Legal research topics in user-centric services

http://sske.cloud.upb.ro/sskemw/images/b/b0/Pitkanen.pdf O. PitkanenP. VirtanenJ. KemppinenThere are several essential legal topics that must be included in the research agenda ofservice science. In this paper, we discuss these topics, beginning with an analysis ofthe definition of a service and a categorization of some of the actors in service systems,with their diverse interests. A set of case studies and scenarios is presented to illustratethe kinds of legal challenges that are involved in providing user-centric and customer-oriented services. We conclude by suggesting the most important legal topics thatshould be studied further in relation to service science.

INTRODUCTION Service science is an emerging discipline that bringstogether the ongoing work in computer science,operations research, industrial engineering, andbusiness strategy, as well as management, social,cognitive, and legal science, in the effort to developthe skills required for a service-oriented economy.1–3The importance of the service sector (formerly aneglected category in economic statistics) has growndramatically both domestically and globally.In the past, the primary production sector as definedin economic statistics included agriculture, forestry,and mining; the secondary production sector,manufacturing, was the mainstay for commerce.Other economic activities were simply categorizedas‘‘services’’and academics did not feel a need toconsider whether these activities actually formed ahomogeneous class.The role of the services category has now increaseddramatically. Efficiency in the primary productionsector has improved so much that this sectoremploys only a small fraction of the workforce. Asimilar development is occurring in the secondaryproduction sector. The growing part of the laborforce is employed by the service sector. In somecountries as much as 75 percent of gross productionand 80 percent of employment are attributed to theservice sector.This change has created challenges. For example, IBMhas had to go through significant changes in itsbusiness, transforming it from a company thatinitially sold machines to one that sells software andsystems, and is currently expected to provide servic-es. IBM is promoting systematic service research toimprove the productivity of the service business.Other companies will be facing the same challenges,though they may not yet be aware of this.2,4ÓCopyright 2008 by International Business Machines Corporation. Copying inprinted form for private use is permitted without payment of royalty providedthat (1) each reproduction is done without alteration and (2) the Journalreference and IBM copyright notice are included on the first page. The titleand abstract, but no other portions, of this paper may be copied or distributedroyalty free without further permission by computer-based and otherinformation-service systems. Permission to republish any other portion of thepaper must be obtained from the Editor. 0018-8670/08/$5.00Ó2008 IBMIBM SYSTEMS JOURNAL, VOL 47, NO 1, 2008 PITKÄNEN, VIRTANEN, AND KEMPPINEN143What is a service?Services form a huge category that includes a widerange of activities, from haircutting to IT outsourc-ing, from health care to legal services, fromconsumer services to business services, and fromprivate to public services. Service providers includeself-employed persons, multinational corporations,public authorities, and nonprofit organizations.Experts often have a certain type of service in mindwhen they propose definitions of‘‘service’’whichinvolve payment for performance, a time-perish-able, intangible experience, an activity performedfor a client who is also a coproducer, or one whichtransforms a state of a client. For an excellentsummary of definitions of a service, see Reference 4.Information and communication technology (ICT)has enabled the provision of many intangiblecommodities, and this makes the concept of serviceever more ambiguous. A digital recording is notnecessarily‘‘material’’; i.e., it does not have to befixed on a physical carrier that is handed overtogether with the distribution of the content, but itmay still be quite permanent, and may be easier tosell as a product or a good than as a service. On theother hand, information can be automaticallyadapted in accordance with certain customers’needs and circumstances. Such information, owingto the personalization and the work involved in theadaptation process, begins to resemble a service,though it still has several characteristics of a productor a good.Successful businesses are based on customers’needs. Technical features do not justify a transactionunless they provide solutions to a customer’sproblems. Despite this, traditional solutions havecentered on material articles. If, for example, theproblem has been related to communication, thecustomer typically purchased a phone capable ofmore efficient communication. In contrast, a serviceprovider