Sen. Edward J. Markey (D-Mass.) and Rep. Joe Barton (R-Texas) have reintroduced their “Do Not Track Kids Act,” which, according to this press release, “amends the historic Children’s Online Privacy Protection Act of 1998 (COPPA), will extend, enhance and update the provisions relating to the collection, use and disclosure of children’s personal information and establishes new protections for personal information of children and teens.” I quickly scanned the new bill and it looks very similar to their previous bill of the same name that they introduced in 2011 and which I wrote about here and then critiqued at much greater length in a subsequent Mercatus Center working paper (“Kids, Privacy, Free Speech & the Internet: Finding The Right Balance”).

Since not much appears to have changed, I would just encourage you to check out my old working paper for a discussion of why this legislation raises a variety of technical and constitutional issues. But I remain perplexed by how supporters of this bill think they can devise age-stratified online privacy protections without requiring full-blown age verification for all Internet users. And once you go down that path, as I note in my paper, you open up a huge Pandora’s Box of problems that we have already grappled with for many years now. As I noted in my paper, the real irony here is that the “problem with these efforts is that expanding COPPA would require the collection of more personal information about kids and parents. For age verification to be effective at the scale of the Internet, the collection of massive amounts of additional data is necessary.”

But that’s hardly the only problem. How about the free speech rights of teens? They do have some, after all, but this bill could create new limitations on their ability to freely surf the Internet, gather information, and communicate with others.

In the end, I don’t expect this bill to pass; it’s mostly just political grandstanding “for the children.” But it’s a real shame that smart people waste their time with counter-productive and constitutionally suspect measures such as these instead of focusing their energy on more constructive educational efforts and awareness-building approaches to online safety and privacy concerns. Again, read my paper for more details on that alternative approach to these issues.

I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)

This is the second of two complimentary law review articles I am releasing this year dealing with privacy policy. The first, “The Pursuit of Privacy in a World Where Information Control is Failing,” was published in Vol. 36 of the Harvard Journal of Law & Public Policy this Spring. (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals.

However, precisely because those benefits and costs remain so remarkably subjective and contentious, I argue that we should look to employ less-restrictive solutions — education and awareness efforts, empowerment tools, alternative enforcement mechanisms, etc. — before resorting to potentially costly and cumbersome legal and regulatory regimes that could disrupt the digital economy and the efficient provision of services that consumers desire. This model has worked fairly effectively in the online safety context and can be applied to digital privacy concerns as well.

The article is organized as follows. Part I examines the use of BCA by federal agencies to assess the utility of government regulations. Part II considers how BCA can be applied to online privacy regulation and the challenges federal officials face when determining the potential benefits of regulation. Part III then elaborates on the cost considerations and other trade-offs that regulators face when evaluating the impact of privacy-related regulations. Part IV discusses alternative measures that can be taken by government regulators when attempting to address online safety and privacy concerns. This article concludes that policymakers must consider BCA when proposing new rules but also recognize the utility of alternative remedies such as education and awareness campaigns, to address consumer concerns about online safety and privacy.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and my Mercatus author page.

A Framework for Benefit-Cost Analysis in Digital Privacy Debates by Adam Thierer

Today over at the International Association of Privacy Professionals (IAPP) Daily Dashboard blog, I have a guest post entitled, “Let’s Not Place All Our Eggs in the Do Not Track Basket.” The essay builds on my Senate Commerce Committee testimony last week by arguing that:

If there’s one lesson I’ve learned in twenty-one years of covering information technology policy, it’s that there are no simple silver-bullet solutions to complex issues like online safety, hate speech, spam, cybersecurity, data breaches or digital privacy. Problems such as these demand a layered, multifaceted approach that incorporates many solutions, the first among these being education and awareness-based efforts.

I continue on to explain why that means we should be cautious about placing too much faith in privacy techno-fixes like Do Not Track, which won’t likely be any more successful than past silver bullet efforts. (Note: Justin Brookman of CDT will be offering a counterpoint to my essay next week on the IAPP blog. I look forward to seeing what he has to say. He also testified alongside me in the Senate last week.)

By the way, for those of you not familiar with the IAPP, it is “the largest and most comprehensive global information privacy community and resource, helping practitioners develop and advance their careers and organizations manage and protect their data. More than just a professional association, the IAPP provides a home for privacy professionals around the world to gather, share experiences and enrich their knowledge.” In my opinion, the IAPP is doing amazing work and deserves the attention of anyone who cares about the future of privacy and privacy policy. I strongly recommend you check out their excellent site and explore all the important resources they provide and other things they do.

Anyway, if you are interested in the issues discussed in my IAPP guest post, you might also want to check out some of the related essays down below the fold:

Additional Reading:

• Senate testimony of Adam Thierer on Do Not Track standard – Apr. 24, 2013
• A Better, Simpler Narrative for U.S. Privacy Policy – March 19, 2013
• On the Pursuit of Happiness… and Privacy – March 31, 2013 (condensed from Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing”)
• Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy? – Feb. 20, 2011
• Two Paradoxes of Privacy Regulation – Aug. 25, 2010
• Privacy as an Information Control Regime: The Challenges Ahead – Nov. 13, 2010
• When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed – Apr. 29, 2011

Today I’ll be testifying at a Senate Commerce Committee hearing on online privacy and commercial data collection issues. In my remarks, I make three primary points:

1. First, no matter how well-intentioned, restrictions on data collection could negatively impact the competitiveness of America’s digital economy, as well as consumer choice.
2. Second, it is unwise to place too much faith in any single, silver-bullet solution to privacy, including “Do Not Track,” because such schemes are easily evaded or defeated and often fail to live up to their billing.
3. Finally, with those two points in mind, we should look to alternative and less costly approaches to protecting privacy that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.

The testimony also contains 4 appendices elaborating on some of these themes.

Down below, I’ve embedded my testimony, a list of 10 recent essays I’ve penned on these topics, and a video in which I explain “How I Think about Privacy” (which was taped last summer at an event up at the University of Maine’s Center for Law and Innovation). Finally, the best summary of my work on these issues can be found in this recent Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing.” (This is the first of two complimentary law review articles I will be releasing this year dealing with privacy policy. The second, which will be published early this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.”)

Testimony of Adam D. Thierer before the Senate Committee on Commerce, Science & Transportation hearing…

Some of My Recent Essays on Privacy & Data Collection

1. A Better, Simpler Narrative for U.S. Privacy Policy – March 19, 2013
2. On the Pursuit of Happiness… and Privacy – March 31, 2013 (condensed from Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing”)
3. Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy? – Feb. 20, 2011
4. Two Paradoxes of Privacy Regulation – Aug. 25, 2010
5. Privacy as an Information Control Regime: The Challenges Ahead – Nov. 13, 2010
6. When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed – Apr. 29, 2011
7. Lessons from the Gmail Privacy Scare of 2004 – March 25, 2011
8. Who Really Believes in “Permissionless Innovation”? – March 4, 2013 (condensed from Minnesota Journal of Law, Science & Technology law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle”)
9. The Problem of Proportionality in Debates about Online Privacy and Child Safety – Nov. 28, 2009
10. Obama Admin’s “Let’s-Be-Europe” Approach to Privacy Will Undermine U.S. Competitiveness– Jan. 5, 2011

I’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complimentary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

The new Harvard Journal article is divided into three major sections. Part I focuses on some of normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.

If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. A so-called “3-E” solution that combines consumer education, user empowerment, and selective enforcement of existing targeted laws and other legal standards (torts, anti-fraud laws, contract law, and so on), has helped society achieve a reasonable balance in terms of addressing online safety while also safeguarding other important values, especially freedom of expression.  That does not mean perfect online safety exists, not only because the term means very different things to different people, but because it would be impossible to achieve in the first instance as a result of information control complications. But the “3-E” approach has the advantage of enhancing online safety without sweeping regulations being imposed that could undermine the many benefits information networks and online services offer individuals and society.  This same framework can guide online privacy decisions—both at the individual household level and the public policy level.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and it should be available on the HJLPP website shortly. [Update 4/16: It is now live on the site.] In coming weeks, I hope to do some blogging that builds on the themes and arguments I develop in this article.

The Pursuit of Privacy in a World Where Information Control is Failing

The world does not owe targeted advertising networks a business model, so I am agnostic about Microsoft’s decision to ship Internet Explorer 10 with “Do-Not-Track” enabled by default. Ryan Singel has a good write-up on Threat Level that covers many dimensions of the issue.

Decisions like this are never driven by a single motivation, but I’m interested in the likelihood that Microsoft made this choice hoping to drive a dagger into Google’s business model. To the extent it did, it’s a nice illustration of how competition among companies can serve consumers’ privacy preferences. There is some demand for privacy, though less than most regulatory types believe. Microsoft saw an angle to get some pro-privacy PR, improve consumers’ privacy by a small margin, and hamstring a competitor. You go, girl. Er, Microsoft.

Now, consumers aren’t falling over themselves for protection from the benign practice of tracking for the purpose of delivering targeted ads. I suspect that counter-punches from ad networks and Google will send the Do Not Track header into the dustbin of privacy history right along with P3P. The idea of putting a signal into the header that says “please do not track” is clumsy, to put it charitably.

If you want to avoid tracking, you can do that already. Use Tracking Protection Lists.

