User Privacy – Technology Liberation Front
https://techliberation.com
Keeping politicians' hands off the Net & everything else related to technology

Privacy Polls v. Real-World Trade-Offs
https://techliberation.com/2009/10/08/privacy-polls-v-real-world-trade-offs/
Thu, 08 Oct 2009 14:03:48 +0000

Progress Snapshot 5.10 from The Progress & Freedom Foundation

A recent telephone poll conducted by professors at Berkeley and the University of Pennsylvania concluded, “Contrary to what many marketers claim, most adult Americans (66%) do not want marketers to tailor advertisements to their interest.” The study’s authors claim that their poll is the “the first nationally representative telephone (wireline and cell phone) survey to explore Americans’ opinions about behavioral targeting by marketers.” They also assert that the poll indicates that “if Americans could vote on behavioral targeting today, they would shut it down.” Advocates of regulating online data collection have trumpeted this poll as evidence consumers demand legislation to protect their privacy. “This research gives the F.T.C. and Congress a political green light to go ahead and enact effective, but reasonable, rules and policies,” declared Jeff Chester, a leading critic of online advertising.

But what is most surprising about this poll is not that 66% of users said they do not want tailored online ads, but that 34% of users said they did! The key, initial question of “whether or not you want the websites you visit to show you ads that are tailored to your interests,” presents no trade-off. The fact that any users said “yes” indicates that many users paused to do the rough mental math about the unarticulated trade-off between the benefits of receiving tailored ads and the costs of that tailoring.

The methodology of opinion polls necessarily affects respondents’ mental calculations, rendering polls not just easily manipulated, but inherently unreliable as indicators of real preferences. Every poll reflects the bias of its authors to some degree by the way questions are worded, the order in which they are asked, the sample surveyed, etc. The easiest way to bias the results of a poll is to omit any mention of the trade-offs at issue. This poll simply buried the issue of trade-offs in a heavily loaded follow-up question: After telling respondents that marketers “often use technologies to follow the websites you visit and the content you look at in order to better customize ads,” the interviewer asked whether the respondent would allow advertisers to “follow [them] online in an anonymous way in exchange for free content.” Only 10% of users said they would allow this voluntary exchange.

What does this tell us about whether, and how, government should further regulate online advertising? Precious little: Not only does this poll overstate the costs of targeted advertising, understate its benefits, and ignore the tools available to users to address their privacy concerns but, like any opinion poll, this one tells us more about the psychology of decision-making under the artificial uncertainty of polls than about the choices users would actually make in the real world.

User Uncertainty About Concepts Like “Tailoring” and “Following”

Even the word “tailoring”—though benign compared to other words the study’s authors could have used (e.g., “track,” “monitor,” “record”)—is so vague as to leave respondents wondering what it really entails. One can only speculate as to what users thought the word meant (since the poll did not ask), but it seems likely that some of these scarier words flashed through the minds of respondents in the instant before they answered the question. Indeed, the word “tailoring” conflates both the costs and benefits of personalized advertising in a single, vague word. Given this ambiguity, it’s hardly surprising that most users would say “no”—not just to receiving tailored advertising (66%), but also to receiving tailored discounts (49%) and news (57%). If users had been asked about receiving “relevant” (rather than “tailored”) ads, the responses probably would have turned out somewhat differently—just as an additional 17% of users agreed to receiving tailored “discounts,” whose value to users is more readily apparent: saving money on potential purchases.

The second set of questions asked users whether it “Would be OK… if these ads [discounts/news] were tailored for you based on following what you do on the website you are visiting… [24% said yes] OTHER websites you have visited… [34% said yes] and OFFLINE—for example, in stores? [25% said yes].” Again, the term “follow” was not defined. A third set of questions explained to respondents that marketers “often use technologies to follow the websites you visit and the content you look at in order to better customize ads.” The interviewer then asked whether the respondent would “definitely allow, probably allow, probably NOT allow, or definitely not allow advertisers” to “follow you online in an anonymous way in exchange for free content”—and only 10% of users said yes. Thus, it appears that users are more, not less, hostile to tailored advertising when reminded of the trade-offs involved (35% yes in the first set of questions, 10% yes in the third). What explains this paradox?

The most obvious explanation is that, by the time the respondent got to the critical question about “allowing” tailored advertising, they had heard the word “follow” at least five times: once in each of the three questions about whether tailoring was OK, once in the introduction about how marketers customize ads and once in the question itself—each time increasing uncertainty as to how “tailoring” really works and more than negating any suggestion of “anonymity.” Furthermore, asking users whether something should be “allowed” implies that there are undisclosed reasons why it should not be. This much is simple psychology—obvious to anyone who wanted to craft a poll that would support a particular regulatory agenda.

But behavioral economics research tells us something even more profound about the way our brains work: human beings hate making choices, and loathe uncertainty even more. Indeed, such “mental accounting” or “mental transaction” costs appear to be the primary reason why, after a decade of efforts to develop a micropayments system that can fund online content and services, no such system has emerged—and thus why Internet publishers instead rely primarily on advertising revenues ($23.5 billion in 2008) to fund “free” offerings for consumers. In this case, merely forcing consumers to consider the costs of “tailoring” and being “followed,” and decide whether these things are “OK” or should even be “allowed” strongly tips the scales in favor of the outcome desired by the study’s authors because these considerations and decisions are significant psychological costs in themselves, which likely outweigh the diffuse benefits of tailored advertising, which users simply do not appreciate.

Indeed, the scale tips so strongly that the study suggests that 73% of Americans object to having ads tailored based on “what you do on the website you are visiting.” Would not this objection apply to purely contextual advertising “tailored” to the keywords entered by a user in a search engine or to the keywords that appear on a particular page to which a user has navigated within a site? If so, this study isn’t just about the bogeyman of “behavioral” advertising, but about essentially all online advertising, which is to some degree “tailored.” Indeed, must lawmakers protect us from the tailoring of news (71%) and discounts (62%) within websites? Or, if data collection is the real harm to consumers, what about the fact that hundreds of millions of people happily share far more personal information every day on social networks or using grocery discount cards? Opinion polls simply cannot answer these questions.

The Direct Benefit of Tailored Ads: Relevance

Whatever Americans tell pollsters about “tailored” ads, they also complain about irrelevant ads: A previous poll found that 72% of consumers “find online advertising intrusive and annoying when the products and services being advertised are not relevant to [their] wants and needs” and 85% say that less than 25% of the ads they see while browsing online are relevant to their wants and needs. Real-world experiments confirm that users reveal a clear preference for more relevant advertising. In a 2004 experiment, click-through rates (CTR) for behaviorally targeted ads were between 94% and 225% higher than for contextually targeted ads. A 2009 study found that the difference could be between 670% and 1000%, depending on how well-tailored the ads were. In other words, users in the real world were two to eleven times more likely to click on highly-tailored ads. Truly, actions speak louder than words: Users clearly “vote with their clicks” for ads they find relevant—i.e., they vote for “tailoring.”

Further reinforcing this conclusion is the fact that better tailoring increases not only click-through rates but also “conversion rates”—the percentage of users who actually complete the action desired by the advertiser, whether that be making a purchase or signing up for a list. A 2008 experiment found increased conversion rates of 400-900%. This indicates that relevant ads really do help consumers find things they like—and that they like the fruits of tailoring, however they respond when asked about “tailoring” as an abstract concept that conflates costs (“How are they following me?”) and benefits (“What’s in it for me?”).

The Indirect Benefit of Tailored Ads: Free Content & Services

Even less apparent to poll respondents than the direct benefit of tailoring (increased relevance) are the indirect benefits: In particular, greater relevance to the user means more effective communication for the advertiser, and increased ad revenue for most online publishers per ad on their sites. Thus, there exists a clear quid pro quo: in effect, users “pay” for content and services by sharing information about their interests. Even more fundamentally, users “pay” for content by seeing ads. But both quid pro quos are implicit: Users can simply choose not to “pay” by using readily available tools in their browser to block ads and/or tracking. In essence, today’s system allows users who don’t like ads—tailored or otherwise—to opt out at little or no cost, much as if they simply decided not to pay for a product they bought at their local grocery store.

This creates a serious dilemma, given that advertising increasingly stands alone as the lifeblood of online content and services. Indeed, ads have long funded the costs of generating content for radio, television, and newspapers (with subscriptions paying only for distribution). The basic reason is simple economics: In competitive markets, prices tend to fall to the marginal cost of production. The Internet has simply borne this theory out in full:

  1. Producing the first unit of content (e.g., a news story or video) remains costly, so while the marginal cost of every additional unit is essentially zero, average cost is not.
  2. The failure of micropayments online seems to confirm that, no matter how low the technological transaction costs are, the mental transaction costs involved combined with even tiny payments will exceed the perceived value of most content.
  3. The world of media scarcity in which consumers could choose from only a few sources of content (e.g., news, entertainment) has given way to a world of staggering media abundance and the choices of users are no longer constrained by the tyranny of physical limitations like distance and printing costs.
  4. Because pure information cannot be copyrighted (and fair use allows significant referencing and quotation), very little content is so unique that users cannot find a ready substitute elsewhere if a site (or even cartel of sites) attempted to charge.

These forces have given birth to the world of “Free,” where few (if any) users will pay for something they can get for nothing. While there are a number of ways to fund content and services, advertising is far and away the leading business model for the new economy: Indeed, the overall online advertising market is expected nearly to double its share of total U.S. ad spending from 8.7% in 2008 ($23.4 billion) to 15.2% ($37.2 billion). But with 44% of advertising revenue going to search engines (which show highly “tailored” ads simply based on search terms), hundreds of thousands of publishers—from the mightiest to the tiniest—rely on $7.6 billion (33% of the total) in “display” ad revenue. Yet this base is tiny: Most websites earn a fraction of the revenue generated by offline ads: roughly $0.60 to $1.10 per thousand impressions (CPM) online versus average CPMs of $4.54 (radio) to $10.25 (broadcast). This unprofitability of online advertising, and the fact that certain kinds of online content (e.g., video and online services) do not provide the textual keywords necessary for basic contextual targeting, is driving publishers to ad networks that offer behavioral targeting, which is expected to grow from $525 million in 2007 to $4.4 billion in 2012—when it will represent 25% of all display ad spending.

In short, advertising is indispensable to the future of online media, but it is also currently inadequate to sustain “Free” culture. As Adam Thierer and I warned earlier this year: “The advocates of regulation pay lip service to the importance of advertising in funding online content and services but don’t seem to understand that this quid pro quo is a fragile one: Tipping the balance, even slightly, could have major consequences for continued online creativity and innovation… Something must give because there is no free lunch.” In 2001, long before Google mattered and before he worked for them, Kent Walker (now Google’s general counsel) put it best in a seminal law review article:

Privacy is both an individual and a social good. Still, the no-free-lunch principle holds true. Legislating privacy comes at a cost: more notices and forms, higher prices, fewer free services, less convenience, and, often, less security. More broadly, if less tangibly, laws regulating privacy chill the creation of beneficial collective goods and erode social values… Such regulation would likely increase both direct and indirect costs to the individual consumer, reduce consumer choice, and inhibit the growing trend of personalization and tailoring of goods and services.

Thus, as Jim Harper and Solveig Singleton concluded in their 2001 paper With a Grain of Salt: What Privacy Surveys Don’t Tell Us:

privacy surveys in particular… suffer from the “talk is cheap” problem. It costs a consumer nothing to express a desire for federal law to protect privacy. But if such law became a reality, it will cost the economy as a whole, and consumers in particular, significant amounts that surveys do not and cannot reveal.

We Need a Behavioral Economics Experiment, Not Just Another Poll

The Berkeley-Penn poll could certainly have done more to present these trade-offs to respondents and less to color their responses by inflating mental transaction costs. But even the most “fair” poll cannot meaningfully simulate the trade-offs inherent in the real world. If we really want to know how much subjective value consumers place on a particular aspect of their privacy, we must look to the preferences they reveal in the process of making real choices.

Of course, the best experiment is the one being conducted in the real world every day. No laboratory experiment can ever fully replicate all of the conditions of the real world, but a behavioral economics experiment could tell us more about the revealed preferences of Internet users than any poll. Unlike the real world, an economist could vary certain conditions in a lab experiment to tell us how various changes to current industry practice, user empowerment, or user education might actually affect real consumer choices. At a minimum, any experiment would require the following to inform policymaking about online advertising and privacy.

First, the experiment should vary the mechanisms by which notice is provided to users as to how tailoring works (e.g., placement, interface, wording) and what those notices actually say.

Second, test subjects must make real choices in real use of the Internet with trade-offs in real money and their own time between either paying for access to a particular site or getting access for free in exchange for receiving tailored ads based on at least the three variables presented as questions in the Berkeley-Penn study: (i) users’ browsing activity on that site; (ii) their browsing activity on other sites; and (iii) offline activity or demographic information.

The second variable is critical because it addresses the value created by behaviorally tailored ads, which could be wiped out by regulation. Search engines are able to sell highly effective advertising based solely on information provided directly to the site (search keywords, which are highly indicative of user interest), and some sites can sell lucrative advertising based on purely contextual targeting because their content contains keywords that advertisers value highly (e.g., a site for digital camera enthusiasts). But the vast majority of websites, and especially non-commercial websites, would produce little ad revenue if advertisers could only guess at the likely interests of visitors based on the keywords on that site. This, in a nutshell, is why so many sites stand to gain so much from behavioral targeting—particularly in the Internet’s “Long Tail.” To be useful, an experiment must reflect this dynamic.

In the real world, of course, it might be possible for the user to opt out of tracking without losing access to content because today’s quid pro quo is implicit and most sites operate on a “No Cost Opt-Out” basis for tracking and even seeing ads. But in order to tell us how much consumers really care about tracking, the experiment must place some value on access to the content and services that advertising supports.

Third, the experiment must examine the extent to which user empowerment affects user choice: If some users are uncomfortable with having their browsing activity tracked, is it because they are concerned about all tracking or only tracking of certain sensitive activities, such as researching medical issues or—everyone’s favorite—viewing pornography? How does the availability of privacy management tools change user choices about ad-tailoring? Do Americans really want tailoring banned, or do they just want the ability to exercise easy choice about when they want to participate? How would those choices change when they come at a cost (e.g., seeing more ads) and privacy-sensitive users cannot simply free-ride off the value created by users who don’t opt out of targeted advertising (and also don’t block ads)?

Such an experiment would, by its very nature, be imperfect—but far less imperfect than any poll about opinions on privacy. Until a proper experiment is conducted by trained behavioral economists, all we can say with confidence is the following:

  1. Users don’t understand exactly how ads are tailored;
  2. Users seem to be concerned about “tailoring” or “following” in the abstract;
  3. Users are generally unwilling to pay for online content and services; and
  4. Better tailoring of ads means more funding for content and services.

There is only one approach that can address all these concerns: educate users about how online advertising works and how they can implement their own privacy preferences, while constantly striving to further empower users to make privacy management easier.

The Costs of SSL Encryption for Webmail & Other Cloud Services
https://techliberation.com/2009/06/16/the-costs-of-ssl-encryption-for-webmail-other-cloud-services/
Tue, 16 Jun 2009 21:02:34 +0000

Internet policy Shame Artist extraordinaire Chris Soghoian has struck again! Chris recently shamed the online advertising industry into improving their privacy practices with his Targeted Advertising Cookie Opt-Out (TACO) plug-in for Firefox. Now Chris has set his sights on the security practices of cloud service providers.

A letter released this morning, signed by 37 leading online security experts (and organized by Chris), calls on Google to offer persistent SSL (HTTPS) encryption by default for all Google services, or at the very least to make more visible the option currently given to users to opt in to using SSL for all communications. Google, in its response, indicated that it was already “looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.”

While Google’s response identifies some clear problems with implementing persistent SSL for all users (esp. connection speed), few would deny that it makes sense for webmail providers to encrypt all traffic using SSL, rather than sending email data “in the clear,” which risks interception by hackers. We at PFF hold no brief for Google; in fact, we have found ourselves disagreeing with them on many other occasions on a range of issues (most notably net neutrality mandates). Nonetheless, on this front, Google has long been a leader, having offered SSL since Gmail launched and having begun providing the persistent HTTPS option last summer, while most of their competitors still use SSL only for the initial authentication that occurs when a user first signs in. While the letter focuses on Google and webmail in particular, this issue has far broader implications for all online cloud service providers.
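The practice described above, SSL for sign-in only, matters because the session cookie issued after the HTTPS login is afterwards sent along with every plaintext HTTP request; that is also the mechanism behind the “cookie stealing and packet sniffing” threat the post weighs later against other risks. The following Python is an added example, not code from the post, from Google or from any webmail provider: it classifies a provider’s posture from a list of recorded HTTP responses as “persistent,” “login-only” or “none.” The `Response` type, the `classify` function, the session cookie name `SID`, the login path `/login` and the `mail.example.test` responses are all constructed for illustration. It goes one step beyond the post by also checking the cookie’s `Secure` attribute, which is what keeps a browser from attaching the cookie to a plain http:// request even when a stray link uses one.

```python
"""Classify a webmail deployment's TLS posture from recorded HTTP responses.

Added example, not code from the original post or from any provider; every
name, URL and cookie below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    """One exchange: the URL that was requested, the status and headers returned."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    set_cookies: List[str] = field(default_factory=list)


def cookie_lacks_secure(set_cookie: str, cookie_name: str) -> bool:
    """True if this Set-Cookie line names the session cookie and omits Secure.

    Without Secure a browser also attaches the cookie to plain http:// requests,
    which is exactly what a sniffer on an open Wi-Fi network would collect.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    if name != cookie_name:
        return False
    return "secure" not in (p.lower() for p in parts[1:])


def classify(responses: List[Response], session_cookie: str = "SID",
             login_path: str = "/login") -> dict:
    """Return the posture ("persistent", "login-only" or "none") plus the findings.

    - "persistent": every http:// request is redirected to https:// and the
      session cookie carries Secure.
    - "login-only": the login page is served over HTTPS but other pages (or the
      cookie) travel in the clear, i.e. the practice the post attributes to
      most webmail providers in 2009.
    - "none": even the login page is served without TLS.
    """
    plaintext_pages: List[str] = []
    insecure_cookie = False
    login_in_clear = False

    for r in responses:
        parts = urlsplit(r.url)
        if parts.scheme == "http":
            location = r.headers.get("Location", "")
            redirected = r.status in REDIRECT_STATUSES and location.startswith("https://")
            if not redirected:
                plaintext_pages.append(r.url)
                if parts.path == login_path:
                    login_in_clear = True
        for line in r.set_cookies:
            if cookie_lacks_secure(line, session_cookie):
                insecure_cookie = True

    if login_in_clear:
        posture = "none"
    elif plaintext_pages or insecure_cookie:
        posture = "login-only"
    else:
        posture = "persistent"
    return {
        "posture": posture,
        "plaintext_pages": plaintext_pages,
        "session_cookie_without_secure": insecure_cookie,
    }


# Constructed sample traffic: HTTPS for sign-in only, then the inbox in the clear.
LOGIN_ONLY = [
    Response("https://mail.example.test/login", 200,
             set_cookies=["SID=constructed-session-id; Path=/; HttpOnly"]),
    Response("http://mail.example.test/inbox", 200, {"Content-Type": "text/html"}),
]

# Constructed sample traffic: persistent HTTPS with a Secure session cookie.
PERSISTENT = [
    Response("https://mail.example.test/login", 200,
             set_cookies=["SID=constructed-session-id; Path=/; Secure; HttpOnly"]),
    Response("http://mail.example.test/inbox", 301,
             {"Location": "https://mail.example.test/inbox"}),
    Response("https://mail.example.test/inbox", 200, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for label, sample in (("login-only sample", LOGIN_ONLY), ("persistent sample", PERSISTENT)):
        print(label, classify(sample))
```

Run as a script it prints both classifications; the login-only sample is flagged for the inbox page served over http:// and for the session cookie set without Secure, while the persistent sample passes both checks. Feeding it real responses would require recording them with a browser or proxy first; the classification logic itself is the same.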

No Free Lunch: The Costs of Encryption

Gmail, Yahoo! Mail, Hotmail, etc. are, of course, “free” (i.e., ad-supported). Google in particular has led the way in increasing the functionality offered in Gmail, not just constantly increasing the total storage space provided to every user (now over 7GB), but regularly adding innovative new features—at no charge to users.

Offering persistent SSL is resource-intensive, because encryption requires computing power on the server side. Google currently spends billions on the servers that run all Google’s services, including Gmail: $2.4 billion back in 2007, when the company was much smaller. Google’s pricing for their App Engine offers some insight into cost, putting a cost of $0.10/CPU computing cycle. But without knowing what their actual cost is or how many CPU computing cycles the average Gmail user might consume per year using persistent SSL, it’s difficult to translate this price into an actual estimate of the cost of providing persistent SSL. Thus, while there are no hard numbers on how much Gmail costs Google to provide or how much more it would cost to provide persistent SSL for every user by default, both costs are clearly substantial. Chris himself provides a shot-in-the-dark guess that SSL-encrypted communications might require as much as six times the server resources as unencrypted communications. I’d love to know where Chris came up with that guess, whether the upper bound might be even higher, and how he thinks smaller operators would pay for that cost.

Indeed, Chris’s letter does not discuss the cost of providing SSL at all, mentioning the word “cost” just once, and in a completely different sense: “Other Google applications demonstrate that security need not come at the cost of performance.” This is perfectly consistent with Chris’s general response to the costs of regulation: “Your broken business model is not my problem” (which sounds more charming in Chris’s elegant British English).

But just as Chris is correct that “Defaults matter,” it is even more true that “Costs matter.” Google appears to take the question of how much it costs to provide SSL off the table: “in this case, the additional cost of offering HTTPS isn’t holding us back.” But this is by no means a dismissal of the importance of costs. Rather, Google is simply saying that it has already decided that the advantages of providing persistent SSL are worth the costs. Every advantage to users in terms of greater security is, of course, also an advantage to Google as it competes for customers. While Gmail may have the highest profile among webmail companies, it still lags far behind Yahoo! Mail and Microsoft’s Hotmail in market share: As of February, Yahoo!’s market share was 56%, Microsoft’s 19% and Google’s 11%. Offering increased security, as Google already does with the full-SSL opt-in, is simply a way for Google to gain a competitive advantage over its rivals. One can only imagine the barrier to entry such an expensive default, if mandated or simply expected, will create for new, smaller competitors to Google, Microsoft, Yahoo! and other web titans across a wide range of cloud services.

Google’s apparent agreement with Chris and his band of cybersecurity experts conceals a more fundamental difference of perspectives. While I consider Chris a good friend, what separates us, and what separates him from Google, is the question of trade-offs. Chris exemplifies what the economist and philosopher Thomas Sowell called the “Vision of the Anointed.” As the best and brightest in society (“the talented few”), the Anointed are often right, as Chris certainly is here on some level: Persistent SSL is a great thing and most Gmail users would probably be better off with it once Gmail irons out all the kinks in implementing it. (Indeed, I had already opted in to using persistent SSL before Chris’s letter.)

No, the problem with the Anointed is not that they are necessarily wrong, but that they focus on “Solutions” to problems, while those with the “Tragic Vision” focus on the “Trade-offs” inherent in the constraints of reality. For the Anointed, seeking to impose their preferences on others, Sowell notes:

it is simply a question of choosing the best solution, while to those with the tragic vision the more fundamental question is: Who is to choose? And by what process, and by what consequences for being wrong? … it is so easy to be wrong—and to persist in being wrong—when the costs of being wrong are paid by others. (pp. 135-36).

Google’s response focuses on one important trade-off: that made by users deciding between added security and a slower Gmail connection. Individual preferences on this choice might vary, even among fully-informed users: For example, some Gmail power users may prefer speed over security, knowing that the risks addressed by SSL are lessened because they do not take their desktop PCs to unsecured Wi-Fi hotspots at, say, the local coffee shop.

But there is a more fundamental trade-off at stake: While Google already offers persistent SSL for free to all users and says that they intend to make this the default setting in the near future, using SSL for everyone will be expensive and that cost will ultimately be borne by consumers as well as by Google (and other webmail operators that follow suit). The cost of providing SSL might mean, for example, that Google will provide less storage space or other innovative Gmail features than it would otherwise have done, because while the politicians in Washington can simply print more money to put a “chicken in every pot” (and a mortgage in every subprime borrower’s hands), Google’s resources are necessarily limited. In short, even in the world of “Free!” content and services, there is no free lunch! In a world of scarce resources (a/k/a reality, even the reality of the digital economy), we must make trade-offs.

Again, Chris may well be correct that the security benefits of SSL are worth this particular trade-off but it’s important to distinguish between two different kinds of decisions. Again, Sowell makes the point brilliantly:

trade-offs must be incremental rather than categorical, if limited resources are to produce optimal results in any social system as a whole. Despite the importance of incremental trade-offs, the language of politics is filled with categorical rhetoric about “setting priorities,” “providing basic necessities,” or “assuring safety” in foods, medicines, or nuclear power. But incremental decisions differ as much from categorical decisions as trade-offs differ from solutions. If faced with a categorical choice between food and music, every sane person would choose food, since one can live without music but not without food. But if faced with an incremental choice, the decision could easily be just the opposite. If food were categorically more important than music, then we would never reach a point where we were prepared to sacrifice resources that could be used to produce food, in order to produce music. Given this premise, Beethoven, Brahms, and Bach should all have been put to work growing potatoes, instead of writing music, if food were categorically more important.

Online “security” (like online “privacy”) is, like food or physical safety, undeniably a good thing. But we must still make trade-offs between security and the other things with which it necessarily competes. Google currently runs vast server farms, but still has only a certain number of CPU cycles to use for a variety of competing purposes. Spending that scarce resource (and the money that ultimately pays for it) on persistent SSL necessarily means being able to offer less of other things across the wide range of services Google offers. It is in recognition of such unintended consequences that Sowell concludes that:

many a sound and beneficial principle becomes a dangerous absurdity when it becomes a fetish. That is why any categorical principle must be assessed not only in terms of its soundness as a principle, but also in terms of what happens when that principle is applied categorically.

So, what would happen if this insistence on persistent SSL were “applied categorically?”

Impact on the Competitive Landscape

While Google may be able to “eat” the cost of persistent SSL for all its Gmail users, mandating the use of persistent SSL may create a significant barrier to entry that could keep smaller providers out of the market. Even shaming a leading webmail provider like Google into voluntarily increasing their security offering may accomplish the same result by raising consumer expectations. Indeed, this is what competition is all about!

For a large webmail provider like Yahoo! (already struggling to find its way in a rapidly evolving competitive landscape for web content, services and advertising despite its 56% webmail market share), the cost of providing persistent SSL for their enormous installed base of users will necessarily reduce the resources available to compete with Google in webmail and on other fronts. For Microsoft, every dollar spent on upgrading Hotmail security could have been spent on improving Bing, Microsoft’s new search engine, which seems capable of posing a significant challenge to Google in the search market.

In general, increasing the cost of providing a service will necessarily tend to make that service less competitive. If there are fewer companies competing to offer webmail (and other related products like calendar services), there will be less pressure on each of them to compete in non-price terms such as security and privacy protection. Thus, in the real world, fetishizing security can actually lead to less security.

The Cost/Benefit Approach to Security Improvements

Indeed, while the full use of SSL is an obvious way to improve the security of webmail, it is not obvious that it is the most cost-efficient way to do so. If the precise costs of using persistent SSL for all users are substantial but unclear, it is impossible to evaluate whether user security might be improved more by prioritizing scarce resources to deal with other threats.

The threat posed by unauthorized account access via cookie stealing and packet sniffing appears to be far smaller than other, less obvious security threats, such as permitting the use of weak passwords, reusing passwords across accounts, reliance on poor secret questions, the accessing of accounts at unsecured public terminals, and the failure of users to log out. Likewise, threats to end-user security and privacy such as cross-site scripting (XSS) and cross-site request forgery (CSRF) account for a far greater portion of internet-related security incidents. There may be no technological “silver bullet” for these problems, but they may represent the “low hanging fruit” for improving security at a much lower cost.
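The mechanism behind the “cookie stealing and packet sniffing” threat mentioned above is simple: once a user has logged in over HTTPS, the browser replays the session cookie on every later request, and if those requests go over plain HTTP the cookie crosses the wire in cleartext. A provider that offers SSL for authentication only cannot mark its session cookie Secure (the browser would then refuse to send it on plain pages), which is why persistent SSL and Secure cookies go together. The checker below is an added example written for this post, not code from the original article or from any webmail provider; the Set-Cookie lines, cookie names and domain are constructed samples.

```python
# Added illustration (not code from the original post or from any webmail
# provider): why "SSL for authentication only" still exposes the session.
#
# After login over https://, the server hands the browser a session cookie.
# Unless that cookie carries the Secure attribute, the browser replays it on
# every later http:// request, where anyone on the network path can read it
# with a packet sniffer. A provider that lets users keep using http:// cannot
# set Secure (the cookie would then never be sent on plain pages), which is
# the mechanical reason persistent SSL and Secure cookies go together.
#
# The Set-Cookie header lines below are constructed samples, not captures.

from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool      # browser sends it only over https://
    http_only: bool   # script cannot read it (limits cookie theft via XSS)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and the two flags."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; Secure and HttpOnly carry no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def readable_on_wire(cookie: Cookie, scheme: str) -> bool:
    """Would the cookie travel in cleartext on a request to this scheme?

    Over https:// the cookie is inside TLS. Over http:// the browser attaches
    it unless it was marked Secure, in which case it is withheld entirely.
    """
    if scheme == "https":
        return False
    return not cookie.secure


def audit_session_cookies(headers: Iterable[str],
                          session_cookie_names: Iterable[str]) -> Dict[str, List[str]]:
    """Return {cookie name: [problems]} for each session cookie that could leak."""
    wanted = set(session_cookie_names)
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in wanted:
            continue
        problems = []
        if readable_on_wire(cookie, "http"):
            problems.append("missing Secure: replayed in cleartext on http:// requests")
        if not cookie.http_only:
            problems.append("missing HttpOnly: readable by injected script")
        if problems:
            findings[cookie.name] = problems
    return findings


# Constructed samples. Names, domain and values are placeholders, not real
# session identifiers from any provider.
SESSION_COOKIES = {"SID", "HSID"}

# Login over HTTPS, but the site is then used over plain HTTP, so the
# provider cannot mark the session cookies Secure.
LOGIN_ONLY_TLS = [
    "SID=placeholder-session-1; Domain=.example.test; Path=/; HttpOnly",
    "HSID=placeholder-session-2; Domain=.example.test; Path=/",
    "PREF=ui-theme=dark; Domain=.example.test; Path=/",
]

# Persistent HTTPS: every page is served over TLS, so Secure costs nothing.
PERSISTENT_TLS = [
    "SID=placeholder-session-1; Domain=.example.test; Path=/; Secure; HttpOnly",
    "HSID=placeholder-session-2; Domain=.example.test; Path=/; Secure; HttpOnly",
    "PREF=ui-theme=dark; Domain=.example.test; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("login-only TLS", LOGIN_ONLY_TLS),
                           ("persistent TLS", PERSISTENT_TLS)):
        result = audit_session_cookies(headers, SESSION_COOKIES)
        print(f"{label}: {result or 'no exposed session cookies'}")
```

Run it as a script to compare the two configurations: the login-only set reports both session cookies as exposed on http:// (and one of them as readable by script), while the persistent-TLS set reports nothing. The preference cookie is deliberately left non-Secure in both sets, since a UI theme is not worth protecting; the point of the audit is to separate cookies that carry the session from cookies that do not.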

Again, the question is not just whether the Anointed are right, but who is to decide among various options such as persistent SSL, user education and changes in user interface design.

HTTPS Über Alles: Where is This Going?

Google indicated that it is exploring turning on persistent SSL (HTTPS) for all Gmail users, but says nothing about other Google services. Chris’s letter, however, asks Google to adopt HTTPS for Google Docs and Calendar, and goes on to mention Facebook and MySpace as companies that leave their users “vulnerable to data theft and account hijacking” because they do not use HTTPS.

So just how far should the adoption of HTTPS go? Chris’s draft “Caught in the Cloud” paper repeatedly argues that all cloud services should adopt persistent SSL. Yet even he recognizes that e-mail may be uniquely sensitive:

While most users’ word processing documents or photo collections may not be that valuable to a fraudster, an email account can have considerable value – due to the fact that inboxes routinely contain passwords and account information for other websites. For example, many Web sites will resend a password to a user’s email address in the event that the user forgets her password. Thus, a poorly secured email account can be leveraged to gain access to a victim’s bank account, brokerage account or online health records. (p. 15)

Here, Chris seems to recognize the need to make real trade-offs. But his coalition letter draws no such distinction, and even if it did, the more important point is that the Anointed think they know better how to draw these distinctions than anyone else, especially the companies who actually offer cloud services.

So what about Facebook messaging, Twitter tweets, and other social networking communication tools? How should “we” decide which of these services really merits persistent SSL? More important, who is this “we,” anyway? Who’s actually going to make these decisions? Rather than trusting in the “systemic process” of competition among cloud computing companies, for whom security can be an element of non-price competition, the Anointed presume to make these decisions for everyone else.

Paying for SSL

In a world of trade-offs, it’s important to look not just at the opportunity cost of providing features like persistent SSL, but also at the additional sources of revenue that could cover the costs of cloud computing features like SSL. If we can “grow the pie,” the trade-offs made to support persistent SSL will not be so painful. Two potential revenue streams seem obvious.

First, Google and other cloud service providers could simply charge for persistent SSL. For instance, Google currently charges $50/year/user for customized, ad-free Google Apps email accounts.

Second, if the advertising that supports webmail and other cloud services were more profitable, Google could afford more “guns and butter”: persistent SSL for everyone and continued expansion of storage space and roll-out of new Gmail features. This is precisely why Google, Yahoo! and other online advertising companies want to offer “Interest-Based Advertising” that is tailored to a user’s interests based on data about their web surfing. Unfortunately, the Anointed have so fetishized “User Privacy” that they are blind to these trade-offs, and fail to recognize that limiting targeted advertising in the name of “Privacy” may compromise “Security,” just as mandating “Security” protections may actually reduce competitive pressures to increase “Privacy” protections.

Thus, as Sowell emphasizes, we must understand that trade-offs cannot be made in isolation because “What can be afforded seriatim vastly exceeds what can be afforded simultaneously.” That is, we must make “trade-offs within an overall system constrained by inherent limitations of resources, knowledge, etc.” It is precisely because that task is so challenging that we must proceed cautiously and resist the insistence of the Anointed that there is an “urgent need for action to avert impending catastrophe.”

Other Options: User Empowerment & Education

Chris’s letter calls for persistent SSL by default in the belief that users do not know enough to protect themselves. In the alternative, the letter suggests four steps Google could take to help users make more fully informed choices. These suggestions seem generally reasonable, and it might well make sense to adopt them, but there are other means to address the ignorance of the “Benighted” than by presuming to decide which trade-offs Google should make in how it designs the user interface of Gmail for all users.

First, Google could present more information and a cleaner choice about persistent SSL during the initial account set-up process. In other words, when a user creates a new Google account, they would be told the pros and cons of persistent SSL and could then make a more informed decision about whether to use persistent SSL or SSL only for authentication. Since Gmail currently has only an 11% share of the webmail market, the vast majority of potential users would make these decisions at the point of initial sign-up, while the user interface for existing users would not be further complicated. This example illustrates just one way in which Google might be able to make better decisions about the trade-offs at issue than the Anointed, however well-deserved their credentials in the field of web security.

Second, Google could add more discussion of SSL to its existing online educational resources about user privacy and security. Google could expand its Privacy Center on YouTube to include detailed discussions about the potential risks of not using persistent SSL and easy-to-follow video tutorials about the pros and cons of HTTPS.

The Politics of Shame

A final word about tactics: I call Chris a “Shame Artist” in the best sense of the term. Shaming corporations is a key part of the reputational marketplace, something my colleague Adam Thierer has emphasized in his work [PDF p. 30] on online parental controls and child protection. People like Chris play a critical role in helping to raise public awareness of genuine problems, and to encourage companies to improve their practices. This dynamic has never worked as well, or as quickly, as it does in the online marketplace. But there are two important caveats to the beneficial role played by shame artists.

First, there is a fine line between (i) shining the spotlight of public attention on a problem and bringing reputational pressure to bear on the company responsible, and (ii) threatening such a company with regulation if you don’t get what you want. Here, as is often the case, Chris is playing dangerously close to that line. Chris’s “Caught in the Cloud” paper calls first for companies to change their practices voluntarily, then for mandating disclosure of SSL choices and risks, and then for mandates:

the government [could] regulate providers of cloud computing services, as it has already done in the banking and health industries. Banks are simply not permitted to let customers make encryption a “choice,” just as car manufacturers are no longer permitted to make seat belts optional. We would prefer that regulators first forced cloud computing providers to display clear educational warnings before regulators go down the path of mandating specific technologies. However, if educational warnings failed to provoke a sufficient market response, stronger regulation might be appropriate.

At the very least, Chris is hanging the regulatory “Sword of Damocles” over the necks of cloud computing providers: The sword hasn’t fallen yet, but it threatens to drop at any moment if industry doesn’t cooperate.

Second, pressuring providers of free (ad-supported) services to offer more features risks increasing the deeply-rooted assumption that users of these services are somehow entitled to them, including whatever specific functionality the Anointed think ought to be included in the service. In fairness to Chris and his coalition, their letter does not specify how persistent SSL should be provided, and he seems to be content with the idea that Google might charge for the service, a recognition of a trade-off that separates him from the more extreme among the Anointed. But once Congress, AGs and other government officials start rushing in to do Chris’s bidding, subtly or not-so-subtly coercing cloud service providers, I hope he isn’t surprised when they come back knocking on those same doors asking for more favors in the name of “Internet security.” With one hand they giveth (what Chris wants); with the other they might eventually take away (something Chris and his comrades find important).

But anytime a company is pressured to give away even more of what it’s already giving away for free, the expectation of getting a “Free Lunch” grows. (“Free dessert, too? Don’t mind if I do!”) Worse, if companies appear to cave in to this pressure without acknowledging the trade-offs involved, they both add to that expectation and encourage future attacks by shame artists, since they are signaling a willingness to cave in. This is essentially the same moral hazard problem as is created by negotiating with terrorists. I certainly don’t mean to compare either Chris’s goals or his methods to those of violent extremists, or to trivialize his arguments. But the dynamic created by weak responses to shaming in this context is nonetheless analogous: every time a company says “Why not? Cost is no issue!,” it makes it that much more difficult for itself and others to say, in the future, that cost will sometimes require more obvious trade-offs, like charging users for the feature demanded by the Anointed. At some point, such “upsells” may become so politically untenable that the practical choices are (i) not offering the feature at all and (ii) offering it to everyone for free (the costs of which will be borne somewhere else). I fear we may already have reached that point.
