On this week’s John Stossel show on Fox Business Network, I debated Internet privacy, advertising, and data collection issues with Michael Fertik of Reputation.com. In the few minutes we had for the segment, I tried to reiterate a couple of keep points that we’ve hammered repeatedly here in the past:

• There’s no free lunch. All the free sites and service we enjoy online today are powered by advertising and data collection. [see this op-ed]
• There is no clear harm in most cases, or what some argue is harm also can have many benefits that are rarely discussed. [see this paper.]
• There’s little acknowledgement of the trade-offs involved in having government create an information control regime for the Internet. [see this filing and these three essays: 1, 2, 3.]
• The ultimate code of “fair information practices” is the First Amendment, which favors free speech, openness, and transparency over secrecy and information control. [see this piece.]
• “Hands Off the Net” is a policy that has served us well. There are dangerous ramifications for our economy and long-term Internet freedoms if we continue down the road of “European-izing” privacy law here in the States. [see this essay and this filing.]
• At some point, personal responsibility needs to come into the equation. With so many privacy enhancing empowerment tools already on the market, it begs the question: If consumers don’t take steps to use those tools, why should government intervene and take action for them?

Anyway, here’s the 7-min video of the debate between Fertik and me:

September 8 — this Tuesday — is the deadline for filing objections against the Google Book Settlement. A number of trade associations, corporations, authors, and advocacy groups have weighed in, including the Electronic Frontier Foundation and the American Civil Liberties Union. They argue that approving the Google Book Settlement in its current form, without explicitly spelling out data collection practices, would endanger user privacy. EFF and ACLU have threatened to file an objection to the Settlement unless Google commits to a stringent privacy policy for Google Book Search.

I think the privacy risks posed by Google Book Search are being blown out of proportion, as I explained in the Examiner Opinion Zone last month. While EFF and others have raised some legitimate fears about the possibility of government getting its hands on Google Book Search user data, these privacy concerns are not unique to Google Book Search, nor are they legitimate grounds for the court to reject the Google Book Settlement.

In a letter I submitted yesterday as an amicus curiae brief to U.S. District Judge Denny Chin, who is presiding over the Google Books case, I argue that privacy concerns should not determine the court’s evaluation of the Settlement:

Competitive Enterprise Institute Letter http://d.scribd.com/ScribdViewer.swf?document_id=19440943&access_key=key-2o4o6jm42x4fvx9dyiwp&page=1&version=1&viewMode=

Jeff Jonas has published an important post: “Your Movements Speak for Themselves: Space-Time Travel Data is Analytic Super-Food!”

More than you probably realize, your mobile device is a digital sensor, creating records of your whereabouts and movements:

Mobile devices in America are generating something like 600 billion geo-spatially tagged transactions per day. Every call, text message, email and data transfer handled by your mobile device creates a transaction with your space-time coordinate (to roughly 60 meters accuracy if there are three cell towers in range), whether you have GPS or not. Got a Blackberry? Every few minutes, it sends a heartbeat, creating a transaction whether you are using the phone or not. If the device is GPS-enabled and you’re using a location-based service your location is accurate to somewhere between 10 and 30 meters. Using Wi-Fi? It is accurate below 10 meters.

The process of deploying this data to markedly improve our lives is underway. A friend of Jonas’ says that space-time travel data used to reveal traffic tie-ups shaves two to four hours off his commute each week. When it is put to full use, “the world we live in will fundamentally change. Organizations and citizens alike will operate with substantially more efficiency. There will be less carbon emissions, increased longevity, and fewer deaths.”

This progress is not without cost:

A government not so keen on free speech could use such data to see a crowd converging towards a protest site and respond before the swarm takes form — detected and preempted, this protest never happens. Or worse, it could be used to understand and then undermine any political opponent.