At the Computers Freedom and Privacy conference, I moderated a panel on “Do Not Track.” I tried to make sure it was fun, and I think it was. Among other things, yes, I called Ed Felten, “baby.” Check it out.

This podcast, put together by the high-performance folks at the Performance Marketing Association, is pretty good, though I do use the word “hedonic” at one point, which is a bit much.

The Computers, Freedom and Privacy conference—the original privacy conference—is June 14th through 16th at the Georgetown University Law School here in D.C.

It has a neat layout this year, with a focus on each of the topics—computers, freedom, and privacy—on each of its three days. I’ve always found that it’s a rollicking conference at which the newest ideas and problems get aired. It’s got some big draws if you’re into that kind of thing: Senator Patrick Leahy (D-VT) will speak on Thursday. But there really is something for everyone. TLFer’s Ryan Radia and Berin Szoka will join yours truly and other experts on a panel entitled “Do Not Track: Yaaay or Boooh?”, which should be fun.

Check out the agenda, then register.

As Sonia Arrison mentioned here on Friday, the State of California is currently considering legislation that could, in the name of enhancing online privacy, impose burdensome new regulatory mandates on the Internet. Sonia has a nice column at TechNewsWorld discussing this. I also wrote about the same issue in my Forbes column this week, which is entitled, “The State of California Versus the Internet.” Specifically, I discuss SB 242, “The Social Networking Privacy Act,” and SB761, the so-called Do Not Track bill, and argue that: “What unifies these two measures is a general lack of understanding about the way the Internet and digital technology work. Both measures fail to appreciate the global nature of the Internet and would raise a host of unintended consequences.”

While the best of intentions drive these measures, they will be complicated to enforce in practice and could have a devastating impact on the California economy in the process. “If California wants to reestablish itself as the home of high-tech innovation,” I argue, “it needs to realize heavy-handed Net controls are not the ticket to either economic progress or job-creation.” Moreover, “These laws could be challenged in court since state-based regulation of the Internet raise constitutional issues. The Commerce Clause of the Constitution was designed to block the sort of parochial burdens on interstate commerce that these measures would establish.”

Jump over to Forbes to read the rest. Let’s hope California policymakers realize what a mistake they are making before it’s too late. If they don’t, Congress will need to preempt this regulation of interstate commerce if it’s not immediately challenged in Court and overturned.

Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have released a discussion draft of their forthcoming “Do Not Track Kids Act of 2011.”  I’ve only had a chance to give it a quick read, but the bill, which is intended to help safeguard kids’ privacy online, has two major regulatory provisions of interest:

(1) New regulations aimed at limiting data collection about children and teens, including (a) expansion of the Children’s Online Privacy Protection Act (COPPA) of 1998, which would build upon COPPA’s “verifiable parental consent” model; and (b) a new “Digital Marketing Bill of Rights for Teens;” and (c) limits on collection of geolocation information about both children and teens.

(2) An Internet “Eraser Button” for Kids to help kids wipe out embarrassing facts they have place online but later come to regret.  Specifically, the bill would require online operators “to the extent technologically feasible, to implement mechanisms that permit users of the website, service, or application of the operator to erase or otherwise eliminate content that is publicly available through the website, service, or application and contains or displays personal information of children or minors.” This is loosely modeled on a similar idea currently being considered in the European Union, a so-called “right to be forgotten” online.

Both of these proposals were originally floated by the child safety group Common Sense Media (CSM) in a report released last December.  It’s understandable why some policymakers and child safety advocates like CSM would favor such steps. They fear that there is simply too much information about kids online today or that kids are voluntarily placing far too much personal information online that could come back to haunt them in the future. These are valid concerns, but there are both practical and principled reasons to be worried about the regulatory approach embodied in the Markey-Barton “Do Not Track Kids Act”:

• It is very hard to imagine how most elements of this new “Do Not Track Kids” regulatory regime would work without requiring mandatory online age verification of all websurfers, which would raise serious constitutional issues. Previous efforts to age-verify websurfers (namely, The Child Online Protection Act or COPA) have been found to violate the First Amendment and also to raise different privacy concerns. By contrast, the Children’s Online Privacy Protection Act (COPPA) partially avoided this problem by limiting its coverage to kids 12 and under and did not mandate strict age verification. The Markey-Barton bill seems to imagine that the COPPA regime can simply be expanded without serious constitutional scrutiny (or economic cost, for that matter). The sponsors are wrong. Their bill puts COPPA on a collision course with COPA because it would necessitate expanded age verification in order to be effective.
• An Internet “Eraser Button” is similarly challenged by practical realities and principled concerns. It’s unclear how to even enforce such a notion. Moreover, if it could be enforced, it would raise profound free speech issues since it is tantamount to digital censorship and specifically threatens press freedoms. And the economic costs of such a mandate — especially on smaller operators — could be quite significant. See my recent Forbes essay for a discussion of those problems.
• Although some of the concerns that motivate the “Do Not Track Kids Act” are understandable, there are two very different models for how we might address these problems: ‘Legislate & Regulate’ vs. ‘Educate & Empower.’ The latter is the superior framework for dealing with these concerns in light of the practical and principled problems associated with the former.

I will expand upon these concerns in a follow-up post, but for now I would direct your attention to the 36-page white paper that Berin Szoka and I released two years ago on this topic:”COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.” It explains why this issue is so complicated and raises so many constitutional red flags.

Additional Reading:

on COPA:

• Son of COPA?: H.R. 4059, “The Online Age Verification and Child Safety Act” – by Adam Thierer
• Closing the Book on COPA? – by Adam Thierer
• COPA Struck Down (Part 1): Again! – by Adam Thierer
• COPA Struck Down (Part 2): The Effectiveness of Filtering & Age Verification – by Adam Thierer
• COPA Struck Down (Part 3): Implications for Age Verification & Social Networking – by Adam Thierer

on Eraser Button:

• Erasing Our Past On The Internet – by Adam Thierer [Forbes essay]
• Europe Reimagines Orwell’s Memory Hole – by Larry Downes
• “Privacy” as Censorship: Fleischer Dismantles the EU’s “Right to Forget” – by Berin Szoka
• The Conflict Between a “Right to Be Forgotten” & Speech / Press Freedoms – by Adam Thierer

I’ve already Tweeted about it, but if you are following Internet privacy debates and have not yet had the chance to read Lauren Weinstein‘s new paper, “Do-Not-Track, Doctor Who, and a Constellation of Confusion,” it is definitely worth a look.  Weinstein, founder of the Privacy Forum, zeroes in on two related issue that I have made the focus of much of my work on this issue: (1) the fact that Do Not Track is seemingly viewed by some as a silver-bullet quick fix to online privacy concerns but will really be far more complicated in practice to enforce, and (2) that Do Not Track regulation will likely have many unintended consequences, most of which are going unexplored by proponents.

For example, Weinstein says:

Do-not-track in actuality encompasses an immensely heterogeneous mosaic of issues and considerations, not appropriately subject to simplistic approaches or “quick fix” solutions.   Approaching this area without a realistic appreciation of such facts is fraught with risks and the potential for major undesirable collateral damages to businesses, organizations, and individuals. Attempts to portray these controversies as “black or white” topics subject to rapid or in some cases even unilaterally imposed resolutions may be politically expedient, but are ultimately both childish and dangerous. […] Above all, we should endeavor to remember that tracking issues both on and off the Internet are in reality part of a complicated whole, a multifaceted  set of problems — and very importantly — potentials as well. The decisions that we make now regarding these issues will likely have far-ranging implications and effects on the Internet for many years to come, perhaps for decades.

Absolutely correct. He also argues that:

Rather than view do-not-track and tracking in general as binary choices, or even as an overly simplistic one-dimensional continuum — with “no tracking” and “tracking” at the good and evil ends of the spectrum respectively — a multidimensional and so significantly more nuanced view would seem to make a great deal better logical sense. For each of us, our comfort levels with “tracking” as it may be most broadly defined — both in Internet and non-Internet contexts — will vary widely depending on specific details and circumstances.

Quite right. I made similar arguments in my February filing to the Federal Trade Commission as part of it Do Not Track proceeding.

Weinstein also asks an important question here:

Even while some divisions of government are proselytizing for the rapid adoption of risky and overly simplistic do-not-track mechanisms that are more akin to sledgehammers than balanced control methodologies, and aimed particularly at ad personalization networks — others in government are pushing hard for vast and comprehensive data retention laws that would require ISPs and Web services to record and maintain detailed records of virtually all Web browsing, email, and other activities. … Why is there such a focus on do-not-track in the relatively innocuous ad serving sector, but often so much hypocritical disregard of government’s desire for encompassing tracking in other contexts that carry enormously larger potentials for abuses?

To be fair, however, I do think that many of the advocates of Do Not Track regulation are also focused on government access to data but I think they sometimes fail to adequately distinguish between the “enormously larger potentials for abuses” associated with government data collection and what Weinstein rightly regards as the far less serious issue of “the relatively innocuous ad serving sector.”  There is a world of difference between what government collects and uses private data to accomplish versus what the private sector does with it. As I pointed out in my latest Forbes column this week, “Governments possess unique powers the private sector lacks, such as taxation, surveillance, fines, and imprisonment.” By contrast, private companies mostly collect data to sell us a better mousetrap at a better price.  It’s hard to see how that is a “harm” in the same league with what government officials and agencies would like to do with data. In fact, that’s really a benefit to consumers.

