Legal research topics in user-centric services

Service science is an emerging discipline that brings together the ongoing work in computer science, operations research, industrial engineering, and business strategy, as well as management, social, cognitive, and legal science, in the effort to develop the skills required for a service-oriented economy.^1–3 The importance of the service sector (formerly a neglected category in economic statistics) has grown dramatically both domestically and globally.

In the past, the primary production sector as defined in economic statistics included agriculture, forestry, and mining; the secondary production sector, manufacturing, was the mainstay for commerce. Other economic activities were simply categorized as “services” and academics did not feel a need to consider whether these activities actually formed a homogeneous class.

The role of the services category has now increased dramatically. Efficiency in the primary production sector has improved so much that this sector employs only a small fraction of the workforce. A similar development is occurring in the secondary production sector. The growing part of the labor force is employed by the service sector. In some countries as much as 75 percent of gross production and 80 percent of employment are attributed to the service sector.

This change has created challenges. For example, IBM has had to go through significant changes in its business, transforming it from a company that initially sold machines to one that sells software and systems, and is currently expected to provide services. IBM is promoting systematic service research to improve the productivity of the service business. Other companies will be facing the same challenges, though they may not yet be aware of this.^2,4

Services form a huge category that includes a wide range of activities, from haircutting to IT outsourcing, from health care to legal services, from consumer services to business services, and from private to public services. Service providers include self-employed persons, multinational corporations, public authorities, and nonprofit organizations. Experts often have a certain type of service in mind when they propose definitions of “service” which involve payment for performance, a time-perishable, intangible experience, an activity performed for a client who is also a coproducer, or one which transforms a state of a client. For an excellent summary of definitions of a service, see Reference 4.

Information and communication technology (ICT) has enabled the provision of many intangible commodities, and this makes the concept of service ever more ambiguous. A digital recording is not necessarily “material”; i.e., it does not have to be fixed on a physical carrier that is handed over together with the distribution of the content, but it may still be quite permanent, and may be easier to sell as a product or a good than as a service. On the other hand, information can be automatically adapted in accordance with certain customers' needs and circumstances. Such information, owing to the personalization and the work involved in the adaptation process, begins to resemble a service, though it still has several characteristics of a product or a good.

Successful businesses are based on customers' needs. Technical features do not justify a transaction unless they provide solutions to a customer's problems. Despite this, traditional solutions have centered on material articles. If, for example, the problem has been related to communication, the customer typically purchased a phone capable of more efficient communication. In contrast, a service provider does not sell devices, but provides services that solve the problem. A communication service may still be based on phones, software, and computer systems, but instead of purchasing these devices, a customer purchases a service enabled by them.

To solve customers' real problems, the service provider must have a profound understanding of their needs. It is enough to have a general or statistical view of users to design a mass-produced good, but to serve a particular user effectively, one needs to know the user thoroughly. Service provision stresses the importance of user needs. Therefore, the concept of a successful service is also close to the concept of a solution. Services, unlike most goods, are often coproduced with the user; thus the solution aspect is innate and characteristic to services. Consequently, understanding user needs and user research are key issues in service research and development. The human-centric element and its potential for the development of new ICT-based services is provided by bringing different stakeholders and technologies together in a co-creative way.

The concept of innovation refers to the evolution of new commodities by means of inventing, developing, manufacturing, and marketing novel products, processes, and services. In particular, service innovations are successfully commercialized service inventions, not just clever technical ideas. The role of innovation in this process is generally accepted as central to knowledge economies. The commercial viability of an innovation is therefore critical.

An innovation has to correspond to user needs and be technically feasible, legally and socially acceptable, and accompanied by a business model. All of these aspects can be studied by testing a service prototype among users and developing all elements of a solution based on the study results. Users often create new ways of using the service and reveal its hidden possibilities. The users may even develop new services, if the platforms with which they are provided allow this.

Service systems comprise service providers and customers coproducing value in complex and dynamic formations.⁵ The various actors in service systems have diverse interests that are governed by various laws. Typically, the actors belong to one of the following groups: businesses (corporations for profit), consumers (individuals), public entities (government, state officials, etc), and communities (informal groups of individuals, usually not for profit). Service providers and customers may belong to any one of these groups.

To analyze what sort of legal challenges service systems have, a set of case studies and scenarios are presented herein. They are selected from numerous examples that we have analyzed. They include an example of an advanced service framework, MobiLife Service Framework, that highlights challenges related to business-to-consumer (B2C) services. Business-to-business (B2B) case studies and a sample public service are also included. A user-centric approach is illustrated, whereby the proper legal protection of user information is essential to ensure healthy competition.

