I wanted to draw your attention to yet another spectacular speech by Maureen K. Ohlhausen, a Commissioner with the Federal Trade Commission (FTC). I have written here before about Commissioner Ohlhausen’s outstanding speeches, but this latest one might be her best yet.

On Tuesday, Ohlhausen was speaking at U.S. Chamber of Commerce Foundation day-long event on “The Internet of Everything: Data, Networks and Opportunities.” The conference featured various keynote speakers and panels discussing, “the many ways that data and Internet connectiviting is changing the face of business and society.” (It was my honor to also be invited to deliver an address to the crowd that day.)

As with many of her other recent addresses, Commissioner Ohlhausen stressed why it is so important that policymakers “approach new technologies and new business models with regulatory humility.” Building on the work of the great Austrian economist F.A. Hayek, who won a Nobel prize in part for his work explaining the limits of our knowledge to plan societies and economies, Ohlhausen argues that:

regulators face a fundamental knowledge problem that limits the effective reach of regulation. A regulator must acquire knowledge about the present state and future trends of the industry being regulated. The more prescriptive the regulation, and the more complex the industry, the more detailed knowledge the regulator must collect. But, regulators simply cannot gather all the information relevant to every problem. Such information is widely distributed and therefore very expensive to collect. Even when a regulator manages to collect information, it quickly becomes out of date as a regulated industry continues to evolve. Obsolete data is a particular concern for regulators of fast-changing technological fields like the Internet of Things. This knowledge problem means that centralized problem solving cannot make full use of the available knowledge about a problem. Therefore, centralized regulation generally offers worse solutions when compared to distributed or emergent constraints such as social norms.

She continued on to explain the dangers of “precautionary principle” thinking as applied to new technologies, noting that, far too often, policymakers seek to impose preemptive, top-down controls on new sectors and technologies based on “concern over largely hypothetical future harms.” That’s a point I have stressed repeatedly in my own work on the importance of “permissionless innovation.” As I note in my book of the same title, living in constant fear of worst-case scenarios—and premising public policy upon them—means that best-case scenarios will never come about. When public policy is shaped by precautionary principle reasoning, it poses a serious threat to technological progress, economic entrepreneurialism, social adaptation, and long-run prosperity.

What’s the better alternative to precautionary controls to address potential risks? As Commissioner Ohlhausen noted in her speech to the Chamber of Commerce, regulators should “focus on identifying and addressing real, not speculative, consumer harm.” She explains how the FTC already has the tools to do so:

At the FTC, this focus is part of our statute. Congress charged us in Section 5 of the FTC Act with preventing deceptive or unfair acts and practices. Deceptive acts violate Section 5 only if they are material – that is, if they actually harm consumers. And practices are only unfair if there is a substantial harm that consumers cannot avoid and that outweighs any benefits to consumers or competition. In both cases, the law concerns itself with addressing actual consumer harms. Likewise the FTC carefully evaluates consumer welfare (or, its corollary, consumer harm) when it exercises its antitrust authority.

Importantly, she noted, the focus in this regard is on  ex post enforcement, not highly prescriptive ex ante regulation. “This incremental approach, which we have been using for nearly 100 years, has significant benefits,” Ohlhausen argued, and it is “consistent with Hayek’s thesis about the knowledge problem.” Namely, regulators should not be acting based on limited knowledge to address hypothetical future threats. Doing so derails opportunities for innovation and leads to myriad unintended consequences.

But the best part of Commissioner Ohlhausen’s speech was her embrace of what author Matt Ridley calls “rational optimism”:

Over the past two centuries, humankind has proven its ability to transform innovation into widespread prosperity. Fueled by supportive social attitudes and free market institutions, businesses have been the engines of this prosperity. Regulators who don’t want to stall these engines of innovation should remember the long history of beneficial innovation, remain humble about what they can know and accomplish, focus on addressing real consumer harm, and apply tools appropriate to the harms that do arise.

Critics will protest that innovation can just be too darn disruptive and that we have to preemptively legislate or regulate to counter those effects. But Ohlhausen has a powerful response to those critics:

innovation can, and will, be unnerving or unsettling. By its very nature, innovation changes things. Change is uncomfortable. That is why, as long as there has been innovation, there have been detractors and doomsayers. William Petty, the economist and doctor, said, “When a new invention is first propounded, in the beginning every man objects and the poor inventor runs the gauntloop of all petulant wits.” And he was talking in 1679! Pessimism about innovation sells newspapers and books. It also has a surprising intellectual caché. “The man who despairs when others hope is admired by a large class of persons as a sage,” said John Stuart Mill. But if the past 200 years of innovation have any lesson, it is this: society has repeatedly and quickly integrated and greatly benefited from innovation. The somber doomsday “sages” – from the Luddites in 19th century England to critics of credit card technology in the 1970s – have been wrong about the general effects of innovation. The many benefits have far outweighed the few costs. I am quite optimistic that the disruption of the Internet of Everything will continue the trend and greatly promote our prosperity.

Preach it, sister! That is exactly right.