does not sell devices, but provides servicesthat solve the problem. A communication servicemay still be based on phones, software, andcomputer systems, but instead of purchasing thesedevices, a customer purchases a service enabled bythem.To solve customers’ real problems, the serviceprovider must have a profound understanding oftheir needs. It is enough to have a general orstatistical view of users to design a mass-producedgood, but to serve a particular user effectively, oneneeds to know the user thoroughly. Service provi-sion stresses the importance of user needs. There-fore, the concept of a successful service is also closeto the concept of a solution. Services, unlike mostgoods, are often coproduced with the user; thus thesolution aspect is innate and characteristic toservices. Consequently, understanding user needsand user research are key issues in service researchand development. The human-centric element andits potential for the development of new ICT-basedservices is provided by bringing different stake-holders and technologies together in a co-creativeway.The concept of innovation refers to the evolution ofnew commodities by means of inventing, develop-ing, manufacturing, and marketing novel products,processes, and services. In particular, serviceinnovations are successfully commercialized serviceinventions, not just clever technical ideas. The roleof innovation in this process is generally accepted ascentral to knowledge economies. The commercialviability of an innovation is therefore critical.An innovation has to correspond to user needs andbe technically feasible, legally and socially accept-able, and accompanied by a business model. All ofthese aspects can be studied by testing a serviceprototype among users and developing all elementsof a solution based on the study results. Users oftencreate new ways of using the service and reveal itshidden possibilities. The users may even developnew services, if the platforms with which they areprovided allow this.LEGAL FRAMEWORK FOR SERVICE SYSTEMSService systems comprise service providers andcustomers coproducing value in complex anddynamic formations.5The various actors in servicesystems have diverse interests that are governed byvarious laws. Typically, the actors belong to one ofthe following groups: businesses (corporations forprofit), consumers (individuals), public entities(government, state officials, etc), and communities(informal groups of individuals, usually not forprofit). Service providers and customers may belongto any one of these groups.To analyze what sort of legal challenges servicesystems have, a set of case studies and scenarios arepresented herein. They are selected from numerousPITKÄNEN, VIRTANEN, AND KEMPPINEN IBM SYSTEMS JOURNAL, VOL 47, NO 1, 2008144examples that we have analyzed. They include anexample of an advanced service framework, Mobi-Life Service Framework, that highlights challengesrelated to business-to-consumer (B2C) services.Business-to-business (B2B) case studies and asample public service are also included. A user-centric approach is illustrated, whereby the properlegal protection of user information is essential toensure healthy competition.Example 1: MobiLife service frameworkThe goal of the MobiLife project (which was fundedby the European Union’s sixth Framework programin 2004–2006) was to bring advances in mobileapplications and services within the reach of usersin their everyday lives by innovating and deployingnew applications and services. MobiLife introduceda mobile service framework that identified theessential functional blocks for the implementation ofnew mobile services and applications. The projectdeveloped several initial applications based on theframework.6The mobile application framework uses contextualinformation including low-level context data such aslocation, time, temperature, and noise, as well ashigher-level context data such as user situation (e.g.,in a meetingorwith friends). Context data gatheredfrom various sources influences which services areprovided to the user as well as how the services aredefined. The framework is able to personalizeapplications; that is, to acquire, manage, and usepersonal information about the user to adaptapplications’ behavior to specific user needs.The framework supports services that are controlledby a service provider as well as services that areprovided in an ad hoc manner between userswithout the control of a third party. The frameworkis not restricted to current provider-consumer valuechains, but is flexible regarding new ways of serviceprovisioning, such as new ways of incorporatingthird-party service providers.The framework supports relevant solutions forprivacy and trust issues, legacy as well as emergingapplications, context management, and seamlessservice access through multiple access technologies.It also provides service and component life-cyclesupport.The user-interface adaptation function of theframework uses