Why e-commerce can thrive with near-zero (data) knowledge

13 August 2021 Consultancy.eu

Online commerce based on the minimal use of data could allow e-commerce businesses to structurally reduce their costs. They can save on their cybersecurity costs, minimise reputational damage caused by data breaches and increase digital trust while offering the same user experience and revenue potential as today. Vincent Jansen, Leon Kluiters and Constantijn Molengraaf from Innopay explain how. 

The benefits of collecting and distributing personal information are obvious, but protecting that same personal information is becoming increasingly costly for e-commerce companies from an information security perspective. 

Despite this, e-commerce businesses do not appear to be challenging the status quo by actively searching for alternatives that allow them to maintain the same level of functionality without collecting personal information; there is a notable lack of development – and use – of such alternatives. This is all the more surprising because a suitable alternative already exists: Near-Zero-Knowledge (NZK) e-commerce.

The e-commerce market

At Innopay, we believe that Near-Zero-Knowledge e-commerce could provide e-commerce businesses with a win-win scenario.

Data breaches

In 2013, a cyberattack on US retailer Target resulted in the loss of credit card and personal information from 110 million customers. More recently, earlier this year, the Netherlands’ biggest data breach to date resulted in e-commerce business Allekabels losing personal data from 3.6 million Dutch and Belgian users. 

There could be various operational reasons why Target and Allekabels suffered these breaches (e.g. lack of cybersecurity, mismanagement, ignorance) but ultimately they only occurred because the customer information they collected made them interesting targets for cybercriminals. And since Target and Allekabels are far from unique in gathering personal information about their customers, the next major breach is only a matter of time. 

In fact, e-commerce businesses of all sizes are currently collecting personal information to execute the broad range of e-commerce functions and manage the associated risks. 

Personal information

For example, personal details such as name and address are used to process shipments, payment details are used to make transactions easier for returning customers, and a customer’s date of birth could be used to send them a personalised birthday gift such as a voucher. Personal information could also be used to build comprehensive customer profiles for marketing purposes, offer payment products and other value-added services, as well as to manage payment/fraud-related risks. 

Moreover, since e-commerce businesses work with numerous specialised partners and providers, the personal information they accumulate is often shared and thus duplicated. For example, Amazon could potentially share personal information with an entire web of third-party service providers. 

Surging IT security costs

While there are obvious benefits to accumulating and distributing personal information, protecting that information is one of the key factors driving the rise in information security-related costs for e-commerce businesses. After all, if companies lose the personal information they have accumulated from customers – whether due to leaks, breaches or hacks – they can face heavy fines from regulatory bodies (e.g. the EU’s GDPR stipulates fines of up to 4% of global turnover) as well as reputational damage.

These costs and damages will most likely rise further as the e-commerce market and the information security-related market continue to grow.

A growing e-commerce market, both in terms of the number of businesses and the revenue per business, increases the reputational risks and the size of fines, and it makes the e-commerce market in general a more attractive target for cyberattacks.

The information security-related market also shows strong growth, both in terms of costs associated with data breaches and cybersecurity-related spending by organisations. 

Cost of data breaches

Since the current e-commerce system stimulates the gathering of personal information, e-commerce businesses appear unable to structurally reduce these costs and risks. There is little to no use of alternatives that do not require the collection of personal information and, because e-commerce businesses are not actively challenging the status quo by searching for such solutions, no new alternatives are being developed.

The alternative: Near-Zero-Knowledge

This raises the question of whether it is even possible to shift the e-commerce paradigm towards a system offering the same benefits, while drastically decreasing the collection and distribution of personal information in order to structurally reduce security-related costs. At INNOPAY we believe that it is possible.

The solution is called Near-Zero-Knowledge e-commerce: a paradigm shift in which the collection, distribution and burden of handling personal information are offloaded from e-commerce businesses onto specialised third parties, called identity service providers, who manage customers’ digital identities.

In the case of Near-Zero-Knowledge e-commerce, all businesses in the e-commerce ecosystem would only have access to the personal information required to offer their services. On a simplified level, this could work as follows: at the customer’s request, the identity provider creates a token to be used in the e-commerce ecosystem. This token enables the e-commerce business and other service providers to recognise the customer and request from the identity provider the personal information needed to perform their service. 

Personal information shared by the identity provider is used exclusively to perform the service and then deleted afterwards. In this scenario, only the identity provider has to store and protect the personal information, thus enabling e-commerce businesses and their service providers to structurally reduce their information security-related costs. 
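The token flow described above, sketched as an added example (not code from Innopay or the original article): a toy identity provider issues an opaque token and releases to each party only the attributes its role needs. The class, role names, policy table and customer values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical release policy: each role gets only what its service needs.
RELEASE_POLICY = {
    "merchant": {"customer_ref"},            # pseudonym only, no personal data
    "carrier": {"name", "address"},
    "payment_provider": {"payment_handle"},
}

class IdentityProvider:
    """Toy identity service provider: the only party that stores personal data."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # pseudonym key, never leaves the provider
        self._vault = {}                     # customer_id -> personal attributes
        self._tokens = {}                    # opaque token -> (customer_id, expiry)
        self.audit_log = []                  # (role, released attribute names)

    def enroll(self, customer_id, attributes):
        self._vault[customer_id] = dict(attributes)

    def issue_token(self, customer_id, ttl_seconds=900, now=None):
        issued = time.time() if now is None else now
        token = secrets.token_urlsafe(32)    # opaque: carries no personal data itself
        self._tokens[token] = (customer_id, issued + ttl_seconds)
        return token

    def release(self, token, role, now=None):
        current = time.time() if now is None else now
        customer_id, expiry = self._tokens.get(token, (None, 0))
        if customer_id is None or current > expiry:
            raise PermissionError("unknown or expired token")
        record = dict(self._vault[customer_id])
        # Stable pseudonym so the merchant can recognise a returning customer.
        digest = hmac.new(self._key, customer_id.encode(), hashlib.sha256).hexdigest()
        record["customer_ref"] = digest[:16]
        allowed = RELEASE_POLICY.get(role, set())   # unknown roles get nothing
        released = {k: v for k, v in record.items() if k in allowed}
        self.audit_log.append((role, sorted(released)))
        return released

# Constructed sample customer; all values are made up.
idp = IdentityProvider()
idp.enroll("cust-001", {"name": "A. Example", "address": "1 Sample Street",
                        "payment_handle": "pay-tok-123", "date_of_birth": "1990-01-01"})
token = idp.issue_token("cust-001")
print(idp.release(token, "carrier"), idp.release(token, "merchant"))
```

The provider cannot enforce deletion on the recipient's side; the audit log only records which attributes were released to which role.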

The identity service provider could be a small, specialised third party, but the role could also be fulfilled by large e-commerce businesses. In the Netherlands, for example, Bol.com is already partially doing this by offering customers the option to sign in to the Albert Heijn and Waardijk web shops using their Bol.com login details.

The ingredients for developing such solutions are already widely available. Contribute to driving this paradigm shift and join us in further exploring NZK e-commerce together. After all, the less you know, the more you grow…