The goal of the MobiLife project (which was funded by the European Union's sixth Framework program in 2004–2006) was to bring advances in mobile applications and services within the reach of users in their everyday lives by innovating and deploying new applications and services. MobiLife introduced a mobile service framework that identified the essential functional blocks for the implementation of new mobile services and applications. The project developed several initial applications based on the framework.⁶

The mobile application framework uses contextual information including low-level context data such as location, time, temperature, and noise, as well as higher-level context data such as user situation (e.g., in a meeting or with friends). Context data gathered from various sources influences which services are provided to the user as well as how the services are defined. The framework is able to personalize applications; that is, to acquire, manage, and use personal information about the user to adapt applications' behavior to specific user needs.

The framework supports services that are controlled by a service provider as well as services that are provided in an ad hoc manner between users without the control of a third party. The framework is not restricted to current provider-consumer value chains, but is flexible regarding new ways of service provisioning, such as new ways of incorporating third-party service providers.

The framework supports relevant solutions for privacy and trust issues, legacy as well as emerging applications, context management, and seamless service access through multiple access technologies. It also provides service and component life-cycle support.

The user-interface adaptation function of the framework uses available and relevant contextual information to facilitate user-interface adaptability for services and applications. This function adapts both the input modalities of users as well as the output of the services. The user-interface adaptation function is also related to other functions, such as service-quality adaptation.

Finnair, the Finnish commercial airline, was the first to enable passengers to use a text message to check in for flights in advance. Finnair carried more than eight million passengers in 2004. Especially during peak hours, serving passengers in person requires extensive human resources and often results in delays.

For the customers and staff of Finnair, the new BookIT check-in service provided welcome relief for this problem.⁷ The check-in service enables frequent flyers to go directly to the departure gate and bypass the normal check-in procedure when travelling with hand baggage only. Before the departure, Finnair sends a check-in text message to the passenger's mobile phone. The passenger confirms the check-in by answering the message with a single letter. After confirmation, a message detailing the necessary gate and seat information (as illustrated in Figure 1) is sent.

Figure 1

The service has improved customer service while reducing costs. The service was very rapidly and widely accepted by the passengers because it saves time, is easy to use, works on any GSM (Global System for Mobile communications) phone and is independent of location and telecom service provider. The penetration rate of the service has been over 75 percent among frequent fliers.

This service is an interesting combination of B2B and B2C features. BookIT, the company which developed the system, also acts as a service supplier, providing Finnair with the service on a regular basis. On the other hand, most of the Finnair's frequent flyers are business travelers whose trips are paid for by their employers. Thus, the service is a business-to-business service (BookIT to Finnair and Finnair to business customers). The real success of the service is dependent on the end users: individuals decide whether the service corresponds to their needs.

Because travel information is personal data, data protection laws are applicable in this case. The European data protection law provides safeguards for subscribers against violations of their privacy by unsolicited commercial communications (e.g., those using text messages). The European Union's directive on privacy and electronic communications⁸ stipulates an opt-in policy: prior explicit consent of the recipients is required. In the Finnair case, frequent fliers give their consent by selecting the option on Finnair's Web site specifying that Finnair may send them text messages.

From the service provider's viewpoint, the innovations that are implemented here are relatively straightforward to copy and thus the competitive advantage can be easily lost. Therefore it is crucial to know to what extent the service can be protected by law. The computer programs that are developed to implement the service can be protected by copyright. The methods and devices that the service includes may well include patentable inventions.

The Thomas Cook Company of the United Kingdom and Ireland operated a holiday airline, nine tour operating brands, three call centers, and a popular travel Web site. It had three business units: sales, tour operations, and the airline. Each of them had their own management, financial procedures, and IT infrastructure. A majority of the internal operations in these three business units were performed separately, leading occasionally to the triplication of back-office functions.⁹

Owing to new low-cost airlines and travel services, the competitive environment in the travel industry made it difficult to support office activities, leading to annual losses for Thomas Cook. This, together with the increasingly more difficult market for holiday tour operators in today's heightened-security environment, made improvements in its internal processes and organization of critical importance.

