This week, we’ve seen reports in both The New York Times (“Stage Set for Showdown on Online Privacy“) and The Wall Street Journal (“Watchdog Planned for Online Privacy“) that the Obama Administration is inching closer toward adopting a new Internet regulatory regime in the name of protecting privacy online. In this essay, I want to talk about information control regimes, not from a normative perspective, but from a practical one. In doing so, I will compare the relative complexities associated with controlling various types of information flows to protect against four theoretical information harms: objectionable content, defamation, copyright, and privacy.
From a normative perspective, there are many arguments for and against various forms of information control. Here, for example, are the reasons typically given for why society might want to impose regulations on the Internet (or other communications channels) to address each of the four issues identified above:
- Content control / Censorship: We must control information flows to protect children from objectionable content or all citizens against some other form of supposedly harmful speech (hate speech, terrorist recruitment, etc).
- Defamation control: We must control information flows to protect people’s reputations.
- Copyright control: We must control information flows to protect the property rights of creators against unauthorized use / distribution.
- Privacy control: We must control information flows to protect against information flows that include information about individuals.
Again, there are plenty of good normative arguments in the opposite direction, many of which are based on free speech considerations since, by definition, information control regimes limit the flow of forms of speech. For privacy, I discussed such speech-related considerations in my essay on “Two Paradoxes of Privacy Regulation.” But what about the administrative or enforcement burdens associated with each form of information control? I increasingly find that question as interesting as the normative considerations.
Let’s begin with a self-evident statement about which most of us can (hopefully) agree: Information control can be complex and costly. This was true even in the scarcity era with its physical and analog distribution methods of information dissemination. All things considered, however, the challenge of controlling information in the past paled in comparison to the far more formidable challenges nation-states face in the digital era when they seek to limit information flows.
The movement of bits across electronic networks and digital distribution systems creates unique problems I have previously discussed in my essay on “The End of Censorship.” To recap, efforts to control information today are greatly complicated by problems associated with:
- Convergence: Media content and information distribution outlets are blurring together today thanks to the rise of myriad new technologies and competitors. These new technologies and competitors generally ignore or reject the distribution-based distinctions and limitations of the past. In other words, convergence means that media content is increasingly being “unbundled” from its traditional distribution platforms and finding many paths to the consumers. As a result of these developments, it is now possible to disseminate, find, or consume the same content / information via multiple devices or distribution networks. In this way, convergence complicates efforts to create effective information control regimes.
- Scale: In the past, the reach of speech and information was limited by geographic, technological, and cultural / language considerations. Today, by contrast, media can now flow across the globe at the click of a button because of the dramatic expansion of Internet access and broadband connectivity. While restrictions by nation-states are still possible, the scale of modern digital speech and content dissemination greatly complicates government efforts to control information flows.
- Volume: The sheer volume of media and communications activity taking place today also complicates regulatory efforts. In simple terms, there is just too much stuff for regulators to police today relative to the past. As a 2002 blue ribbon panel assembled by the National Research Council to examine the regulation objectionable content concluded: “The volume of information on the Internet is so large — and changes so rapidly — that it is simply impractical for human beings to evaluate every discrete piece of information for inappropriateness.” While it may have been possible to oversee a handful of newspapers or TV and radio stations in each community or country in the past, today’s electronic media universe is so diverse and enormous—and evolving so quickly—that content controls significantly complicate enforcement burdens.
- Unprecedented individual empowerment / user-generation of content: In this new world in which every man, woman and child can be a one-person publishing house or self-broadcaster, restrictions on viewing, listening or uploading and downloading will be become increasingly difficult to devise and enforce. By comparison, few of those opportunities were available to the citizenry in the past.
Now, let’s go back to the four issues I identified above and think abut the implications. In terms of content controls, defamation, and copyright, it’s fairly clear how these considerations complicate enforcement efforts. Of course, some regulatory efforts have succeeded after governments pushed back aggressively enough, and I certainly don’t mean to suggest that governments are powerless to control information flows in the Informati0n Age. Read through Access Controlled and you’ll find plenty of examples of how nations across the globe are doing so using various methods of control: Surveillance, centralized filtering, strict liability regimes, government ownership of key facilities / companies, etc. Let me also make clear that I am not entirely against all information control efforts. Generally speaking, I want strict limits placed on governments efforts to control information flows, but I’ve also endorsed efforts to use some of these regulatory approaches to deal with child pornography and extreme forms of copyright piracy.
Anyway, I want to just make two more points here about how this relates to privacy regulation as an information control regime. First, while I think most people understand the complexities associated with information control efforts in the content, defamation, and copyright fields, I don’t think scholars or policymakers are spending nearly enough time considering the complexities of enforcing an information control regime for privacy. All too often, privacy advocates seem to suggest that privacy regulation will be frictionless and cost-free. Once they jump to the assumption that privacy is a “human right,” or must be protected in the name of “human dignity,” any discussion of enforcement hassles or the costs of regulation seemingly goes right out the window. In reality, of course, privacy regulation will have profound consequences for online sites and services by potentially undermining the goose that lays the Internet’s golden (and mostly free) eggs: online advertising and the data collection that powers it. Again, this is somewhat secondary to my point in this essay, which is just to suggest that the complexities associated with the mechanics of information control are not being fully considered in the privacy context. Either way, it’s time we stop pretending privacy regulation is a free lunch.
Second, I would like to suggest — but I cannot prove at this time — that enforcing a privacy information control regime will be more complex than the regimes needed to control information flows for content, defamation, and copyright. Now how can that possibly be, you ask? It requires a much deeper dive into the specifics of various privacy regulatory proposals, but consider two recent privacy-related regulatory regimes: a “Do Not Track” list and a “right to be forgotten.” Both sound simple enough in theory, but the details are quite devilish.
How, for example, would government go about verifying proper compliance with such regulations without also ensuring some sort of online authentication system is in place to verify people are who they say they are? Must every browser be retooled to comply and then regulated accordingly? What about apps downloaded on tablets or smartphones that don’t require browsers at all? Are IP addresses “personal information” that are also subject to regulation? Which agencies are responsible for creating authentication systems, policing online data flows, and reviewing new innovations and sites to ensure they are complying? Who in government has access to the data about individuals that is collected for such purposes, and what else are they doing with it? What systems will need to be put into place by online operators, large and small alike, to ensure compliance? And so on. Enforcement problems will also be complicated by the subjectivity of privacy norms from one individual to another as well as the fact that these norms change over time (and seem to be changing quite rapidly in recent years).
Again, more research needs to be done to better document the potential costs associated with a privacy information control regime, but I would hope we could begin by accepting that fact that it is an information control regime and that it will be complicated to enforce and will have costs — both in economic and speech-related terms. Advocates of such a regulatory regime for the Internet should at least be mature enough to admit that what they are proposing is comparable in complexity and cost to the censorship and copyright regulatory regimes they typically oppose.