There are a growing number of voices raising concerns about privacy rights and data security in the wake of news of data breaches and potential influence. The European Union (EU) recently adopted the heavily restrictive General Data Privacy Rule (GDPR) that favors individual privacy over innovation or the right to speak. While there has been some discussion of potential federal legislation related to data privacy, none of these attempts has truly gained traction beyond existing special protections for vulnerable users (like children) or specific information (like that of healthcare and finances). Some states, notably including California, are attempting to solve this perceived problem of data privacy on their own, but often are creating bigger problems and passing potentially unconstitutional and often poorly drafted solutions.

All states have at least minimal data breach laws and the quality of such laws both in effectiveness and impact on innovation varies. Normally states work as “laboratories of democracy” and are able to test out different regulatory schemes for new technologies with less demosclerosis than the federal process. Similarly, they are better able to account for different preferences in tradeoffs, and in some cases, they are more able to remove barriers to entry by reforming existing areas of law like licensure or products liability to accommodate a new technology. In areas like autonomous vehicles, telemedicine, and drone policy states are often leading the way to embrace these new technologies. However, a new trend in some states to formally regulate the Internet through laws aimed at data privacy or net neutrality to achieve what they perceive as failures of the federal government to act ignores the potential damage to the permissionless federal policy that made the Internet what it is today.

California has passed the California Consumer Privacy Act (CCPA) and other states are likely to follow suit. Unfortunately, these type of statutes are likely to impact innovation in a misguided attempt to correct issues with data privacy. However, these statutes could reach far beyond state borders and illustrate the potential risks of a fifty-state privacy patchwork.

These laws will likely lead to a problem in identifying what entities are covered by the privacy legislation. California’s recent CCPA defines those who are required to comply so ambiguously that a reasonable interpretation would imply the law applies so long as a single user is a resident of California whether they are accessing the website from California or not and no matter if the website purposefully avails itself of California or not.

State laws also unintentionally make it more difficult for small, local companies to compete with Internet giants. Large companies like Google and Facebook can afford the cost of additional compliance but it is more difficult for smaller and mid-size companies to cover such costs. As a result, if they are able to comply they often are more limited in their ability to fund future innovation as they instead invest resources in compliance. In a world of state based privacy laws, it’s inevitable that some would impose contradictory standards and as a result might actually make it worse rather than better as companies pick and choose which states to comply with. What is already playing out in Europe where small and mid-size companies are choosing to exit the market rather spend the cost in complying with new restrictions could play out for states with more restrictive data requirements. And it’s not just fledging startups that have difficulty, the L.A. Times and Chicago Tribune have been unavailable to Europeans since GDPR became effective as they had not completed compliance by the May deadline. In some cases companies have founded it easier to block or exclude effected users than to comply with onerous data restrictions.

In some cases, states making exceptions for companies below a certain number of user also may discourage investment at a certain point. For example the CCPA kicks in at 50,000 users. As a result there is a large marginal costs for gaining 50,001 ^st user as compliance with the standards are immediately required. This might lead to caps on certain newer platforms or encourage innovators to look for loopholes to avoid the high cost of compliance early on.

But even if states were able to create a sort of interstate compact that created an effectively uniform state level set of privacy laws, it would still be an inappropriate use of federalism for the state to govern data privacy due to its de facto impact on interstate commerce and the First Amendment.

The Internet by its very nature transcends states borders and any state laws aimed at impacting privacy are likely to have national and global impact. This is not what is intended by federalism and not just the case for states like California with a significant amount of tech companies. If there are 50 different state laws than new online intermediaries will have  develop 50 different compliance policies or the most restrictive state will become the de facto standard for everyone left in the industry. As Jeff Kosseff points out, a world of 50 variations of the same privacy law based on users would require out-of-state content creators would likely require significant changes to their existing systems and place an undue burden on content creators and users.

Additionally, there are legitimate concerns about the First Amendment rights to share information that may be in conflict with the way privacy rights are enforced under proposed laws. Requiring otherwise lawful content to be removed silences the speaker. For example, if a friend posts a picture from a party that includes you and you ask all your data be removed is that data yours or your friends. To remove the data would silence a speaker and value one individual’s right to privacy over another’s right to speak. In some cases it seems such tradeoffs could be reasonable such as speech that is not just merely offensive but causes clear harm to the person it is about such as revenge porn, but in many cases it is far less clear. Unfortunately when faced with the crippling potential sanctions of such laws, many companies take a remove first question second approach as has been seen with copyright under the Digital Millennium Copyright Act (DMCA).

