The big news out of Europe today is that the European Court of Justice (ECJ) has invalidated the 15-year old EU-US safe harbor agreement, which facilitated data transfers between the EU and US. American tech companies have relied on the safe harbor to do business in the European Union, which has more onerous data handling regulations than the US. [PDF summary of decision here.] Below I offer some quick thoughts about the decision and some of its potential unintended consequences.

#1) Another blow to new entry / competition in the EU: While some pundits are claiming this is a huge blow to big US tech firms, in reality, the irony of the ruling is that it will bolster the market power of the biggest US tech firms, because they are the only ones that will be able to afford the formidable compliance costs associated with the resulting regulatory regime. In fact, with each EU privacy decision, Google, Facebook, and other big US tech firms just get more dominant. Small firms just can’t comply with the EU’s expanding regulatory thicket. “It will involve lots of contracts between lots of parties and it’s going to be a bit of a nightmare administratively,” said Nicola Fulford, head of data protection at the UK law firm Kemp Little when commenting on the ruling to the BBC. “It’s not that we’re going to be negotiating them individually, as the legal terms are mostly fixed, but it does mean a lot more paperwork and they have legal implications.” And by driving up regulatory compliance costs and causing constant delays in how online business is conducted, the ruling will (again, on top of all the others) greatly limits entry and innovation by new, smaller players in the digital world. In essence, EU data regulations have already wiped out much of the digital competition in Europe and now this ruling finishes off any global new entrants who might have hoped of breaking in and offering competitive alternatives. These are the sorts of stories never told in antitrust circles: costly government rulings often solidify and extend the market dominance of existing companies. Dynamic effects matter. That is certainly going to be the case here.

#2) Cross-border digital trade suffers: This conclusion follows from point #1, of course. Writing just before the decision was announced, lawyers as Norton Rose Fulbright’s Data Compliance Report blog noted that if the safe harbor was invalidated, “the impact on the world economy would be immense.” Well, here we are.  Dan Castro of ITIF hopes that EU and US officials can pull back from the brink of this impending disaster and “finish the process of creating a Safe Harbor 2.0 with terms that give comfort to all parties.” I suspect that many tech companies are hoping for the same miracle to occur. But don’t hold your breath. The Europeans have decided that this is the hill that they will die on. They haven’t shown too much interest in preserving an innovative tech market or enhancing global digital trade flows in the past due to heightened concerns about privacy, and there’s no reason to think they will back down now with a more measured approach. Importantly, as I noted in my earlier essay, “How Attitudes about Risk & Failure Affect Innovation on Either Side of the Atlantic,” this trans-Atlantic clash of vision transcends the debate over privacy law. It’s about broader cultural and political attitudes toward risk-taking and disruption. Most leaders in Europe value stability–both economic and cultural stability–more than US officials and citizens. This tension was always bound to reach a breaking point and the Digital Economy and data handling policies is where the you-know-what is finally hitting the fan.

#3) Web Balkanization accelerates: This is just another blow to the idea of a seamless global Internet. But as tech lawyer Tiffany C. Li pointed out on Twitter this morning in response to the decision, while Web pundits decry balkanization in other contexts, many of them seem to be cheering it on in this case because this decision deals with privacy and data regulation, which they favor more regulation of. But you can’t have your cake and eat it to. Indeed, the great irony of so many “Internet freedom” debates today is that pundits absolutely hate the idea of Internet control and Web balkanization… right up until the point where they absolutely love it! Think of this as the tech policy world’s selective morality problem. (I elaborated on these themes in my essays “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed,” and “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges.”)