Anyway, make sure to read Commissioner Ohlhausen’s entire speech. It is absolutely spectacular. I wish every regulatory approached their jobs with the same degree of humility, patience, and “rational optimism” that Commissioner Ohlhausen does.

Last year, my PFF colleague Adam Thierer asked whether State AGs + NCMEC = The Net’s New Regulators? Adam noted that NCMEC, the National Center for Missing and Exploited Children, a private non-profit organization, was playing a law enforcement role in regulating child pornography—but without any clear mechanisms for ensuring its accountability and effectiveness. Adam’s point wasn’t just that transparency is a good thing, but that when it comes to a cause as important as protecting children from exploitation, it’s vital to ensuring that we’re that we’re actually doing a good job at it!

Yesterday, Emmanuel Lazaridis commented on that post:

Given the increasing regulatory and investigative powers of the NCMEC, it is no longer clear whether or not the [Freedom of Information Act] applies to NCMEC records. We are about to find out. I am right now bringing a case against the NCMEC in federal court for access to records under the FOIA and, failing that, for discovery under 28 U.S.C. § 1782(a).

Mr. Lazaridis’s complaint in the D.C. District Court claims that Lazaridis (a Greek national) has been unfairly deemed a fugitive from U.S. justice for having taken his daughter to Greece over the objections of the girl’s American mother, Lazaridis’s ex-wife. NCMEC got involved by placing the girl on their MissingKids.com registry of abducted children. Lazaridis wants the court to recognize his custody, deem him not to be a fugitive, and to order NCMEC to turn over all their records on the girl.

This is, of course, just one side of the story (and such cases are usually so complicated as to be indecipherable to outsiders). But even if Lazaridis’s case were wholly without merit, his basic argument would be a sound one: Why shouldn’t NCMEC, in exercising any of its essentially governmental functions, be subject to the same accountability requirements through FOIA as the FBI would be?

When the issue is the Lazaridis family’s trans-Atlantic custody battle, it may seem easy to ignore this question. But when NCMEC is essentially making policy regarding filtering Internet content, blacklisting websites, turning over user logs to law enforcement, or “cleaning up” Craigslist, the question of NCMEC’s accountability under FOIA cannot be avoided as a critical decision about the future of Internet governance.

On heels of Adam’s piece last year, controversialist Chris Soghoian suggested one answer: Given its status as a sacred cow, we cannot expect any politician pay heed to calls to overhaul NCMEC or subject it to oversight. However, what we can do, is call for the nationalization of the National Center for Missing and Exploited Children.

Think of it this way: We have a drug czar, a war czar, a copyright czar, and will likely have a cybersecurity czar and car czar under the next administration. Why not throw a child porn czar into the mix? Nationalize NCMEC, make all of its workers federal employees, with good health care and job security, and perhaps even expand its budget–after all, it does good work, right? NCMEC’s job is simply too important to be entrusted to a nonprofit group–such a task can only be performed by a fully trained and funded law enforcement agency (one, which conveniently enough, is subject to the Freedom of Information Act, congressional oversight, and constitutional requirements for due process.)

Despite my differences with Chris, he’s often right and may be here, too. He’s certainly right that Congress is unlikely to address the problem of NCMEC’s accountability given the sensitivity of the issue of child protection.

But, fortunately, we live in a republic, not a pure democracy: Our third branch of government, the courts, exists to enforce the rule of law; being somewhat insulated from political pressure, the courts provide a final check on the authority even of the almighty NCMEC. So while Chris’s nationalization proposal might well be the ideal solution, it hasn’t happened yet—nine months later to the day, and it’s probably not high on the Obama administration’s list of czarist reforms.

But simply by ordering NCMEC to comply with FOIA, the Lazaridis court could, with the stroke of a pen, bring accountability to NCMEC’s law enforcement functions. The legal question is simple: Does NCMEC qualify as an “agency,” which FOIA defines as an “authority of the Government of the United States?”

If so, NCMEC must not only respond to requests for certain of its “records,” but it must also follow a rule-making process akin to that required of federal agencies when they make policy decisions, offering the public appropriate notice and the opportunity to comment on proposed regulations—instead of, say, threatening Internet companies behind closed doors (sometimes the same companies that later make generous donations to NCMEC) or cutting deals with state attorneys general.

It turns out that this is not a new issue. Federal courts have had to decide whether a number of quasi-governmental entities qualify as “agencies” over the years, especially given the trend towards privatization over the last three decades. Some organizations, like the Smithsonian Institution, have decided to comply with FOIA even though courts have held that they’re not required to do so. NCMEC could have allayed all these concerns years ago by doing the same thing, but absent a change in management at the organization, it seems only a court order will force the organization to open its “black box” of decision-making to public inquiry.

In a number of other circumstances, courts have required nominally private organizations to comply with the federal FOIA or its state equivalents. A thorough (if dated) treatment of this issue can be found in the 1999 law review article, Privatization and the Freedom of Information Act: An Analysis of Public Access to Private Entities Under Federal Law by Craig Feiser, Florida’s deputy solicitor general and an adjunct at FSU Law. Feiser explains:

When Congress amended FOIA in 1974, it added section 552(f)(1) and broadened the definition of “agency” to include entities not explicitly mentioned under the APA, but which “perform governmental functions and control information of interest to the public.”