While there is a growing voice for data privacy, there seems to be little willingness on the part of consumers or regulators to make such tradeoffs. The so called “privacy paradox” where people do not undertake the necessary actions to match with their stated desire for increased data privacy and many willingly admit they prefer the convenience they receive in exchange for their data. If action on data privacy is necessary, it should occur at a federal level to avoid the patchwork problems that would result from inconsistent state laws. Any law must be narrowly tailored to respect the First Amendment rights of both users and platforms. We also must be aware of the tradeoffs that we are making between innovation and privacy when we see calls for a US GDPR. At the same time we should be concerned that as a result of the heavy burden of compliance with GDPR, a more regulated Internet where only those who can afford to comply survive may replace the permissionless start-up American driven version.

While federal preemption may be needed to address a patchwork of state privacy laws, we should be cautious and seek to avoid the mistakes of GDPR type privacy laws that place a value on individual privacy above innovation and knowledge sharing. Simple steps in providing more transparent information and requirements for notification are more likely to allow individuals to make the privacy choices that best fit their needs.

A privacy patchwork of state based “solutions” is likely to create more problems than it solves. The real solutions to our current dilemmas will come from conversations about how we balance the rewards of innovation with individual preferences for privacy.

Congress passed joint resolutions to rescind FCC online privacy regulations this week, which President Trump is expected to sign. Ignore the hyperbole. Lawmakers are simply attempting to maintain the state of Internet privacy law that’s existed for 20-plus years.

Since the Internet was commercialized in the 1990s, the Federal Trade Commission has used its authority to prevent “unfair or deceptive acts or practices” to prevent privacy abuses by Web companies and ISPs. In 2015, that changed. The Obama FCC classified “broadband Internet access service” as a common carrier service, thereby blocking the FTC’s authority to determine which ISP privacy policies and practices are acceptable.

Privacy advocates failed to convince the Obama FTC that de-identified browsing history is “sensitive” data. (The FTC has treated SSNs, medical information, financial information, precise location, etc. as “sensitive” for years and companies must handle these differently.) The FCC was the next best thing and in 2016 they convinced the FCC to say that browsing history is “sensitive data,” but it’s sensitive only when ISPs have it.

This has contributed to a regulatory mess for consumers and tech companies. Technological convergence is here. Regulatory convergence is not.

Consider a plausible scenario. I start watching an NFL game via Twitter on my tablet on Starbucks’ wifi. I head home at halftime and watch the game from my cable TV provider, Comcast. Then I climb into bed and watch overtime on my smartphone via NFL Mobile from Verizon.

One TV program, three privacy regimes. FTC guidelines cover me at Starbucks. Privacy rules from Title VI of the Communications Act cover my TV viewing. The brand-new FCC broadband privacy rules cover my NFL Mobile viewing and late-night browsing.

Other absurdities result from the FCC’s decision to regulate Internet privacy. For instance, if you bought your child a mobile plan with web filtering, she’s protected by FTC privacy standards, while your mobile plan is governed by FCC rules. Google Fiber customers are covered by FTC policies when they use Google Search but FCC policies when they use Yelp.

This Swiss-cheese approach to classifying services means that regulatory obligations fall haphazardly across services and technologies. It’s confusing to consumers and to companies, who need to write privacy policies based on artificial FCC distinctions that consumers disregard.

The House and Senate bills rescind the FCC “notice and choice” rules, which is the first step to restoring FTC authority. (In the meantime, the FCC will implement FTC-like policies.) 

Considering that these notice and choice rules have not even gone into effect, the rehearsed outrage from advocates demands explanation:  The theatrics this week are not really about congressional repeal of the (inoperative) privacy rules. Two years ago the FCC decided to regulate the Internet in order to shape Internet services and content. The leading advocates are outraged because FCC control of the Internet is slipping away. Hopefully Congress and the FCC will eliminate the rest of the Title II baggage this year.