Interesting that the same ppl who decried Russia’s data localization law now cheer EU upping extraterritorial data regulation. #SafeHarbor

— Tiffany C. Li (@tiffanycli) October 6, 2015

@AnupamChander @AdamThierer Yes, #Schrems opens up possibility that companies will now have to comply w/28 different DPAs applying 95/46/EC. — Tiffany C. Li (@tiffanycli) October 6, 2015

This is the beginning of the Balkanization of the Internet: http://t.co/mbFxxhN7tQ

— Dino A. Dai Zovi (@dinodaizovi) October 6, 2015

Another step toward the jurisdictional balkanization of the Internet https://t.co/83FIYvU2Sm — Milton Mueller (@miltonmueller) October 6, 2015

#4) But the big dogs won’t bolt out of Europe: But this should also be another reminder that there are no “John Galt moments” in the world of tech, as some tech libertarians hope. The biggest players won’t pack their bags and head home because there’s still too much money sitting on the table in Europe. Big firms will instead scramble to comply, just as they are trying to do with the so-called Right to Be Forgotten ruling. Of course, this just exacerbates problem #1 already discussed above: The big dogs stay and do their best to comply with the costly regulatory regime while smaller players get crushed by the rules and all the other potential new entrants just stay home.

#5) The decision ignores the real problem: widespread government surveillance: I don’t often find myself agreeing with Cory Doctorow on much, but he gets it exactly right when he notes that, “this doesn’t mean that Europeans won’t be subjected to mass surveillance, including mass surveillance by the NSA.” He elaborates:

If the European Court of Justice wants to end mass surveillance of Europeans, it can only do so by banning mass surveillance — by ruling that laws that treat foreigners’ data as fair game are unconstitutional. If US tech giants want to get loose from a farcical, expensive, and pointless exercise that continues to treat them as adjuncts to the world’s spy agencies, they need to lobby the US government to change the laws under which it treats foreigners as fair game.

Thus, it would certainly be nice if, as CDT suggested in response to the ruling, that the “EU Safe Harbour Ruling Should Reinvigorate Surveillance Reform Efforts.” Of course, that requires that tech companies muster the courage to stand up to public officials here in the States who always want them to (literally) hand over the keys to the kingdom. That’s why the current debate over crypto backdoors is so essential. It’s good to see a number of tech companies pushing back on that front and refusing to get rolled by law enforcement and national security agencies the way that far too many telecom and tech companies have been in the past. Following today’s ECJ ruling, tech companies are realizing just how serious this problem really is because now European officials are striking out against the safe harbor agreement as a surrogate for their general frustrations with US surveillance more generally. Indeed, in a press release following today’s ECJ ruling, the Internet Association, which represents major US tech firms, noted that, “The Internet industry has consistently supported surveillance reform” and the Association pushed for swift congressional action to clarify and limit existing surveillance powers. It remains to be seen whether the US tech sector and other related industries will be able to push back effectively against the growing surveillance state leviathan, but it’s more clear today than ever before why that’s a fight worth having.

This week I will again be attending the Family Online Safety Institute’s excellent annual summit. The 2-day affair brings together some of the world’s leading experts on online safety and privacy issues. It’s a great chance to learn about major developments in the field. As I was preparing for the session I am moderating on Thursday, I thought back to the first FOSI annual conference, which took place back in 2007. What is remarkable about that period compared to now is that there was a flurry of legislative and regulatory activity related to online child safety then that we simply do not see today.

In fact, just 3 1/2 years ago, John Morris of the Center for Democracy and Technology and I compile a legislative index [summary here] that cataloged the more than 30 legislative proposals that had been introduced in the the 110th session of Congress. There was also a great deal of interest in these issues within the regulatory community. Finally, countless state and local measures related to online safety and speech issues had been floated. Today, by contrast, it is hard for me to find any legislative measures focused on online safety regulation at the federal level, and I don’t see much activity at the agency level either. I haven’t surveyed state and local activity, but it seems like it has also died down.

Generally speaking, I think this is a good development since I am opposed to most proposals to regulate online speech, expression, or conduct. But let’s ignore the particular wisdom of such measures and ask a simple question: What explains the decline in Internet safety legislation and online content regulation? I believe there are three possible explanations:

1) The effectiveness of education and awareness-building strategies

I would like to believe that all the efforts made by various groups and individuals (including myself) to encourage policymakers to adopt  “Educate & Empower” approaches over “Legislative & Regulate” approaches are finally bearing fruit. The first instinct for many policymakers is to legislate immediately and then worry about the consequences later (if at all). But such approaches, no matter how well-intentioned, often backfire and have myriad unintended consequences (including the problem addressed next). So, perhaps it is the case that lawmakers and regulators are finally coming to realize that education and awareness approaches — married to empowerment-based efforts — are actually the more sensible approach compared to a flurry of legislative measures that ultimately accomplish very little.