available and relevant contextualinformation to facilitate user-interface adaptabilityfor services and applications. This function adaptsboth the input modalities of users as well as theoutput of the services. The user-interface adaptationfunction is also related to other functions, such asservice-quality adaptation.Example 2: Finnair’s check-in with BookITFinnair, the Finnish commercial airline, was the firstto enable passengers to use a text message to checkin for flights in advance. Finnair carried more thaneight million passengers in 2004. Especially duringpeak hours, serving passengers in person requiresextensive human resources and often results indelays.For the customers and staff of Finnair, the newBookIT check-in service provided welcome relief forthis problem.7The check-in service enables frequentflyers to go directly to the departure gate and bypassthe normal check-in procedure when travelling withhand baggage only. Before the departure, Finnairsends a check-in text message to the passenger’smobile phone. The passenger confirms the check-inby answering the message with a single letter. Afterconfirmation, a message detailing the necessary gateand seat information (as illustrated inFigure 1)issent.The service has improved customer service whilereducing costs. The service was very rapidly andwidely accepted by the passengers because it savestime, is easy to use, works on any GSM (GlobalSystem for Mobile communications) phone and isindependent of location and telecom service pro-vider. The penetration rate of the service has beenover 75 percent among frequent fliers.This service is an interesting combination of B2Band B2C features. BookIT, the company whichdeveloped the system, also acts as a service supplier,providing Finnair with the service on a regular basis.On the other hand, most of the Finnair’s frequentflyers are business travelers whose trips are paid forby their employers. Thus, the service is a business-to-business service (BookIT to Finnair and Finnair tobusiness customers). The real success of the serviceis dependent on the end users: individuals decidewhether the service corresponds to their needs.Because travel information is personal data, dataprotection laws are applicable in this case. TheIBM SYSTEMS JOURNAL, VOL 47, NO 1, 2008 PITKÄNEN, VIRTANEN, AND KEMPPINEN145European data protection law provides safeguardsfor subscribers against violations of their privacy byunsolicited commercial communications (e.g., thoseusing text messages). The European Union’s direc-tive on privacy and electronic communications8stipulates an opt-in policy: prior explicit consent ofthe recipients is required. In the Finnair case,frequent fliers give their consent by selecting theoption on Finnair’s Web site specifying that Finnairmay send them text messages.From the service provider’s viewpoint, the innova-tions that are implemented here are relativelystraightforward to copy and thus the competitiveadvantage can be easily lost. Therefore it is crucialto know to what extent the service can be protectedby law. The computer programs that are developedto implement the service can be protected bycopyright. The methods and devices that the serviceincludes may well include patentable inventions.Example 3: Thomas Cook—Outsourcing andconsolidationThe Thomas Cook Company of the United Kingdomand Ireland operated a holiday airline, nine touroperating brands, three call centers, and a populartravel Web site. It had three business units: sales,tour operations, and the airline. Each of them hadtheir own management, financial procedures, and ITinfrastructure. A majority of the internal operationsin these three business units were performedseparately, leading occasionally to the triplication ofback-office functions.9Owing to new low-cost airlines and travel services,the competitive environment in the travel industrymade it difficult to support office activities, leadingto annual losses for Thomas Cook. This, togetherwith the increasingly more difficult market forholiday tour operators in today’s heightened-secu-rity environment, made improvements in its internalprocesses and organization of critical importance.Thomas Cook hired Accenture to establish a cost-effective shared services center in Bangalore, India,with markedly lower personnel cost. The aim wasnot only to maintain the quality of services but alsoto consolidate the internal activities of the threebusiness units. Accenture identified the activitiesthat could be transferred and then designed (to-gether with Thomas Cook) a multi-process centerwhich brought together human resources manage-ment, project delivery, finance, and payroll func-tions along with integrated IT services. About 60percent of the total shared internal workload wastransferred to the new delivery center. The transi-tion took less than a year to achieve, together with asimultaneous redeployment program for those U.K.Figure 1Finnair BookIT text messaging check-in