The details of Tyler Clementi’s case are slowly revealing themselves. He was the Rutgers University freshman whose sex life was exposed on the Internet when fellow students Dharun Ravi and Molly Wei placed a webcam in his dorm room, transmitting the images that it captured in real time on the Internet. Shortly thereafter, Clementi committed suicide.

Whether Ravi and Wei acted out of anti-gay animus, titillation about Clementi’s sexual orientation, or simply titillation about sex, their actions were utterly outrageous, offensive, and outside of the bounds of decency. Moreover, according to Middlesex County, New Jersey prosecutors, they were illegal. Ravi and Wei have been charged with invasion of privacy.

This is what invasion of privacy looks like. It’s the outrageous, offensive, truly galling revelation of private facts like what happened in this case. Over the last 120 years, common law tort doctrine has evolved to find that people have a right not to suffer such invasions. New Jersey has apparently enshrined that right in a criminal statute.

The story illustrates how quaint are some of the privacy “invasions” we often discuss, such as the tracking of people’s web surfing by advertising networks. That information is not generally revealed in any meaningful way. It is simply being used to serve tailored ads.

This event also illustrates how privacy law is functioning in our society. It’s functioning fairly well. Law, of course, is supposed to reflect deeply held norms. Privacy norms—like the norm against exposing someone’s sexual activity without consent—are widely shared, so that the laws backing up those norms are rarely violated.

It is probably a common error to believe that law is “working” when it is exercised fairly often, fines and penalties being doled it with some routine. Holders of this view see law—more accurately, legislation—as a tool for shaping society, of course. Many of them would like to end the societal debate about online privacy, establishing a “uniform national privacy standard.” But nobody knows what that standard should be. The more often legal actions are brought against online service providers, the stronger is the signal that online privacy norms are unsettled. That privacy debate continues, and it should.

It is not debatable that what Ravi and Wei did to Tyler Clementi was profoundly wrong. That was a privacy invasion.

Progress Snapshot 5.10 from The Progress & Freedom Foundation

A recent telephone poll conducted by professors at Berkeley and the University of Pennsylvania concluded, “Contrary to what many marketers claim, most adult Americans (66%) do not want marketers to tailor advertisements to their interest.” The study’s authors claim that their poll is the “the first nationally representative telephone (wireline and cell phone) survey to explore Americans’ opinions about behavioral targeting by marketers.” They also assert that the poll indicates that “if Americans could vote on behavioral targeting today, they would shut it down.” Advocates of regulating online data collection have trumpeted this poll as evidence consumers demand legislation to protect their privacy. “This research gives the F.T.C. and Congress a political green light to go ahead and enact effective, but reasonable, rules and policies,” declared Jeff Chester, a leading critic of online advertising.

But what is most surprising about this poll is not that 66% of users said they do not want tailored online ads, but that 34% of users said they did! The key, initial question of “whether or not you want the websites you visit to show you ads that are tailored to your interests,” presents no trade-off. The fact that anyusers said “yes” indicates that many users paused to do the rough mental math about the unarticulated trade-off between the benefits of receiving tailored ads and the costs of that tailoring.

The methodology of opinion polls necessarily affects respondents’ mental calculations, rendering polls not just easily manipulated, but inherently unreliable as indicators of real preferences. Every poll reflects the bias of its authors to some degree by the way questions are worded, the order in which they are asked, the sample surveyed, etc. The easiest way to bias the results of a poll is to omit any mention of the trade-offs at issue. This poll simply buried the issue of trade-offs in a heavily loaded follow-up question: After telling respondents that marketers “often use technologies to follow the websites you visit and the content you look at in order to better customize ads,” the interviewer asked whether the respondent would allow advertisers to “follow [them] online in an anonymous way in exchange for free content.” Only 10% of users said they would allow this voluntary exchange.

What does this tell us about whether, and how, government should further regulate online advertising? Precious little: Not only does this poll overstate the costs of targeted advertising, understate its benefits, and ignore the tools available to users to address their privacy concerns but, like any opinion poll, this one tells us more about the psychology of decision-making under the artificial uncertainty of polls than about the choices users would actually make in the real world.

User Uncertainty About Concepts Like “Tailoring” and “Following”

Even the word “tailoring”—though benign compared to other words the study’s authors could have used ( e.g., “track,” “monitor,” “record”)—is so vague as to leave respondents wondering what it really entails. One can only speculate as to what users thought the word meant (since the poll did not ask), but it seems likely that some of these scarier words probably flashed through the minds of respondents in the instant before they answered the question. Indeed, the word “tailoring” conflates both the costs and benefits of personalized advertising in a single, vague word. Given this ambiguity, it’s hardly surprising that most users would say “no”—not just to receiving tailored advertising (66%), but also to receiving tailored discounts (49%) and news (57%). If users had been asked about receiving “relevant” (rather than “tailored”) ads, the responses probably would have turned out somewhat differently—just as an additional 17% of users agreed to receiving tailored “discounts,” whose value to users is more readily apparent: saving money on potential purchases.

The second set of questions asked users whether it “Would be OK… if these ads [discounts/news] were tailored for you based on following what you do on the website you are visiting… [24% said yes] OTHER websites you have visited… [34% said yes] and OFFLINE—for example, in stores? [25% said yes].” Again, the term “follow” was not defined. A third set of questions explained to respondents that marketers “often use technologies to follow the websites you visit and the content you look at in order to better customize ads.” The interviewer then asked whether the respondent would “definitely allow, probably allow, probably NOT allow, or definitely not allow advertisers” to “follow you online in an anonymous way in exchange for free content”—and only 10% of users said yes. Thus, it appears that users are more, not less, hostile to tailored advertising when reminded of the trade-offs involved (35% yes in the first set of questions, 10% yes in the third). What explains this paradox?

The most obvious explanation is that, by the time the respondent got to the critical question about “allowing” tailored advertising, they had heard the word “follow” at least five times: once in each of the three questions about whether tailoring was OK, once in the introduction about how marketers customize ads and once in the question itself—each time increasing uncertainty as to how “tailoring” really works and more than negating any suggestion of “anonymity.” Furthermore, asking users whether something should be “allowed” implies that there are undisclosed reasons why it should not be. This much is simple psychology—obvious to anyone who wanted to craft a poll that would support a particular regulatory agenda.

But behavioral economics research tells us something even more profound about the way our brains work: human beings hate making choices, and loathe uncertainty even more. Indeed, such “mental accounting” or “mental transaction” costs appear to be the primary reason why, after a decade of efforts to develop a micropayments system that can fund online content and services, no such system has emerged—and thus why Internet publishers instead rely primarily on advertising revenues ($23.5 billion in 2008) to fund “free” offerings for consumers. In this case, merely forcing consumers to consider the costs of “tailoring” and being “followed,” and decide whether these things are “OK” or should even be “allowed” strongly tips the scales in favor of the outcome desired by the study’s authors because these considerations and decisions are significant psychological costs in themselves, which likely outweigh the diffuse benefits of tailored advertising, which users simply do not appreciate.

Indeed, the scale tips so strongly that the study suggests that 73% of Americans object to having ads tailored based on “what you do on the website you are visiting.” Would not this objection apply to purely contextual advertising “tailored” to the keywords entered by a user in a search engine or to the keywords that appear on a particular page to which a user has navigated within a site? If so, this study isn’t just about the bogeyman of “behavioral” advertising, but about essentially all online advertising, which is to some degree “tailored.” Indeed, must lawmakers protect us from the tailoring of news (71%) and discounts (62%) within websites? Or, if data collection is the real harm to consumers, what about the fact that hundreds of millions of people happily share far more personal information every day on social networks or using grocery discount cards? Opinion polls simply cannot answer these questions.

The Direct Benefit of Tailored Ads: Relevance

Whatever Americans tell pollsters about “tailored” ads, they also complain about irrelevant ads: A previous poll found that 72% of consumers “find online advertising intrusive and annoying when the products and services being advertised are not relevant to [their] wants and needs” and 85% say that less than 25% of the ads they see while browsing online are relevant to their wants and needs. Real-world experiments confirm that users reveal a clear preference for more relevant advertising. In a 2004 experiment, click-through rates (CTR) for behaviorally targeted ads were between 94% and 225% higher than for contextually targeted ads. A 2009 study found that the difference could be between 670% and 1000% percent, depending on how well-tailored the ads were. In other words, users in the real world were two to eleven times more likely to click on highly-tailored ads. Truly, actions speak louder than words: Users clearly “vote with their clicks” for ads they find relevant—i.e., they vote for “tailoring.”

