Articles by Jim Harper

Jim Harper

Jim is the Director of Information Policy Studies at The Cato Institute, the Editor of Web-based privacy think-tank Privacilla.org, and the Webmaster of WashingtonWatch.com. Prior to becoming a policy analyst, Jim served as counsel to committees in both the House and Senate.


I was astounded to see the misstatements and misapplication of math in a recent Atlantic blog post called “How Much Is Your Data Worth? Mmm, Somewhere Between Half a Cent and $1,200.”

For his back-of-envelope calculations about the value of personal data, Alexis Madrigal writes, “User profiles — slices of our digital selves — are sold in large chunks, i.e. at least 10,000 in a batch. On the high end, they go for $0.005 per profile, according to advertising-industry sources.”

The dollar value isn’t crazy—a CPM rate of about five cents is on the low end—but he has got the nature of the transaction precisely wrong. Advertisers place ads with content providers like Facebook, Google, and ad networks. The latter direct those ads to their visitors, trying to get ads to the people the advertiser wants to reach. They do not sell the information they use to guess at what interests consumers—consumers’ profiles, to whatever extent they exist.

If content providers sold data about their visitors to advertisers, this would undercut their own role in the advertising business. There wouldn’t be a second sale to make. And doing so would require a radical re-engineering of targeted advertising, which is largely cookie-based. The purchaser of the profile wouldn’t know how to find the subject of the profile in order to deliver an ad.

Madrigal repeats several times that “profiles” are “sold.” It’s a highly misleading characterization, creating the impression that dossiers of information about people are circulating the Internet on a strange black market. On the contrary, profiles are held—not sold—by content providers and advertising networks. There are privacy concerns enough with that business model. We don’t need it mis-described.

I probably would have let this pass. Madrigal isn’t the first to get the advertising business model wrong. (And he hasn’t repeated the error that I know of.) But then comes the bad math.

Writes Madrigal:

[L]et’s not forget the rest of the Internet advertising ecosystem either, which the Internet Advertising Bureau says supported $300 billion in economic activity last year. That’s more than $1,200 per Internet user and much of the online advertising industry’s success is predicated on the use of this kind of targeting data.

Personal information is one input into part of online advertising. It makes no sense to assign all the value from the entire ecosystem to that one input. The auto industry is about a $400 billion industry, and there are about 250 million car tires sold in the U.S. each year. This does not mean that tires are worth over $2,000 each.

The idea, evidently, is to make the case that consumers are losing a lot in the advertising ecosystem today. That may or may not be true. I’d like to see it shown in the success of a company like Personal or others in the Personal Data Ecosystem, which could re-jigger the personal-data > free-content bargain. But I don’t think that misstating how advertising works and exploding the value of personal data is a good way to make the case for change.

Paying close attention to language can reveal what’s going on in the world around you.

Note the simple but important differences between the phrases “open government” and “open government data.” In the former, the adjective “open” modifies the noun “government.” Hearing the phrase, one would rightly expect a government that’s more open. In the latter, “open” and “government” modify the noun “data.” One would expect the data to be open, but the question whether the government is open is left unanswered. The data might reveal something about government, making government open, or it may not.

David Robinson and Harlan Yu document an important parallel shift in policy focus through their paper: “The New Ambiguity of ‘Open Government.’”

Recent public policies have stretched the label “open government” to reach any public sector use of [open] technologies. Thus, “open government data” might refer to data that makes the government as a whole more open (that is, more transparent), but might equally well refer to politically neutral public sector disclosures that are easy to reuse, but that may have nothing to do with public accountability.

It’s a worthwhile formal articulation and reminder of a trend I’ve noted in passing once or twice.

There’s nothing wrong with open government data, but the heart of the government transparency effort is getting information about the functioning of government. I think in terms of a subject-matter trio—deliberations, management, and results—data about which makes for a more open, more transparent government. Everything else, while entirely welcome, is just open government data.

Given the importance of privacy self-help—that is, setting your browser to control what it reveals about you when you surf the Web—I was concerned to hear that Google, among others, had circumvented third-party cookie blocking that is a default setting of Apple’s Safari browser. Jonathan Mayer of Stanford’s Center for Internet and Society published a thorough and highly technical explanation of the problem on Thursday.

The story starts with a flaw in Safari’s cookie blocking. Mayer notes Safari’s treatment of third-party cookies:

Reading Cookies: Safari allows third-party domains to read cookies.
Modifying Cookies: If an HTTP request to a third-party domain includes a cookie, Safari allows the response to write cookies.
Form Submission: If an HTTP request to a third-party domain is caused by the submission of an HTML form, Safari allows the response to write cookies. This component of the policy was removed from WebKit, the open source browser behind Safari, seven months ago by Google engineers. Their rationale is not public; the bug is marked as a security problem. The change has not yet landed in Safari.

Mayer says Google was exploiting this yet-to-be-closed loophole to install third-party cookies, the domain of which Safari would then allow to write cookies. After describing “(relatively) straightforward” cookie synching, Mayer says:

But we noticed a special response at the last step for Safari browsers. … Instead of responding with the “_drt_” cookie, the server sends back a page that includes a form and JavaScript to submit the form (using POST) to its own URL.

Third-party cookie blocking evaded, and users’ preferences frustrated.
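The three policy rules quoted above can be modelled as a small decision function, which shows why one form-submission response is enough to open the door for every later write. This is an added example, not code from Mayer's write-up or from WebKit; the class, function, cookie and domain names are hypothetical, and the browser is reduced to a single cookie jar.

```javascript
// Toy model of the third-party cookie policy described in the quoted rules.
// All names here (CookieJar, thirdPartyRequest, tracker.example) are
// constructed for illustration.
class CookieJar {
  constructor({ allowFormSubmissionWrites }) {
    // true  = the policy as quoted for Safari at the time
    // false = the policy with the form-submission rule removed (the WebKit change)
    this.allowFormSubmissionWrites = allowFormSubmissionWrites;
    this.cookies = new Map(); // domain -> Map(name -> value)
  }

  // Simulate one request to a third-party domain plus the cookies its
  // response tries to set. Returns the cookie names actually stored.
  thirdPartyRequest(domain, { viaFormSubmission = false, setCookies = {} } = {}) {
    const existing = this.cookies.get(domain) || new Map();
    // "Reading Cookies": cookies already held for the domain are sent.
    const requestCarriesCookie = existing.size > 0;
    // "Modifying Cookies" OR "Form Submission" permits the write.
    const mayWrite =
      requestCarriesCookie ||
      (viaFormSubmission && this.allowFormSubmissionWrites);
    if (!mayWrite) return [];
    for (const [name, value] of Object.entries(setCookies)) {
      existing.set(name, value);
    }
    this.cookies.set(domain, existing);
    return Object.keys(setCookies);
  }
}

// Run the same three requests under either policy and report what was stored.
function simulate(allowFormSubmissionWrites) {
  const jar = new CookieJar({ allowFormSubmissionWrites });
  const d = "tracker.example"; // constructed domain
  return {
    plain: jar.thirdPartyRequest(d, { setCookies: { id: "1" } }),
    form: jar.thirdPartyRequest(d, {
      viaFormSubmission: true,
      setCookies: { seed: "x" },
    }),
    followUp: jar.thirdPartyRequest(d, { setCookies: { id: "1" } }),
  };
}

console.log("policy as quoted:", simulate(true));
console.log("form rule removed:", simulate(false));
```

With the form-submission rule in place, the first plain request is blocked, the form response stores a cookie, and the follow-up request then qualifies under the "Modifying Cookies" rule; with the rule removed, all three writes are refused.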

Ars Technica has published Google’s response, which doesn’t seem to have gone up on any of its blogs, in full. Google says they created this functionality to deliver better services to their users, but doing so inadvertently allowed Google advertising cookies to be set on the browser.

I don’t know that I’m technically sophisticated enough to register a firm judgement, but it looks to me like Google was faced with an interesting dilemma: They had visitors who were signed in to their service and who had opted to see personalized ads and other content, such as ‘+1’s, but those same visitors had set their browsers contrary to those desires. Google chose the route better for Google, defeating the browser-set preferences. That, I think, was a mistake.

I wonder if there isn’t some Occam’s Razor that a Google engineer might have applied at some point in this process, thinking, “Golly, we are really going to great lengths to get around a browser setting. Are we sure we should be doing this?” Maybe it would have been more straightforward to highlight to Safari users that their settings were reducing their enjoyment of Google’s services and ads, and to invite those users to change their settings. This, and urging Apple to fix the browser, would have been more consistent with the company’s credo of non-evil.

Now, to the ideological stuff, of which I can think of two items:

1) There is a battle for control of earth out there—well, a battle over whether third-party cookie blocking is good or bad. Have your way, advocates. I think the consuming public—that is, the market—should decide.

2) There is a battle to make a federal case out of every privacy transgression. An advocacy group called Consumer Watchdog (which has been prone to privacy buffoonery in the past) hustled out a complaint to the Federal Trade Commission. I think the injured parties should be compensated in full for their loss and suffering, of which there wasn’t any. De minimis non curat lex, so this is actually just a learning opportunity for Google, for browser authors, and for the public.

Kudos and thanks are due to Jonathan Mayer, as well as ★★★★★ and Ashkan Soltani, for exposing this issue.

My seen-it-all cool was shaken yesterday when I examined how a Senate cybersecurity bill would scythe down legal protections for privacy. Anyone participating in government “cybersecurity exchanges” would have nearly total immunity from liability under any law. No Privacy Act, no ECPA, no E-Government Act, no contract law, no privacy torts. The scuttlebutt is that Senator Reid (D-NV) may push this especially hard as payback to the Internet for the SOPA/PIPA debacle.

In the push for cybersecurity legislation, Congress is driven far more by its desire to act (and D.C. lobbyists’ desire to have Congress act) than by any plausible contribution it can make to the difficult problem of securing computers, networks, and data. That’s why this cybersecurity bill, and all others I have seen, have greater costs than benefits.

Read about the devastation for privacy and the rule of law on offer in a current draft in “The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy.”

I honestly don’t know. I haven’t been following his work, and, by saying I don’t know, I don’t imply that he didn’t achieve anything. But it’s utterly unclear from this interview with Nancy Scola what he achieved as chief technology officer in the Obama Administration the last few years.

I was piqued by the amusing—almost comical—claims to specificity he makes, right from the outset:

What is the elevator pitch on what you’ve been doing since you were named Chief Technology Officer of the United States?
What I do is advance the president’s innovation agenda by incorporating his bottom-up theory of change. To be very specific about it, I execute the president’s innovation strategy in a manner that taps into the expertise of the American people to solve big problems.

There is nothing specific about, “I execute the president’s innovation strategy in a manner that taps into the expertise of the American people to solve big problems.” If you were to look up “vague” in the dictionary, that sentence would illustrate the first definition of the word.

Ever notice how people say, “I don’t mean to interrupt,” when they are interrupting? How they say, “to make a long story short,” when it’s already too late? Chopra says he’s going to be specific as he heads into empty generalities. Further along in the interview, he talks about his role and his involvement, which would be interesting meta-information if it set the stage for describing accomplishment.

So the question stands: What things happened under Aneesh Chopra that wouldn’t have happened in his absence?

Caveats: Aneesh Chopra seems like a nice guy. I don’t doubt his sincerity or intention to have done good things. I don’t think he’s unique among bureaucrats in not having identifiable achievements. I am open to learning what he did achieve. He just hasn’t explained it himself.

This line of questioning also may seem disrespectful. Chopra has acted as a public servant the last few years and deserves credit for that, some would argue. But I disagree that the claim to “public service” should act as insulation against being held to account for performance. What did Aneesh Chopra achieve?

on the Google privacy policy change.

The idea that people should be able to opt out of a company’s privacy policy strikes me as ludicrous.

Plus she embeds a valuable discussion among her Xtranormal friends.

Read the whole thing. Watch the whole thing. And, if you actually care, take some initiative to protect your privacy from Google, a thing you are well-empowered to do by the browser and computer you are using to view this post.

A new report says the opposite, though perhaps “legacy” entertainment companies are failing to keep up.

By any measure, it appears that we are living in a true Renaissance era for content. More money is being spent overall. Households are spending more on entertainment. And a lot more works are being created.

Good news! Check out: “The Sky is Rising.”

President Obama’s third full year in office came to an end last week, and I’ve reviewed how well he’s doing with one particular campaign promise on the Cato@Liberty blog. “Sunlight Before Signing” is the moniker for the president’s campaign promise to post online the bills Congress sends him for five days before signing them.

As we start the fourth year, he’s at just over 50% on fulfillment of the promise. Far less if you measure based on the number of pages that got the sunlight he promised.

From Cato’s “Job Opportunities” page:

Policy Analyst, Telecommunications and Internet Governance

The Cato Institute seeks a policy analyst to work on telecommunications and Internet governance issues. The suitable candidate will have several years of work experience in the field of telecommunications and Internet law and policy. An advanced degree in law or economics is preferred.

Sought-after qualifications include: familiarity with or practice before the Federal Communications Commission; familiarity with the technical and governance bodies of the Internet; familiarity with and/or work experience on Capitol Hill; a solid background in the First Amendment and other civil liberties; familiarity with classical liberal history and scholarship; strong analytical reasoning skills; the ability to simplify complex issues in oral and written communications; and good interpersonal skills. Responsibilities include monitoring developments in government regulation and oversight of telecommunications and Internet governance at all governmental levels; researching and writing on these topics in all formats (research papers, policy briefs, editorials, blogposts, etc.); and public speaking. Candidates must support Cato’s mission of promoting individual liberty, free markets and limited government.

Information on how to apply here.

Here’s the notice I’ve been getting the last few days when, logged into Facebook from a computer, I try to post a comment or update my status.

Clever observers will note that the recommendation to log in from a computer is misplaced, as I get it when I’m logged in from a computer. Facebook gives me no instructions when I log in (or when I log out and log in again), though it did once ask me to change my password, which I did.

Most likely, Facebook’s algorithms believe I’ve violated some part of the Terms of Service, such as by repetitive posting or other spammy behavior. My exclusion from the site began contemporaneous with my attempt to post a single comment that failed for reasons I couldn’t discern in several tries.

Undoubtedly, my friends at Facebook will leap to my aid and clear this up for me in short order, feeling slightly stung that I “went public” with the problem rather than going to them. But I wanted to experience this as an ordinary consumer, not as a member of the digerati with insider access to people at important companies. In the past, I’ve used insider access with services like PayPal and (the now defunct) Bitcoin7 to get help that an ordinary user couldn’t have gotten. Bully for me that I can do that, but my experience is atypical and no basis for observing how the world works.

Some observations: