The security cost of cheap user interaction

Proceedings New Security Paradigms Workshop

Volumn , Issue , 2011, Pages 67-82

  Böhme, Rainer ^a   Grossklags, Jens ^b  

^a UNIVERSITY OF MÜNSTER   (Germany)

^b PENNSYLVANIA STATE UNIVERSITY   (United States)

Author keywords

attention economics; bounded rationality; HCI; interdisciplinary security and privacy; notice and consent; policy; security economics; security warnings; usable security

Indexed keywords

BOUNDED RATIONALITY; NOTICE AND CONSENT; SECURITY AND PRIVACY; SECURITY ECONOMICS; SECURITY WARNING; USABLE SECURITY;

COMPUTER PRIVACY; ECONOMICS; HUMAN COMPUTER INTERACTION; PUBLIC POLICY;

BEHAVIORAL RESEARCH;

EID: 84855681364     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2073276.2073284     Document Type: Conference Paper

References (122)

1. M. Ackerman, L. Cranor, and J. Reagle. Privacy in e-commerce: Examining user scenarios and privacy preferences. In Proceedings of the ACM Conference on Electronic Commerce (EC), pages 1-8, Denver, CO, Nov. 1999.
2. A. Acquisti and J. Grossklags. Privacy and rationality in individual decision making. IEEE Security & Privacy, 3(1):26-33, Jan.-Feb. 2005.
3. A. Acquisti and S. Spiekermann. Do interruptions pay off? Effects of interruptive ads on consumers' willingness to pay. Journal of Interactive Marketing, 25(4):226-240, Nov. 2011.
4. A. Adams and A. Sasse. Users are not the enemy. Communications of the ACM, 42(12):41-46, Dec. 1999. (Pubitemid 129568045)
5. I. Ajzen. The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2):179-211, Dec. 1991.
6. J. Argo and K. Main. Meta-analyses of the effectiveness of warning labels. Journal of Public Policy & Marketing, 23(2):193-208, Fall 2004.
7. H. Beales, R. Craswell, and S. Salop. Efficient regulation of consumer information. Journal of Law & Economics, 24(3):491-539, Dec. 1981.
8. A. Beautement, A. Sasse, and M. Wonham. The compliance budget: Managing security behaviour in organisations. In Proceedings of the New Security Paradigms Workshop (NSPW), Lake Tahoe, CA, Sept. 2008.
9. L. Bebchuk and R. Posner. One-sided contracts in competitive consumer markets. Michigan Law Review, 104(5):827-835, Mar. 2006. (Pubitemid 43474653)
10. A. Besmer, J. Watson, and H. R. Lipford. The impact of social navigation on privacy policy configuration. In Proceedings of the Symposium On Usable Privacy and Security (SOUPS), page article 7, Redmond, WA, July 2010.
11. R. Böhme and S. Köpsell. Trained to accept? A field experiment on consent dialogs. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'10), pages 2403-2406, Atlanta, GA, Apr. 2010.
12. R. Böhme and S. Pötzsch. Collective exposure: Peer effects in voluntary disclosure of personal data. In Proceedings of the International Conference on Financial Cryptography and Data Security (FC'11), Rodney Bay, St. Lucia, Feb.-Mar. 2011.
13. J. Bouckaert and H. Degryse. Opt in versus opt out: A free-entry analysis of privacy policies. In Proceedings of the Workshop on the Economics of Information Security (WEIS), Cambridge, UK, June 2006.
14. L. Brandimarte, A. Acquisti, and G. Loewenstein. Privacy concerns and information disclosure: An illusion of control hypothesis. Under submission, 2010.
15. P. Breese and W. Burman. Readability of notice of privacy forms used by major health care institutions. Journal of the American Medical Association, 293(13):1593-1594, Apr. 2005. (Pubitemid 40476159)
16. J. Brustoloni and R. Villamarín-Salomón. Improving security decisions with polymorphic and audited dialogs. In Proceedings of the Symposium On Usable Privacy and Security (SOUPS), pages 76-87, Pittsburgh, PA, July 2007.
17. E. Brynjolfsson and L. Hitt. Computing productivity: Firm-level evidence. The Review of Economics and Statistics, 85(4):793-808, Nov. 2003. (Pubitemid 37417018)
