Archive for the ‘Privacy and Security’ Category

Commerce Department Green Paper – a lot of Opinion, not a lot of Data

Friday, January 28th, 2011

TPI President Tom Lenard filed comments with the Department of Commerce today regarding its proposed privacy framework.  His take: the Green Paper contains little data or analysis to show whether its framework will improve or reduce consumer welfare.  Moreover, the proposal “violates the spirit, if not the letter, of President Obama’s recent executive order on regulation, which stresses the need to evaluate both benefits and costs.”

Lenard strongly urges the agency to:

  • Collect current data on the privacy and data management practices of major web sites.  It is impossible to make an informed policy decision without an accurate understanding of current privacy practices.  The most recent available data appear to be from 2001.
  • Produce evidence showing that current practices are harming consumers. The agency’s privacy framework will only produce benefits to the extent it alleviates identified harms. 
  • Review what we know about how consumers value privacy. In addition to referring to current studies, the agency should also perform additional studies as a basis for estimating the benefits of a new privacy framework.
  • Estimate the costs of its privacy framework and alternative proposals. These estimates should include direct pecuniary costs to firms from devoting more resources to privacy and the indirect costs of having less information available.
  • Produce sufficient evidence of a reasonable expectation that the benefits of its proposal are greater than the costs.  Otherwise the proposal should not be adopted.

Tom’s brief comments can be found here.

Tom Lenard on five Q’s on tech

Tuesday, September 28th, 2010

Last week, Rob Haralson did a quick interview with TPI’s Tom Lenard for his site five Q’s on tech.

Tom discusses why he thinks policymakers looking at privacy issues are going about it all wrong, network neutrality, and upcoming TPI projects.

Video is here:

Five Q’s with Tom Lenard, Tech Policy Institute from FiveQsOnTech.com on Vimeo.

If you like the Do Not Call List, should you want a Do Not Track List?

Thursday, August 5th, 2010

At a Senate Commerce Committee hearing last week, Federal Trade Commission Chairman Jon Leibowitz indicated that the agency is exploring the idea of a Do Not Track List that would allow consumers to block servers from tracking their online activities.  A Do Not Track List sounds like a good idea, because the Do Not Call List for telemarketing calls is popular.  Before moving forward with a Do Not Track List, however, the FTC should thoroughly analyze its benefits and costs and determine whether there are more cost-effective ways of achieving the same objective.  Here is my back-of-the-envelope assessment.

Benefits:

People who sign up for a Do Not Track List will do so because they derive some utility simply from knowing they are not being tracked.  This value is not easily quantifiable, but some people will surely be better off.

However, the more tangible benefits of the Do Not Call List – reducing unwanted marketing solicitations – are not there with a Do Not Track List.  Consumers would not necessarily receive fewer ads.  (Indeed, it would be difficult for them to know if the list were actually working.)  They would just receive ads that are less-well-targeted to their interests.  There are ways that consumers can block ads on the Internet, but a Do Not Track List is not one of them.

Costs:

First, there are direct costs of implementation.  This would be a fairly major undertaking for the FTC, so these costs are probably not trivial.

Second, there are indirect costs in terms of the quantity and quality of services and content on the Internet.  These costs would be borne not only by Do Not Track List participants but by other Internet users as well.  A Do Not Track List (depending on how many people signed up) would reduce the value of the Internet as an advertising medium, and therefore would reduce the revenues available to support Internet content.  A Do Not Track List would also affect the quality of major Internet services, such as search engines, which use data on search histories to update and improve their algorithms, and to protect against threats such as search spam, click-fraud, malware and phishing.  If search engines have less data, they can’t do this as well.  In sum, there are positive externalities to the information generated by online tracking that support the services that everyone uses.  Consumers who signed up for a Do Not Track List would be free-riding off those consumers who allowed their data to be used.

Finally, consumers who signed up for a Do Not Track List would receive ads that were less-well-targeted and therefore less useful.  The cost of this would depend on the value these consumers place on advertising.

Cost-Effectiveness:

Even if one were to conclude that the benefits of a Do Not Track List were greater than the costs, there is still a cost-effectiveness question:  is this the least costly way for consumers to avoid being tracked?  The answer is probably not, because users can already adjust their browser settings to avoid being tracked.  Many (perhaps most) users don’t know how to do this, but it’s easy to learn if you want to.  It only takes a few clicks.  In fact, it would likely be just as easy to learn how to adjust your browser to avoid being tracked as to sign up for a Do Not Track List and it would be totally under the user’s control.  Why should the FTC set up a whole new program to do something that consumers can fairly easily do for themselves?  A better, more cost-effective alternative would be for the FTC to post an online tutorial showing consumers how to do it.

Of course, the fact that most consumers probably haven’t taken the trouble to learn how to adjust their browser settings may mean that they don’t place a very high value on not being tracked.  That suggests the benefits of a Do Not Track List would be small, likely far smaller than the costs.