Anyway, make sure to read Weinstein’s entire essay.  I have not yet seen any responses to it but I very much look forward to seeing what proponents of Do Not Track regulation have to say about his very sharp piece.

FTC Commissioner J. Thomas Rosch puts the brakes on some of the Do-Not-Track excitement that has been bubbling up in this (wouldn’t you know it) Advertising Age piece.

The concept of do not track has not been endorsed by the commission or, in my judgment, even properly vetted yet. In actuality, in a preliminary staff report issued in December 2010, the FTC proposed a new privacy framework and suggested the implementation of do not track. The commission voted to issue the preliminary FTC staff report for the sole purpose of soliciting public comment on these proposals. Indeed, far from endorsing the staff’s do-not-track proposal, one other commissioner has called it premature.

Do-Not-Track does need more vetting and consideration. Don’t get your hopes up about being free of tracking anytime soon. (Do you even know what “tracking” is?)

If Do-Not-Track goes forward, don’t get your hopes up to be free of tracking either. When you take control of what your browser sends out over the Internet? Then you can rightly anticipate being free of unwanted tracking!

Today, the U.S. Senate Commerce Committee held a hearing on “The State of Online Consumer Privacy.”

The push for online privacy regulation has real momentum, as proposed privacy legislation from numerous lawmakers, a Department of Commerce report proposing a compulsory Do Not Track mechanism to regulate business marketing practices, and the Obama Administration’s proposed “Privacy Bill of Rights” all indicate.

However, Congress should be very wary of such proposals. A politically defined Do Not Track regime risks undermining targeted advertising, impeding business transactions that occur between strangers, and stifling mobile ecosystems that are barely out of the cradle. Rattling consumers needlessly by encouraging them to opt-out of largely beneficial information collection is an especially unwise idea in our uncertain economic climate – especially when major industry participants are developing such mechanisms on their own.

The opportunity to undermine online marketing – wrongly called “surveillance” – appeals to some, but such privacy purists have no right to call the shots for anyone but themselves and those who agree with them. The right to use information acquired through voluntary transactions is no less important than the right to decide whether to disclose information in the first place.

Competitive pressures to secure our personal information include rivals who promise more security, capital markets and business partners (like upstream suppliers and downstream customers who demand information security as a condition of doing business). Like all other technologies, privacy-enhancing services – from consulting to liability insurance to network monitoring – benefit from competition. Contracts to surf anonymously while paying a nominal fee to an ISP, a notion noted recently in a Wall Street Journal piece, are merely one example of such market innovations.

In light of such pressures, the term “self-regulation”—heard often in hearings such as today’s—is a misnomer: no business has that luxury in free enterprise.

Market participants will make mistakes, but these pale in comparison to the mistakes made by government. Privacy regulation will grow so entrenched that it will preclude superior alternatives as it distorts the evolution of the digital marketplace. Attempts by politicians to define privacy are a dangerous business.

In this era of TSA body imaging, mass surveillance, the push for National ID, and ill-defined protections from governmental access to our mobile devices and cloud-stored data, what we really need isn’t for Washington to try and protect our privacy—we need Washington to allow it.

Rather than Do Not Track, a “Do Not Regulate” stance remains appropriate, for the sake of improved privacy.

It seems peculiar to me that some of the same individuals and groups who so vociferously opposed a “broadcast flag” technological mandate in past years are now in a mad rush to have federal policymakers mandate a “Do Not Track” regulatory regime for privacy purposes. The broadcast flag debate, you will recall, centered around the wisdom of mandating a technological fix to the copyright arms race before digitized high-definition broadcast signals were effectively “Napster-ized.” At least that was the fear six or seven years ago. TV broadcasters and some content companies wanted the Federal Communications Commission (FCC) to recognize and enforce a string of code that would have been embedded in digital broadcast program signals such that mass redistribution of video programming could have been prevented.

Flash forward to the present debate about mandating a “Do Not Track” scheme to help protect privacy online. As I noted in my filing last week to the Federal Trade Commission, at root, Do Not Track is just another “information control regime.” Much like the broadcast flag proposal, it’s an attempt to use a technological quick-fix to solve a complex problem. When it comes to such information control efforts, however, there aren’t many good examples of simple fixes or silver-bullet solutions that have worked, at least not for very long. The debates over Wikileaks, online porn, Internet hate speech, and Spam all demonstrate how challenging it can be to put information back into the bottle once it is released into the digital wild.

To be clear, I am not opposed to technological solutions like broadcast flag or Do Not Track, but I am opposed to forcing them upon the Internet and digital markets in a top-down, centrally-planned fashion. While I am skeptical that either scheme would work well in practice (whether voluntary or mandated), my concern in these debates is that forcing such solutions by law will have many unintended consequences, not the least of which will be the gradual growth of invasive cyberspace controls in these or other contexts. After all, if we can have “broadcast flags” and “Do Not Track” schemes, why not “flag” mandates for objectionable speech or “Do Not Porn” browser mandates?

From 2002-2005, when the broadcast flag wars were really raging, groups like the Electronic Frontier Foundation and Center for Democracy & Technology made several legitimate legal and practical arguments against a mandatory broadcast flag regime. But their principled case against broadcast flag mandates came down to an underlying fear about government encroachment on the Internet and the specter of more far-reaching regulation of cyberspace. For example, in a December 2003 report, CDT noted that even if other details could be worked out, “the [broadcast] flag approach will still pose unresolved concerns regarding technical regulation of computers and the Internet by the government [and] the impact of regulations on innovation and future consumer uses” was also problematic.

Importantly, EFF and CDT hammered broadcast flag proponents on the question of jurisdictional authority. They rightly asked where the FCC  got the authority to impose such rules at all and worried about the spillover effects of such arbitrary mandates in other Internet contexts. (The broadcast flag scheme was eventually tossed out by the D.C. Court of Appeals because of the FCC’s lack of authority.)

So, why wouldn’t these same concerns and arguments apply to Do Not Track regulation? CDT and EFF seem to care little that the Federal Trade Commission is aggressively pushing this new information control regime on the Internet.  Indeed, CDT and EFF are two of the biggest cheerleaders for FTC action in this regard.  Sorry, but I just don’t get it.  If it was misguided for regulators to push a broadcast flag regime upon cyberspace, isn’t it just as misguided for them to be pushing Do Not Track? I suspect this inconsistency has something to do with CDT and EFF being inherently skeptical of the benefits of most online copyright protection schemes while being more sympathetic to legal efforts aimed at protecting personal privacy online. Simply stated, they think there’s something to the notion of privacy “rights” and will bend over backward to engineer an information control regime to protect against the “unauthorized” flow of personal information online. When it comes to the “unauthorized” flow of copyrighted bits of information online, however, they aren’t nearly as interested in inviting the code cops in.

But even if one sympathizes with that distinction — absolute privacy “rights”  vs. minimal copy-“rights” — all the same concerns and criticisms that CDT and EFF raised earlier about the broadcast flag regulatory scheme would seemingly apply to the Do Not Track regime. Both regimes face formidable enforcement challenges and raise the specter of broader government control of cyberspace. There’s just no getting around that reality, and Do Not Track defenders who deny it are basically hiding from the ugly truth that they are greasing the skids for future information control efforts and regimes — both here and abroad.

I suppose that they might also argue that regulation is justified where it ensures more “choice” for consumers.  But forcing “choice” upon online markets isn’t exactly the same thing as allowing it evolve in a natural, non-destructive fashion. As I noted in my filing, many others besides me are concerned about what mandatory Do Not Track would mean for the online ecosystem of mostly “free” content and services. Lauren Weinstein, co-founder of People For Internet Responsibility (PFIR), worries that the “ability [of Do Not Track concepts] to cause major collateral damage to the Internet ecosystem of free Web services is being unwisely ignored or minimized by many Do Not Track proponents.” And in a brilliant Huffington Post column this week about the rise of a privacy techno-panic, Jeff Jarvis said, “I also worry that efforts to bring in a ‘Do Not Track’ list and other demonization of ad targeting could cripple the revenue of the media and news industries even as they struggle to find sustainability; it could kill news outlets and reduce journalism.”

Weinstein and Jarvis are right. There is no free lunch. While groups like EFF and CDT who support Do Not Track regulation are well-intentioned in their aims, the reality is that government regulation that attempts to create a cost-free opt-out for data collection and targeted online advertising will likely have damaging consequences for the future provision of online content and services. In terms of direct costs to consumers, Do Not Track could result in higher prices for service as paywalls go up or, at a minimum, advertising will become less relevant to consumers and, therefore, more “intrusive” in other ways.

Which leads to my final point. What is perhaps most perplexing about this is how many of the advocates of Do Not Track argue that such a regulatory scheme will slow the “arms race” in the privacy arena. For example, EFF has said “The header-based Do Not Track system appeals because it calls for an armistice in the arms race of online tracking.” And my favorite frenemy Chris Soghoian argues that “opt out mechanisms… [could] finally free us from this cycle of arms races, in which advertising networks innovate around the latest browser privacy control.”  At best, this is highly wishful thinking. At worst, it’s outright deceit aimed at sugar-coating the hard truth: If anything, a Do Not Track mandate will speed up the technological arms race and have many other unintended consequences. Online advertising will almost certainly become more “annoying” and even invasive as a result of such regulation.  And “tracking” techniques aren’t going to be stopped or even slowed as a result of Do Not Track. (Hello DPI!) Again, check out my filing to the FTC for more details.