2) The deterrent effect of inevitable and lengthy constitutional challenges

Here are two things I know for certain: First, almost every Internet-related measure faces a constitutional challenge, typically on First Amendment grounds (but sometimes also on Sec. 230 grounds). Second, most of those challenges succeed. I don’t have hard stats to back up this assertion, but I’d bet that there are few areas of modern law that have witnessed a higher percentage of successful constitutional challenges in recent years than the field of cyberlaw.  Taking that as a given, one must assume that at some point it becomes a deterrent to additional state action in this field.  Why waste years legislating and regulating if it is all enjoined and then overturned a short time later?

3) Resurgence of privacy as major policy issue and the emergence of cybersecurity as a policy issue

It could also be that case that privacy policy crowds out congressional interest in online safety legislation. In fact, it seems like these issues often move in opposing waves. When a wave of online safety legislative and regulatory activity is cresting, interest in privacy policy seems to fall. That certainly seemed to be the case between roughly 2005 and 2008 when online safety dominated congressional debates and privacy was hardly on the radar.  Today the reverse is true. Privacy has been the dominant Internet policy issue of the past year or so. It is sucking all the oxygen out of the room — whether that room is a congressional hearing room, a regulatory agency event, or even academic conferences.

Importantly, cybersecurity has rapidly emerged as a major new fault line in Internet policy debates. It, too, is eating up a lot of the “attention bandwidth” available among policymakers today.  And intellectual property matters always seem to be percolating out there.

It is my belief that because some of these Net policy issues are so complicated, policymakers are sometimes discouraged from doing a “deep dive” on them. To the extent they do, it seems unlikely that lawmakers are willing to invest serious time in more than a couple of these arcane matters at one time. Also, don’t forget how busy the relevant committees (Commerce and Judiciary) are with other, not tech policy-related matters. On any given legislative day, they could be handling a wide range of other policy issues that crowd out the amount of attention they can devote to Net policy matters, which are often far down the list of legislative priorities. Again, I’m generally pretty happy about that fact! I’d rather lawmakers go slow on these issues, whether the slow pace of the action is intentional or not.

So, what do you think? Are there other possible explanations for why we’ve seen less activity on the online safety / Internet content regulation front in recent years?

It seems peculiar to me that some of the same individuals and groups who so vociferously opposed a “broadcast flag” technological mandate in past years are now in a mad rush to have federal policymakers mandate a “Do Not Track” regulatory regime for privacy purposes. The broadcast flag debate, you will recall, centered around the wisdom of mandating a technological fix to the copyright arms race before digitized high-definition broadcast signals were effectively “Napster-ized.” At least that was the fear six or seven years ago. TV broadcasters and some content companies wanted the Federal Communications Commission (FCC) to recognize and enforce a string of code that would have been embedded in digital broadcast program signals such that mass redistribution of video programming could have been prevented.

Flash forward to the present debate about mandating a “Do Not Track” scheme to help protect privacy online. As I noted in my filing last week to the Federal Trade Commission, at root, Do Not Track is just another “information control regime.” Much like the broadcast flag proposal, it’s an attempt to use a technological quick-fix to solve a complex problem. When it comes to such information control efforts, however, there aren’t many good examples of simple fixes or silver-bullet solutions that have worked, at least not for very long. The debates over Wikileaks, online porn, Internet hate speech, and Spam all demonstrate how challenging it can be to put information back into the bottle once it is released into the digital wild.

To be clear, I am not opposed to technological solutions like broadcast flag or Do Not Track, but I am opposed to forcing them upon the Internet and digital markets in a top-down, centrally-planned fashion. While I am skeptical that either scheme would work well in practice (whether voluntary or mandated), my concern in these debates is that forcing such solutions by law will have many unintended consequences, not the least of which will be the gradual growth of invasive cyberspace controls in these or other contexts. After all, if we can have “broadcast flags” and “Do Not Track” schemes, why not “flag” mandates for objectionable speech or “Do Not Porn” browser mandates?

