The Mercatus Center at George Mason University has just released my latest working paper, “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation.” The “Internet of Things” (IoT) generally refers to “smart” devices that are connected to both the Internet and other devices. Wearable technologies are IoT devices that are worn somewhere on the body and which gather data about us for various purposes. These technologies promise to usher in the next wave of Internet-enabled services and data-driven innovation. Basically, the Internet will be “baked in” to almost everything that consumers own and come into contact with.

Some critics are worried about the privacy and security implications of the Internet of Things and wearable technology, however, and are proposing regulation to address these concerns. In my new 93-page article, I explain why preemptive, top-down regulation would derail the many life-enriching innovations that could come from these new IoT technologies. Building on a recent book of mine, I argue that “permissionless innovation,” which allows new technology to flourish and develop in a relatively unabated fashion, is the superior approach to the Internet of Things.

As I note in the paper and my earlier book, if we spend all our time living in fear of the worst-case scenarios — and basing public policies on them — then best-case scenarios can never come about. As the old saying goes: nothing ventured, nothing gained. Precautionary principle-based regulation paralyzes progress and must be avoided.  We instead need to find constructive, “bottom-up” solutions to the privacy and security risks accompanying these new IoT technologies instead of top-down controls that would limit the development of life-enriching IoT innovations.

The better alternative is to deal with concerns creatively as they develop, using a balanced, layered approach  involving many different solutions, including: educational efforts, technological empowerment tools, social norms, public and watchdog pressure, industry best practices and self-regulation, transparency, torts and products liability law, and targeted enforcement of existing legal standards as needed.

Generally speaking, patience, humility, and forbearance by policymakers is crucial to allowing greater innovation and consumer choice in this arena. Importantly, policymakers should not forget that societal and individual adaptation will play a role here, just as it has during so many other turbulent technological transformations.

This article can be downloaded on my Mercatus Center page, on SSRN, or at Research Gate. I am hoping to find a law or policy journal interested in publishing this paper soon. If you with a journal and are interested, please contact me. [UPDATE 12/3/14: This paper has been accepted for publication in the Richmond Journal of Law & Technology, Vol. 21, Issue 6 (2015).]

Finally, if you are interested in this topic, you might want to flip through these slides I prepared for a presentation on this topic that I made at the Federal Communications Commission in September:

On Thursday, it was my great pleasure to present a draft of my forthcoming paper, “The Internet of Things & Wearable Technology: Addressing Privacy & Security Concerns without Derailing Innovation,” at a conference that took place at the Federal Communications Commission on “Regulating the Evolving Broadband Ecosystem.” The 3-day event was co-sponsored by the American Enterprise Institute and the University of Nebraska College of Law.

The 65-page working paper I presented is still going through final peer review and copyediting, but I posted a very rough first draft on SSRN for conference participants. I expect the paper to be released as a Mercatus Center working paper in October and then I hope to find a home for it in a law review. I will post the final version once it is released. [UPDATE:The final version of this working paper was released on November 19, 2014.]

In the meantime, however, I thought I would post the 46 slides I presented at the conference, which offer an overview of the nature of the Internet of Things and wearable technology, the potential economic opportunities that exist in this space, and the various privacy and security challenges that could hold this technological revolution back. I also outlined some constructive solutions to those concerns. I plan to be very active on these issues in coming months.

Additional Reading

• “The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2012
• “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
• My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
• Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)
• [Video] Cap Hill Briefing on Emerging Tech Policy Issues (June 2014)

I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)

This is the second of two complimentary law review articles I am releasing this year dealing with privacy policy. The first, “The Pursuit of Privacy in a World Where Information Control is Failing,” was published in Vol. 36 of the Harvard Journal of Law & Public Policy this Spring. (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals.

However, precisely because those benefits and costs remain so remarkably subjective and contentious, I argue that we should look to employ less-restrictive solutions — education and awareness efforts, empowerment tools, alternative enforcement mechanisms, etc. — before resorting to potentially costly and cumbersome legal and regulatory regimes that could disrupt the digital economy and the efficient provision of services that consumers desire. This model has worked fairly effectively in the online safety context and can be applied to digital privacy concerns as well.