Fear of Drug Information

Wednesday, June 2nd, 2010

The Internet has opened a huge number of possibilities for information and communication.  As the medium evolves, clever people are continually finding new applications.  But as soon as someone comes up with a new way of using the web, we can be sure that “privacy advocates” will quickly be along to warn against the “dangers” of this application.

One relatively new way in which people are using the Internet is that patients with particular medical conditions are able to find and communicate with each other.  A recent New York Times article has addressed this type of communication: “When Patients Meet Online, Are There Side Effects?”, Natasha Singer, May 28, 2010.

Some of the article is positive and discusses the benefits of such information sharing:  “Members can seek out patients of the same age, sex, and disease progression, whose profiles are displayed on the site, to see which drugs or doses worked for them. Drug makers can pinpoint subgroups — say, severely depressed middle-aged men — who reported the greatest improvement on a particular medication.”

But as is common with any article about information on the internet, the article quickly begins discussing what it views as negatives. Even the title references “Side Effects” and not benefits.  Moreover, many of these sites have various connections with drug makers.  To the Times, this raises some questions:

 “But pharmaceutical crowd-sourcing also raises important questions about the trade-off between the benefits of information sharing and the risk of patient exploitation.

 “Some people share their health information for the sake of the greater good. Yet they typically have no way of knowing whether their health profiles contribute directly to the development of more effective treatments — or are simply mined to create more effective drug marketing.”

These two paragraphs contain lots of hidden assumptions.  By patient “exploitation,” it appears that the author means selling patients drugs, but selling someone something that they want and that may provide benefits is not “exploitation.”   Moreover, marketing is contrasted with “development of more effective treatments,” implying that one is good but the other bad.  But creation of more effective drug marketing generally means finding out ways in which to better match patients and treatments – a socially useful activity.

Of course, one of the usual suspects among privacy advocates is also quoted:  “’We are talking about a digital pharma stealth economy that is emerging,’ says Jeff Chester, the director of the Center for Digital Democracy, a nonprofit group that works to safeguard user privacy.”  The Times sees no need to quote anyone who takes a different view on information and privacy.  Apparently, one side is enough to represent.

The FDA also appears to be concerned about this “digital pharma stealth economy” and has been looking into the drug advertising market.  According to the article, the FDA “is still developing a policy on drug marketing through social media.”  We can only hope that the FDA does not stifle this very useful set of tools because of the fears of the privacy advocates and others with similar beliefs.

Social Networking Privacy Practices – Giving Behavioral Advertising a Good Name

Monday, May 24th, 2010

Ever since Facebook introduced its new personalization programs, users, privacy groups, and lawmakers have complained that Facebook’s privacy controls are overly complex and change too frequently.  Thus, users who are not sufficiently alert may unintentionally release personal information to people who shouldn’t have that information.  A lot of people are rapidly becoming more alert.

In response to the flurry of criticism and, perhaps, to forestall government action, Facebook just announced that it will introduce new privacy controls that it hopes will be more transparent and easier to navigate. Google, faced with a similar problem a few months ago with its new feature, Buzz, also changed its privacy controls in response to vocal criticism.

So we see companies and users struggling to find where social networking ends and privacy intrusions begin.  The question for those of us concerned with public policy is whether the government can be helpful in this type of situation – for example, by providing guidelines as suggested by Senator Schumer.

Whatever one thinks of Facebook’s actions, it’s hard to envision how the FTC or any government agency could do anything that wouldn’t seriously interfere with the ability of businesses in young and fast-changing industries like social networking to introduce new services and try new business models.  The exception would be if Facebook misrepresents to its users what it is doing.  In that case, the FTC might have reason to bring an enforcement action under the current law.

So, despite the missteps, Facebook’s privacy practices are best left to be worked out between the site and its users.  Notwithstanding its rapid growth, the company ultimately will not succeed if it isn’t responsive to its users’ privacy concerns.

What is interesting about the recent Facebook and Google Buzz privacy episodes is that the discussions have mostly not been about the use of information for targeted advertising.  This strikes me as a positive development in that perhaps it will make people more aware of the real differences between information on social networking sites and the use of information for targeted advertising.  People are understandably concerned about the unintentional dissemination of personal information about themselves, including potentially to people they know, and they therefore need to pay close attention to the privacy controls.  That particular concern is not present with targeted advertising, because advertisers use information anonymously (see article by Paul Rubin and myself).  Indeed, even the latest news about Facebook and other social networking sites sending information to advertisers about the last webpage a user visited before clicking on an ad, which could be the user’s profile page, is not particularly a cause for concern.  (In any event, the sites have addressed the problem).  The process of targeting advertising based on users’ interests does not involve human beings looking at any individual’s data.  It is entirely automated.

I am not suggesting that targeted advertising has no connection to the new features being introduced by Facebook, Google and others for whom advertising is the major, often the sole, revenue source.  These companies are trying to increase the number of eyeballs, the amount of time the eyeballs spend on their sites, and the quality of information available in order to better target advertising and thus increase revenues.  Presumably, however, the information people make available is valuable for targeted advertising only when it is used anonymously.