The EU is apparently thinking of adopting common and highly restrictive privacy standards which would make use of information by firms much more difficult and would require, for example, that data be retained only as long as necessary. This is touted as pro-consumer legislation. However, the effects would be profoundly anti-consumer. For one thing, ads would be much less targeted, and so consumers would get less valuable ads and would not learn as much about valuable prodcts and services aimed at their interests. For another effect, fraud and identity theft would become more common as sellers could not use stored information to verify identity. Finally, costs of doing buisness would increase, and so we would expect to see fewer innovations aimed at the European market, and some sellers might avoid that market entirely.

(Cross-posted from the Truth on the Market blog.)

By now everyone is probably aware of the “tracking” of certain cellphones (Sprint, iPhone, T-Mobile, AT&T perhaps others) by a company called Carrier IQ.  There are lots of discussions available; a good summary is on one of my favorite websites, Lifehacker;  also here from CNET. Apparently the program gathers lots of anonymous data mainly for the purpose of helping carriers improve their service. Nonetheless, there are lawsuits and calls for the FTC to investigate.

Aside from the fact that the data is used only to improve service, it is also useful to ask just what people are afraid of.  Clearly the phone companies already have access to SMS messages if they want it since these go through the phone system anyway.  Moreover, of course, no person would see the data even if it were somehow collected.  The fear is perhaps that “… marketers can use that data to sell you more stuff or send targeted ads…” (from the Lifehacker site) but even if so, so what?  If apps are using data to try to sell you stuff that they think that you want, what is the harm? If you do want it, then the app has done you a service.  If you don’t want it, then you don’t buy it.  Ads tailored to your behavior are likely to be more useful than ads randomly assigned.

The Lifehacker story does use phrases like “freak people out” and “scary” and “creepy.”  But except for the possibility of being sold stuff, the story never explains what is harmful about the behavior.  As I have said before, I think the basic problem is that people cannot understand the notion that something is known but no person knows it.  If some server somewhere knows where your phone has been, so what?

The end result of this episode will probably be somewhat worse phone service.

(Cross posted from the Truth on the Market blog)

The Wall Street Journal had a long article-debate on privacy earlier this week.  The strongest pro-privacy is Christopher Soghoian of the Open Society Institute.  He confuses commercial privacy with government privacy:

“The dirty secret of the Web is that the “free” content and services that consumers enjoy come with a hidden price: their own private data. Many of the major online advertising companies are not interested in the data that we knowingly and willingly share. Instead, these parasitic firms covertly track our web-browsing activities, search behavior and geolocation information. Once collected, this mountain of data is analyzed to build digital dossiers on millions of consumers, in some cases identifying us by name, gender, age as well as the medical conditions and political issues we have researched online.”

When asked “Why is that a problem” he replies

“Many of the dangers posed by digital dossiers do not occur regularly, but are incredibly destructive to people’s lives when they do. An unlucky few will be stalked, fired, surveilled, arrested, deported or even tortured, all as a result of the data kept about them by companies and governments. Much more common are the harms of identity theft or public embarrassment. Even when companies follow best practices—and few do—it is impossible to be completely secure.”

Note that “parasitic firms” are collecting the data which is then used for arrest, deportation, and torture.  A bit of a disconnect. Identity theft is a problem, but the risk is decreasing and the costs are almost always low.  Moreover, identity thieves are crooks, not firms.

What is particularly interesting about the article is the survey data reported.  It demonstrates peoples’ confusion about the issues.  92% of the adults surveyed  “Think that there should be a law that requires websites and advertising companies to delete all stored information about an individual” but between 32% and 47% would like websites to provide information of some sort (ads: 32%, discounts: 47%, or news: 40%) “tailored to their interests.”  But of course these numbers are totally inconsistent.  If websites cannot keep any information about an individual, then they cannot provide tailored information since there will be nothing on which to base the tailoring.  The relevant questions are tradeoff questions, but the reported survey does not address these.

Cross-posted from the Truth on the Market blog

Senators Kerry and McCain released their long-awaited privacy bill yesterday afternoon – the Commercial Privacy Bill of Rights Act of 2011. After scanning through the bill summary and text, I thought I would add my initial thoughts to the mountain of reaction the bill is sure to produce.

First of all, it is clear that the Senators made an attempt at addressing calls for privacy regulation while acknowledging the importance of the free-flow of information in the marketplace.  Specifically, the Senators cite the importance of online advertising in funding the “free” online content and services we all enjoy.  Also encouraging is the bill’s call for opt-out consent requirement for behavior advertising or marketing, which would have much less impact on commerce than mandatory opt-in consent.

Still, the bill does raise some concerns, which I touch upon below.