18. J. Cacioppo and R. Petty. The need for cognition. Journal of Personality and Social Psychology, 42(1):116-131, Jan. 1982.
19. J. Camp and C. Wolfram. Pricing security. In Proceedings of the CERT Information Survivability Workshop, pages 31-39, Boston, MA, Oct. 2000.
20. J. Campbell, N. Greenauer, K. Macaluso, and C. End. Unrealistic optimism in internet events. Computers in Human Behavior, 23(3):1273-1284, May 2007. (Pubitemid 46073576)
21. C. Cannell, P. Miller, and L. Oksenberg. Research on interviewing techniques. Sociological Methodology, 16:389-437, 1981.
22. R. Casamiquela. Contractual assent and enforceability in cyberspace. Berkeley Technology Law Journal, 17(1):475-495, Fall 2002.
23. Center for Information Policy Leadership at Hunton & Williams. HIPAA privacy notice highlights template, February 2003. http://www.hunton.com/files/ tbl-s10News\%5CFileUpload44\%5C10102\%5CHIPAA-Template.pdf.
24. S. Chaiken. Heuristic versus systematic information processing and the use of source versus message cues in persuasion. Journal of Personality and Social Psychology, 39(5):752-766, Nov. 1980.
25. S. Chaiken and T. Yaacov. Dual-process Theories in Social Psychology. Guilford Press, New York, 1999.
26. N. Christin, S. Egelman, T. Vidas, and J. Grossklags. It's all about the Benjamins: An empirical study on incentivizing users to ignore security advice. In Proceedings of the Fifteenth International Conference on Financial Cryptography and Data Security (FC'11), Rodney Bay, St. Lucia, Feb.-Mar. 2011.
27. R. Cialdini, C. Kallgren, and R. Reno. A focus theory of normative conduct: A theoretical refinement and reevaluation of the role of norms in human behavior. Advances in Experimental Social Psychology, 24:201-234, 1991.
28. W. Clapp, M. Rubens, J. Sabharwal, and A. Gazzaley. Deficit in switching between functional brain networks underlies the impact of multitasking on working memory in older adults. Proceedings of the National Academy of Sciences, 108(17):7212-7217, Apr. 2011.
29. S. Clauß and M. Köhntopp. Identity management and its support of multilateral security. Computer Networks, 37(2):204-219, Oct. 2001.
30. Committee on Commerce, Science, and Transportation, Staff Report for Chairman Rockefeller. Aggressive sales tactics on the internet and their impact on american consumers, Nov 2009.
31. L. F. Cranor. P3P : Making privacy policies more useful. IEEE Security & Privacy, 1(6):50-55, Nov.-Dec. 2003.
32. R. Dhamija and J. Tygar. The battle against phishing: Dynamic security skins. In Proceedings of the Symposium On Usable Privacy and Security (SOUPS), pages 77-88, Pittsburgh, PA, July 2005.
33. R. Dhamija, J. Tygar, and M. Hearst. Why phishing works. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'06), pages 581-590, Montreal, Canada, Apr. 2006.
34. P. DiGioia and P. Dourish. Social navigation as a model for usable security. In Proceedings of the Symposium On Usable Privacy and Security (SOUPS), pages 101-108, Pittsburgh, PA, July 2005.
35. S. Djamasbi, M. Siegel, T. Tullis, and R. Dai. Efficiency, trust, and visual appeal: Usability testing through eye tracking. In Proceedings of the 43rd Hawaii International Conference on System Sciences (HICSS), Kauai, HI, Jan. 2010.
36. B. Edelman. Adverse selection in online "trust" certifications and search results. Electronic Commerce Research and Applications, 10(1):17-25, Jan.-Feb. 2011.
37. S. Egelman, L. Cranor, and J. Hong. You've been warned: An empirical study of the effectiveness of web browser phishing warnings. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'08), pages 1065-1074, Florence, Italy, Apr. 2008.
38. S. Egelman, J. Tsai, L. Cranor, and A. Acquisti. Timing is everything? The effects of timing and placement of online privacy indicators. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'09), pages 319-328, Boston, MA, Apr. 2009.