The article is organized as follows. Part I examines the use of BCA by federal agencies to assess the utility of government regulations. Part II considers how BCA can be applied to online privacy regulation and the challenges federal officials face when determining the potential benefits of regulation. Part III then elaborates on the cost considerations and other trade-offs that regulators face when evaluating the impact of privacy-related regulations. Part IV discusses alternative measures that can be taken by government regulators when attempting to address online safety and privacy concerns. This article concludes that policymakers must consider BCA when proposing new rules but also recognize the utility of alternative remedies such as education and awareness campaigns, to address consumer concerns about online safety and privacy.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and my Mercatus author page.

A Framework for Benefit-Cost Analysis in Digital Privacy Debates by Adam Thierer

Today I’ll be testifying at a Senate Commerce Committee hearing on online privacy and commercial data collection issues. In my remarks, I make three primary points:

1. First, no matter how well-intentioned, restrictions on data collection could negatively impact the competitiveness of America’s digital economy, as well as consumer choice.
2. Second, it is unwise to place too much faith in any single, silver-bullet solution to privacy, including “Do Not Track,” because such schemes are easily evaded or defeated and often fail to live up to their billing.
3. Finally, with those two points in mind, we should look to alternative and less costly approaches to protecting privacy that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.

The testimony also contains 4 appendices elaborating on some of these themes.

Down below, I’ve embedded my testimony, a list of 10 recent essays I’ve penned on these topics, and a video in which I explain “How I Think about Privacy” (which was taped last summer at an event up at the University of Maine’s Center for Law and Innovation). Finally, the best summary of my work on these issues can be found in this recent Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing.” (This is the first of two complimentary law review articles I will be releasing this year dealing with privacy policy. The second, which will be published early this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.”)

Testimony of Adam D. Thierer before the Senate Committee on Commerce, Science & Transportation hearing…

Some of My Recent Essays on Privacy & Data Collection

1. A Better, Simpler Narrative for U.S. Privacy Policy – March 19, 2013
2. On the Pursuit of Happiness… and Privacy – March 31, 2013 (condensed from Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing”)
3. Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy? – Feb. 20, 2011
4. Two Paradoxes of Privacy Regulation – Aug. 25, 2010
5. Privacy as an Information Control Regime: The Challenges Ahead – Nov. 13, 2010
6. When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed – Apr. 29, 2011
7. Lessons from the Gmail Privacy Scare of 2004 – March 25, 2011
8. Who Really Believes in “Permissionless Innovation”? – March 4, 2013 (condensed from Minnesota Journal of Law, Science & Technology law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle”)
9. The Problem of Proportionality in Debates about Online Privacy and Child Safety – Nov. 28, 2009
10. Obama Admin’s “Let’s-Be-Europe” Approach to Privacy Will Undermine U.S. Competitiveness– Jan. 5, 2011

Last week on his personal blog, Peter Fleischer, Global Privacy Counsel for Google, posted an interesting essay entitled “We Need a Better, Simpler Narrative of US Privacy Laws.” Fleischer says that Europe has done a better job marketing its privacy regime to the world than the United States and argues that “The US has to figure out how to explain its privacy laws on the global stage” since “Europe is convincing many countries around the world to implement privacy laws that follow the European model.” He notes that “in the last year alone, a dozen countries in Latin America and Asia have adopted euro-style privacy laws [while] not a single country, anywhere, has followed the US model.” Fleischer argues that this has ramifications for long-term trade policy and global Internet regulation more generally.

I found this essay very interesting because I deal with some of these issues in my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing” (Harvard Journal of Law & Public Policy, vol. 36, no. 2, Spring 2013). In the article, I suggest that the U.S. does have a unique privacy regime and it is one that is very similar in character to the regime that governs online child safety issues. Whether we are talking about online safety or digital privacy, the defining characteristics of the U.S. regime are that it is bottom-up, evolutionary, education-based, empowerment-focused, and resiliency-centered. It focuses on responding to safety and privacy harms after exhausting other alternatives, including market responses and the evolution of societal norms.

The EU regime, by contrast, is more top-down in character and takes a more static, inflexible view of privacy rights. It tries to impose a one-size-fits-all model on a diverse citizenry and it attempts to do so through heavy-handed data directives and ongoing “agency threats.” It is a regime that makes more sweeping pronouncements about rights and harms and generally recommends a “precautionary principle” approach to technological change in which digital innovation is more “permissioned.”