From 2002-2005, when the broadcast flag wars were really raging, groups like the Electronic Frontier Foundation and Center for Democracy & Technology made several legitimate legal and practical arguments against a mandatory broadcast flag regime. But their principled case against broadcast flag mandates came down to an underlying fear about government encroachment on the Internet and the specter of more far-reaching regulation of cyberspace. For example, in a December 2003 report, CDT noted that even if other details could be worked out, “the [broadcast] flag approach will still pose unresolved concerns regarding technical regulation of computers and the Internet by the government [and] the impact of regulations on innovation and future consumer uses” was also problematic.

Importantly, EFF and CDT hammered broadcast flag proponents on the question of jurisdictional authority. They rightly asked where the FCC  got the authority to impose such rules at all and worried about the spillover effects of such arbitrary mandates in other Internet contexts. (The broadcast flag scheme was eventually tossed out by the D.C. Court of Appeals because of the FCC’s lack of authority.)

So, why wouldn’t these same concerns and arguments apply to Do Not Track regulation? CDT and EFF seem to care little that the Federal Trade Commission is aggressively pushing this new information control regime on the Internet.  Indeed, CDT and EFF are two of the biggest cheerleaders for FTC action in this regard.  Sorry, but I just don’t get it.  If it was misguided for regulators to push a broadcast flag regime upon cyberspace, isn’t it just as misguided for them to be pushing Do Not Track? I suspect this inconsistency has something to do with CDT and EFF being inherently skeptical of the benefits of most online copyright protection schemes while being more sympathetic to legal efforts aimed at protecting personal privacy online. Simply stated, they think there’s something to the notion of privacy “rights” and will bend over backward to engineer an information control regime to protect against the “unauthorized” flow of personal information online. When it comes to the “unauthorized” flow of copyrighted bits of information online, however, they aren’t nearly as interested in inviting the code cops in.

But even if one sympathizes with that distinction — absolute privacy “rights”  vs. minimal copy-“rights” — all the same concerns and criticisms that CDT and EFF raised earlier about the broadcast flag regulatory scheme would seemingly apply to the Do Not Track regime. Both regimes face formidable enforcement challenges and raise the specter of broader government control of cyberspace. There’s just no getting around that reality, and Do Not Track defenders who deny it are basically hiding from the ugly truth that they are greasing the skids for future information control efforts and regimes — both here and abroad.

I suppose that they might also argue that regulation is justified where it ensures more “choice” for consumers.  But forcing “choice” upon online markets isn’t exactly the same thing as allowing it evolve in a natural, non-destructive fashion. As I noted in my filing, many others besides me are concerned about what mandatory Do Not Track would mean for the online ecosystem of mostly “free” content and services. Lauren Weinstein, co-founder of People For Internet Responsibility (PFIR), worries that the “ability [of Do Not Track concepts] to cause major collateral damage to the Internet ecosystem of free Web services is being unwisely ignored or minimized by many Do Not Track proponents.” And in a brilliant Huffington Post column this week about the rise of a privacy techno-panic, Jeff Jarvis said, “I also worry that efforts to bring in a ‘Do Not Track’ list and other demonization of ad targeting could cripple the revenue of the media and news industries even as they struggle to find sustainability; it could kill news outlets and reduce journalism.”

Weinstein and Jarvis are right. There is no free lunch. While groups like EFF and CDT who support Do Not Track regulation are well-intentioned in their aims, the reality is that government regulation that attempts to create a cost-free opt-out for data collection and targeted online advertising will likely have damaging consequences for the future provision of online content and services. In terms of direct costs to consumers, Do Not Track could result in higher prices for service as paywalls go up or, at a minimum, advertising will become less relevant to consumers and, therefore, more “intrusive” in other ways.