Very few want government to be able to use this data as Jonas describes, and not everybody wants to participate in the information economy quite so robustly. But the public can’t protect itself against what it can’t see. So Jonas invites holders of space-time data to reveal it:

[O]ne way to enlighten the consumer would involve holders of space-time-travel data [permitting] an owner of a mobile device the ability to also see what they can see:

(a) The top 10 places you spend the most time (e.g., 1. a home address, 2. a work address, 3. a secondary work facility address, 4. your kids school address, 5. your gym address, and so on);

(b) The top three most predictable places you will be at a specific time when on the move (e.g., Vegas on the 215 freeway passing the Rainbow exit on Thursdays 6:07 – 6:21pm — 57% of the time);

(c) The first name and first letter of the last name of the top 20 people that you regularly meet-up with (turns out to be wife, kids, best friends, and co-workers – and hopefully in that order!)

(d) The best three predictions of where you will be for more than one hour (in one place) over the next month, not counting home or work.

Google’s Android and Latitude products are candidates to take the lead, he says, and I agree. Google collectively understands both openness and privacy, and it’s nimble enough still to execute something like this. Other mobile providers would be forced to follow this innovation.

What should we do to reap the benefits while minimizing the costs? The starting point is you: It is your responsibility to deal with your mobile provider as an adult. Have you read your contract? Have you asked them whether they collect this data, how long they keep it, whether they share it, and under what terms?

Think about how you can obscure yourself. Put your phone in airplane mode when you are going someplace unusual – or someplace usual. (You might find that taking a break from being connected opens new vistas in front of your eyes.) Trade phones with others from time to time. There are probably hacks on mobile phone system that could allow people to protect themselves to some degree.

Privacy self-help is important, but obviously it can be costly. And you shouldn’t have to obscure yourself from your mobile communications provider, giving up the benefits of connected living, to maintain your privacy from government.

The emergence of space-time travel data begs for restoration of Fourth Amendment protections in communications data. In my American University Law Review article, “Reforming Fourth Amendment Privacy Doctrine,” I described the sorry state of the Fourth Amendment as to modern communications.

The “reasonable expectation of privacy” doctrine that arose out of the Supreme Court’s 1967 Katz decision is wrong—it isn’t even founded in the majority holding of the case. The “third-party doctrine,” following Katz in a pair of early 1970s Bank Secrecy Act cases, denies individuals Fourth Amendment claims on information held by service providers. Smith v. Maryland brought it home to communications in 1979, holding that people do not have a “reasonable expectation of privacy” in the telephone numbers they dial. (Nevermind that they actually have privacy—the doctrine trumps it.)

Concluding, apropos of Jonas’ post, I wrote:

These holdings were never right, but they grow more wrong with each step forward in modern, connected living. Incredibly deep reservoirs of information are constantly collected by third-party service providers today.

Cellular telephone networks pinpoint customers’ locations throughout the day through the movement of their phones. Internet service providers maintain copies of huge swaths of the information that crosses their networks, tied to customer identifiers. Search engines maintain logs of searches that can be correlated to specific computers and usually the individuals that use them. Payment systems record each instance of commerce, and the time and place it occurred.

The totality of these records are very, very revealing of people’s lives. They are a window onto each individual’s spiritual nature, feelings, and intellect. They reflect each American’s beliefs, thoughts, emotions, and sensations. They ought to be protected, as they are the modern iteration of our “papers and effects.”

FTC Chairman Jon Leibowitz warned yesterday that companies involved in Web advertising face their “last chance” to “voluntarily” adopt stricter policies governing the use and collection of consumer information, Reuters reports. This isn’t the first time the FTC has threatened the advertising industry with regulation, but it signals a sense of immediacy that may pressure industry leaders to change their practices in coming weeks.

Leibowitz presumably wants to quell widespread concern that Internet companies like Google and AT&T have “excessive control” over consumer information. But what’s excessive about using information that individuals have voluntarily handed over for marketing purposes, subject to legally enforceable rules laid out from the get-go?

Users ultimately control their data, not firms. After all, only data that users transmit can be collected. When a user visits a website, their IP address may be recorded, and when a user submits a query to a search engine, the search term can be logged. This is how the Internet has always worked.