Put simply, the U.S. regime is reactive in character while the E.U. regime is more preemptive.  The U.S. system focuses on responding to safety and privacy problems using a more diverse toolbox of solutions, some of which are governmental in character while others are based on evolving social and market norms and responses. To be clear, law does enter the picture here in the U.S., but it does so in a very different way than it does in the E.U.  Fleischer actually explains that point quite nicely in his essay:

[W]hat is the US model?  People in the privacy profession know that the US has a dense “patchwork” model of privacy laws: every individual US State has numerous privacy laws, the Federal government has numerous sectoral laws, and numerous other “non-privacy” laws, like consumer protection laws, are regularly invoked in privacy matters.  Regulators in many corners of government, ranging from State attorneys general, to the Federal Trade Commission, and armies of class action lawyers inspect every privacy issue for possible actions.

Indeed, in my new law review article, I summarize the litany of cases the FTC has brought recently on the data security and privacy front using its authority under Section 5 of the Federal Trade Commission Act to police “unfair and deceptive” practices. State AGs are active on this front as well, and there is plenty of class action activity every time there’s a privacy or data security screw-up.

Meanwhile, public officials continue to work collaboratively with privacy advocates, corporations, and educators to develop better education and awareness-building efforts, including “best practices” on safety, security, and privacy issues.

For more details on this U.S. model, please consult pages 436-454 of my article, in which I provide a comprehensive overview of what I refer to as America’s “3-E Approach” to dealing with online safety and digital privacy concerns. The “3-Es” refer to education, empowerment, and targeted enforcement of existing legal standards. As I note in the article:

[America’s “3-E Approach”] does not imagine it is possible to craft a single, universal solution to online safety or privacy concerns. It aims instead to create a flexible framework that can help individuals cope with a world of rapidly evolving technological change and constantly shifting social and market norms as they pertain to information sharing.

But what frustrates Fleischer is that the U.S model still doesn’t translate into a simple narrative for international audiences:

How on earth do you explain US privacy laws to an international audience?  How do you explain the role of class action litigation to people in countries where it doesn’t even exist?  The US privacy law narrative is convoluted. That’s a pity, since almost all of the global privacy professionals with whom I’ve discussed this issue agree with me that the sum of all the individual parts of US privacy laws amounts to a robust legal framework to protect privacy.  (I didn’t say “perfect”, since laws never are, and I’m not grading them either.) By contrast, Europe’s privacy narrative is simple and appealing.  Its laws are very general, aspirational, horizontal and concise.  Critics could say they’re also inevitably vague, as any high-level law would have to be.  But, like the US Bill of Rights, they have a sort of simple and profound universality that has inspired people around the world.  And they are enforced (at least, on paper) by a single, identifiable, specialist regulator.

I understand the frustration Fleischer is expressing here regarding how to frame the U.S. model for broader audiences. But the crucial point here is that, as he correctly notes, “the sum of all the individual parts of US privacy laws amounts to a robust legal framework to protect privacy,” even if it is the case that we will never achieve anything near perfection when it comes to online privacy (or online safety for that matter). But it is unfortunate that Fleischer ignores the many other moving pieces at work here that are important to the U.S. system, especially the diverse array of educational and awareness-building efforts as well as the astonishing array of empowerment tools that currently exist to help user protect their privacy to the degree they desire.

Of course, it should also be obvious that the U.S. regime is never going to appeal to a global audience as much as Europe’s privacy regime for the same reason that many other U.S. policy regimes don’t appeal to certain countries or their leaders: Our systems aren’t regulatory enough in character for them! But while those top-down, centralized, preemptive regulatory regimes will almost always be more “aspirational, horizontal and concise” — and, therefore, have greater appeal to activist-minded lawmakers and regulators — that also means those regimes will likely leave less breathing room for social evolution (i.e., evolving norms about safety and privacy) and economic innovation (new digital goods and services that potentially disrupt those regulatory expectations). That has real consequences for long-term growth and overall consumer welfare.

Regardless, to the extent we need “a better, simpler narrative for U.S. privacy policy” as Fleischer suggests, I believe we can boil it down to a few words: bottom-up, evolutionary, flexible, and reactive. What this means for public policy is clear: We need diverse tools and solutions for a diverse citizenry, while leaving plenty of breathing room for ongoing innovation and the evolution of social norms and market responses. Whether it’s online safety or digital privacy, public policy should take into account the extraordinary diversity of citizen needs and tastes and leave the ultimate decision about acceptable online content and interactions to them. We should look to educate and empower citizens so that they can make decisions about their online safety and privacy for themselves so that policymakers are not constantly trying to make decisions on their behalf.

This is a model worth defending, even if it is sometimes hard to delineate its contours.  Please read my HJLPP article for a fuller exploration of that model and a defense of it.