The important point here is that one intervention will simply beget another and another in an attempt to address the “arms race” and to refine and rework Do Not Track to cover more and more online information flows. One wonders how expansive this new regulatory regime will need to be to deal with the growing scale and volume of online information flows. Really, does anyone think there will be less personal information online in coming years?  Unless we stop the unprecedented voluntary information-sharing and self-revelation of personal data that takes place on social networking sites and via user-generated content sites, there is simply no way in hell this problem is going to be curtailed. When 600 million people use Facebook as an open diary to the world (among many other examples I could cite), it’s hard to imagine we’ll ever be able to stop the mercurial flow of personal information across the Internet. Do Not Track certainly won’t stop it, but the cost of putting such a regulatory regime in place in an attempt to put the genie back in the bottle could be profound for the future of the Internet and online content and culture.

Again, this is essentially the same argument previously set forth against a broadcast flag mandate. As EFF once noted, “the technology mandate proposed… is unnecessary, ineffective, and unwise.”  I agree, and I invite Do Not Track defenders at CDT and EFF (or anyone else) to explain why, conceptually speaking, Do Not Track isn’t just broadcast flag in drag.

Today I filed roughly 30 pages worth of comments with the Federal Trade Commission (FTC) in its proceeding on “Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers.” [Other comments filed in the proceeding can be found here.] Down below, I’ve attached the Table of Contents from my filing so you can see the major themes I’ve addressed, and I’ve also attached the entire document in a Scribd reader. In coming days and weeks, I’ll be expanding upon some of these themes in follow-up essays.

In my filing, I argue that while it remains impossible to predict with precision the impact a new privacy regulatory regime will have the Internet economy and digital consumers, regulation will have consequences; of that much we can be certain.  As the FTC  and other policy makers move forward with proposals to expand regulation in this regard, it is vital that the surreal “something-for-nothing” quality of current privacy debate cease. Those who criticize data collection or online advertising and call for expanded regulation should be required to provide a strict cost-benefit analysis of the restrictions they would impose upon America’s vibrant digital marketplace.

In particular, it should be clear that the debate over Do Not Track and online advertising regulation is fundamentally tied up with the future of online content, culture, and services. Thus, regulatory advocates must explain how the content and services supported currently by advertising and marketing will be sustained if current online data collection and ad targeting techniques are restricted.

The possibility of regulation also retarding vigorous marketplace competition—especially new innovations and entry—is also very real. Consequently, the Commission bears the heavy burden of explaining how such results would be consistent with its long-standing mission to protect consumer welfare and promote competition. Importantly, the “harm” that critics claim online advertising or data collection efforts gives rise to must be shown to be concrete, not merely conjectural. Too much is at stake to allow otherwise.

Finally, as it pertains to solutions for those who remain sensitive about their privacy online, education and empowerment should trump regulation. Regulation would potentially destroy innovation in this space by substituting a government-approved, “one-size-fits-all” standard for the “let-a-thousand-flowers-bloom” approach, which offers diverse tools for a diverse citizenry. Consumers can and will adapt to changing privacy norms and expectations, but the Commission should not seek to plan that evolutionary process from above.

Download my comments here or just scroll down and read them below.

Contents

I.       Introduction

II.      No Showing of Harm or Market Failure Has Been Made

1. How Do We Conduct Cost-Benefit Analysis When “Creepiness” Is the Alleged Harm?
2. Privacy Regulation & the Precautionary Principle.
3. On “Informed Consent” & Information as Currency
4. On “Commonly Accepted Practices”
5. The Mythical Harm of Consumer “Walk Aways”

III.    Privacy Regulation Is an Information Control Regime That Faces Formidable Enforcement Challenges

1. Media & Technological Convergence
2. Decentralized, Distributed Networking
3. Unprecedented Scale of Networked Communications
4. Explosion of the Overall Volume of Information
5. Unprecedented Individual Information Sharing Through User-Generation of Content and Self-Revelation of Data

IV.    The Commission’s Proposed “Do Not Track” Regime Creates Potential Risks to Consumers, Culture, Competition, and Global Competitiveness

1. Potential Direct Cost to Consumers
2. Potential Indirect Costs / Impact on Content & Culture
3. Competition & Market Structure
4. International Competitiveness
5. “Silver-Bullet” Solutions Rarely Adapt or Scale Well
6. Implications of This New Regime in Other Contexts

V.     Privacy Regulation Raises Serious Free Speech & Press Freedom Issues

VI.    Better, Less-Restrictive Solutions Exist to Privacy-Related Concerns

1. Education, Empowerment & Self-Regulation
2. Simplified” Privacy Policies, Enhanced Notice & “Privacy by Design”
3. Increased Sec. 5 Enforcement, Targeted Statutes & the Common Law

VII.  Conclusion

Comment in FTC Do Not Track Proceeding (Adam Thierer – Mercatus Center) http://d1.scribdassets.com/ScribdViewer.swf

Rep. Jackie Speier introduced legislation today that would require the Federal Trade Commission to establish standards for a “Do Not Track” mechanism and require online data collectors to obey consumer opt-outs through such a tool.

As I’ll explain in more detail in my comments on the FTC’s privacy report (due next Friday), I’ve argued for the last two and half years that user empowering users to make their own choices about online privacy is, in combination with education and enforcement of existing laws, the best way to start adddressing online privacy concerns. In principle, some kind of “Do Not Track” mechanism could be a valuable user empowerment tool.

But actually implementing “Do Not Track” without killing advertising won’t be easy. Just as consumers need to be empowered to make effective privacy choices, so too must publishers of ad-supported websites be able to make explicit today’s implicit quid pro quo: Users who opt-out of tracking might have to see more ads, pay for content and so on.

Government cannot design a “marketplace for privacy” from the top down, nor predict the costs of forcing an explicit quid pro quo. It would be sadly ironic—as Adam Thierer and I pointed out over a year ago—if the same FTC that has agonized so much about the future of journalism wound up killing advertising, the golden goose that has sustained free media in this country for centuries.

The market is evolving quickly here, with two very different “Do Not Track” tools debuting in Internet Explorer 9 and Firefox 4 just this week. Ultimately, it is the Internet’s existing standards-setting bodies, not Congress or the FTC, that have the expertise to resolve such differences and make a “Do Not Track” mechanism work for both consumers and publishers, as well as advertisers and ad networks.

You have to read all the way to the end to get exactly what the New York Times is getting at in its Sunday editorial, “Netizens Gain Some Privacy.”

Congress should require all advertising and tracking companies to offer consumers the choice of whether they want to be followed online to receive tailored ads, and make that option easily chosen on every browser.

That means Congress—or the federal agency it punts to—would tell authors of Internet browsing software how they are allowed to do their jobs. Companies producing browser software that didn’t conform to federal standards would be violating the law.

In addition, any Web site that tailored ads to their users’ interests, or the networks that now generally provide that service, would be subject to federal regulation and enforcement that would of necessity involve investigation of the data they collect and what they do with it.

Along with existing browser capabilities (Tools > Options > Privacy tab > cookie settings), forthcoming amendments to browsers will give users more control over the information they share with the sites they visit. That exercise of control is the ultimate do-not-track. It’s far preferable to the New York Times‘ idea, which has the Web user issuing a request not to be tracked and wondering whether government regulators can produce obedience.

[I got enough push-back to a recent post arguing the existence of market nimbleness in the browser area that I’m unsure of the thesis I expressed there. The better explanation of what’s going on may be that regulatory pressure is moving browser authors and others to meet the peculiar demands of the pro-regulatory community. The reason they have waited to act until now is because they do not perceive consumers’ interests to be met by protections against tailored advertising. The question of what meets consumers’ interests won’t be answered if regulation supplants markets, of course.]

Today the Mercatus Center has released a short new paper I have authored on “Unappreciated Benefits of Advertising and Commercial Speech.”  I begin the piece by noting that:

Federal policy makers, state legislators, and state attorneys general have recently shown interest in regulating commercial advertising and marketing. Several new regulatory initiatives are being proposed, or are already underway, that could severely curtail or restrict advertising or marketing on a variety of platforms. The consequences of these stepped-up regulatory efforts will be profound and will hurt consumer welfare both directly and indirectly.

I go on to note that “advertising can be an easy target for politicians or regulatory activist groups who make a variety of (typically unsubstantiated) claims about its negative impact on society,” but then continue on to explain how “the role of commercial speech in a free-market economy is often misunderstood or taken for granted.” I outline how, despite regulators’ concerns, consumers actually derive three important types of benefits from advertising and marketing: (1) Informational / Educational Benefits; (2) Market Choice / Pro-Competitive Benefits; and (3) Media Promotion / Cross-Subsidization.  After discussing each benefit, I conclude that:

For these reasons, a stepped-up regulatory crusade against advertising and marketing will hurt consumer welfare since it will raise prices, restrict choice, and diminish marketplace competition and innovation—both in ad-supported content and service markets, and throughout the economy at large.  Simply stated, there is no free lunch.

Read the entire 1,800-word essay here.  I have also embedded the document down below in a Scribd reader.