Not all consumers understand what information is gathered about them as they browse online. The best way to protect such users is not through regulation, but by educating — and, therefore, empowering — users. Volumes have been written on privacy and data security, and the ongoing TLF series “Privacy Solutions” offers a growing body of tips on how consumers can achieve the level of privacy that suits them.

Understandably, some people are uncomfortable with their queries being logged, and would prefer that websites simply not track any data. Some sites are willing to do just that — Cuil, a search engine launched in 2008, promises to never log IP addresses or even use cookies (as Jim has noted). Other anonymity solutions rely on secure virtual tunnels that can mask users’ actual IP addresses.

Still, no matter what the FTC does, transmitting data in plaintext over the Internet will never be truly “safe.” Robust end-to-end encryption is the only surefire method of ensuring information cannot be seen by anybody except the sender and the recipient. Even then, information is only as safe to the extent that the party at the other end of the line can be trusted.

Any new FTC mandates on data collection would almost certainly impose a privacy ceiling that would offer some, if not most, people too much privacy. This may sound impossible at first, but think of people who document their every move on Twitter, open for the world to see. Different people have wildly different privacy preferences, and there is no way a single set of rules-however well-conceived-could satisfy everyone.

Privacy mandates will place shackles on the still-young Internet advertising industry, stifling promising opportunities for making money from online content. Strict rules governing data collection will deprive publishers — especially small ones — of ad revenue at a time when it is sorely needed. Rigid mandates will also prolong “dumb” Web ads by delaying the evolution of targeting technologies capable of making advertisements more relevant and, therefore, more interesting to users.

Online advertising is the lifeblood of Web content, as Berin, Adam, and others have explained time and time again. The alternative to advertiser subsidies — charging consumers for access to content — has proven relatively unpopular with consumers. Who wants to take out their credit card when all content creators pine for is a pair of eyeballs?

Advertising will fuel the growth of online content, but only if regulators let the market work.

I’ve been quite depressed to witness Bruce Schneier’s ongoing conversion from opponent of government intervention in the high-tech economy (at least on encryption) to vociferous proponent (at least in terms of privacy regulation).  Anyway, his latest cheerleading piece for government privacy regulation in The Wall Street Journal includes lots of fear-mongering about private website data collection for, God forbid, purposes of trying to better target advertising and market us products we might actually want.

Schneier uses the term “deceptive” several times in the piece to refer to privacy policies that don’t make it explicitly clear that some of the information you leave on a site, or that is collected preemptively by them, will be used to craft more targeted marketing efforts.  Like many other would-be privacy regulators, Schneier seemingly wants companies to fly blimps over your desk as you surf the Net with big signs that basically say: ‘Hey stupid, your info may be used to market you stuff.’  It’s hard to be against more disclosure, of course — and most sites spell out what they do with data in their privacy policies — but it never seems to be good enough for most privacy advocates, who paint consumers out to be mindless sheep who cannot be trusted to make wise decisions for themselves.  Sorry, but I just don’t buy it.

Specifically, I think there’s a pretty easy solution to the concern Schneier articulates about cloud computing when he says:

Cloud computing services like Google Docs, and social networking sites like RealAge and Facebook, bring with them significant privacy and security risks over and above traditional computing models. Unlike data on my own computer, which I can protect to whatever level I believe prudent, I have no control over any of theses sites, nor any real knowledge of how these companies protect my privacy and security.  I have to trust them.

Huh?  Why do you just “have to trust them”?  How about just not using those services?!  Or, use privacy self-help solutions when possible to manage your privacy preferences.  And for God’s sake Bruce, you wrote the definitive textbook on cryptography!  How about using encryption if you’re so concerned about who might be collecting your data online??

Meanwhile, Schneier doesn’t bother telling us what economic engine is going to power the Internet economy going forward once the privacy regulations he favors get on the books and make targeted advertising and data collection a federal crime.  Should we expect all these free Internet sites and services to just fall like manna from heaven?  Again, while the supposed harms from private data collection are largely conjectural, the harm to the Internet economy from heavy-handed, top-down privacy regulations would be all too real.  As we always say here, there is no free lunch.