Over at Forbes I have posted some thoughts on the new privacy framework (Consumer Data Privacy in a Networked World) that the Obama Administration released today. In my essay, “The Problem with Obama’s “Let’s Be More Like Europe” Privacy Plan,” I hammer home the same point I’ve made here before many times: Regulation is not a costless exercise. No matter how well-intentioned regulatory proposals may be, they can often have unforeseen, unintended consequences. This is equally true for privacy controls. I discuss how a new privacy regulatory regime could drive up prices for services that currently are free or inexpensive, limit new digital services and innovations, create barriers to entry for new entrants and entrepreneurs, negatively impact the competitiveness of existing U.S. Internet operators, and, more generally, increase the horizons of government power over the Internet.

For a more detailed analysis of these issues, I encourage you to check out my big Mercatus Center filing to the FTC last year on privacy and Do Not Track regulation. Also, here are a few TLF essays that summarize my skepticism about expanded privacy controls:

The White House’s “Consumer Data Privacy in a Networked World” report outlines a revised framework for consumer privacy, proposes a “Consumer Privacy Bill of Rights,” and calls on Congress to pass new legislation to regulate online businesses. The following statement can be attributed to Berin Szoka, President of TechFreedom, and Larry Downes, TechFreedom Senior Adjunct Fellow:

This Report begins and ends as constitutional sleight-of-hand. President Obama starts by reminding us of the Fourth Amendment’s essential protection against “unlawful intrusion into our homes and our personal papers”—by government. But the Report recommends no reform whatsoever for outdated laws that have facilitated a dangerous expansion of electronic surveillance. That is the true threat to our privacy. The report dismisses it in a footnote.

Instead, the Report calls for extensive new regulation of Internet businesses to address little more than the growing pains of a vibrant emerging economy. “For businesses to succeed online,” President Obama asserts, “consumers must feel secure.”  Yet online businesses that rely on data to deliver innovative and generally free services are the one bright spot in a sour economy. Experience has shown consumers ultimately bear the costs of regulations imposed on emerging technologies, no matter how well-intentioned.

The report is a missed opportunity. The Administration should have called for increased protections against government’s privacy intrusions. Focusing on the real Bill of Rights would have respected not only the Fourth Amendment, but also the First Amendment. The Supreme Court made clear last year that the private sector’s use of data is protected speech—an issue also not addressed by this Report.

Szoka and Downes are available for comment at media@techfreedom.org.

Congress freed up much-needed electromagnetic spectrum for mobile communications services Friday (H.R. 3630), but it set the stage for years of wasteful lobbying and litigating over whether regulators should be allowed to pick winners and losers among mobile service providers.

The wireless industry has thrived in the near absence of any regulation since 1993.  But lately the Federal Communications Commission has been hard at work attempting to change that.

A leaked staff report in December helped sink AT&T’s attempted acquisition of T-Mobile.  And the commission has taken the extraordinary step of requesting public comments on an agreement between Comcast and Verizon Wireless to jointly market their respective cable TV, voice and Internet services, beginning in Portland and Seattle.  Nothing in the Communications Act prohibits cable operators and mobile phone service providers from jointly marketing their products.

FCC Chairman Julius Genachowski objected to a previous version of the spectrum bill which, among other things, would have prohibited the commission from manipulating spectrum auctions for the benefit of preferred entities. The limitation was removed, and Sec. 6404 provides that nothing in the legislation “affects any authority the Commission has to adopt and enforce rules of general applicability, including rules concerning spectrum aggregation that promote competition.”


Ceci c’est un meme.

On Forbes today, I look at the phenomenon of memes in the legal and economic context, using my now notorious “Best Buy” post as an example. Along the way, I talk antitrust, copyright, trademark, network effects, Robert Metcalfe and Ronald Coase.

It’s now been a month and a half since I wrote that electronics retailer Best Buy was going out of business…gradually.  The post, a preview of an article and future book that I’ve been researching on-and-off for the last year, continues to have a life of its own.

Commentary about the post has appeared in online and offline publications, including The Financial Times, The Wall Street Journal, The New York Times, TechCrunch, Slashdot, MetaFilter, Reddit, The Huffington Post, The Motley Fool, and CNN. Some of these articles generated hundreds of user comments, in addition to those that appeared here at Forbes.

David Weinberger on knowledge

by on February 21, 2012

On the podcast this week, David Weinberger, senior researcher at Harvard Law’s Berkman Center for the Internet & Society and Co-Director of the Harvard Library Innovation Lab at Harvard Law School, discusses his new book entitled, “Too Big to Know: Rethinking Knowledge Now That the Facts Aren’t the Facts, Experts Are Everywhere, and the Smartest Person in the Room Is the Room.” According to Weinberger, knowledge in the Western world is taking on properties of its new medium, the Internet. He discusses how he believes the transformation from paper medium to Internet medium changes the shape of knowledge. Weinberger goes on to discuss how gathering knowledge is different and more effective, using hyperlinks as an example of a speedy way to obtain more information on a topic. Weinberger then talks about how the web serves as the “room,” where knowledge seekers are plugged into a network of experts who disagree and critique one another. He also addresses how he believes the web has a way of filtering itself, steering one toward information that is valuable.


To keep the conversation around this episode in one place, we’d like to ask you to comment at the webpage for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

Given the importance of privacy self-help—that is, setting your browser to control what it reveals about you when you surf the Web—I was concerned to hear that Google, among others, had circumvented third-party cookie blocking that is a default setting of Apple’s Safari browser. Jonathan Mayer of Stanford’s Center for Internet and Society published a thorough and highly technical explanation of the problem on Thursday.

The story starts with a flaw in Safari’s cookie blocking. Mayer notes Safari’s treatment of third-party cookies:

Reading Cookies: Safari allows third-party domains to read cookies.
Modifying Cookies: If an HTTP request to a third-party domain includes a cookie, Safari allows the response to write cookies.
Form Submission: If an HTTP request to a third-party domain is caused by the submission of an HTML form, Safari allows the response to write cookies. This component of the policy was removed from WebKit, the open source browser behind Safari, seven months ago by Google engineers. Their rationale is not public; the bug is marked as a security problem. The change has not yet landed in Safari.

Mayer says Google was exploiting this yet-to-be-closed loophole to install third-party cookies, the domain of which Safari would then allow to write cookies. After describing “(relatively) straightforward” cookie synching, Mayer says:

But we noticed a special response at the last step for Safari browsers. … Instead of responding with the “_drt_” cookie, the server sends back a page that includes a form and JavaScript to submit the form (using POST) to its own URL.

Third-party cookie blocking evaded, and users’ preferences frustrated.
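
The three rules Mayer lists can be modelled as a small policy check that shows why the form-submission rule matters. This is an added example, not code from Mayer's write-up, Safari or WebKit; the domain `tracker.example`, the request fields and the function names are constructed for illustration.

```javascript
// Added illustration: a model of the third-party cookie rules quoted above.
// Not WebKit or Safari code; all names and the sample requests are constructed.

const LEGACY = { allowFormSubmission: true };   // policy as described for Safari
const PATCHED = { allowFormSubmission: false }; // form-submission rule removed, as in WebKit

// Decide whether a response may write cookies for request.domain.
function mayWriteCookies(request, jar, policy) {
  if (!request.thirdParty) return true;        // first-party: always allowed
  if (jar.has(request.domain)) return true;    // "Modifying Cookies" rule
  if (policy.allowFormSubmission && request.formSubmit) {
    return true;                               // "Form Submission" rule
  }
  return false;                                // default: block the write
}

// Replay requests whose responses all try to set a cookie,
// and record which writes the policy accepts.
function replay(requests, policy) {
  const jar = new Set(); // domains that currently hold a cookie
  return requests.map((request) => {
    const accepted = mayWriteCookies(request, jar, policy);
    if (accepted) jar.add(request.domain);
    return { label: request.label, accepted };
  });
}

// Constructed sample: the same third-party domain, three requests in order.
const SAMPLE = [
  { label: "plain GET", domain: "tracker.example", thirdParty: true, formSubmit: false },
  { label: "form POST", domain: "tracker.example", thirdParty: true, formSubmit: true },
  { label: "later GET", domain: "tracker.example", thirdParty: true, formSubmit: false },
];

// Labels of the requests whose cookie writes were accepted under a policy.
function acceptedLabels(policy) {
  return replay(SAMPLE, policy)
    .filter((result) => result.accepted)
    .map((result) => result.label);
}

console.log("legacy :", acceptedLabels(LEGACY));
console.log("patched:", acceptedLabels(PATCHED));
```

Under the legacy policy the single form-triggered write is enough for every later response from that domain to pass the "Modifying Cookies" rule; with the form-submission rule removed, no write in the sample is accepted.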

Ars Technica has published Google’s response, which doesn’t seem to have gone up on any of its blogs, in full. Google says they created this functionality to deliver better services to their users, but doing so inadvertently allowed Google advertising cookies to be set on the browser.

I don’t know that I’m technically sophisticated enough to register a firm judgement, but it looks to me like Google was faced with an interesting dilemma: They had visitors who were signed in to their service and who had opted to see personalized ads and other content, such as ‘+1’s, but those same visitors had set their browsers contrary to those desires. Google chose the route better for Google, defeating the browser-set preferences. That, I think, was a mistake.

I wonder if there isn’t some Occam’s Razor that a Google engineer might have applied at some point in this process, thinking, “Golly, we are really going to great lengths to get around a browser setting. Are we sure we should be doing this?” Maybe it would have been more straightforward to highlight to Safari users that their settings were reducing their enjoyment of Google’s services and ads, and to invite those users to change their settings. This, and urging Apple to fix the browser, would have been more consistent with the company’s credo of non-evil.

Now, to the ideological stuff, of which I can think of two items:

1) There is a battle for control of earth out there—well, a battle over whether third-party cookie blocking is good or bad. Have your way, advocates. I think the consuming public—that is, the market—should decide.

2) There is a battle to make a federal case out of every privacy transgression. An advocacy group called Consumer Watchdog (which has been prone to privacy buffoonery in the past) hustled out a complaint to the Federal Trade Commission. I think the injured parties should be compensated in full for their loss and suffering, of which there wasn’t any. De minimis non curat lex, so this is actually just a learning opportunity for Google, for browser authors, and for the public.

Kudos and thanks are due to Jonathan Mayer, as well as ★★★★★ and Ashkan Soltani, for exposing this issue.

Today the Federal Trade Commission released a new report entitled, “Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing,” which concludes that “confusing and hard-to-find disclosures do not give parents the control that they need in this area.” The FTC argues that “parents need consistent, easily accessible, and recognizable disclosures regarding in-app purchase capabilities so that they can make informed decisions about whether to allow their children to use apps with such capabilities.”

It’s hard to be against the FTC’s “the more disclosure, the better” policy recommendation and I’m not about to come out against it here. But the question is: how much disclosure is enough? Reading through the report and seeing how hard the FTC hammers this point home makes me think the agency wants our app store checkout process to be littered with the pages of fine print disclosure policies that now accompany our credit card statements and home mortgage payments! Seriously, would that make us better off?

As a parent of two kids who both download countless apps on my Android phone, my wife’s iPhone, and our family’s Android tablet, I appreciate a certain amount of disclosure about what sort of information apps are collecting and how they are using it. I think Google’s Android marketplace strikes a nice balance here, providing us with the most crucial facts about what the application will access or share. Apple could do more on disclosure but the company also prides itself (to the dismay of some!) on its rigorous pre-screening process to make sure the apps in the App Store are safe and don’t violate certain privacy and security policies. Yet, as the FTC correctly points out, “the details of this screening process are not clear.” Of course, most Apple users simply don’t give a damn. They’re all too happy to let Apple just take care of it for them even if they’re not really sure what’s happening to their data behind the scenes. The more privacy-sensitive crowd wants greater disclosure and control, of course, and I’m sympathetic to that plea.  But again, how much disclosure is enough? Are you going to wade through pages of disclosure policies and privacy opt-ins before downloading that latest iteration of “Angry Birds” or “Cut the Rope”? Yeah, I didn’t think so.

Anyway, I don’t want to dwell on that. The more interesting findings in the survey relate to price and market dynamics and I am hoping people don’t ignore them.

Ahead of today’s cybersecurity hearing in the Senate, I wanted to jot down some thoughts on the issue. For over a year now, I’ve been questioning the need for federal intervention in cybersecurity and calling for a slower and more deliberate process. Perhaps I come across as a refusenik, but I hope that I’m at least lending some balance to the debate.

First, let me say that I fully recognize that the U.S. faces serious cyber threats. [Here is](http://selil.com/archives/2985) one of the best (and most honest) cases for being worried that I’ve seen. I get it.

That said, what I try to point out is that the existence of a threat [does not necessarily mean](http://techliberation.com/2012/02/16/too-big-to-face-incentives/) that regulation is necessary. In many cases, the threat [can be internalized](http://techliberation.com/2012/01/24/is-there-a-market-failure-in-cybersecurity-its-not-an-open-and-shut-case/) by affected private actors. Even if we determine that some private actors are not internalizing the costs, prescriptive regulation can sometimes do more harm than good. The best thing we can do is not try to prevent harm at all costs, but instead make sure that we are resilient so that no single threat can destroy us. And we [may be more anti-fragile](http://mercatus.org/publication/beyond-cyber-doom)–more resilient and more capable of adaptation–than we’re led to believe.

That brings me to the other thing I try to point out: that the rhetoric surrounding cybersecurity is often unnecessarily alarmist. Introducing the Cybersecurity Act of 2012, Sen. Rockefeller equated the cyber threat with the nuclear threat. I’m sorry, but I don’t think that’s right. It does scare people, however, and I’m afraid that we will be sold an expensive bill of goods based on fear.

So I’m happy to see that both the Senate and the House have begun to take more realistic approaches to cybersecurity. For example, the [Rockefeller-Snowe bill](http://www.opencongress.org/bill/111-s773/show) from last congress would have required the Department of Commerce to develop “a national licensing, certification, and periodic recertification program for cybersecurity professionals,” and would have made certification mandatory for anyone engaged in cybersecurity. I’m happy to see that’s gone in the new bill. I’m glad that there is no “[Internet kill switch](http://techliberation.com/2011/02/19/the-internet-kill-switch-debate/).” I’m also happy to see that the bill includes a way for private industry to appeal its inclusion in the regulatory regime.

Where do I think there may be a role for government? Information sharing certainly comes to mind. There is no doubt that there’s a lot that the public and private sectors can learn from each other. And to the extent that private actors are prevented by privacy laws from cooperating on cybersecurity, there should be a way to facilitate cooperation without endangering consumer protections. Additionally, requiring disclosure of security breaches is not a bad idea. It would allow insurance markets and other markets to serve as an alternative to regulation, or as Cass Sunstein calls it, regulation through transparency.

Too big to face incentives

by on February 16, 2012

Here, in one sentence, is what’s wrong with [Stewart Baker’s testimony](http://www.skatingonstilts.com/skating-on-stilts/2012/02/testifying-about-cybersecurity-legislation.html) on cybersecurity before the Senate Homeland Security committee today:

>If an asset is not designated as “covered critical infrastructure,” then the owner has no obligation under the bill to guard against attack by hackers, criminals, or nation states, leaving those who depend on the asset unprotected.

The logic here is that if a private network is not forced by government to protect itself, then it will be left unprotected and wide open for attack. There is no private incentive to secure one’s investment, the argument seems to be. If you’d like an explanation of why this isn’t logical, see Eli Dourado’s [paper on cybersecurity market failure](http://mercatus.org/publication/there-cybersecurity-market-failure-0).

One more thing: according to Baker, present network insecurity “could easily cause the United States to lose its next serious military confrontation.” I understand asymmetric threats, but here is a [listing of military spending by country](http://en.wikipedia.org/wiki/List_of_countries_by_military_expenditures). “Easily” doesn’t come to mind.

Kevin Drum and Tim Lee have been having an [interesting](http://motherjones.com/kevin-drum/2012/02/should-idiots-be-allowed-regulate-internet) [exchange](http://arstechnica.com/tech-policy/news/2012/02/copyright-enforcement-and-the-internet-we-just-havent-tried-hard-enough.ars) about whether those of us who oppose granting copyright holders stronger enforcement powers feel this way because we are ideologically opposed to IP protection. Tim points out that copyright owners have, as a matter of fact, received greater and greater enforcement powers–almost on an annual basis. As a result, Tim says, “most of us are not anti-copyright; we just think enough is enough, and that the menu of enforcement tools Congress has already given to copyright holders is more than sufficient.”

Sufficient for what, though? Sufficient to significantly reduce piracy online? That’s certainly not the case. Piracy is rampant on the net. Some would say, though, that the only meaningful ways left to enforce copyright would (dare I say it?) break the Internet as we know it.

So when Tim says that the powers copyright holders now have are “more than sufficient,” I think he means sufficient to provide an incentive to create. After all, the purpose of copyright is to “promote the progress of science,” not to protect some Lockean notion of property. It may be the case that while owners’ rights are no doubt being violated, a further reduction in piracy won’t affect the incentive to create.

This is why many, including [Julian Sanchez](http://www.cato.org/pub_display.php?pub_id=14028), [Tim O’Reilly](https://plus.google.com/107033731246200681024/posts/BEDukdz2B1r), [Mike Masnick](http://www.techdirt.com/blog/?tag=sky+is+rising) and [Jonathan Coulton](http://surprisinglyfree.com/2012/02/14/jonathan-coulton/), question whether piracy is really a problem at all. That is, they believe it may be the case that the present level of piracy doesn’t hurt content owners’ bottom lines, because it’s clear that not every infringement would have otherwise been a sale. If that’s the case, then the costs of new enforcement powers would outweigh any benefits. So, the argument goes, we should do nothing.