Further reinforcing this conclusion is the fact that better tailoring increases not only click-through rates but also “conversion rates”—the percentage of users who actually complete the action desired by the advertiser, whether that be making a purchase or signing up for a list. A 2008 experiment found increased conversion rates of 400-900% (2008). This indicates that relevant ads really do help consumers find things they like—and that they like the fruits of tailoring, however they respond when asked about “tailoring” as an abstract concept that conflates costs (“How are they following me?”) and benefits (“What’s in it for me?”).

The Indirect Benefit of Tailored Ads: Free Content & Services

Even less apparent to poll respondents than the direct benefit of tailoring (increased relevance) are the indirect benefits: In particular, greater relevance to the user means more effective communication for the advertiser, and increased ad revenue for most online publishers per ad on their sites. Thus, there exists a clear quid pro quo: in effect, users “pay” for content and services by sharing information about their interests. Even more fundamentally, users “pay” for content by seeing ads. But both quid pro quos are implicit: Users can simply choose not to “pay” by using readily available tools in their browser to blocking ads and/or tracking. In essence, today’s system allows users who don’t like ads—tailored or otherwise—to opt out at little or no cost, much as if they simply decided not to pay for a product they bought at their local grocery store.

This creates a serious dilemma, given that advertising increasingly stands alone as the lifeblood of online content and services. Indeed, ads have long funded the costs of generating content for radio, television, and newspapers (with subscriptions paying only for distribution). The basic reason is simple economics: In competitive markets, prices tend to fall to the marginal cost of production. The Internet has simply borne this theory out in full:

1. Producing the first unit of content (e.g., a news story or video) remains costly, so while the marginal cost of every additional unit is essentially zero,average cost is not.
2. The failure of micropayments online seems to confirm that, no matter how low the technological transaction costs are, the mental transaction costs involved combined with even tiny payments will exceed the perceived value of most content.
3. The world of media scarcity in which consumers could choose from only a few sources of content (e.g., news, entertainment) has given way to a world of staggering media abundance and the choices of users are no longer constrained by the tyranny of physical limitations like distance and printing costs.
4. Because pure information cannot be copyrighted (and fair use allows significant referencing and quotation), very little content is so unique that users cannot find a ready substitute elsewhere if a site (or even cartel of sites) attempted to charge.

These forces have given birth to the world of “Free,” where few (if any) users will pay for something they can get for nothing. While there are a number of ways to fund content and services, advertising is far and away the leading business model for the new economy: Indeed, overall advertising market is expected nearly to double its share of total U.S. ad spending from 8.7% in 2008 ($23.4 billion) to 15.2% ($37.2 billion). But with 44% of advertising revenue going to search engines (which show highly “tailored” ads simply based on search terms), hundreds of thousands of publishers—from the mightiest to the tiniest—rely on $7.6 billion (33% of the total) in “display” ad revenue. Yet this base is tiny: Most websites earn a fraction of the revenue generated by offline ads: roughly $0.60 to $1.10 per thousand impressions (CPM) online versus average CPMs of $4.54 (radio) to $10.25 (broadcast). This unprofitability of online advertising, and the fact that certain kinds of online content (e.g., video and online services) does not provide the textual keywords necessary for basic contextual targeting is driving publishers to ad networks that offer behavioral targeting, which is expected to grow from $525 million in 2007 to $4.4 billion in 2012—when it will represent 25% of all display ad spending.

In short, advertising is indispensable to the future of online media, but it is also currently inadequate to sustain “Free” culture. As Adam Thierer and I warnedearlier this year: “The advocates of regulation pay lip service to the importance of advertising in funding online content and services but don’t seem to understand that this quid pro quo is a fragile one: Tipping the balance, even slightly, could have major consequences for continued online creativity and innovation… Something must give because there is no free lunch.” In 2001, long before Google mattered and before he worked for them, Kent Walker (now Google’s general counsel) put it best in a seminal law review article:

Privacy is both an individual and a social good. Still, the no-free-lunch principle holds true. Legislating privacy comes at a cost: more notices and forms, higher prices, fewer free services, less convenience, and, often, less security. More broadly, if less tangibly, laws regulating privacy chill the creation of beneficial collective goods and erode social values… Such regulation would likely increase both direct and indirect costs to the individual consumer, reduce consumer choice, and inhibit the growing trend of personalization and tailoring of goods and services.