system0. Flight reservation 1. Message from Finnair2. Reply to Finnair3. Confirmation fromFinnairIntelligent SMS(short message service)is activated in customer profile(frequent flyer).PITKÄNEN, VIRTANEN, AND KEMPPINEN IBM SYSTEMS JOURNAL, VOL 47, NO 1, 2008146and Ireland employees whose jobs had migrated toBangalore. Operation costs were reduced by 30percent in the first year and one-half (with respect toshared center services). The workforce had moretime to service the customers and the company wasable to concentrate on its core competence.With respect to legal issues, the contractualarrangement between Thomas Cook and Accenturerequired the provision of a long-time outsourcingagreement with the transfer of approximately 400workers from Thomas Cook to Accenture, givingresponsibility for operational management of ser-vice delivery and overall performance of the newcenter to Accenture. Accenture deployed automatedknowledge-transfer tools and processes to facilitatethe start-up and information sharing between theEuropean and overseas units. Several new technol-ogies, such as electronic invoicing, vendor paymentservices, and automated human resource adminis-tration systems were introduced.Several components and procedures of the solutioncall for intellectual property protection such ascopyrights for software and patents for devices andautomated processes, trade secrets, and the like. Thetransfer of large amounts of customer informationbetween the cooperating parties concerning suchsensitive data as payment and credit details and theinformation required by security and aviation safetyofficials call for careful consideration of the relevantdata protection and privacy legislation.Example 4: Pre-filled and online tax return formsIn 2006, the prime minister of Finland gave theannual Information Society Award to the Finnish taxauthorities for successfully introducing a systemthat produces prefilled tax return forms for citizens.The system collects necessary information fromemployers, banks, and so on, calculates an estimate,and fills in the tax forms accordingly. The taxpayerchecks the calculations and makes corrections onlyif necessary. This saves a remarkable amount ofwork for both the taxpayers and the authorities.10The tax return forms are still in paper format, but itis expected that the next generation of this servicewill be electronic and online.Information on taxpayers’ income, expenses, prop-erty, and so on, is personal data, and so is subject todata protection laws. However, tax law and anumber of special stipulations override the generaldata protection law. Obviously, privacy is a concernand data protection needs to be maintained, but thespecial regulations concerning tax returns can beexploited to support this kind of useful service.LEGAL ANALYSISIn each service relationship, there are at least threelegal objectives that are of particular interest for thedevelopment of the service and consequently forservice science:to properly protect information concerning cus-tomers or end users and their needs;to promote competition by appropriately protect-ing the service provider’s competitive advantage,including information concerning the provider’sskills and inventions; andto secure the terms and conditions of the serviceand to address liability issues.Privacy and data protectionFrom the legal point of view, information on the enduser is subject to privacy and data protection. Inaddition to technical measures to protect privacyand personal information, other aspects of privacyprotection need to be considered: in particular, thelegal and moral standards of the society. Since it ispossible for technology to fail, it is important to havealternative means for protecting privacy.Surveys and experiments have uncovered a dichot-omy between stated attitudes and actual behavior ofindividuals facing decisions affecting their privacyand their personal information security. Mostindividuals are concerned about the security of theirpersonal information, but very few actually take anyaction to protect it.11Many business and govern-ment leaders have an unquestioned, optimistic,over-simplified faith in science and technology assolutions to social issues. Such leaders argue forunleashing technology and maximizing economicand security values.12Technologies as such have alimited direct effect on individuals’ behavior withrespect to personal information safety, but they havea very significant indirect effect.Technology has the potential to regulate behavior byenabling or disabling it, in contrast with law, whichregulates mainly by imposing sanctions. The lawhas significant other limitations as well. Manyundesirable phenomena are out of the reach of thelegal system: the law cannot effectively controlIBM SYSTEMS JOURNAL, VOL 47, NO 1, 2008 PITKÄNEN, VIRTANEN, AND KEMPPINEN147issues that are hidden or that are not considered tobe within the subject matter of the legal system (butare, for example, ethical). Technology does not havethe same limitations: through technology, it is oftenpossible to control issues that