39. H. Esser. Können Befragte lügen? Zum Konzept des "wahren Wertes" im Rahmen der handlungstheoretischen Erklärung von Situationseinflüssen bei der Befragung. Kölner Zeitschrift für Soziologie und Sozialpsychologie, 38:314-336, 1986.
40. J. Falkinger. Attention economies. Journal of Economic Theory, 133(1):266-294, Mar. 2007.
41. Federal Trade Commission. Fair information practice principles. http://www.ftc.gov/reports/privacy3/fairinfo.shtm.
42. I. Fried. Criticism mounting over Windows 7 security, February 2009. http://news.cnet.com/8301-13860-3-10156617-56.html.
43. B. Friedman, D. Howe, and E. Felten. Informed consent in the Mozilla browser: Implementing value sensitive design. In Proceedings of the 35th Hawaii International Conference on System Sciences (HICSS), Big Island, HI, Jan. 2002.
44. N. Fultz and J. Grossklags. Blue versus red: Towards a model of distributed security attacks. In R. Dingledine and P. Golle, editors, Financial Cryptography, volume 5628 of Lecture Notes in Computer Science, pages 167-183, Berlin Heidelberg, 2009. Springer.
45. S. Furnell, P. Bryant, and A. Phippen. Assessing the security perceptions of personal Internet users. Computers & Security, 26(5):410-417, Aug. 2007. (Pubitemid 47079135)
46. N. Good, R. Dhamija, J. Grossklags, S. Aronovitz, D. Thaw, D. Mulligan, and J. Konstan. Stopping spyware at the gate: A user study of privacy, notice and spyware. In Proceedings of the Symposium On Usable Privacy and Security (SOUPS), pages 43-52, Pittsburgh, PA, July 2005.
47. N. Good, J. Grossklags, D. Mulligan, and J. Konstan. Noticing notice: A largescale experiment on the timing of software license agreements. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI 2007), pages 607-616, San Jose, CA, Apr.-May 2007.
48. J. Grossklags and N. Good. Empirical studies on software notices to inform policy makers and usability designers. In Proceedings of the International Workshop on Usable Security (USEC'07), pages 341-355, Scarborough, Trinidad and Tobago, Feb. 2007.
49. G. Hardin. The tragedy of the commons. Science, 162(3859):1243-1248, Dec. 1968.
50. R. Haveman. Common property, congestion, and environmental pollution. Quarterly Journal of Economics, 87(2):278-287, May 1973.
51. C. Herley. So long, and no thanks for the externalities: The rational rejection of security advice by users. In Proceedings of the New Security Paradigms Workshop (NSPW), Oxford, UK, Sept. 2009.
52. M. Hochhauser. Lost in the fine print: Readability of nancial privacy notices, July 2001. http://www.privacyrights.org/ar/GLB-Reading.htm.
53. M. Hochhauser. Compliance v communication. Clarity: Journal of the International Movement to simplify legal language, 50:11-19, Nov. 2003.
54. M. Hochhauser. Readability of HIPAA privacy notices, March 2008. http://benefitslink.com/articles/hipaareadability.pdf.
55. K. Höök, D. Benyon, and A. J. Munro, editors. Designing Information Spaces: The Social Navigation Approach, Berlin Heidelberg, 2003. Springer-Verlag.
56. B. Huberman and F. Wu. The economics of attention: Maximizing user value in information-rich environments. Advances in Complex Systems, 11(4):487-496, Aug. 2008.
57. S. Iyengar and M. Lepper. When choice is demotivating: Can one desire too much of a good thing? Journal of Personality and Social Psychology, 79(6):995-1006, Dec. 2000.
58. C. Jensen and C. Potts. Privacy policies as decision-making tools: An evaluation on online privacy notices. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'04), pages 471-478, Vienna, Austria, Apr. 2004.
59. C. Jensen, C. Potts, and C. Jensen. Privacy practices of internet users: Self-reports versus observed behavior. International Journal of Human-Computer Studies, 63(1-2):203-227, July 2005. (Pubitemid 40753499)