I’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complimentary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

The new Harvard Journal article is divided into three major sections. Part I focuses on some of normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.

If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. A so-called “3-E” solution that combines consumer education, user empowerment, and selective enforcement of existing targeted laws and other legal standards (torts, anti-fraud laws, contract law, and so on), has helped society achieve a reasonable balance in terms of addressing online safety while also safeguarding other important values, especially freedom of expression.  That does not mean perfect online safety exists, not only because the term means very different things to different people, but because it would be impossible to achieve in the first instance as a result of information control complications. But the “3-E” approach has the advantage of enhancing online safety without sweeping regulations being imposed that could undermine the many benefits information networks and online services offer individuals and society.  This same framework can guide online privacy decisions—both at the individual household level and the public policy level.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and it should be available on the HJLPP website shortly. [Update 4/16: It is now live on the site.] In coming weeks, I hope to do some blogging that builds on the themes and arguments I develop in this article.

The Pursuit of Privacy in a World Where Information Control is Failing

[UPDATE 4/30/13: This article was subsequently published in Volume 65, Issues 2 of the Federal Communications Law Journal in April 2013. The links below now point to the final FCLJ version.]

The Mercatus Center at George Mason University has just released a new paper by Brent Skorup and me entitled, “Uncreative Destruction: The War on Vertical Integration in the Information Economy.”  Brent, who is the research director for the Information Economy Project at the George Mason University School of Law, and I have been working on this paper since the Spring and we are looking forward to getting it published in a law review shortly. The paper focuses on Tim Wu’s “separations principle” for the digital economy, something I’ve spent some time critiquing here in the past. Here’s the introduction from the 44-page paper that Brent and I just released:

Are information sectors sufficiently different from other sectors of the economy such that more stringent antitrust standards should be applied to them preemptively? Columbia Law School professor Tim Wu responds in the affirmative in his book The Master Switch: The Rise and Fall of Information Empires. Having successfully pushed net-neutrality regulation into the policy spotlight, Wu has turned his attention to what he regards as excessive market concentration and threats to free speech throughout the entire information economy.To support his call for increased antitrust intervention, Wu explains his view of competition in the information economy—a view that deviates substantially from current mainstream antitrust theory. First, Wu contends that “information monopolies” are pervasive in the information economy. Wu’s “monopolists” include Facebook, Apple, Google, and even Twitter. In The Master Switch and essays like “In the Grip of the New Monopolists,” Wu argues that these so-called monopolies are increasing their market power and require more aggressive oversight and regulation.Second, Wu argues that traditional antitrust analysis is not sufficient for information systems because they carry speech. He claims, “Information industries… can never be properly understood as ‘normal’ industries,”and traditional forms of regulation, including antitrust enforcement, “are clearly inadequate for the regulation of information industries.”Wu believes that because information industries “traffic in forms of individual expression” and are “fundamental to democracy,” they should be subject to greater regulatory treatment.Third, in contrast to current competition law’s focus on horizontal relationships, Wu desires a reinvigorated regulatory enforcement that addresses “the corrupting effects of vertically integrated power” in the information sectors.He is particularly concerned about private threats to free speech arising from such vertical integration.The solution, he says, is preventing vertical mergers in the information economy and the mandatory divestiture of vertically integrated companies. To implement this, Wu proposes a Separations Principle for the information economy, which would segregate information providers into three buckets, which we have labeled information creators, information distributors, and hardware makers.This article outlines Wu’s separations proposal, explains why his fears regarding vertical relationships should be rejected by regulatory and antitrust policymakers, and illustrates the legal and practical problems his Separations Principle poses. Wu justifies his Separations Principle by citing monopolies and market power in the information economy. He also advocates using U.S. antitrust authorities to enforce his Principle. We argue that the antitrust harms he fears are not present, and we highlight scholarship on the accepted benefits of vertically integrated firms. We show that Wu’s remedies are policy preferences wrapped in the language of competition law. In fact, the information economy is largely competitive and does not warrant interventionist regulatory enforcement. Since much of American economic vitality flows from the information economy and technology, policymakers should reject a radical antitrust remedy like Wu’s preemptive Separations Principle.

The paper can be downloaded from the Mercatus website, SSRN, or Scribd.