Unappreciated Benefits of Advertising and Commercial Speech (Adam Thierer – Mercatus Center) http://d1.scribdassets.com/ScribdViewer.swf

Via @csoghoian (who can be wrathful if you don’t attribute), Adobe buries the lede in its blog post about privacy improvements to the Flash player. They’re working with the most popular browser vendors on integrating control of “local shared objects”—more commonly known as “Flash cookies”—into the interface. Users control of Flash cookies will soon be similar to control of ordinary cookies.

It doesn’t end there:

Still, we know the Flash Player Settings Manager could be easier to use, and we’re working on a redesign coming in a future release of Flash Player, which will bring together feedback from our users and external privacy advocates. Focused on usability, this redesign will make it simpler for users to understand and manage their Flash Player settings and privacy preferences. In addition, we’ll enable you to access the Flash Player Settings Manager directly from your computer’s Control Panels or System Preferences on Windows, Mac and Linux, so that they’re even easier to locate and use. We expect users will see these enhancements in the first half of the year and we look forward to getting feedback as we continue to improve the Flash Player Settings Manager.

Mysterious, sinister “Flash cookies” were Exhibit A in the argument for a Do Not Track regulation. There is no way that people can cope with the endless array of tracking technologies advertisers are willing to deploy, the argument went, so the government must step in, define what it means to be “tracked,” and require it to stop—without kneecapping the free Internet. (Good luck with that!)

But Flash cookies are now quickly taking their place as a feature that users can control from the browser (or OS), customizing their experience of the Web to meet their individual privacy preferences. This is not a panacea, of course: People must still be made aware of the importance of controlling Flash cookies, as well as regular cookies. New tracking technologies will emerge, and consumer-friendly information controls meeting those challenges will be required in response.

But if this is what the drawn-out “war” against tracking technologies looks like, color me pro-war!

In a few short months, Adobe has begun work on the controls needed to put Flash cookies under peoples’ control. The Federal Trade Commission—prospective imposer of peace through complex, top-down regulation—took more than a year to produce a report querying whether a Do Not Track regulation might be a good idea. This problem will essentially be solved (and we’ll be on to the next one) before the FTC would have gotten saddled up.

Yes, Adobe may have acted because of the threat of damaging government regulation. That seems always to be what gets these companies moving. Of course it does, when the primary modus operandi of privacy advocacy is to push for government regulation. Were the privacy community to work as assiduously on boycotts as acting through intermediary government regulators, change might come even faster.

We could do without the standing army of regulators. Having a government sector powerful enough to cow the business sector is costly, both in terms of freedom and tax dollars.

With the failure of Do Not Track, the vision of a free and open Internet—populated by aware, empowered individuals—lives on.

I laughed out loud when I read the following line in Harlan Yu’s post, “Some Technical Clarifications About Do Not Track“:

“[T]he Do Not Track header compels servers to cooperate, to proactively refrain from any attempts to track the user.”

(Harlan’s a pal, but I’m plain-spoken with friends just like everyone else, so here goes, buddy.)

To a policy person, that’s a jaw-dropping misstatement. An http header is a request. It has no coercive power whatsoever. (You can learn this for yourself: Take 30 minutes and write yourself a plug-in that charges ten cents to every site you visit. Your income will be negative 30 minutes of your time.)

Credit goes to the first commenter on his post who said, “What if they ignore the header? . . . Wouldn’t there also need to be legal penalties in place for violations, in order for this to work? (To encourage advertising companies to put in those lines of code.) Is this in the works?”

Of course there would be. That is the hard stuff. Just what behaviors amount to “tracking” anyway? It’s easy to say you don’t want to be tracked—hard to say what that is, especially given the fluidity of information flows and business models in the online environment. Once a definition is in place, might there be some tracking that consumers want, necessitating an exceptions system? Yes.

And what domains would be subject to the Do Not Track regulation after its years of development? The FTC’s jurisdiction is very broad in the United States (very narrow elsewhere), so every U.S. company with a web presence—large and small—would have to monitor the regulation’s development to determine whether they were going to be subject to the rules. Web-business would hold off on development to make sure they’re not building to an illegal business model. What if foreign countries write similar rules—but not identical. Pity the businesses trying to comply with multiple national Do Not Track regimes.

Coders find it really easy to trivialize coding.

On the server-side, adding code to detect the header is also a reasonably easy task—it takes just a few extra lines of code in most popular Web frameworks. It could take more substantial work to program how the server behaves when the header is “on,” but this work is often already necessary even in the absence of Do Not Track.

It’s easy, right? Except that people in every web-based business will have to understand what this means and how it might affect them. Just how broadly will server-side coding have to be implemented?

If you’re new to public policy, you’ve caught me overstating the scope of the regulation. Because we all know that it’s just going to be ad networks, right? Yeah, and the Social Security Number is only for administering the Social Security system. Have you ever seen Congress act without careful consideration? Have you ever seen it shrink the scope of a regulatory requirement? Come and stay awhile. You’ll see one but not the other.

Put all these issues aside, though. Let’s say you’ve taken the years it takes to get a rule in place, and you’ve got all the legitimate sites subject to the rule re-tooled and prepared to obey. Privacy is a little bit better prote—Wait! We just begged a key question: Which are the legitimate sites and which are not?

To solve that problem, you have to have some permanent institutionalized patrolling of the Internet—much of the information economy, actually—looking for business behavior that is inconsistent with fealty to the Do Not Track regulation. The FTC, or consumer groups and private attorneys general hunting legal fees, will go creating false identities and salting them into website log files hoping to get some tailored advertising. A-ha! Tracking!

But how will they really know it’s a product of tracking? It might make the most sense to give the FTC the power to subpoena data held by web sites. Much of it will be personally identifiable, but . . . oh, crap. We’ve just created a system where databases of information have to be handed over to the government to ensure that the information remains private…

This is a quick and slightly careless dash through the myriad issues that are involved in Do Not Track on the regulatory side, but perhaps it illustrates that the “technical” issues are the easy ones. The recipe for frosting is not the wedding cake.

I get what our tech-side friends are saying. There are lots of tracking technologies, and more to come in the future. They don’t want to fight a drawn-out war to protect people from receiving customized advertising. (Put aside whether that’s even a good idea.)

The war doesn’t end because you can write code to implement a signal in the http header. It shifts to a different venue. That venue—do you really need to be told?—is crawling with mercenary soldiers who work for the ones with the money. That is generally the business sector. If you push the problem on Washington, D.C., you’ll be even less satisfied than if you have to watch the market slowly discover and build the technologies that actually deliver privacy protection on the terms people want, and that do so by controlling information.

[Here’s an oped of mine that recently ran on Reuters.  Readers will recognize many of these themes and arguments since I have developed them here on the TLF many times before.]

Privacy Regulation and the “Free” Internet

by Adam Thierer, Mercatus Center at George Mason University

Would you like to pay $20 a month for Facebook, or a dime every time you did a search on Google or Bing?  That’s potentially what is at stake if the Obama administration and advocates of stepped-up regulation of online advertising get their way.

The Internet feels like the ultimate free lunch.  Once we pay for basic access, a cornucopia of seemingly free services and content is at our fingertips.  But those services don’t just fall to Earth like manna from heaven.  What powers the “free” Internet are data collection and advertising. In essence, the relationship between consumers and online content and service providers isn’t governed by any formal contract, but rather by an unwritten  quid pro quo: tolerate some ads or we’ll be forced to charge you for service.  Most consumers gladly take that deal—even if many of them gripe about annoying or intrusive ads, at times.

Nonetheless, calls for regulation persist, especially as advertising grows more sophisticated.  More targeted forms of online advertising hold the promise of better ads more closely tailored to consumers’ interests.  But that also raises anxieties among some Web surfers who fear their privacy might be undermined by increased data collection or “tracking.”

To address those concerns, the Federal Trade Commission (FTC) and the Department of Commerce have stepped-up activity in this arena and has suggested that new rules may be needed. Earlier this month, the FTC released a report endorsing a new regulatory framework, including a so-called “Do Not Track” mechanism to allow easier consumer opt-outs of online data collection and advertising.  Last Thursday, the Commerce Department followed suit with a new report calling for expanded oversight and a new Privacy Policy Office within Commerce.  Meanwhile, discussion continues in Congress about a new “baseline” privacy law.

The stakes in the debate are significant since regulation could fundamentally alter the nature of online commerce and the future of how digital content and services are provided.  Curtailing data collection and online advertising could be killing the goose that lays the Internet’s golden eggs.  Such regulation will likely have a particularly deleterious impact on small publishers and service providers, who depend almost entirely upon online advertising.  In turn, this could curtail new entry and innovation—and new forms of speech and culture.

Some regulatory advocates don’t hide their desire to move the U.S. in the direction the European Union has charted with its “data directives” and more stringent forms of privacy regulation.  But America’s refusal thus far to walk down that more regulatory path offers scholars the chance to evaluate Europe’s more restrictive approach and study whether America’s lead in the global digital marketplace might be tied to its more “hands-off” approach to online regulation. A recent study by Avi Goldfarb and Catherine Tucker found that “after the [European Union’s] Privacy Directive was passed [in 2002], advertising effectiveness decreased on average by around 65 percent in Europe relative to the rest of the world.” They argue that because regulation decreases ad effectiveness, “this may change the number and types of businesses sustained by the advertising-supporting Internet.” Regulation of advertising and data collection for privacy purposes, it seems, can affect the global competitiveness of online firms.