60. F. Keukelaere, S. Yoshihama, S. Trent, Y. Zhang, L. Luo, and M. Zurko. Adaptive security dialogs for improved security behavior of users. In T. Gross et al., editor, Proceedings of the International Conference on Human-Computer Interaction (INTERACT 2009), volume 5726 of Lecture Notes in Computer Science, pages 510-523, Berlin Heidelberg, 2009. Springer.
61. N. Kim. 'Wrap contracts and privacy. In M. Genesereth, R. Vogl, and M.-A. Williams, editors, AAAI Spring Symposium on Intelligent Privacy Management, pages 110-112, Menlo Park, CA, Mar. 2010.
62. Kleimann Communication Group. Evolution of a prototype financial privacy notice: A report on the form development project, February 2006.
63. R. Kraut, S. Sunder, R. Telang, and J. Morris. Pricing electronic mail to solve the problem of spam. Human-Computer Interaction, 20(1):195-223, June 2005. (Pubitemid 41158326)
64. J. Krosnick. Response strategies for coping with the cognitive demands of attitude measures in surveys. Applied Cognitive Psychology, 5(3):213-236, May-Jun. 1991.
65. J. Krosnick and D. Alwin. An evaluation of a cognitive theory of response-order effects in survey measurement. Public Opinion Quarterly, 51(2):201-219, Summer 1987.
66. P. Kumaraguru and L. Cranor. Privacy indexes: A survey of Westin's studies. Available as ISRI Technical Report CMU-ISRI-05-138, 2005.
67. S. Laforet and X. Li. Consumers' attitudes towards online and mobile banking in China. The International Journal of Bank Marketing, 23(5):362-380, May 2005. (Pubitemid 41240294)
68. E. Langer. The illusion of control. Journal of Personality and Social Psychology, 32(2):311-328, Aug. 1975.
69. R. Larose and N. Rifon. Promoting i-safety: Effects of privacy warnings and privacy seals on risk assessment and online privacy behavior. The Journal of Consumer Affairs, 41(1):127-149, Summer 2007.
70. Y. Lee and K. Kozar. Investigating factors affecting the adoption of anti-spyware systems. Communications of the ACM, 48:72-77, Aug. 2005. (Pubitemid 41101418)
71. A. Levy and M. Hastak. Consumer comprehension of financial privacy notices: A report on the results of the quantitative testing, December 2008. http://www.ftc.gov/privacy/privacyinitiatives/Levy-Hastak-Report.pdf.
72. G. Lindgaard, G. Fernandes, C. Dudek, and J. Brown. Attention web designers: You have 50 milliseconds to make a good first impression! Behaviour & Information Technology, 25(2):115-126, Mar.-Apr. 2006.
73. T. Loder, M. van Alstyne, and R. Wash. An economic answer to unsolicited communication. In Proceedings of the ACM Conference on Electronic Commerce (EC), pages 40-50, New York, NY, May 2004.
74. N. Lundblad and B. Masiello. Opt-in dystopias. SCRIPTed, 7(1):155-165, Apr. 2010.
75. B. Mai, N. Menon, and S. Sarkar. No free lunch: Price premium for privacy seal-bearing vendors. Journal of Management Information Systems, 27(2):189-212, Fall 2010.
76. F. Marotta-Wurgler. Competition and the quality of standard form contracts: An empirical analysis of software license agreements. Journal of Empirical Legal Studies, 5(3):447-475, Sept. 2008.
77. M. Masnick. Supreme court chief justice admits he doesn't read online EULAs or other 'fine print', October 2010.
78. M. Masson and M. Waldron. Comprehension of legal contracts by nonexperts: Effectiveness of plain language redrafting. Applied Cognitive Psychology, 8:67-85, Feb. 1994.
79. A. McDonald and L. Cranor. The cost of reading privacy policies. I/S: A Journal of Law and Policy for the Information Society, 4(3), 2008.
80. G. McGraw and E. Felten. Securing Java: Getting down to business with mobile code. John Wiley & Sons, New York, NY, 1999.
81. G. Milne, M. Culnan, and H. Greene. A longitudinal assessment of online privacy notice readability. Journal of Public Policy & Marketing, 25(2):238-249, Fall 2006.