This week, we’ve seen reports in both The New York Times (“Stage Set for Showdown on Online Privacy“) and The Wall Street Journal (“Watchdog Planned for Online Privacy“) that the Obama Administration is inching closer toward adopting a new Internet regulatory regime in the name of protecting privacy online.  In this essay, I want to talk about information control regimes, not from a normative perspective, but from a practical one.  In doing so, I will compare the relative complexities associated with controlling various types of information flows to protect against four theoretical information harms: objectionable content, defamation, copyright, and privacy.

From a normative perspective, there are many arguments for and against various forms of information control.  Here, for example, are the reasons typically given for why society might want to impose regulations on the Internet (or other communications channels) to address each of the four issues identified above:

1. Content control / Censorship: We must control information flows to protect children from objectionable content or all citizens against some other form of supposedly harmful speech (hate speech, terrorist recruitment, etc).
2. Defamation control: We must control information flows to protect people’s reputations.
3. Copyright control: We must control information flows to protect the property rights of creators against unauthorized use / distribution.
4. Privacy control: We must control information flows to protect against information flows that include information about individuals.

Again, there are plenty of good normative arguments in the opposite direction, many of which are based on free speech considerations since, by definition, information control regimes limit the flow of forms of speech.  For privacy, I discussed such speech-related considerations in my essay on “Two Paradoxes of Privacy Regulation.”  But what about the administrative or enforcement burdens associated with each form of information control?  I increasingly find that question as interesting as the normative considerations.

Let’s begin with a self-evident statement about which most of us can (hopefully) agree: Information control can be complex and costly.  This was true even in the scarcity era with its physical and analog distribution methods of information dissemination.  All things considered, however, the challenge of controlling information in the past paled in comparison to the far more formidable challenges nation-states face in the digital era when they seek to limit information flows.

The movement of bits across electronic networks and digital distribution systems creates unique problems I have previously discussed in my essay on “The End of Censorship.” To recap, efforts to control information today are greatly complicated by problems associated with:

• Convergence: Media content and information distribution outlets are blurring together today thanks to the rise of myriad new technologies and competitors. These new technologies and competitors generally ignore or reject the distribution-based distinctions and limitations of the past. In other words, convergence means that media content is increasingly being “unbundled” from its traditional distribution platforms and finding many paths to the consumers. As a result of these developments, it is now possible to disseminate, find, or consume the same content / information via multiple devices or distribution networks.  In this way, convergence complicates efforts to create effective information control regimes.
• Scale: In the past, the reach of speech and information was limited by geographic, technological, and cultural / language considerations. Today, by contrast, media can now flow across the globe at the click of a button because of the dramatic expansion of Internet access and broadband connectivity.  While restrictions by nation-states are still possible, the scale of modern digital speech and content dissemination greatly complicates government efforts to control information flows.
• Volume:  The sheer volume of media and communications activity taking place today also complicates regulatory efforts. In simple terms, there is just too much stuff for regulators to police today relative to the past. As a 2002 blue ribbon panel assembled by the National Research Council to examine the regulation objectionable content concluded: “The volume of information on the Internet is so large — and changes so rapidly — that it is simply impractical for human beings to evaluate every discrete piece of information for inappropriateness.”  While it may have been possible to oversee a handful of newspapers or TV and radio stations in each community or country in the past, today’s electronic media universe is so diverse and enormous—and evolving so quickly—that content controls significantly complicate enforcement burdens.
• Unprecedented individual empowerment / user-generation of content: In this new world in which every man, woman and child can be a one-person publishing house or self-broadcaster, restrictions on viewing, listening or uploading and downloading will be become increasingly difficult to devise and enforce.   By comparison, few of those opportunities were available to the citizenry in the past.

Now, let’s go back to the four issues I identified above and think abut the implications.  In terms of content controls, defamation, and copyright, it’s fairly clear how these considerations complicate enforcement efforts.  Of course, some regulatory efforts have succeeded after governments pushed back aggressively enough, and I certainly don’t mean to suggest that governments are powerless to control information flows in the Informati0n Age.  Read through Access Controlled and you’ll find plenty of examples of how nations across the globe are doing so using various methods of control: Surveillance, centralized filtering, strict liability regimes, government ownership of key facilities / companies, etc.   Let me also make clear that  I am not entirely against all information control efforts.  Generally speaking, I want strict limits placed on governments efforts to control information flows, but I’ve also endorsed efforts to use some of these regulatory approaches to deal with child pornography and extreme forms of copyright piracy.