The bill requires that firms provide individuals access to information collected and mechanisms to correct the information.  This has the potential to create a host of issues.  First of all, anytime an individual accesses such information, it is an opportunity for a security breach or even fraud, which runs counter to the bill’s intention to improve information security.  Second, it is unclear if an individual is allowed to change any and all information a firm may have collected.  What about in instances where an individual may want to remove something they deem as negative, but still accurate?  Because of the vagueness of the language, these concerns are not addressed in the bill but they should be considered.  CORRECTION: It was just pointed out to me that the bill does allow a firm to deny access and correction, as long as they allow an individual to request that the firm stop using or distributing that information. 

Also of concern is the bill’s requirement to only collect information that is needed to deliver a specific service, but allow the use of this information to research and development for a “reasonable amount of time.”  There are real trade-offs when the flow of information is restricted.  In this case, restriction of information, including the length of time information can be held, will result in hindering innovation, especially in online services.  It is unclear if consumers value this restriction of information more than innovation in services, but their actual behavior in the marketplace suggests a willingness to give up information in return for services and content. 

Finally, the bill raises an overarching concern that has been reiterated many times by TPI’s esteemed leader, Tom Lenard: “Where’s the data?“  Indeed, the influx of privacy bills and reports of late seem to be based much on feeling and opinions – with not a real analysis of costs and benefits among them.  Without a cost-benefit analysis of these proposed regulations and identification of the actual harms the regulation is trying to address, it’s impossible to tell if any of these proposals will actually make consumers better off.   Since the commercial use of information has been a vital component of the wide array of services offered on the internet, it is imperative that any policy regulating the use of this information is supported by real data and analysis going forward.

I filed comments today on the FTC staff report on privacy, which sadly is another in a long line of privacy policy proposals without any supporting data or empirical analysis.  So much for data-driven policy.

Although the report asserts that “industry must do better,” it contains no systematic data on what industry is doing now.  So, how can we know that industry needs to do better?  Policymakers can’t make informed decisions without understanding what the baseline is – what’s going on now in the marketplace.  The last systematic study of privacy practices of commercial web sites appears to be a 2001 survey (one that I was involved with) undertaken by The Progress & Freedom Foundation and Ernst & Young.

The FTC staff proposal is based on “the major themes and concepts” developed through their roundtables.  Themes and concepts are interesting, but they are not a substitute for data and analysis.  Without an analysis of benefits and costs there is no way to know whether the proposal or any of its elements would improve consumer welfare.  The staff acknowledges the need to assess the costs and benefits of its most prominent proposal, a Do-Not-Track mechanism, but then endorses the proposal without having done such an assessment.  This violates the spirit, if not the letter of President Obama’s recent executive order on regulation, which stresses the need to evaluate both benefits and costs.

The commercial use of information online is a critical part of the Internet, supporting a wide array of content and producing other benefits.  The FTC is the expert agency on privacy issues, yet its staff has proposed a major new regulatory framework for this sector without any data.  We need much more to inform the policy discussion.

TPI President Tom Lenard filed comments with the Department of Commerce today regarding its proposed privacy framework.  His take: the Green Paper contains little data or analysis to show whether its framework will improve or reduce consumer welfare.  Moreover, the proposal “violates the spirit, if not the letter, of President Obama’s recent executive order on regulation, which stresses the need to evaluate both benefits and costs.”

Lenard strongly urges the agency to:

• Collect current data on the privacy and data management practices of major web sites.  It is impossible to make an informed policy decision without an accurate understanding of current privacy practices.  The most recent available data appear to be from 2001.
• Produce evidence showing that current practices are harming consumers. The agency’s privacy framework will only produce benefits to the extent it alleviates identified harms. 
• Review what we know about how consumers value privacy. In addition to referring to current studies, the agency should also perform additional studies as a basis for estimating the benefits of a new privacy framework.
• Estimate the costs of its privacy framework and alternative proposals. These estimates should include direct pecuniary costs to firms from devoting more resources to privacy and the indirect costs of having less information available.
• Produce sufficient evidence of a reasonable expectation that the benefits of its proposal are greater than the costs.  Otherwise the proposal should not be adopted.

Tom’s brief comments can be found here.

At a Senate Commerce Committee hearing last week, Federal Trade Commission Chairman Jon Liebowitz indicated that the agency is exploring the idea of a Do Not Track List that would allow consumers to block servers from tracking their online activities.  A Do Not Track List sounds like a good idea, because the Do Not Call List for telemarketing calls is popular.  Before moving forward with a Do Not Track List, however, the FTC should thoroughly analyze its benefits and costs and determine whether there are more cost-effective ways of achieving the same objective.  Here is my back-of- the-envelope assessment.

Benefits:

People who sign up for a Do Not Track List will do so because they derive some utility simply from knowing they are not being tracked.  This value is not easily quantifiable, but some people will surely be better off.