82. T. Moore, A. Friedman, and A. Procaccia. Would a 'cyber warrior' protect us? Exploring trade-offs between attack and defense of information systems. In Proceedings of the New Security Paradigms Workshop (NSPW), Concord, MA, Sept. 2010.
83. S. Motiee, K. Hawkey, and K. Beznosov. Do Windows users follow the principle of least privilege? Investigating user account control practices. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS), pages 1-13, Redmond, WA, July 2010.
84. National Cyber Security Alliance, Norton by Symantec, and Zogby International. 2010 NCSA / Norton by Symantec Online Safety Study, October 2010.
85. A. Oulasvirta, J. Hukkinen, and B. Schwartz. When more is less: The paradox of choice in search engine use. In Proceedings of the 32nd International ACM SIGIR Conference on Research and Development in Information Retrieval, pages 516-523, Boston, MA, July 2009.
86. M. Overly and J. Kalyvas. Software Agreements Line by Line: A Detailed Look at Software Contracts and Licenses & How to Change Them to Fit Your Needs. Aspatore Books, Boston, MA, 2004.
87. S. Peltzman. The effects of automobile safety regulation. Journal of Political Economy, 83(4):677-726, Aug. 1975.
88. R. Petty and J. Cacioppo. Communication and Persuasion: Central and Peripheral Routes to Attitude Change. Springer, New York, 1986.
89. W. Poole. Financial analyst meeting 2005, July 2005. http://www. microsoft.com/msft/speech/FY05/PooleFAM2005.mspx.
90. R. Reeder, E. Kowalczyk, and A. Shostack. Helping engineers design NEAT security warnings. In Proceedings of the Symposium On Usable Privacy and Security (SOUPS), Pittsburgh, PA, July 2011.
91. M. Reichenbach, H. Damker, H. Federrath, and K. Rannenberg. Individual management of personal reachability in mobile communication. In L. Yngström and J. Carlsen, editors, Information Security in Research and Business (IFIP SEC '97), volume 92 of IFIP Conference Proceedings, pages 164-174, 1997.
92. M. Russinovich. PsExec, User Account Control and security boundaries, February 2007. http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/ 638372.aspx.
93. M. Salganik and D. Watts. Leading the herd astray: An experimental study of self-fulfilling prophecies in an artificial cultural market. Social Psychology Quarterly, 71(4):338-355, Dec. 2008.
94. R. Schechter. The unfairness of click-on software licenses. Wayne Law Review, 4(46):1735-1803, Winter 2000.
95. S. Schechter, R. Dhamija, A. Ozment, and I. Fischer. The emperor's new security indicators: An evaluation of website authentication and the effect of role playing on usability studies. In Proceedings of the 2007 IEEE Symposium on Security and Privacy, pages 51-65, Oakland, CA, May 2007.
96. S. Schuman and S. Presser. Questions and Answers in Attitude Surveys. Sage, Thousand Oaks, 1996.
97. M. Schunter and C. Powers. The enterprise privacy authorization language (EPAL 1.1), 2003. http://www.zurich.ibm.com/security/enterprise-privacy/epal/.
98. B. Schwartz. The Paradox of Choice: Why More Is Less. Ecco Press (HarperCollins Publishers), New York, NY, 2004.
99. C. Shapiro and H. R. Varian. Information Rules. A Strategic Guide to the Network Economy. Harvard Business School Press, 1998.
100. D. Sharek, C. Swofford, and M. Wogalter. Failure to recognize fake internet popup warning messages. In Proceedings of the 52nd Annual Meeting of the Human Factors and Ergonomics Society, pages 557-560, New York, NY, Sept. 2008.
101. H. Simon. Designing organizations for an information rich world. In M. Greenberger, editor, Computers, Communications and the Public Interest, pages 38-52. John Hopkins Press, 1971.
102. C. Sims. Rational inattention: A research agenda. http://sims.princeton. edu/yftp/RIplus/RatInattPlus.pdf, 2006.