Anyway, I want to just make two more points here about how this relates to privacy regulation as an information control regime.  First, while I think most people understand the complexities associated with information control efforts in the content, defamation, and copyright fields, I don’t think scholars or policymakers are spending nearly enough time considering the complexities of enforcing an information control regime for privacy.  All too often, privacy advocates seem to suggest that privacy regulation will be frictionless and cost-free.  Once they jump to the assumption that privacy is a “human right,” or must be protected in the name of “human dignity,” any discussion of enforcement hassles or the costs of regulation seemingly goes right out the window.  In reality, of course, privacy regulation will have profound consequences for online sites and services by potentially undermining the goose that lays the Internet’s golden (and mostly free) eggs: online advertising and the data collection that powers it.  Again, this is somewhat secondary to my point in this essay, which is just to suggest that the complexities associated with the mechanics of information control are not being fully considered in the privacy context.  Either way, it’s time we stop pretending privacy regulation is a free lunch.

Second, I would like to suggest — but I cannot prove at this time — that enforcing a privacy information control regime will be more complex than the regimes needed to control information flows for content, defamation, and copyright.  Now how can that possibly be, you ask?  It requires a much deeper dive into the specifics of various privacy regulatory proposals, but consider two recent privacy-related regulatory regimes: a “Do Not Track” list and a “right to be forgotten.” Both sound simple enough in theory, but the details are quite devilish.

How, for example, would government go about verifying proper compliance with such regulations without also ensuring some sort of online authentication system is in place to verify people are who they say they are?  Must every browser be retooled to comply and then regulated accordingly?  What about apps downloaded on tablets or smartphones that don’t require browsers at all?  Are IP addresses “personal information” that are also subject to regulation? Which agencies are responsible for creating authentication systems, policing online data flows, and reviewing new innovations and sites to ensure they are complying?  Who in government has access to the data about individuals that is collected for such purposes, and what else are they doing with it?  What systems will need to be put into place by online operators, large and small alike, to ensure compliance?  And so on.  Enforcement problems will also be complicated by the subjectivity of privacy norms from one individual to another as well as the fact that these norms change over time (and seem to be changing quite rapidly in recent years).

Again, more research needs to be done to better document the potential costs associated with a privacy information control regime, but I would hope we could begin by accepting that fact that it is an information control regime and that it will be complicated to enforce and will have costs — both in economic and speech-related terms.  Advocates of such a regulatory regime for the Internet should at least be mature enough to admit that what they are proposing is comparable in complexity and cost to the censorship and copyright regulatory regimes they typically oppose.

Like James Gattuso, I have a lot of questions about the Federal Trade Commission’s new “Guides Concerning the Use of Endorsements and Testimonials in Advertising,” especially as they apply to bloggers. (And over at Silicon Angle, Mark ‘Rizzn’ Hopkins has been doing a great job keeping tabs on the many questions and hypothetical situations that others have been posing about the new rules). But the one thing I just can’t wrap my head around is how the FTC plans to enforce these rules against those speakers or media outlets who have print publications which are fully protected by the First Amendment.  So, I was pleased to see my favorite press critic Jack Shafer of Salon, ask the same question in his latest column on “The FTC’s Mad Power Grab”:

Because of a pesky thing called the First Amendment, the guidelines don’t apply to news organizations, which receive thousands of free books, CDs, and DVDs each day from media companies hoping for reviews. But if the guidelines don’t apply to established media like the New York Review of Books, which also happens to publish reviews on the Web, why should they apply to Joe Blow’s blog? Regulating bloggers via the FTC while exempting establishment reporters looks like a back-door means of licensing journalists and policing speech.

Exactly.  Is the FTC just going to ignore such speakers or media organizations but enforce against everyone else?  Isn’t that just a bit silly and radically unfair?  Moreover, might such a policy end up incentivizing some folks to create token print publications to get around such the regulations?  I doubt it, but you never know.

Regardless, as Shafer notes, the rules are so hopelessly open-ended and arbitrary that they are bound to pose problems for whomever they are enforced against:

The guidelines have to be read to be believed. They are written so broadly that if you blog about a good and service in such a way that the FTC construes as an endorsement, the commission has a predicate to investigate. The only way stay on the FTC’s good side is with a “clearly and conspicuously” posted disclosure of the “sponsors” who provided you with the good or service (or money) to blog about the good or service. As I read the guidelines, the FTC could investigate you if you did disclose but it was not satisfied with the disclosure.

I really do wonder if the FTC realized what they’ve gotten themselves into here.  The enforcement nightmare associated with all this cannot be underestimated.