Thomas Cook hired Accenture to establish a cost-effective shared services center in Bangalore, India, with markedly lower personnel cost. The aim was not only to maintain the quality of services but also to consolidate the internal activities of the three business units. Accenture identified the activities that could be transferred and then designed (together with Thomas Cook) a multi-process center which brought together human resources management, project delivery, finance, and payroll functions along with integrated IT services. About 60 percent of the total shared internal workload was transferred to the new delivery center. The transition took less than a year to achieve, together with a simultaneous redeployment program for those U.K. and Ireland employees whose jobs had migrated to Bangalore. Operation costs were reduced by 30 percent in the first year and one-half (with respect to shared center services). The workforce had more time to service the customers and the company was able to concentrate on its core competence.

With respect to legal issues, the contractual arrangement between Thomas Cook and Accenture required the provision of a long-time outsourcing agreement with the transfer of approximately 400 workers from Thomas Cook to Accenture, giving responsibility for operational management of service delivery and overall performance of the new center to Accenture. Accenture deployed automated knowledge-transfer tools and processes to facilitate the start-up and information sharing between the European and overseas units. Several new technologies, such as electronic invoicing, vendor payment services, and automated human resource administration systems were introduced.

Several components and procedures of the solution call for intellectual property protection such as copyrights for software and patents for devices and automated processes, trade secrets, and the like. The transfer of large amounts of customer information between the cooperating parties concerning such sensitive data as payment and credit details and the information required by security and aviation safety officials call for careful consideration of the relevant data protection and privacy legislation.

In 2006, the prime minister of Finland gave the annual Information Society Award to the Finnish tax authorities for successfully introducing a system that produces prefilled tax return forms for citizens. The system collects necessary information from employers, banks, and so on, calculates an estimate, and fills in the tax forms accordingly. The taxpayer checks the calculations and makes corrections only if necessary. This saves a remarkable amount of work for both the taxpayers and the authorities.¹⁰ The tax return forms are still in paper format, but it is expected that the next generation of this service will be electronic and online.

Information on taxpayers' income, expenses, property, and so on, is personal data, and so is subject to data protection laws. However, tax law and a number of special stipulations override the general data protection law. Obviously, privacy is a concern and data protection needs to be maintained, but the special regulations concerning tax returns can be exploited to support this kind of useful service.

In each service relationship, there are at least three legal objectives that are of particular interest for the development of the service and consequently for service science:

• to properly protect information concerning customers or end users and their needs;

• to promote competition by appropriately protecting the service provider's competitive advantage, including information concerning the provider's skills and inventions; and

• to secure the terms and conditions of the service and to address liability issues.

From the legal point of view, information on the end user is subject to privacy and data protection. In addition to technical measures to protect privacy and personal information, other aspects of privacy protection need to be considered: in particular, the legal and moral standards of the society. Since it is possible for technology to fail, it is important to have alternative means for protecting privacy.

Surveys and experiments have uncovered a dichotomy between stated attitudes and actual behavior of individuals facing decisions affecting their privacy and their personal information security. Most individuals are concerned about the security of their personal information, but very few actually take any action to protect it.¹¹ Many business and government leaders have an unquestioned, optimistic, over-simplified faith in science and technology as solutions to social issues. Such leaders argue for unleashing technology and maximizing economic and security values.¹² Technologies as such have a limited direct effect on individuals' behavior with respect to personal information safety, but they have a very significant indirect effect.

Technology has the potential to regulate behavior by enabling or disabling it, in contrast with law, which regulates mainly by imposing sanctions. The law has significant other limitations as well. Many undesirable phenomena are out of the reach of the legal system: the law cannot effectively control issues that are hidden or that are not considered to be within the subject matter of the legal system (but are, for example, ethical). Technology does not have the same limitations: through technology, it is often possible to control issues that are out of the range of the law. Then again, the law can regulate behavior by influencing the development of technology. Therefore, it is necessary to consider these approaches simultaneously: should the law, the technology, or the socioeconomic environment and conditions be changed?^13,14

As computing and communication devices become more pervasive, they will become increasingly embedded in everyday objects and places, connected by communications networks. This development is called ubiquitous computing, ambient intelligence, or pervasive computing. Tiny pervasive computing devices will form the future technology environment for services.^12,15 How will ubiquitous computing or ambient intelligence technologies affect privacy? Because of the proliferation of devices that are able to exchange information about people, the quantity of privacy problems is expected to increase. However, at least three categories of qualitative changes in privacy protection also seem probable.

First, current legislation, although it claims to be technology-neutral, is biased toward existing technical solutions, such as personal computers. According to the European Directive on privacy and electronic communications,⁸ services must consistently provide the option, using a simple means and free of charge, of temporarily refusing the processing of certain personal data for each connection to the network or for each transmission of a communication. It would be quite easy to fulfill such requirements with a PC-based system, but very difficult with a tiny ubiquitous computing device that has a minimal user interface.