Thus, as Jim Harper and Solveig Singleton concluded in their 2001 paper With a Grain of Salt: What Privacy Surveys Don’t Tell Us:

privacy surveys in particular… suffer from the “talk is cheap” problem. It costs a consumer nothing to express a desire for federal law to protect privacy. But if such law became a reality, it will cost the economy as a whole, and consumers in particular, significant amounts that surveys do not and cannot reveal.

We Need a Behavioral Economics Experiment, Not Just Another Poll

The Berkeley-Penn poll could certainly have done more to present these trade-offs to respondents and less to color their responses by inflating mental transaction costs. But even the most “fair” poll cannot meaningfully simulate the trade-offs inherent in the real world. If we really want to know how muchsubjective value consumers place on a particular aspect of their privacy, we must look to the preferences they reveal in the process of making real choices.

Of course, the best experiment is the one being conducted in the real world every day. No laboratory experiment can ever fully replicate all of the conditions of the real world, but a behavioral economics experiment could tell us more about the revealed preferences of Internet users than any poll. Unlike the real world, an economist could vary certain conditions in a lab experiment to tell us how various changes to current industry practice, user empowerment, or user education might actually affect real consumer choices. At a minimum, any experiment would require the following to inform policymaking about online advertising and privacy.

First, the experiment should vary the mechanisms by which notice is provided to users as to how tailoring works ( e.g., placement, interface, wording) and what those notices actually say.

Second, test subjects must make real choices in real use of the Internet with trade-offs in real money and their own time between either paying for access to a particular site or getting access for free in exchange for receiving tailored ads based on at least the three variables presented as questions in the Berkeley-Penn study: (i) users’ browsing activity on that site; (ii) their browsing activity on other sites; and (iii) offline activity or demographic information.

The second variable is critical because it addresses the value created by behaviorally tailored ads, which could be wiped out by regulation. Search engines are able to sell highly effective advertising based solely on information provided directly to the site (search keywords, which are highly indicative of user interest), and some sites can sell lucrative advertising based on purely contextual targeting because their content contains keywords that advertisers value highly ( e.g., a site for digital camera enthusiasts). But the vast majority of websites, and especially non-commercial websites, would produce little ad revenue if advertisers could only guess at the likely interests of visitors based on the keywords on that site. This, in a nutshell, is why so many sites stand to gain so much from behavioral targeting—particularly in the Internet’s “Long Tail.” To be useful, an experiment must reflect this dynamic.

In the real world, of course, it might be possible for the user to opt-out of tracking without losing access to content because today’s quid pro quo is implicit and most sites operate on a “No Cost Opt-Out” basis for tracking and even seeing ads. But in order to tell us how much consumers really care about tracking, the experiment must place some value on access to content that is supported by free content and services.

Third, the experiment must examine the extent to which user empowerment affects user choice: If some users are uncomfortable with having their browsing activity tracked, is it because they are concerned about all tracking or only tracking of certain sensitive activities, such as researching medical issues or—everyone’s favorite—viewing pornography? How does the availability of privacy management tools change user choices about ad-tailoring? Do Americans really want tailoring banned, or do they just want the ability to exercise easy choice about when they want to participate? How would those choices change when they come at a cost (e.g., seeing more ads) and privacy-sensitive users cannot simply free-ride off the value created by users whodon’t opt-out of targeted advertising (and also don’t block ads)?

Such an experiment would, by its very nature, be imperfect—but far less imperfect than any poll about opinions on privacy. Until a proper experiment is conducted by trained behavioral economists, all we can say with confidence is the following:

1. Users don’t understand exactly how ads are tailored;
2. Users seem to be concerned about “tailoring” or “following” in the abstract;
3. Users are generally unwilling to pay for online content and services; and
4. Better tailoring of ads means more funding for content and services.

There is only one approach that can address all these concerns: educate users about how online advertising works and how they can implement their own privacy preferences, while constantly striving to further empower users to make privacy management easier.

