Online Privacy and Regulation by Default

by on September 17, 2009 · 17 comments

My colleague Jim Harper and I have been having a friendly internal argument about Internet privacy regulation that strikes me as having potential implications for other contexts, so I thought I might as well pick it up here in case it’s of interest to anyone else. Unsurprisingly, neither of us is particularly sanguine about elaborate regulatory schemes—and I’m sympathetic to the general tenor of his recent post on the topic. But unlike Jim, as I recently wrote here, I can think of two rules that might be appropriate: A notice requirement that says third-party trackers must provide a link to an ordinary-language explanation of what information is being collected, and for what purpose, combined with a clear rule making those stated privacy policies enforceable in court. Jim regards this as paternalistic meddling with online markets; I regard it as establishing the conditions for the smooth functioning of a market. What do those differences come down to?

First, a question of expectations. Jim thinks it’s unreasonable for people to expect any privacy in information they “release” publicly—and when he’s talking about messages posted to public fora or Facebook pages, that’s certainly right. But it’s not always right, and as we navigate the Internet our computers can be coaxed into “releasing” information in ways that are far from transparent to the ordinary user. Consider this analogy. You go to the mall to buy some jeans; you’re out in public and clearly in plain view of many other people—most of whom, in this day and age, are probably carrying cameras built into their cell phones. You can hardly complain about being observed, and possibly caught on camera, as you make your way to the store. But what about when you make your way to the changing room at The Gap to try on those jeans? If the management has placed an unobtrusive camera behind a mirror to catch shoplifters, can the law require that the store post a sign informing you that you’re being taped in a location and context where—even though it’s someone else’s property—most people would expect privacy? Current U.S. law does, and really it’s just one special case of the law laying down default rules to stabilize expectations.  I think Jim sees the reasonable expectation in the online context as “everything is potentially monitored and archived all the time, unless you’ve explicitly been warned otherwise.” Empirically, this is not what most people expect—though they might begin to as a result of a notice requirement.

Now, as Jim well knows, there are many cases in which the law sets defaults to stabilize expectations. Under the common law doctrine of implied warranty, when you go out and buy a toaster, you do not explicitly write out a contract in which it’s stipulated that the thing will turn on when you get home and plug it in, that it will toast bread without bursting into flames, and so on. Markets would not function terribly well if you did have to do this constantly. Rather, it’s understood that there are some minimal expectations built into the transaction—toasters toast bread!—unless the seller provides explicit notice that this is an “as is” sale. This brings us to a second point of divergence: Like Jim, I think the evolutionary mechanism of the common law is generally the best way to establish these market-structuring defaults. Unlike Jim, I think sometimes it’s appropriate to resort to statute instead. This story from Techdirt should suggest why:

It’s still not entirely clear what online agreements are actually enforceable and which aren’t. We’ve seen cases go both ways, with a recent ruling even noting that terms that are a hyperlink away, rather than on the agreement page itself, may be enforceable. But the latest case, involving online retailer Overstock went in the other direction. A court found that Overstock’s arbitration requirement was unenforceable, because, as “browserwrap,” the user was not adequately notified. Eventually, it seems that someone’s going to have to make it clear what sorts of online terms are actually enforceable (if any). Until then, we’re going to see a lot more lawsuits like this one.

Evolutionary mechanisms are great, but they’re also slow, incremental, and in the case of the common law typically parasitic on the parallel evolution of broader social norms and expectations. That makes it an uneasy fit with novel and rapidly changing technological platforms for interaction. The tradeoff is that, while it’s slow, the discovery process tends to settle on efficient rules. But sometimes having a clear rule is actually more important—maybe significantly more important—than getting the rule just right. These features seem to me to weigh in favor of allowing Congress, not to say what standards of privacy must look like, but to step in and lay down public default rules that provide a stable basis for informed consumers and sellers to reach their own mutually beneficial agreements.

Finally, there’s the question of whether it’s constitutionally appropriate for federal legislators, rather than courts, to make that kind of decision. I scruple to say how “the Founders intended” the Constitution to apply to e-commerce, but even on a very narrow reading of the Commerce Clause, this seems to fall safely within the purview of a power to “make regular” commerce between the several states by establishing uniform rules for transactions across a network that pays no heed to state boundaries. A patchwork of divergent standards imposed by judges and state legislators does not strike me as an especially market-friendly response to people’s online privacy concerns, but that appears to be the alternative. If there’s a way to address those concerns that’s both constitutionally appropriate and works by enabling informed choice and contract rather than nannying consumers or micromanaging business practices, then it seems to me that it makes sense for supporters of limited government to point that solution out.

Cross-posted from Cato-at-Liberty.

  • http://srynas.blogspot.com/ Steve R.

    When you are out in public you should not have an expectation of privacy. As you surf the net, you leave a trail of data crumbs that others can use to construct a virtual “you” for a variety of purposes, such as targeted advertising. Please see my response to http://techliberation.com/2009/09/15/ftc-announ… Announces Roundtables on “Evolving Consumer Privacy Issues”.

    My continued concern with the “privacy/regulation” debate is that it ignores, through its silence, the issue of who has the “right-to-privacy”. It is the person who is being contacted who has the “right-to-privacy”, not the person who is initiating the contact. And yes I know that there is no actual explicit right to privacy, but we are supposed to be a civil society and unsolicited demands on your time are not good manners. This concept, I believe, is implied by David Boaz's article at the CATO Institute: Key Concepts of Libertarianism.

    What does this have to do with the “privacy/regulation” debate? The collection of your “private” data can't be stopped nor would I advocate some elaborate regulatory scheme to prevent data collection. As I have previously expressed, I don't have a problem with targeted advertising collected from my data crumbs and some data collection (cookies) actually helps me surf the web. Nevertheless, those who collect the data should be prohibited from giving/selling/trading or whatever that data with any partner/affiliate/accomplice or whatever.

    Moreover, passive advertising, such as ads on the side of your webpage, is OK. After all, you are visiting their site. But active intrusive solicitations, such as telemarketing/junk-mail, should be prohibited (unless the recipient has agreed). After all, one should not have an entitlement to virtually invade your home and use your resources to make a sales pitch.

    Any regulations deemed necessary in the privacy debate should reflect the viewpoint that the recipient's private information will not be sold/traded/leased/rented to any Tom, Dick, or Harry who will pay for the data. To paraphrase, “What happens in Vegas, stays in Vegas”

  • http://www.timothyblee.com/ Tim Lee

    Julian,

    How does this analysis cash out in practice? What's an example of a kind of information that your browser discloses by default but website operators should be legally bound to keep in confidence?

  • juliansanchez

    Obviously I was unclear… I'm not arguing for a legal obligation to keep information in confidence — only to provide notice of information collection. Things I expect many ordinary users don't understand: that third-party Flash ads can be used to track you across multiple sites even if you've set your browser to deny ordinary third-party cookies. That the “visited” tag can be used to infer the contents of your browser history. Presumably software as-yet-uncoded will be found to either intentionally or unintentionally reveal information in ways that aren't necessarily transparent to the user.

  • http://www.emergentchaos.com/ adam shostack

    I think we've had an explicit notice practice for over a decade, and the notices provided as “privacy policies” are dense legalese that we've trained everyone to ignore.

    What evidence would you want to say that notice isn't working to adjust people's expectations?

    A related question–do you really think that the reasonable expectation approach delivers the overall results we'd like from the 4th amendment, in terms of how it limits the power of the government to search us? (I'm thinking of things like the 3rd party doctrine and IR cameras, trash searches, and low flying planes.)

    And a final question, as I fill out your form: why is email required, and where do I go to find out what you'll do with that email address?