Second, people's notions of privacy are evolving. In the future, people may have different notions of privacy and they may be content with reduced privacy in exchange for the enhanced convenience that more elaborate services and security provide.

Third, information and communication technologies will no longer affect only informational privacy, but other types of privacy as well. One well-known example is Professor Kevin Warwick at the University of Reading, who has been implanted with a wireless device connecting him to a computer network. He has shown how the use of implant technology is rapidly diminishing the distance between humans and intelligent networks. His example shows how technology can be used to observe and control human beings through computer networks from a distance. It is possible even to affect his brain's decision-making process.¹⁶ Until now, developing information and communication technology has threatened only informational privacy. Professor Warwick's example shows that the emerging technologies can also jeopardize other components of privacy, and in extreme scenarios even physical or mental integrity. This implies a major qualitative change in privacy problems.

Copyrights will play a central role in the information society. Many business models will increasingly depend on them. To date, the most important part of copyrights has been the exclusive right to make copies. However, the way computers, networks, and other digital devices operate results in the constant copying of information. It is no longer essential or even possible to restrict copying, but rather to try to manage information access. This occurs in practice usually by controlling rights of distribution and communication to the public or alternatively rights of display and performance to the public.

Copyrights may provide the copyright owner with the right to object to content modifications. It is illegal to distribute adapted copyrighted content without permission of the owner or to modify a work in a way which would be prejudicial to the author's reputation. Many content owners are concerned about unauthorized adaptations not only for moral reasons, but also because poor adaptations spoil their brands. A purely technical modification that does not affect the information content, but only data, is typically legal, but notable changes to the information require the copyright owner's permission. In some jurisdictions, modification rights are not separate, independent rights, but either part of distribution rights or moral rights. The details of the right to modify a work depend on the country. In the United States, the owner of copyright has the exclusive right to prepare derivative works based upon the copyrighted work.

Another issue related to adapting content concerns the laws many countries currently have that protect network operators from being liable for illegal content. These “safe harbor” rules usually require that the operator acts as a simple conduit and does not alter the information. If an operator or another service provider begins to adapt content, the safe harbor rules may cease to apply and the operator may also become liable for distributing illegal content.

Copyrights also provide the author with moral rights. For many people, especially amateurs, it is not vital to make money from the works they have created, but to be credited as an author. Thus, copyrights can be important for nonprofit communities.

Copyrights protect the expression of original and creative works. They do not protect ideas and inventions. For example, a computer program is often copyrightable, but others may freely use the same ideas and simply re-implement the code as long as they do not directly copy the original program. Copyright alone typically does not adequately protect innovative services.

Digital rights management (DRM) refers to the technical protection of copyrighted content. Often, it does not appear to be sufficient for the authors or publishers that the law stipulates the rights of the copyright owner. The content industry in particular has demanded technical tools that give them additional protection. DRM technologies are usually based on encryption: data is encrypted in a way that makes unauthorized access to information difficult. A DRM system allows the end user to access the information only in accordance with the license terms that are expressed in machine-readable rights expression language (REL). The most important license term is usually that the end user must pay for the usage in advance. Also, the license terms may restrict how many copies of the product the end user may produce, and in how many devices those copies can be used.

DRM technologies cannot completely protect data. It is always possible to circumvent the protection. Sometimes the circumvention is difficult and requires special skills; at other times it is very easy. The content industry has lobbied for anti-circumvention rules. In recent years, copyright law has been amended to include this legal protection for DRM.

DRM is often considered to be harmful for consumers and other end users, yet there are situations in which an ordinary person may benefit from DRM technologies. If individuals and nonprofit communities want to be sure that their moral rights are respected, they may apply lightweight DRM technologies that do not necessarily limit access to the information but make sure that the work is attributed to its creators. DRM technologies may also engender serious privacy issues. Although DRM is meant to ensure copyright protection, it often manages information about end users, their behavior, and their preferences. Therefore, DRM systems must comply with data protection laws.

The patent system was developed to protect inventions that are related to tangible industrial products. Because of this history, it is often difficult to apply patent law to intangible services. The subject matter of patent law has been gradually extending: computer programs are already largely patentable, and many countries, most notably the United States, also allow business method patents. Therefore, it seems that regardless of problems, patenting service-related inventions is a growing option. Arguably, the patent system has many flaws, and some opponents claim that the system as a whole is mostly harmful and hinders development. However, if society considers it useful to promote inventions with such a system, there should be no reason not to introduce a similar protection for service-related inventions. It should, however, be used to promote competition and not to develop unnecessary monopolies. The legal protection of services needs to be developed carefully to balance the various interests.