Regulatory efforts will be complicated by the fact that privacy is a highly subjective condition and definitions of consumer “harm” vary widely.  Many of us don’t much worry about data collection or advertising online; we merrily go along our way surfing free sites, services, and content.  But a handful of vocal pro-regulatory privacy advocates and organizations have successfully convinced many policymakers that the hyper-sensitive concerns of a small minority should trump all other considerations.

Ironically, many of those privacy advocates bash copyright law and claim it is an information control regime, yet privacy regulation would constitute a stronger information control regime by creating the equivalent of copyright for personal information (which would, in turn, conflict mightily with the First Amendment).  In essence, privacy regulations limit the right of people to talk about other people, or communicate facts about them.  This raises serious free speech concerns and has particularly troubling ramifications for press freedoms.  Restrictions on advertising could also have an effect on non-commercial speech, such as political ads or non-profit communication.

Some proposed privacy regulations, such as a “Do Not Track” mandate, would also require a re-architecting of the Internet and the potential regulation of every Web browser to ensure compliance.  If our experience with attempting to eradicate email spam through regulation proves anything, it’s that such schemes are unlikely to work given the Net’s borderless nature.

There is a better path to balancing privacy interests and economic growth than through an onerous privacy regulatory regime. Educating and empowering consumers with more, and better, privacy-enhancing tools can help alleviate much of the concern about data collection or advertising intrusiveness.  The most-downloaded add-on for both the Firefox and Chrome web browsers is AdBlock Plus, which blocks advertising on most sites. A host of other tools are available to block or limit various types of data collection, and every major browser has privacy control tools and anonymous surfing modes to help users limit data collection.

Again, because privacy is a subjective condition, not everyone takes advantage of these empowerment tools.  The crucial point, however, is that the tools exist and they need not be perfect to be preferable to government regulation, which, in this case, could decimate the “free” Internet as we know it.

Adam Thierer is a senior research fellow at the Mercatus Center at George Mason University where he works with the Technology Policy Program. Thierer covers technology, media, Internet, and free speech policy issues with a particular focus in online child safety and digital privacy policy issues. The views expressed are his own.

Advocates of regulation will credit regulators for the fact that major browser providers Microsoft and Mozilla are going after online “tracking.” In forthcoming versions of their browsers, they will provide controls that protect against unwanted monitoring even better than the controls that now exist.

When consumer advocates cluster in Washington, D.C., asking federal agencies to solve consumer issues, of course, any progress on the issues will be credited to the threat of coercion. But experiments like these have no controls.

Decisions about the qualities of goods and services are made out at the leading edge of consumer demand, where producers work to anticipate developing public interests. Meeting demand after it has been realized is a recipe for business failure because competitors getting there before the others win market share and profits. Laggards are losers.

You can tell when regulators push for something that does not match up with consumer demand as perceived in the business sector. The regulators get nowhere. That would be the FTC’s call a decade ago for a suite of regulations requiring “notice, choice, access, and security.” The current push for “tracking” controls does appear to meet up with consumer demand, and, again, the browser providers are working on it years ahead of what any regulation would have required.

I’ve put “tracking” in scare quotes because the open question is just what anyone means by the word. The report linked above notes a comment from Google, provider of the Chrome browser:

“The idea of ‘Do Not Track’ is interesting, but there doesn’t seem to be consensus on what ‘tracking’ really means, nor how new proposals could be implemented in a way that respects people’s current privacy controls,” said the company…

Maybe Google will be the laggard and loser for not moving on “tracking” as fast as its competitors. That’s one approach, while Microsoft and Mozilla will each take a different tack to the problem. The result will be an experiment that does have controls. The browser provider that meets up with consumer interests, in the consumer-friendliest way, wins. Such would not be the case if a federal regulation—yes, one-size-fits-all—determined what “tracking” was and how browsers or others would provide protection against it.

Marketplace competition will do better than any other known method for determining what “tracking” means to consumers and what to do about it. There is no privacy advocate, there is no technologist, no advocacy group, nor academic who knows what to do here.

The one thing I recommend is that do-not-track efforts should control the content of the header and the domains the browser communicates with. Simply putting a “do-not-track” signal in the header would punt the problem back to regulators and the cadre that surrounds them. This group would come up with something that satisfies itself, the regulatory community, but that does not digest and reconcile actual consumers’ competing interests in privacy, convenience, access to content, and so on.

This is a response to Nick Carr’s recent piece, “The Attack on Do Not Track,” in which he goes after me for some comments I made in this essay about the trade-offs at work in the privacy and online advertising debates.  In his critique of my essay, he argues:

What the FTC is suggesting is that the unwritten quid pro quo be written, and that the general agreement be made specific. Does Thierer really believe that invisible tradeoffs are somehow better than visible ones? Shouldn’t people know the cost of “free” services, and then be allowed to make decisions based on their own cost-benefit analysis? Isn’t that the essence of the free market that Thierer so eloquently celebrates?

My response to Nick follows.

Nick…  Did I anywhere suggest that “invisible tradeoffs are somehow better than visible ones?” I can’t remember saying that anywhere, so perhaps you can point to where I did.  I don’t think you’ll find anything when you conduct your search since I know for a fact that I have never suggested such a thing.

That being said, strict contracting and consent models are not always possible in a free market economy, even if they are ideal.  In essence, much of the history of advertising and marketing is built on the sort of “unwritten quid pro quos” you deride in your essay.  Are you against radio or television advertising on similar grounds? Print ads? Direct mail?  Billboards?  There are steps you can take to avoid advertising and marketing in those contexts, but few of us would expect any sort of formal contact and consent form to be delivered to our attention beforehand.  And opt-ing out of them entirely is very difficult.  So, while I agree that, generally speaking, “people [should] know the cost of ‘free’ services, and then be allowed to make decisions based on their own cost-benefit analysis,” let’s understand that such ideal textbook models of perfect information and informed consent aren’t always possible.

I will admit, however, that the difference with online advertising is that personal information may be collected about the consumer of the advertising in question.  That did not always occur as part of those previous advertising “quid pro quos.”  Understandably, this raises the blood pressure of those who want to “property-tize” personal information and, in essence, apply a copyright-like permissions-based regime to any collection or reproduction of such information.  Such an information control regime will be challenging to enforce, especially in light of the significant amounts of personal information that we voluntarily place online about ourselves.  [See my earlier essay, “Privacy as an Information Control Regime: The Challenges Ahead” for further discussion.]

Nonetheless, an ideal world would be one in which trade-offs were more visible and consent / contracting was easier, whether we are talking about privacy, copyrighted material, or anything else.  For example, in the context of online child safety and potentially objectionable media content, I have long argued that:

The ideal state of affairs, therefore, would be a nation of fully empowered parents who have the ability to perfectly tailor their family’s media consumption habits to their specific values and preferences. Specifically, parents or guardians would have (1) the information necessary to make informed decisions and (2) the tools and methods necessary to act upon that information. Importantly, those tools and methods would give them the ability to not only block objectionable materials, but also to more easily find content they feel is appropriate for their families.

My former colleague Berin Szoka has applied this same ‘ideal world’ model to privacy in this filing to the Federal Trade Commission:

In an ideal world, adults would be fully empowered to tailor privacy decisions, like speech decisions, to their own values and preferences (“household standards”).  Specifically, in an ideal world, adults (and parents) would have (1) the information necessary to make informed decisions and (2) the tools and methods necessary to act upon that information.  Importantly, those tools and methods would give them the ability to block the things they don’t like—annoying ads or the collection of data about them, as well as objectionable content.

Again, this would move us close to an explicit contracting / consent regime for the media content in question in both cases.  Is it desirable? You bet.  Is it possible?  Likely not.  Can we strive to get closer to the ideal state?  Yes, but not without costs. And that’s the key point I was trying to get across in my earlier essay on Do Not Track.  The trade-offs here are real and could be quite profound for online content and culture.   If we move toward a more rigorous information control regime to restrict personal information flows in the name of protecting privacy, we should not be surprised when that trade-off becomes more explicit–and expensive.

One final point.  You argue that “the suggestion that people shouldn’t be allowed to make informed choices about their privacy because some businesses may suffer as a result of those choices is ludicrous and even offensive.”  Again, I’ve already said that we can strive for more and better informed consent models, but you are pretending here it’s far simpler than it is in reality.  And I’ve already noted that the important point here is not protecting businesses, per se, but rather understanding that online content and culture is currently primarily subsidized by advertising business models that will be forcibly broken by regulation, and that we should consider the trade-offs that entails.  Finally, is there any role for personal responsibility in your view?  After all, there are steps that websurfers can take to address unwanted advertising and data collection techniques. Here’s a short list of privacy solutions that my former PFF colleagues put together.  If we expect consumers to exercise some personal responsibility to avoid unwanted content or communications in the free speech / online child safety context, why not here in the privacy context as well?