are out of the range ofthe law. Then again, the law can regulate behaviorby influencing the development of technology.Therefore, it is necessary to consider these ap-proaches simultaneously: should the law, thetechnology, or the socioeconomic environment andconditions be changed?13,14As computing and communication devices becomemore pervasive, they will become increasinglyembedded in everyday objects and places, connect-ed by communications networks. This developmentis called ubiquitous computing, ambient intelli-gence, or pervasive computing. Tiny pervasivecomputing devices will form the future technologyenvironment for services.12,15How will ubiquitouscomputing or ambient intelligence technologiesaffect privacy? Because of the proliferation ofdevices that are able to exchange information aboutpeople, the quantity of privacy problems is expectedto increase. However, at least three categories ofqualitative changes in privacy protection also seemprobable.First, current legislation, although it claims to betechnology-neutral, is biased toward existing tech-nical solutions, such as personal computers. Ac-cording to the European Directive on privacy andelectronic communications,8services must consis-tently provide the option, using a simple means andfree of charge, of temporarily refusing the process-ing of certain personal data for each connection tothe network or for each transmission of a commu-nication. It would be quite easy to fulfill suchrequirements with a PC-based system, but verydifficult with a tiny ubiquitous computing devicethat has a minimal user interface.Second, people’s notions of privacy are evolving. Inthe future, people may have different notions ofprivacy and they may be content with reducedprivacy in exchange for the enhanced conveniencethat more elaborate services and security provide.Third, information and communication technologieswill no longer affect only informational privacy, butother types of privacy as well. One well-knownexample is Professor Kevin Warwick at the Univer-sity of Reading, who has been implanted with awireless device connecting him to a computernetwork. He has shown how the use of implanttechnology is rapidly diminishing the distancebetween humans and intelligent networks. Hisexample shows how technology can be used toobserve and control human beings through com-puter networks from a distance. It is possible even toaffect his brain’s decision-making process.16Untilnow, developing information and communicationtechnology has threatened only informational pri-vacy. Professor Warwick’s example shows that theemerging technologies can also jeopardize othercomponents of privacy, and in extreme scenarioseven physical or mental integrity. This implies amajor qualitative change in privacy problems.Intellectual property rights and digital rightsmanagementCopyrights will play a central role in the informationsociety. Many business models will increasinglydepend on them. To date, the most important part ofcopyrights has been the exclusive right to makecopies. However, the way computers, networks, andother digital devices operate results in the constantcopying of information. It is no longer essential oreven possible to restrict copying, but rather to try tomanage information access. This occurs in practiceusually by controlling rights of distribution andcommunication to the public or alternatively rightsof display and performance to the public.Copyrights may provide the copyright owner withthe right to object to content modifications. It isillegal to distribute adapted copyrighted contentwithout permission of the owner or to modify awork in a way which would be prejudicial to theauthor’s reputation. Many content owners areconcerned about unauthorized adaptations not onlyfor moral reasons, but also because poor adapta-tions spoil their brands. A purely technical modifi-cation that does not affect the information content,but only data, is typically legal, but notable changesto the information require the copyright owner’spermission. In some jurisdictions, modificationrights are not separate, independent rights, buteither part of distribution rights or moral rights. Thedetails of the right to modify a work depend on thecountry. In the United States, the owner of copyrighthas the exclusive right to prepare derivative worksbased upon the copyrighted work.PITKÄNEN, VIRTANEN, AND KEMPPINEN IBM SYSTEMS JOURNAL, VOL 47, NO 1, 2008148Another issue related to adapting content concernsthe laws many countries currently have that protectnetwork operators from being liable for illegalcontent. These‘‘safe harbor’’rules usually requirethat the operator acts as a simple conduit and doesnot alter the information. If an operator or anotherservice provider begins to adapt content, the safeharbor rules may cease to apply and the operatormay also become liable for