Tomorrow, the Federal Trade Commission (FTC) will host an all-day workshop entitled, “Internet of Things: Privacy and Security in a Connected World.” [Detailed agenda here.] According to the FTC: “The workshop will focus on privacy and security issues related to increased connectivity for consumers, both in the home (including home automation, smart home appliances and connected devices), and when consumers are on the move (including health and fitness devices, personal devices, and cars).”
Where is the FTC heading on this front? This Politico story by Erin Mershon from last week offers some possible ideas. Yet, it still remains unclear whether this is just another inquiry into an exciting set of new technologies or if it is, as I worried in my recent comments to the FTC on this matter, “the beginning of a regulatory regime for a new set of information technologies that are still in their infancy.”
First, for those not familiar with the “Internet of Things,” this short new report from Daniel Castro & Jordan Misra of the Center for Data Innovation offers a good definition:
The “Internet of Things” refers to the concept that the Internet is no longer just a global network for people to communicate with one another using computers, but it is also a platform or devices to communicate electronically with the world around them. The result is a world that is alive with information as data flows from one device to another and is shared and reused for a multitude of purposes. Harnessing the potential of all of this data for economic and social good will be one of the primary challenges and opportunities of the coming decades.
The report continues on to offer a wide range of examples of new products and services that could fulfill this promise.
What I find somewhat worrying about the FTC’s sudden interest in the Internet of Things is that it opens to the door for some regulatory-minded critics to encourage preemptive controls on this exciting new wave of digital age innovation, based almost entirely on hypothetical worst-case scenarios they have conjured up. And plenty of those boogeyman scenarios are floating around already because the Internet of Things has created a potential perfect storm of four major information policy concerns: online safety, privacy, security, and even intellectual property issues. You can find concerned critics from each of those quarters already wringing their hands about what the Internet of Things means for their pet issues.
This is why in both my filing to the agency and in an upcoming eBook, I discuss the danger of letting “precautionary principle” reasoning trump the alternative paradigm of “permissionless innovation.” As I’ve explained here before as well in this longer law review article, the precautionary principle generally holds that, because a given new technology could pose some theoretical danger or risk in the future, public policies should control or limit the development of such innovations until their creators can prove that they won’t cause any harms.
The problem with letting such precautionary thinking guide policy is that it poses a serious threat to technological progress, economic entrepreneurialism, and human prosperity. Under an information policy regime guided at every turn by a precautionary principle, technological innovation would be impossible because of fear of the unknown; hypothetical worst-case scenarios would trump all other considerations. Social learning and economic opportunities become far less likely, perhaps even impossible, under such a regime. In practical terms, it means fewer services, lower quality goods, higher prices, diminished economic growth, and a decline in the overall standard of living.
For these reasons, to the maximum extent possible, the default position toward new forms of technological innovation should be innovation allowed. This policy norm is better captured in the well-known Internet ideal of “permissionless innovation,” or the general freedom to experiment and learn through trial-and-error experimentation.
Which leads back to the FTC workshop tomorrow. Which path will the agency head down? If the recent comments of FTC Chairwoman Edith Ramirez are any indication, there is certainly a healthy appetite for precautionary principle policymaking, at least as it pertains to “big data.” As I noted here in a critique of one of her recent speeches, Chairwoman Ramirez has offered “a rather succinct articulation of precautionary principle thinking as applied to modern data collection practices.”
She worried that “‘big data’ leads to the indiscriminate collection of personal information,” and that “the indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the offchance that it might prove useful is not consistent with privacy best practices,” she continued, and she went on to argue that “Information that is not collected in the first place can’t be misused” and then suggests a parade of horribles that will befall if such data collection is allowed at all. So, it would not be surprising to see her extend that sort of precautionary reasoning to the Internet of Things since all those fears would apply equally to it.
