prepared to pay for the information (Gibbs 2016). How long a user is in what supermarket, how long he or she stood in front of what shelf, and the points the user rushed past become visible. Users should receive bonus points entitling them to discounts for the provision of these data. As a minimum.

4.3 Paying with a Beautiful Voice Instead of Your “Good Name”?

The broad acceptance of Amazon’s Alexa represents a clear leap forward in voice-based man-machine interaction, leading even to a new category called “voice commerce”. Voice is becoming increasingly popular as a convenient means of control and personal identification. Services like the “hands-free” payment by voice command tested by Google also appear to be a logical and convenient evolutionary step. In terms of convenience, voice identification surely wins over PIN entry. However, it results in devices constantly listening to you (Edwards 2017). Is it possible to determine whether the camera and microphone are really turned off—and stay off? Are the service providers always eavesdropping?

At any rate, the European Commission, in its proposal for a new ePrivacy guideline as of January 2017, plans to expand the scope of regulation to OTT communications services in addition to the traditional communications services provided by telcos (Schiavoni 2017). This shows that policymakers are beginning to see the need to regulate a wider range of players in the market besides the traditional telco players.

4.4 What Does the Future Look Like?

Growing connectivity of personal devices of all kinds, an increase in the connected devices for improved company processes—all of this will lead to an exponential rise in the density of the sensors surrounding us. Moreover, the number of network access points for precisely these sensors will increase significantly. The probability of our communicating with others, whether we are aware of it or not, in all areas of our lives will mushroom.

The situation becomes disquieting when we give serious thought to what the linking of all these data can do. The television knows what we are watching, the heartbeat monitor records our reactions to what we see—outstanding for the measurement of the effectiveness of the advertising! The car insurance company believes that it can use the data to determine the extent to which we obey the laws of physics and the highway code—and adjusts the premiums accordingly. The health insurance company believes it knows whether, when, and how much we exercise or go shopping in our local wine shop. Will we still be able to get insurance if we refuse to allow ourselves to be tracked?

All of the scenarios mentioned illustrate that, even within regular use cases, users depend on the security and privacy ethics of their business partners (even if new regulation initiatives might steer providers to some extent). But whatever is connected can—and probably will be—hacked. What happens if your autonomous car dashboard urges you to pay ransom to regain control?

At the moment, the risks do not appear to frighten users very much. Despite the criticism heard from many different sides, the user numbers for large platforms such as Facebook and WhatsApp have not suffered significantly. The network effect—the decisive point for the individual: that the majority of his or her contacts also change—plays right into the hands of the large players. Moreover, the risk is still considered relatively low from the user perspective. WhatsApp users, for instance, saw the risk of unsecured messages as generally negligible for a long time. As digitalization continues to advance, however, this perspective will become more disproportionate: fully digitalized everyday life cannot be anything but fully documented and analyzable everyday life.

We see the greatest risk in the curtailing of information neutrality. What happens if the seamless record of a person’s behavior is used as the basis for providing only that information that others (systems) deem to be relevant? Instead of being able to see the full range of world events and shopping opportunities that is available, a person will be given only an enhanced mirror image of what are seemingly his or her interests and inclinations. The “classic” risks such as identity theft, transaction fraud, or extortion are, and will remain, more tangible and encountered in daily life. All of these risks will be multiplied by the progressively deeper penetration into personal everyday life by digital services in the future.

5 Carriers Should Stake Out a Position: And Soon

In summary, we have prepared five hypotheses that serve as guideposts for carriers for the step-by-step determination of their need for action:

  1. Drivers on the demand side: The insecurities experienced by users of telecommunications services as digitalization progresses will escalate rapidly.

  2. Opportunity for carriers: In the current market system, carriers are fundamentally the most qualified entities to create services that respond quickly across all sectors and to provide transparency and protection to a broad range of customers.

  3. Time pressure for carriers: The longer carriers hesitate to stake out a position as “a safeguarding complement” to OTTs, the more they will be viewed as the latter’s supporters.

  4. Assessment and development requirements for carriers: The monetarization of the possible aspects related to customer data is viewed at this time almost exclusively through the “classic” big data glasses. Our experience indicates that the aspect of protection in terms of its possible added value has not been appraised.

  5. Need for carriers to act: Not every carrier is today regarded by its customers as being adequately qualified to serve as a trustworthy protective body.

  6. Rebalance the rules of the game: Carriers should not only demand that communications privacy rules be extended to OTTs on equal terms with telcos, but also play out the head start in regulatory adherence that they have over OTTs in the market.

  7. Teaming up: Participating in cross-industry alliances striving to create alternative trustworthy choices for consumers and businesses alike should be considered as an option. Initiatives like Verimi might in return also strengthen attractiveness, as alliance partner products can be integrated to widen the operators’ offerings.

It is therefore urgently necessary for carriers to determine now the positioning that is initially relevant and possible for them. A gradual emancipation from the OTT Big Brother model that is also credible in terms of branding, and the empowerment of telecommunications users, are possible. The process can be oriented to the evolutionary model for protection services described above. Startups are already addressing relevant elements of this model. In view of the required build-up of competencies and the product development phase that is to be expected, the time to act is now. The need for protection of the digitally illuminated customers is a great opportunity to compensate for the losses at the customer interface to the OTTs. In our opinion, it is possible to compensate for these losses completely—and even more.