distributing illegalcontent.Copyrights also provide the author with moralrights. For many people, especially amateurs, it isnot vital to make money from the works they havecreated, but to be credited as an author. Thus,copyrights can be important for nonprofit commu-nities.Copyrights protect the expression of original andcreative works. They do not protect ideas andinventions. For example, a computer program isoften copyrightable, but others may freely use thesame ideas and simply re-implement the code aslong as they do not directly copy the originalprogram. Copyright alone typically does not ade-quately protect innovative services.Digital rights management(DRM) refers to thetechnical protection of copyrighted content. Often, itdoes not appear to be sufficient for the authors orpublishers that the law stipulates the rights of thecopyright owner. The content industry in particularhas demanded technical tools that give themadditional protection. DRM technologies are usuallybased on encryption: data is encrypted in a way thatmakes unauthorized access to information difficult.A DRM system allows the end user to access theinformation only in accordance with the licenseterms that are expressed in machine-readable rightsexpression language (REL). The most importantlicense term is usually that the end user must pay forthe usage in advance. Also, the license terms mayrestrict how many copies of the product the end usermay produce, and in how many devices those copiescan be used.DRM technologies cannot completely protect data. Itis always possible to circumvent the protection.Sometimes the circumvention is difficult and re-quires special skills; at other times it is very easy.The content industry has lobbied for anti-circum-vention rules. In recent years, copyright law hasbeen amended to include this legal protection forDRM.DRM is often considered to be harmful for con-sumers and other end users, yet there are situationsin which an ordinary person may benefit from DRMtechnologies. If individuals and nonprofit commu-nities want to be sure that their moral rights arerespected, they may apply lightweight DRM tech-nologies that do not necessarily limit access to theinformation but make sure that the work isattributed to its creators. DRM technologies mayalso engender serious privacy issues. Although DRMis meant to ensure copyright protection, it oftenmanages information about end users, their behav-ior, and their preferences. Therefore, DRM systemsmust comply with data protection laws.The patent system was developed to protectinventions that are related to tangible industrialproducts. Because of this history, it is often difficultto apply patent law to intangible services. Thesubject matter of patent law has been graduallyextending: computer programs are already largelypatentable, and many countries, most notably theUnited States, also allow business method patents.Therefore, it seems that regardless of problems,patenting service-related inventions is a growingoption. Arguably, the patent system has many flaws,and some opponents claim that the system as awhole is mostly harmful and hinders development.However, if society considers it useful to promoteinventions with such a system, there should be noreason not to introduce a similar protection forservice-related inventions. It should, however, beused to promote competition and not to developunnecessary monopolies. The legal protection ofservices needs to be developed carefully to balancethe various interests.Other intellectual property rights, including data-basesui generisrights (i.e., protection for databasesthat do not meet the originality criteria for copyrightprotection) and domain name protections willremain important, as will trademarks, but they falloutside the scope of this paper.17,18Contractual relations and consumer protectionNew information and communication technologiesintroduce new kinds of contractual challenges.When users with many kinds of wireless devices aremoving, their network access points keep changing,IBM SYSTEMS JOURNAL, VOL 47, NO 1, 2008 PITKÄNEN, VIRTANEN, AND KEMPPINEN149and it can be increasingly difficult to identify whothe user is. From the contractual viewpoint, it istroublesome if one contracting party is not able toidentify the other party. This can be addressed byusing, for example, digital signatures that arecertified by a trusted third party. However, thisrequires technological solutions that will not beavailable in the near future.One important topic related to contracts is the levelof service that the service provider is committed toperform. Service-level agreements (SLAs) describethe minimum service levels to be provided and statethe consequences if the provider fails to achievethese levels. The general problem with SLAs is indefining the correct measures to assess services. Ifincorrect characteristics are used as measures, it mayappear that service levels are acceptable and that theservice provider