However, the more tangible benefits of the Do Not Call List – reducing unwanted marketing solicitations – are not there with a Do Not Track List.  Consumers would not necessarily receive fewer ads.  (Indeed, it would be difficult for them to know if the list were actually working)  They would just receive ads that are less-well-targeted to their interests.  There are ways that consumers can block ads on the Internet, but a Do Not Track List is not one of them.

Costs:

First, there are direct costs of implementation.  This would be a fairly major undertaking for the FTC, so these costs are probably not trivial.

Second, there are indirect costs in terms of the quantity and quality of services and content on the Internet.  These costs would be borne not only by Do Not Track List participants but by other Internet users as well.  A Do Not Track List (depending on how many people signed up) would reduce the value of the Internet as an advertising medium, and therefore would reduce the revenues available to support Internet content.  A Do Not Track List would also affect the quality of major Internet services, such as search engines, which use data on search histories to update and improve their algorithms, and to protect against threats such as search spam, click-fraud, malware and phishing.  If search engines have less data, they can’t do this as well.  In sum, there are positive externalities to the information generated by online tracking that support the services that everyone uses.  Consumers who signed up for a Do Not Track List would be free-riding off those consumers who allowed their data to be used.

Finally, consumers who signed up for a Do Not Track List would receive ads that were less-well-targeted and therefore less useful.  The cost of this would depend on the value these consumers place on advertising.

Cost-Effectiveness:

Even if one were to conclude that the benefits of a Do Not Track List were greater than the costs, there is still a cost-effectiveness question:  is this the least costly way for consumers to avoid being tracked?  The answer is probably not, because users can already adjust their browser settings to avoid being tracked.  Many (perhaps most) users don’t know how to do this, but it’s easy to learn if you want to.  It only takes a few clicks.  In fact, it would likely be just as easy to learn how to adjust your browser to avoid being tracked as to sign up for a Do Not Track List and it would be totally under the user’s control.  Why should the FTC set up a whole new program to do something that consumers can fairly easily do for themselves?  A better, more cost-effective alternative would be for the FTC to post an online tutorial showing consumers how to do it.

Of course, the fact that most consumers probably haven’t taken the trouble to learn how to adjust their browser settings may mean that they don’t place a very high value on not being tracked.  That suggests the benefits of a Do Not Track list would be small, likely far smaller than the costs.

The Internet has opened huge number of possibilities for information and communication.  As the medium evolves, clever people are continually finding new applications.  But as soon as someone comes up with a new way of using the web, we can be sure that “privacy advocates” will quickly be along to warn against the “dangers” of this application.

One relatively new way in which people are using the Internet is that patients with particular medical conditions are able to find and communicate with each other.  A recent New York Times article has addressed this type of communication: “When Patients Meet Online, Are There Side Effects?”, Natasha Singer, May 28, 2010.

Some of the article is positive and discusses the benefits of such information sharing:  “Members can seek out patients of the same age, sex, and disease progression, whose profiles are displayed on the site, to see which drugs or doses worked for them. Drug makers can pinpoint subgroups — say, severely depressed middle-aged men — who reported the greatest improvement on a particular medication.”

But as is common with any article about information on the internet, the article quickly begins discussing what it views as negatives. Even the title references “Side Effects” and not benefits.  Moreover, many of these sites have various connections with drug makers.  To the Times, this raises some questions:

 “But pharmaceutical crowd-sourcing also raises important questions about the trade-off between the benefits of information sharing and the risk of patient exploitation.

 “Some people share their health information for the sake of the greater good. Yet they typically have no way of knowing whether their health profiles contribute directly to the development of more effective treatments — or are simply mined to create more effective drug marketing.”

These two paragraphs contain lots of hidden assumptions.  By patient “exploitation,” it appears that the author means selling patients drugs, but selling someone something that they want and that may provide benefits is not “exploitation.”   Moreover, marketing is contrasted with “development of more effective treatments,” implying that one is good but the other bad.  But creation of more effective drug marketing generally means finding out ways in which to better match patients and treatments – a socially useful activity.

Of course, one of usual suspects among privacy advocates is also quoted:  “’We are talking about a digital pharma stealth economy that is emerging,’ says Jeff Chester, the director of the Center for Digital Democracy, a nonprofit group that works to safeguard user privacy.”  The Times sees no need to quote anyone who takes a different view on information and privacy.  Apparently, one side is enough to represent.

The FDA  also appears to be concerned about this “digital pharma stealth economy” and has been looking into the drug advertising market.  According to the article, the FDA “is still developing a policy on drug marketing through social media.”  We can only hope that the FDA does not stifle this very useful set of tools because of the fears of the privacy advocates and others with similar beliefs.