Other intellectual property rights, including database sui generis rights (i.e., protection for databases that do not meet the originality criteria for copyright protection) and domain name protections will remain important, as will trademarks, but they fall outside the scope of this paper.^17,18

New information and communication technologies introduce new kinds of contractual challenges. When users with many kinds of wireless devices are moving, their network access points keep changing, and it can be increasingly difficult to identify who the user is. From the contractual viewpoint, it is troublesome if one contracting party is not able to identify the other party. This can be addressed by using, for example, digital signatures that are certified by a trusted third party. However, this requires technological solutions that will not be available in the near future.

One important topic related to contracts is the level of service that the service provider is committed to perform. Service-level agreements (SLAs) describe the minimum service levels to be provided and state the consequences if the provider fails to achieve these levels. The general problem with SLAs is in defining the correct measures to assess services. If incorrect characteristics are used as measures, it may appear that service levels are acceptable and that the service provider has legally fulfilled its obligations, even if the actual user needs are not satisfied. On the other hand, the satisfaction of user needs is often difficult to measure directly. It is therefore critical to base service levels on a quantity that is measurable and adequately reflects real needs.

Consumer protection laws protect individuals against unfair trade and credit practices. They ensure not only the safety of goods and services, but also the economic and legal protections that enable consumers to shop with confidence. The European Union's 2005 directive on unfair business-to-consumer commercial practices¹⁹ addresses these issues. The scenarios and applications based on Example 1 depict a future world in which various applications and services are provided through networks by numerous providers. It will be challenging for a consumer to determine which providers are trustworthy and with whom it is safe to transact. Consumer protection law will have a difficult but increasingly important role in increasing consumers' trust and enabling business.

There are no international laws that govern the legal topics discussed previously, only a variety of national laws. As discussed previously, national laws can be quite different, and services, which are becoming increasingly international, may face problems when trying to cope with multiple jurisdictions.

Intellectual property rights, like copyrights and patents, have been addressed by international treaties, but there are important differences between countries that may harm service providers. Privacy and data protection laws are coordinated in the European Union, but not worldwide. Therefore many other countries, like the United States, are considered insecure, and transferring personal data to them is limited. Contract law is based on the freedom of contract in most countries and therefore, in principle, all the agreements that are legal in one country are enforceable also in other countries, but legal details (such as those related to consumer protection) can be very different.

To summarize, service providers could benefit from worldwide borderless digital markets, but the current legal system does not support it. To foster service provisioning and to promote fair global competition, it is essential to reduce the problems that differences between national laws introduce.

Several legal areas are important within the context of service science. In particular, privacy and data protection law have been highlighted in the previous discussion. The examples given support the conclusion that privacy and data protection will be very significant legal topics in relation to emerging services.

The examples highlight issues related to personalization and adaptation. User profiles are often personal data that needs to be processed in accordance with privacy and data protection law. Personalization is usually an acceptable purpose for collecting data. If data is collected for another purpose, it should not be further processed in a way which is incompatible with that purpose, and no inadequate, irrelevant, or excessive data in relation to the purpose should be processed. Therefore, one needs to be careful if personalization uses data that is collected for other purposes and is related to identifiable people. Also, care must be taken that any major decisions are not made based on incorrect or incomplete information.

The examples emphasize the personalization of content based on device properties, context, user preferences, and so on. DRM and copyright technical protection pose issues in relation to both intellectual property law and data protection law. Other legal areas, like tax law, may need to be modified to adapt to emerging services. However, based on our analysis, it seems that those kinds of modifications are more random and perhaps not central to service science.

To conclude, the most important legal topics that should be studied further are:

1. Privacy and data protection

   • The challenges that new technologies pose to privacy and data protection law

   • The contradictions between technology-based laws and the services based on new technologies

   • The changing notions of privacy and how they affect legislation

   • Technologies such as implants that may require the area of law to be widened because they not only gather information about us, but can actually affect us physically

2. Intellectual property rights

   • Copyrights, especially the changing focus from copying to modifying

   • DRM with respect to services

   • Protection of inventions related to intangible services, since the current patent system fits them poorly

3. Contracts

   • The adjustments that contracts require for new technologies

   • In business-to-consumer markets, the revisions that consumer protection law requires

Accepted for publication March 25, 2007; Published online January 24, 2008.