has legally fulfilled its obligations,even if the actual user needs are not satisfied. On theother hand, the satisfaction of user needs is oftendifficult to measure directly. It is therefore critical tobase service levels on a quantity that is measurableand adequately reflects real needs.Consumer protection laws protect individualsagainst unfair trade and credit practices. Theyensure not only the safety of goods and services, butalso the economic and legal protections that enableconsumers to shop with confidence. The EuropeanUnion’s 2005 directive on unfair business-to-con-sumer commercial practices19addresses these is-sues. The scenarios and applications based onExample 1 depict a future world in which variousapplications and services are provided throughnetworks by numerous providers. It will be chal-lenging for a consumer to determine which provid-ers are trustworthy and with whom it is safe totransact. Consumer protection law will have adifficult but increasingly important role in increasingconsumers’ trust and enabling business.International and cross-border issuesThere are no international laws that govern the legaltopics discussed previously, only a variety ofnational laws. As discussed previously, nationallaws can be quite different, and services, which arebecoming increasingly international, may faceproblems when trying to cope with multiplejurisdictions.Intellectual property rights, like copyrights andpatents, have been addressed by internationaltreaties, but there are important differences betweencountries that may harm service providers. Privacyand data protection laws are coordinated in theEuropean Union, but not worldwide. Thereforemany other countries, like the United States, areconsidered insecure, and transferring personal datato them is limited. Contract law is based on thefreedom of contract in most countries and therefore,in principle, all the agreements that are legal in onecountry are enforceable also in other countries, butlegal details (such as those related to consumerprotection) can be very different.To summarize, service providers could benefit fromworldwide borderless digital markets, but thecurrent legal system does not support it. To fosterservice provisioning and to promote fair globalcompetition, it is essential to reduce the problemsthat differences between national laws introduce.CONCLUSIONSeveral legal areas are important within the contextof service science. In particular, privacy and dataprotection law have been highlighted in the previousdiscussion. The examples given support the con-clusion that privacy and data protection will be verysignificant legal topics in relation to emergingservices.The examples highlight issues related to personali-zation and adaptation. User profiles are oftenpersonal data that needs to be processed inaccordance with privacy and data protection law.Personalization is usually an acceptable purpose forcollecting data. If data is collected for anotherpurpose, it should not be further processed in a waywhich is incompatible with that purpose, and noinadequate, irrelevant, or excessive data in relationto the purpose should be processed. Therefore, oneneeds to be careful if personalization uses data thatis collected for other purposes and is related toidentifiable people. Also, care must be taken thatany major decisions are not made based on incorrector incomplete information.The examples emphasize the personalization ofcontent based on device properties, context, userpreferences, and so on. DRM and copyright techni-cal protection pose issues in relation to bothintellectual property law and data protection law.Other legal areas, like tax law, may need to bemodified to adapt to emerging services. However,PITKÄNEN, VIRTANEN, AND KEMPPINEN IBM SYSTEMS JOURNAL, VOL 47, NO 1, 2008150based on our analysis, it seems that those kinds ofmodifications are more random and perhaps notcentral to service science.To conclude, the most important legal topics thatshould be studied further are:1.Privacy and data protectionThe challenges that new technologies pose toprivacy and data protection lawThe contradictions between technology-based laws and the services based on newtechnologiesThe changing notions of privacy and howthey affect legislationTechnologies such as implants that mayrequire the area of law to be widenedbecause they not only gather informationabout us, but can actually affect us physically2.Intellectual property rightsCopyrights, especially the changing focusfrom copying to modifyingDRM with respect to servicesProtection of inventions related to intangibleservices, since the current patent system fitsthem poorly3.ContractsThe adjustments that contracts require fornew technologiesIn business-to-consumer markets, the revi-sions that consumer protection law requiresCITED REFERENCES1.Services Sciences,Management and Engineering, IBMCorporation, http://www.research.ibm.com/ssme.2. H. Chesbrough and J. Spohrer,‘‘A Research