This morning, the Federal Trade Commission (FTC) released its eagerly-awaited Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. As expected, the agency has generally endorsed an expanded regulatory regime to govern online data collection and advertising efforts in the name of protecting consumer privacy.  More specifically, the agency endorsed a so-called “Do Not Track” mechanism that would supposedly help consumers block unwanted data collection or advertising.  Here’s how the agency describes it:

Such a universal mechanism could be accomplished by legislation or potentially through robust, enforceable self-regulation.  The most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements.  To be effective, there must be an enforceable requirement that sites honor those choices. (p. 66)

I’m sure we’ll have plenty more to say here about the issue in coming weeks and months (comments on the FTC report are due by Jan. 31), but we’ve already commented on this proposal here before. See 1, 2, 3.  To briefly summarize a few of those concerns:

• Ironically, depending on how it’s implemented, a “Do Not Track” mechanism could potentially require individuals to surrender more personal information about themselves to companies or the government for purposes of authentication and enforcement of the rule.
• It would also require a re-architecting of the Internet and the potential regulation of every web browser to ensure compliance.  This will give the FTC and other lawmakers far greater control over the Internet’s architecture.
• For that reason, one can easily imagine would-be Net censors using the “Do Not Track” mechanism being used as a blueprint to regulate other types of online speech.
• One also wonders if mandatory browser controls opens up a potential new back-door for government surveillance snoops to exploit.
• Most importantly, if “Do Not Track” really did work as billed, it could fundamentally upend the unwritten quid pro quo that governs online content and services:  Consumers get lots of “free” sites, services, and content, but only if we generally agree to trade some data about ourselves and have ads served up.  After all, as we’ve noted many times before here, there is no free lunch. The cornucopia of seemingly free services and content at our fingertips didn’t just fall to Earth like manna from heaven.  Data collection and advertising made that all happen.  If we undercut this goose that lays the Internet’s golden eggs, consumers could see charges on many services that they currently pay little to nothing for.  Do you want to pay $20 a month for your favorite social networking site?  A dime per search on your preferred search engine?  Well, that’s the future that could await us if we continue down this regulatory road.

Again, more analysis to come.

Chris Soghoian has responded to my recent post lauding his Targeted Advertising Cookie Opt-Out (or “TACO” – documented and downloadable here). We’re agreed in the main on user empowerment. The interesting stuff is on the margin: He disagrees with me that blocking third party cookies as I do (and he does too) is a satisfactory approach to suppressing tracking by advertisers.

There are a couple of points worth making about the discussion.

The first has to do with our slightly differing objectives. Chris is deeply focused on advertisers and his dislike of being tracked by advertisers. Though it is not absolute, I have a preference against tracking by anyone other than sites that I know, like, and trust. I’m no more worried about advertisers than any entity that would track my surfing – and there are many.

Again, TLF readers, I ask you to try setting your browser to query you before setting cookies. It’s a real insight into the dozens of entities getting a look at you as you surf, including a bunch of social networks and news sites.

If “advertisers” are what you seek to harness, that seems like a group that can be captured through some kind of centralized control mechanism. (I don’t think it actually is.) But if your goal is privacy as against all comers, you don’t attempt to centrally plan or decide who is good and who is bad. Responsibility rests with the end user.

Let the goal be “advertisers,” though. And I ask: Those social networks and news aggregators – are they “advertisers”? If you’re going to require a subset of Web communicators to obey opt-out cookies, you have to be able to define that subset – a problem Chris doesn’t seem to have thought about yet.

Lots of different publishers, sites, and networks have data that is entirely fungible with the tracking data advertisers collect. What do you get if you push down on the “officially advertisers” part of the balloon? Workarounds.

But I’ve backed into the second point – the means to these ends. Chris soft-pedals how he would get at tracking, but as far as I can tell it’s a law that says “advertisers” have to obey opt-out cookies.

Unlike all of the previous anti-advertising technologies, the opt-out mechanism provides users with a way to positively affirm that they do not wish to be tracked and targeted. This opt-out cookie is something that advertisers cannot ignore.

Is it by magic that they “cannot ignore” opt-out cookies? No, it’s by law.

With the right law in place, Chris appears to believe, “[t]he Federal Trade Commission and Congress would likely take an interest” when advertisers tried to skirt opt-out cookies, using other technologies to glean information about Web surfers’ interests.

His hope is to end the “arms race” in which users have to constantly chase the shifting tactics advertisers use to track them. It’s a fair point: There is a constant, rolling change in how the Web is used by publishers, advertisers, and consumers to interact and trade the data each produces.

That is an “arms race” only if you’ve adopted the rigid, war-like stance that tracking by advertisers is inherently wrong. It’s not. Berin and Adam, who have done a lot more work than me on this lately, have done a good write-up of the subtleties. What Chris calls an “arms race” is better thought of as a constantly unfolding negotiation among all parties about the terms of the content-for-advertising bargain.

I believe, as a person who dislikes third-party cookies, that offering them to my computer in the hopes of gleaning some information is not wrong. Some people think it’s horribly wrong. Most people are indifferent.

Who’s right? Everyone and nobody. There doesn’t have to be one answer.

But should the terms of use for the Web be written by a vociferous minority (i.e. Chris) that can’t persuade the public to refuse tracking using the tools available to them? Perhaps the demand for control comes because the public won’t be persuaded.

Now that would be wrong – regulating cookies to force “protection” on a public that could seek it for itself, but won’t. That would deprive “advertisers” – we still don’t know who they are – of freedom and communications channels, it would deny publishers revenues, and it would deny consumers content they want and enjoy.

But let’s talk about arms races. Chris seeks exit from the so-called arms race on the technical and user side in favor of an arms race in the legislative and regulatory world. The law he imagines – so perfect as it resides there in his head – would have to be passed by Congress and implemented by a regulatory agency like the Federal Trade Commission.

Each of these regulatory bodies is under constant, well, “siege” by phalanxes of lobbyists, paid to advocate the views of their clients, including ” advertisers.” There is no realistic hope that Chris’ opt-out cookie law would make it through that in the form he wants. Defining what one means by “advertisers” is a gruesome task, with likely First Amendment problems. Instead of the clean bill Chris imagines, it would be perverted (from Chris’ perspective) by lobbying and special-interest influence. Remember when Congress passed a law alleging it would prevent spam?

Chris would transfer the arms race we’re in now – where consumers are in control, if apathetic – to a field where consumers are not in control and very apathetic, believing that they are protected by the government. This is the approach preferred by victims of the fatal conceit, who think that they can design society better than society can design itself. (Berin has done a terrific job of lambasting the Center for Democracy and Technology for its similarly conceited, blindly pro-regulatory armchair quarterbacking on the online advertising issue.)

Plenty of people dream about regulation that works, of course. The SEC’s failure to protect investors in the Madoff case provides one more example among many where law and regulation failed utterly to protect consumers – and by its existence encouraged their irresponsibility.

It is damaging folly to try protecting consumers from the tracking advertisers do when consumers can just as well protect themselves.

The Progress & Freedom Foundation has just launched the new Center for Internet Freedom.  CIF offers an alternative to the proliferation of advocacy groups calling for government intervention online by offering timely analyses and critiques of proposals that diminish the vital role of free markets, free speech and property rights.  We aim to drive the Internet policy debate in new directions by emphasizing a layered approach of technological innovation, user education, user self-help, industry self-regulation, and the enforcement of existing laws consistent with the First Amendment.  Such an approach is a less restrictive—and generally more effective—alternative to increased regulation.  

Here are some of the issues I’ll be working on as CIF’s Director in conjunction with my esteemed colleagues Adam Thierer, Adam Marcus, and adjunct fellows: 

• Defending online advertising as the lifeblood of online content & services, especially in the “Long Tail”;
• Emphasizing market solutions to problems of privacy protection, especially regarding the use of cookies and packet inspection data;
• Protecting online speech and expression both in the U.S. and abroad;
• Defending Section 230 immunity for Internet intermediaries;
• Opposing online taxation and legal barriers to e-commerce and digital payments, especially at the state and local levels; and
• Ensuring that Internet governance remains transparent and accountable without hampering the evolution of the Internet.

By Berin Szoka & Adam Thierer Progress Snapshot 4.19 (PDF)

Since the fall of 2008, a debate has raged in Washington over “targeted online advertising,” an ominous-sounding shorthand for the customization of Internet ads to match the interests of users.  Not only are these ads more relevant and therefore less annoying to Internet users than untargeted ads, they are more cost-effective to advertisers and more profitable to websites that sell ad space.  While such “smarter” online advertising scares some—prompting comparisons to a corporate “Big Brother” spying on Internet users—it is also expected to fuel the rapid growth of Internet advertising revenues from $21.7 billion in 2007 to $50.3 billion in 2011-an annual growth rate of more than 24%. Since this growing revenue stream ultimately funds the free content and services that Internet users increasingly take for granted, policymakers should think very carefully about what’s really best for consumers before rushing to regulate an industry that has thrived for over a decade under a layered approach that combines technological “self-help” by privacy-wary consumers, consumer education, industry self-regulation, existing state privacy tort laws, and Federal Trade Commission (FTC) enforcement of corporate privacy policies.

In an upcoming PFF Special Report, we will address the many technical, economic, and legal aspects of this complicated policy issue-especially the possibility that regulation may unintentionally thwart market responses to the growing phenomenon of users blocking online ads.

We will also issue a three-part challenge to those who call for regulation of online advertising practices:

1. Identify the harm or market failure that requires government intervention.
2. Prove that there is no less restrictive alternative to regulation.
3. Explain how the benefits of regulation outweigh its costs.