103. J. Sobey, R. Biddle, P. van Oorschot, and A. Patrick. Exploring user reactions to new browser cues for extended validation certificates. In Proceedings of the 13th European Symposium on Research in Computer Security (ESORICS), pages 411-427, Malaga, Spain, Oct. 2008.
104. S. Spiekermann, J. Grossklags, and B. Berendt. E-privacy in 2nd generation e-commerce: Privacy preferences versus actual behavior. In Proceedings of the ACM Conference on Electronic Commerce (EC), pages 38-47, Tampa, FL, Oct. 2001.
105. B. Stone-Gross, R. Abman, R. Kemmerer, C. Kruegel, and D. Steigerwald. The underground economy of fake antivirus software. In Workshop on the Economics of Information Security (WEIS), Fairfax, VA, June 2011.
106. F. Strack and L. Martin. Thinking, judging, and communicating: A process account of context effects in attitude surveys. In H.-J. Hippler, editor, Social Information Processing and Survey Methodology, pages 123-148. Springer, New York, 2. edition, 1988.
107. J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. Cranor. Crying wolf: An empirical study of ssl warning effectiveness. In Proceedings of the 18th USENIX Security Symposium, pages 399-416, Montreal, Canada, Aug. 2009.
108. P. Torr. Demystifying the threat modeling process. IEEE Security & Privacy, 3(5):66-70, Sep.-Oct. 2005.
109. R. Tourangeau, L. Rips, and K. Rasinski. The Psychology of Survey Response. University Press, Cambridge, 2000.
110. M. van Eeten and J. Bauer. Economics of Malware: Security Decisions, Incentives and Externalities. STI Working Paper 2008/1, Information and Communication Technologies. OECD, 2008.
111. H. Varian. System reliability and free riding. In L. Camp and S. Lewis, editors, Economics of Information Security (Advances in Information Security, Volume 12), pages 1-15. Kluwer Academic Publishers, Dordrecht, The Netherlands, 2004.
112. H. Varian. Computer mediated transactions. American Economic Review, 100(2):1-10, May 2010.
113. C. Viecco, A. Tsow, and J. Camp. A privacy-aware architecture for a web rating system. IBM Journal of Research and Development, 53(2):7:1-7:16, Mar. 2009.
114. T. Vila, R. Greenstadt, and D. Molnar. Why we can't be bothered to read privacy policies: Models of privacy economics as a lemons market. In L. Camp and S. Lewis, editors, Economics of Information Security (Advances in Information Security, Volume 12), pages 143-153. Kluwer Academic Publishers, Dordrecht, The Netherlands, 2004.
115. R. Villamarín-Salomón and J. Brustoloni. Using reinforcement to strengthen users' secure behaviors. In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'10), pages 363-372, Atlanta, GA, Apr. 2010.
116. H. Wang, Y. Hu, C. Yuan, Z. Zhang, and Y. Wang. Friends troubleshooting network: Towards privacy-preserving, automatic troubleshooting. In Proceedings of the 3rd International Workshop on Peer-to-Peer Systems (IPTPS), pages 184-194, San Diego, CA, Feb. 2004.
117. A. Whitten and D. Tygar. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium, pages 169-184, Washington, DC, Aug. 1999.
118. B. Whitworth. Politeness as a social software requirement. International Journal of Virtual Communities and Social Networking, 1(2):65-84, 2009.
119. P. Wilson. Second-hand knowledge: An inquiry into cognitive authority. Greenwood, Westport, CT, 1983.
120. F. Wu and B. Huberman. Novelty and collective attention. Proceedings of the National Academy of Sciences, 104(45):17599-17601, Nov. 2007. (Pubitemid 350210881)
121. M. Wu, R. Miller, and S. Garfinkel. Do security toolbars actually prevent phishing attacks? In Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI'06), pages 601-610, Montreal, Canada, Apr. 2006.
122. M. Zurko, C. Kaufman, K. Spanbauer, and C. Bassett. Did you ever have to make up your mind? What Notes users do when faced with a security decision. In Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC), pages 371-381, Las Vegas, NV, Dec. 2002.