A better approach can be found in some remarks delivered by Ramirez’s fellow FTC Commissioner Maureen K. Ohlhausen. In an important speech last month entitled, “The Internet of Things and the FTC: Does Innovation Require Intervention?” Ohlhausen noted that, “The success of the Internet has in large part been driven by the freedom to experiment with different business models, the best of which have survived and thrived, even in the face of initial unfamiliarity and unease about the impact on consumers and competitors.” This reflects Ohlhausen’s general embrace of permissionless innovation reasoning and a rejection of the precautionary principle mindset articulated by FTC Chairwoman Ramirez.
More importantly, in her speech, Commissioner Ohlhausen went on to highlight another crucial point about why the precautionary mindset is dangerous when enshrined into laws or regulations. Put simply, many elites and regulatory advocates ignore regulator irrationality or regulatory ignorance. That is, they spend so much time focused on the supposed irrationality of consumers and their openness to persuasion or “manipulation” that they ignore the more concerning problem of the irrationality or ignorance of those who (incorrectly) believe they are always in the best position to solve every complex problem. Regulators simply do not possess the requisite knowledge to perfectly plan for every conceivable outcome. This is particularly true for information technology markets, which generally evolve much more rapidly than other sectors, and especially more rapidly that law itself.
That insight leads Ohlhausen to issue a wise word of caution to her fellow regulators:
It is  vital that government officials, like myself, approach new technologies with a dose of regulatory humility, by working hard to educate ourselves and others about the innovation, understand its effects on consumers and the marketplace, identify benefits and likely harms, and, if harms do arise, consider whether existing laws and regulations are sufficient to address them, before assuming that new rules are required.
That is absolutely right and this again makes it clears how Commissioner Ohlhausen’s approach to technological innovation is consistent with the permissionless innovation approach while Chairwoman Ramirez’s is based on precautionary principle thinking. This conflict of visions dominates almost all policy debates over new technology today, even if it is not always on such vivid display as it is in this case.
This also makes it abundantly clear just what is at stake as the FTC embarks on its exploration of the Internet of Things. Will we continue to embrace and defend the philosophy that made America’s digital economy the envy of the world (i.e., “permissionless innovation”), or will we be paralyzed by fear of the unknown and hypothetical worst-case scenarios. As I have said here many times before, living in constant fear of such worst-case scenarios — and premising public policy upon them — means that best-cast scenarios will never come about.
So, stay tuned. The fight over the Internet of Things promises to be one of the most important public policy battles in the technology policy arena for many years to come.
This issue will be the focus of my forthcoming eBook, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom,” but until that is released, here are a few other recommended readings on the topic:
- “Who Really Believes in ‘Permissionless Innovation’?” Technology Liberation Front, March 4, 2013.
- “What Does It Mean to ‘Have a Conversation’ about a New Technology?” Technology Liberation Front, May 23, 2013.
- “Planning for Hypothetical Horribles in Tech Policy Debates,” Technology Liberation Front, August 6, 2013.
- “On the Line between Technology Ethics vs. Technology Policy,” Technology Liberation Front, August 1, 2013.
- “Edith Ramirez’s ‘Big Data’ Speech: Privacy Concerns Prompt Precautionary Principle Thinking,” Technology Liberation Front, August 29, 2013.
- “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed,” Technology Liberation Front, April 29, 2011.
- “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges,” Technology Liberation Front, April 10, 2012.
- “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013.
Testimony / Filings:
- Senate Testimony on Privacy, Data Collection & Do Not Track, April 24, 2013
- Comments of the Mercatus Center to the FTC in Privacy & Security Implications of the Internet of Things, May 31, 2013.
- Comments of the Mercatus Center to FAA on commercial domestic drones (with Jerry Brito and Eli Dourado) , April 23, 2013.
Journal articles & book chapters:
- “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” Minnesota Journal of Law, Science & Technology, Vol. 14, (2013): 309-386.
- “The Pursuit of Privacy in a World Where Information Control Is Failing,” Harvard Journal of Law & Public Policy, Vol. 36, (2013): 409-455.
- “A Framework for Benefit-Cost Analysis in Digital Privacy Debates,” George Mason University Law Review, Vol. 20, No. 4 (Summer 2013): 1055-1105.