In deciding whether a private organization qualifies as an agency subject to FOIA, courts have considered two factors.

One factor asks whether the entity has substantial independent authority in performing a function of the government, making it the functional equivalent of the government. The other factor asks whether the government substantially controls the entity’s day-to-day operations or organizational framework. In using either factor, the court is essentially asking to what degree the entity is performing a government function. In one case, the government is pulling nearly all of the strings; in the other case, the entity is making decisions independently for the government.

Financially, NCMEC is largely a creature of government: 70% of NCMEC’s $42 million budget in 2007 came from the government. But as Feiser notes, funding does not always mean control. Government control over NCMEC’s internal decisions is unclear. Indeed, the very lack of government control over an organization essentially regulating the Internet and imposing criminal sanctions that could follow convicted “sex offenders” for life would by itself be an enormous problem.

But given what NCMEC actually does, it obviously qualifies as an “agency” subject to FOIA under the “functional equivalence factor,” which as Feiser explains,

basically represents the opposite situation from the control factor. Here, the entity is functioning independently, but making decisions for the government, as opposed to having its decisions made by the government. In effect, it is the functional equivalent of the federal government, and, therefore, it should be an “agency” under the FOIA.

I’ll be watching the Lazaridis case closely, hoping that the court sees NCMEC for what it is: a private organization tasked with implementing not just any government function, but the enforcement of laws against the most vulnerable victims in society. Absent such a recognition, NCMEC will continue to grow into an unaccountable regulator for the Internet.

Today, the only public oversight of NCMEC required by law is the requirement that NCMEC (like any non-profit with federal tax-exempt 501(c)(3) non-profit status) file a Form 990 each year disclosing basic information about its finances. That report does not list NCMEC’s donors, because donors have a First Amendment right to remain anonymous, but a more transparent organization would, like my own think tank, at least identify its major donors. The 2006 and 2007 Form 990s do reveal a few interesting things, though, about what NCMEC does with its budget (70% of which comes from the taxpayer):

• NCMEC’s CEO, Ernie Allen, was paid $359,191 plus $411,636 in benefits in 2006 (PDF p. 46) and $409,821 plus $426,540 in benefits in 2007 (PDF p. 19), for a total of $1.6 million in two years (roughly $800,000/year);
• Not counting Allen, NCMEC spent $778,564 on its top five highest-paid employees in 2006 ($155,713/employee), and $875,657 in 2007 ($175,131/employee) (PDF p. 10 in both);
• 31% of NCMEC’s 2006 revenues and 35% of its 2007 revenues went to salaries (PDF pp. 1 & 2 in both); and
• NCMEC had 104 employees paid over $50,000 in 2006 (PDF p. 10) and 116 in 2007 (PDF p. 10).

I’d be reluctant to suggest that anyone at NCMEC was more interested in money than in protecting children, but if given the choice, we’d all prefer to do well while doing good. So if Allen were smart, he’d realize that a court order subjecting NCMEC to FOIA might be the best of all possible worlds: Requiring real accountability would neutralize calls for nationalizing NCMEC, allowing the organization to continue operating as a non-profit that can pay quite a bit better than the Federal civil service. Even the Senior Executive Service, for agency heads, maxes out at a measly $177,000/year.

Of course, if NCMEC’s records and decisions to regulate the Internet were subject to FOIA, the organization might not be able to… “convince” the Internet companies it essentially regulates to write large checks to NCMEC. But even this tax-hating libertarian would be hard-pressed to argue against funding the enforcement of laws against child pornography, abduction and exploitation with taxpayer dollars.

As the grandson of an FBI agent, whose framed credentials hang in a place of pride in my office (stamped “RETIRED” after his 25 years of loyal service), I can’t help but wonder how many more agents the FBI could employ to combat child porn with an extra $1.6 million/year in funding (the salary of Allen and NCMEC’s top-five highest paid employees). It seems that FBI agents today make roughly $48,000-87,000/year. Let’s call it an average of $67,500 and throw in 20% for overhead. That works out to $81,000/year—or:

• 20 new agents for what NCMEC is paying its top six employees; or
• 368 new agents for the $29.82 million NCMEC received in government support in 2007.

I’m sure the solution is far more complicated than simply hiring more FBI agents, and that NCMEC does much good work in the service of a noble cause. But until NCMEC is either nationalized as a direct arm of law enforcement or made significantly more accountable as a private organization, we won’t really have any way of knowing whether the money being spent on NCMEC is being spent in the most effective manner possible to deal with the problems of child pornography, abduction and exploitation. We also won’t know whether draconian alternatives to direct enforcement ( e.g., hiring more FBI agents) like network-level filtering mandates are truly necessary, despite their unintended consequences for the free speech and privacy rights of law-abiding Internet users.