The Online Advertising Market

While there are other forms of targeted advertising based on who you are (“demographic”) or where you are (“locational”), the most important varieties are based on what you’re searching for, seeing or doing online at any particular moment (“contextual”) and the pattern of what you’re searching for, seeing or doing over time (“behavioral”). The bulk of Internet advertising falls into one or both of these last two categories, with behavioral advertising growing rapidly.

Search engines deliver contextual ads on search results pages based on the search keywords entered by a user, while third-party advertising networks (some of which also run search engines) deliver contextual ads on behalf of website operators who sell ad space to the network, with the ads displayed on each page chosen according to keywords on that page. Contextual advertising is far “smarter” than displaying the same “dumb” untargeted banner ads to every user, because the contextual ad uses keywords to “guess” what the user is interested in based on the context of each page. But the purely contextual ad network doesn’t “remember” what the user has looked at in the past, so its insights into what the user would find relevant are very limited, especially for some websites. Online behavioral advertising (OBA) solves this problem and increases the value of advertising space on all websites by targeting ads based on a “profile” of the user created by tracking websites the user has visited—as well as limiting the number of times a user is shown a particular ad.

The Perceived Harm Driving Calls for Regulation

For a decade, the basic technology behind OBA has changed little: When a user visits the typical webpage, they download not only the webpage contents but also a small piece of code that allows the website to distinguish that user’s browser from other browsers (a “cookie”)—without personally identifying the user. Some cookies are required to make sites work properly (“site cookies”) while others (“tracking cookies”) are used by the third party ad network in which that site participates to recognize that browser across multiple sites participating in the ad network, and thus create a “profile” of what the user might be interested in. Even though such profiles themselves are anonymous, many privacy advocates have pointed to four reasons why online profiling is becoming “too invasive:” (i) It is sometimes possible to infer the actual identity of the user; (ii) though all browsers allow users to opt-out of tracking by “cleaning out” their tracking cookies, a website may be able to restore deleted tracking cookies through the use of cookie alternatives such as “Flash cookies”; (iii) certain vulnerabilities in current browser design make it theoretically possible to “sniff” a user’s browsing history, cache or bookmarks; and (iv) the use of “packet inspection” by Internet Service Providers (ISPs) (instead of the use of cookies) to track online browsing amounts to illegal wiretapping.

The other concerns expressed by the advocates of regulation vary significantly. Some fear that browsing profiles could be captured by hackers, somehow associated with personally identifying information, and used for identity theft. These advocates demand limits on data retention as well as data security mandates. Others demand that users have access to their own profiles—a goal inherently in tension with data security. Most share a vague queasiness about “being tracked” and about advertising in general, while downplaying the effectiveness of self-regulation or user self-help.

Perhaps most legitimately, others fear that the real “Big Brother”—the government—will gain access to a “honeypot” of surveillance data that might be associated with individual users. A variety of other solutions have been proposed to what is, for the most part, a poorly defined problem, including a government-run “Do Not Track” registry to make it easier for users to block tracking cookies; mandating opt-in for some or all forms of profiling; and banning completely the collection of tracking data about sensitive subjects, cross-referencing of data sets, and use of packet inspection data for OBA.

The Less Restrictive Means: A Layered Approach

But how should policymakers decide which, if any, of these interventions are really necessary–or would even be effective? Ironically, those who demand immediate OBA regulation to protect user privacy are often the first to insist on less burdensome approaches whenever a policy “problem” involves purely non-commercial speech. For example, emphasizing personal and parental responsibility is often favored as the more sensible approach to dealing with free speech and child protection concerns. But, as Chapman University Law Professor Tom Bell has asked, why not apply the same standard across the board? Why not expect those especially privacy-sensitive users who object to OBA to do something about it? To the extent effective self-help privacy tools exist, they provide a means of solving policy problems that is not only “less restrictive” than government regulation but generally more effective and customizable as well. Why settle for one-size-fits-all solutions of incomplete effectiveness when users can quite easily and effectively manage their own privacy? Indeed, those who advocate personal responsibility and industry self-regulatory approaches to free speech and child protection issues should be advancing the same position with regards to privacy.

Fortunately, a wide variety of self-help tools and “technologies of evasion” are readily available to all users and can easily thwart traditional cookie-based tracking, as well as more sophisticated tracking technologies such as packet inspection. While cookie management tools that allow users to delete their cookies have been standard in browsers for some time, the latest generation of browsers incorporates far more advanced control over what kind of cookies browsers will accept from websites in the first place. Furthermore,  the extensible nature of modern browsers allows any freelance software developer who sees a way to improve a browser to do so by writing an add-on that “plugs in” to the browser using standard programming interfaces designed by each browser developer.  Many such add-ons are wildly popular, but even those users who never install a single one benefit from the acceleration of browser evolution made possible by add-ons.  We will be documenting examples of these tools in our upcoming Special Report and in an ongoing  series of blog essays.

The Benefits of Smarter Advertising

The “free” Internet economy is based on a simple value exchange: Users get access to an ever-expanding collection of content and services at no cost from websites that are able to generate revenue from “eyeballs” on their pages by selling space on their sites to advertisers, usually through ad networks. The smarter that advertising, the more free content and services it can support. This is the same value exchange that has supported free, over-the-air television and radio content for decades. The only difference is technological: Because websites can connect directly with the user, they need not rely on crude profiling tools such as Nielsen ratings.

There are larger economic benefits of smarter online advertising. First, it makes the overall economy more open and competitive by allowing small market entrants to reach consumers with messages about their products. Second, those who attack the use of packet inspection by ISPs for OBA fail to see that it is precisely the kind of “game-changer” that could disrupt Google’s currently dominant market position. Third, the involvement of ISPs in OBA could help defer broadband costs: Even if OBA revenue does not completely subsidize monthly service costs, smarter advertising could at least keep prices in check and potentially lower them significantly going forward.

But smarter advertising isn’t just about selling products or services. It is ultimately about making all kinds of speech more cost-effective. The ability to “target” listeners more narrowly also increases the ability of political and other not-for-profit speakers to communicate their messages. In short, smarter advertising means more voices, more choices, and more speech. The line between “advertising” and “content” is already blurring rapidly, as the technologies used to customize advertising are also used to customize webpages and ad networks themselves are used to deliver content.

The Larger Implications of Potential Regulation

As if reducing the advertising revenue generated by each web ad didn’t do enough to reduce the total amount of funding for free web content and services, government regulation of targeted online advertising could reduce advertising revenues even further by aggravating the problem of adblocking in two ways. First, the less relevant ads are, the more annoying users will find them, and the more likely users are to try to block them. Increased relevance is perhaps the most important remedy for adblocking and the best way to maintain the implicit value exchange that currently supports free Internet content and services

Second, regulation could short-circuit the eternal battle of technological one-upmanship between online advertisers and those users who rely on the technologies of evasion to “opt-out” of seeing ads or being tracked. Such privacy-conscious users are “free-riding” off of those users who don’t opt-out, since (at present) they generally don’t lose access to the free content and services supported by the targeted advertisements that other users do see. The user who blocks tracking, but not ads, is still free-riding off those users who don’t opt-out of tracking. On a large enough scale, such self-help has the potential to disrupt the value exchange of the Internet, just as automatic commercial-skipping has already disrupted the value exchange of television. As with all “Spy v. Spy” battles, this long-term trend is inevitable: As more sophisticated technologies of evasion are incorporated seamlessly into browsers and can be used without significantly degrading the browsing experience, their use will become increasingly mainstream. But ultimately, just as with television commercial-skipping, market forces can and will, if permitted, respond through technological means and the development of new business models. Today’s implicit quid pro quo may become, of necessity, explicit: Websites and ad networks will have to find increasingly creative ways to grant access to certain content and services for users who do not block ads or the tracking that makes ad space more valuable. Policymakers should take care not to ban such technologies or cripple such business models (e.g., through requiring opt-in), which may rely on more sophisticated forms of targeting such as the use of packet inspection data.

As users face an increasingly clear choice between (i) getting content and services for free supported by behavioral advertising and (ii) paying to receive those same services and content without tracking or even without ads altogether, policymakers will finally see whether users are really as bothered by profiling as the advocates of OBA regulation insist. Given the ongoing and widespread replacement of fee- or subscription-supported web business models with ad-supported models, it seems likely that the vast majority of consumers will continue to choose ad-supported models, including profiling.

Conclusion

The questions raised above—about the harm that supposedly requires intervention, the availability of less restrictive means, and the cost/benefit analysis of regulation—are vital considerations for the future of the Internet. Indeed, if smarter online advertising will not fund the Internet’s future, what will? As both the desire for “free” services and content and the need for bandwidth expand, OBA has the potential to offer important new revenue sources that can help support the entire ecosystem of online content creation and service innovation, while also providing a new source of funding for Internet infrastructure and making ads less annoying and more informative. That would certainly seem preferable to increased user fees or other “pay-per-view” pricing models for Internet content and services.

But looming legislative and regulatory action could stop all of that by replacing the current regime—in which the FTC merely enforces industry self-regulatory policies—with one in which the government preemptively dictates how data may be collected and used. The more enlightened approach is a “layered” approach to privacy protection that combines industry self-regulation, enforcement of industry-established privacy policies, consumer education, and user “self-help” solutions. These and other issues will be addressed in greater detail in our upcoming PFF Special Report.