In response to Professor Jonathan Zittrain’s op-ed in The New York Times last Monday about online privacy and open platforms (which Adam thoroughly refuted last week) I have a letter to the editor in today’s The New York Times:

To the Editor: Re “Lost in the Cloud” (Op-Ed, July 20): In discussing the privacy risks that have accompanied the growth of the Internet, Prof. Jonathan Zittrain rightly bemoans the willingness of governments to violate individuals’ privacy rights. Unfortunately, he proposes new legal restrictions that would stifle online innovation while doing little to enhance consumer privacy. Mr. Zittrain proposes a “fair practices law” that would require companies to release personal data back to users upon request. Such a rule may sound workable, but purging specific data across globally dispersed server farms is no simple endeavor. Who is to pay for the implementation of such privacy procedures — especially for free services like Facebook or Twitter that have yet to turn a profit? A better approach to online privacy is to educate users on safeguarding personal information. Ultimately, however, the only foolproof approach to protecting sensitive data online is to simply not disclose it.

To clarify my last point, I don’t think that universal nondisclosure of sensitive data online is necessarily a wise approach to privacy. Rather, my point is that it’s important to remember that transmitting data on the Internet — a very public network — entails some degree of risk, no matter how strong the encryption or how diligent the party at the other end. And free services like Facebook and Twitter are all about making personal information public — they simply aren’t designed to provide ironclad data security or anything remotely resembling it. Other online services, like bank websites or enterprise-grade Web collaborative tools, are able to offer far stronger privacy assurances backed by strong terms of service. Privacy is not a black and white matter. It involves shades of gray, which is one reason why legislation is such an ineffective means of dealing with privacy challenges.

FTC Chairman Jon Leibowitz warned yesterday that companies involved in Web advertising face their “last chance” to “voluntarily” adopt stricter policies governing the use and collection of consumer information, Reuters reports. This isn’t the first time the FTC has threatened the advertising industry with regulation, but it signals a sense of immediacy that may pressure industry leaders to change their practices in coming weeks.

Leibowitz presumably wants to quell widespread concern that Internet companies like Google and AT&T have “excessive control” over consumer information. But what’s excessive about using information that individuals have voluntarily handed over for marketing purposes, subject to legally enforceable rules laid out from the get-go?

Users ultimately control their data, not firms. After all, only data that users transmit can be collected. When a user visits a website, their IP address may be recorded, and when a user submits a query to a search engine, the search term can be logged. This is how the Internet has always worked.

Not all consumers understand what information is gathered about them as they browse online. The best way to protect such users is not through regulation, but by educating — and, therefore, empowering — users. Volumes have been written on privacy and data security, and the ongoing TLF series “Privacy Solutions” offers a growing body of tips on how consumers can achieve the level of privacy that suits them.

Understandably, some people are uncomfortable with their queries being logged, and would prefer that websites simply not track any data. Some sites are willing to do just that — Cuil, a search engine launched in 2008, promises to never log IP addresses or even use cookies (as Jim has noted). Other anonymity solutions rely on secure virtual tunnels that can mask users’ actual IP addresses.

Still, no matter what the FTC does, transmitting data in plaintext over the Internet will never be truly “safe.” Robust end-to-end encryption is the only surefire method of ensuring information cannot be seen by anybody except the sender and the recipient. Even then, information is only as safe to the extent that the party at the other end of the line can be trusted.

Any new FTC mandates on data collection would almost certainly impose a privacy ceiling that would offer some, if not most, people too much privacy. This may sound impossible at first, but think of people who document their every move on Twitter, open for the world to see. Different people have wildly different privacy preferences, and there is no way a single set of rules-however well-conceived-could satisfy everyone.

Privacy mandates will place shackles on the still-young Internet advertising industry, stifling promising opportunities for making money from online content. Strict rules governing data collection will deprive publishers — especially small ones — of ad revenue at a time when it is sorely needed. Rigid mandates will also prolong “dumb” Web ads by delaying the evolution of targeting technologies capable of making advertisements more relevant and, therefore, more interesting to users.

Online advertising is the lifeblood of Web content, as Berin, Adam, and others have explained time and time again. The alternative to advertiser subsidies — charging consumers for access to content — has proven relatively unpopular with consumers. Who wants to take out their credit card when all content creators pine for is a pair of eyeballs?

Advertising will fuel the growth of online content, but only if regulators let the market work.