Manifesto forServices Science,’’Communications of the ACM49, No. 7,35–40 (2006).3. L. D. Paulson,‘‘Services Science: A New Field for Today’sEconomy,’’IEEE Computer39, No. 8, 18–21 (2006).4. J. Spohrer and P. P. Maglio,The Emergence of ServiceScience: Toward Systematic Service Innovations to Accel-erate Co-creation of Value. IBM Almaden ResearchCenter, Almaden, CA (2006), http://www.almaden.ibm.com/asr/SSME/jspm.pdf.5. J. Spohrer, P. Maglio, J. Bailey, and D. Gruhl,‘‘StepsToward a Science of Service Systems,’’IEEE Computer40,No. 1, 71–77 (2007).6.IST Project Fact Sheet, Information Society Technologies,http://cordis.europa.eu/fetch?CALLER¼IST_UNIFIEDSRCH&ACTION¼D&DOC¼6&CAT¼PROJ&QUERY¼1189537502606&RCN¼71853.7. BookIT, http://www.bookit.net.8.Directive on privacy and electronic communications,European Parliament and the Council of the EuropeanUnion, directive 2002/58/EC (July 12, 2002).9.Co-Sourcing UK Shared Service Center, Thomas Cook UK,http://www.accenture.com/Global/Outsourcing/Business_Process_Outsourcing/Accenture_Finance_Solutions/Client_Successes/ThomasCenter.htm.10. Verohallinto Tax Administration, http://www.vero.fi/default.asp?article¼5460&domain¼VERO_ENGLISH&path¼488,493,745&language¼ENG.11. A. Acquisti and J. Grossklags,‘‘Privacy Attitudes andPrivacy Behavior: Losses, Gains, and Hyperbolic Dis-counting,’’inThe Economics of Information Security,J.Camp and S. Lewis, Editors, Kluwer Academic Press,Norwell, MA (2004).12. M. Friedewald, P. Alahuhta, I. Maghiros, S. Gutwirth,and D. Wright,‘‘Report on the Final Conference,’’Safeguards in a World of Ambient Intelligence (SWAMI)(March 2006), http://publica.fraunhofer.de/eprints/N-43485.pdf.13. S. Gutwirth, P. De Hert, A. Moscibroda, and W. Schreurs,‘‘The Legal Aspects of the SWAMI Project,’’Safeguards ina World of Ambient Intelligence (SWAMI)(March 2006),http://is.jrc.es/pages/TFS/documents/Deliverable5-ReportonConference.pdf.14. L. Lessig,Code and Other Laws of Cyberspace, BasicBooks, New York (1999).15. G. A. Gow,‘‘Privacy and Ubiquitous Network Societies,’’International Telecommunication Union Workshop onUbiquitous Network Societies(2005), http://www.itu.int/osg/spu/ni/ubiquitous/Presentations/8_gow_privacy.pdf.16. K. Warwick,‘‘Wiring in Humans. Advantages andProblems as Humans Become Part of the MachineNetwork via Implants,’’Safeguards in a World ofAmbient Intelligence (SWAMI)(March 2006),http://is.jrc.es/pages/TFS/documents/Deliverable5-ReportonConference.pdf.17. O. Pitkänen,Legal Challenges to Future InformationBusinesses, Helsinki Institute for Information Technology(HIIT), Helsinki, Finland (2006).18. O. Pitkänen,Legal and Regulation Framework Specifica-tion: Competence within Mobile Families and Ad-hocCommunities, Information Society Technologies docu-ment IST-2004-511607 MobiLife, D11 (2006).19.Directive on Unfair Commercial Practices, EuropeanParliament and the council of the European Union,directive 2005/29/EC (May 11, 2005).Accepted for publication March 25, 2007.Olli PitkänenHelsinki Institute for Information Technology (HIIT), HelsinkiUniversity of Technology, and University of Helsinki, Finland,P.O. Box 9800, 02015 TKK, Finland. (olli.pitkanen@hiit.fi).Dr. Pitkänen is a research scientist at HIIT. He holds adoctorate in information technology, a master’s degree insoftware engineering, and a master’s degree in laws. He hasworked as a researcher and a teacher at the HelsinkiUniversity of Technology and at HIIT since 1993. From 1999 to2001, and during 2003, he was a visiting scholar at theUniversity of California at Berkeley. His research interestsinclude legal issues related to digital services, and informationIBM SYSTEMS JOURNAL, VOL 47, NO 1, 2008 PITKÄNEN, VIRTANEN, AND KEMPPINEN151.Published online January24,2008and communication technologies (ICT). Prior to academia heworked as a software engineer in several companies andpracticed law.Perttu VirtanenHelsinki Institute for Information Technology (HIIT), HelsinkiUniversity of Technology, University of Helsinki, andLappeenranta University of Technology, Finland, P.O. Box9800, 02015 TKK, Finland. (perttu.virtanen@hiit.fi).Dr.Virtanen is a research scientist at HIIT. He holds Doctor ofPhilosophy, Master of European Law, and Master of Lawdegrees.Jukka KemppinenHelsinki Institute for Information Technology (HIIT), HelsinkiUniversity of Technology, University of Helsinki, andLappeenranta University of Technology, Finland, P.O. Box9800, 02015 TKK, Finland. (jukka.kemppinen@hiit.fi).Dr.Kemppinen is a professor of information law, a former judgefor the Court of Appeals, an author (of poetry, fiction, andnonfiction), and a translator. He holds a doctorate degree inphilosophy. Dr. Kemppinen has written over 1,000 articles inreviews, journals, magazines, and newspapers. His blog,http://kemppinen.blogspot.com (mostly in Finnish, occa-sionally in English), is very popular.&PITKÄNEN, VIRTANEN, AND KEMPPINEN IBM SYSTEMS JOURNAL, VOL 47, NO 1, 2008152

Thursday, Jan 03, 2008