Which leads to my final point. What is perhaps most perplexing about this is how many of the advocates of Do Not Track argue that such a regulatory scheme will slow the “arms race” in the privacy arena. For example, EFF has said “The header-based Do Not Track system appeals because it calls for an armistice in the arms race of online tracking.” And my favorite frenemy Chris Soghoian argues that “opt out mechanisms… [could] finally free us from this cycle of arms races, in which advertising networks innovate around the latest browser privacy control.”  At best, this is highly wishful thinking. At worst, it’s outright deceit aimed at sugar-coating the hard truth: If anything, a Do Not Track mandate will speed up the technological arms race and have many other unintended consequences. Online advertising will almost certainly become more “annoying” and even invasive as a result of such regulation.  And “tracking” techniques aren’t going to be stopped or even slowed as a result of Do Not Track. (Hello DPI!) Again, check out my filing to the FTC for more details.

The important point here is that one intervention will simply beget another and another in an attempt to address the “arms race” and to refine and rework Do Not Track to cover more and more online information flows. One wonders how expansive this new regulatory regime will need to be to deal with the growing scale and volume of online information flows. Really, does anyone think there will be less personal information online in coming years?  Unless we stop the unprecedented voluntary information-sharing and self-revelation of personal data that takes place on social networking sites and via user-generated content sites, there is simply no way in hell this problem is going to be curtailed. When 600 million people use Facebook as an open diary to the world (among many other examples I could cite), it’s hard to imagine we’ll ever be able to stop the mercurial flow of personal information across the Internet. Do Not Track certainly won’t stop it, but the cost of putting such a regulatory regime in place in an attempt to put the genie back in the bottle could be profound for the future of the Internet and online content and culture.

Again, this is essentially the same argument previously set forth against a broadcast flag mandate. As EFF once noted, “the technology mandate proposed… is unnecessary, ineffective, and unwise.”  I agree, and I invite Do Not Track defenders at CDT and EFF (or anyone else) to explain why, conceptually speaking, Do Not Track isn’t just broadcast flag in drag.

As a cyber-libertarian, I’ve been lucky enough to work with people of all ideological stripes in pursuit of various public policy objectives.  I’ve made selective alliances with people on the Right on economic policy issues (like opposing Net Neutrality regulation, Internet taxes, etc) and also worked closely with folks on the Left on speech and culture issues (content controls, anonymity, online safety concerns, etc).

While engaging with with people on both sides of the political fence, I’m often struck by some of their internal inconsistencies.  Conservatives, for example, talk about a big game about personal responsibility on some issues, but quickly abandon that notion when they claim media content or online speech should be regulated by the State (typically “for the children.”)  In this essay, I’d like to discuss interesting inconsistencies on the political Left, especially among advocates of strong privacy regulation (most of whom tend to be Left-leaning in their worldview).  In particular, here are the two things I find most interesting about modern privacy advocates:

(1) Most privacy advocates are vociferous First Amendment supporters, yet they abandon their free speech values and corresponding constitutional tests when it comes to privacy regulation.  When it comes to proposals to regulate media content or online speech, most folks on the Left have a very principled, clear-cut position: people (or parents) should take responsibility for unwanted information flows in their lives (or the lives of their children). In particular, they rightly argue that the many user empowerment tools on the market (filters, monitoring software, other parental control technologies) constitute a so-called “less-restrictive means” of controlling content when compared to government regulation.

Advocacy groups that I have a great deal of respect for and work with quite closely on these issues–such as EFF, CDT and ACLU—all take this position.  Generally speaking, they argue that, when it comes to speech regulation, “household standards” (user-level controls) should trump “community standards” (government regulation). And in Court—where I frequently file joint amicus briefs with them—they repeatedly employ the “less-restrictive means” test to counter government efforts to regulate information flows.

But when it comes to privacy, they throw all this out the window!  For some reason, when the topic of debate shifts from concerns about potentially objectionable content to the free movement of personal information, personal responsibility and self-regulation become the last option, not the first.  What’s most troubling about this is the way these advocates of privacy regulation are unwittingly undermining the power of the “less-restrictive means” test, which is a vitally important barrier to greatly enhanced government control of cyberspace.  That is, when privacy advocates ignore, downplay, or denigrate user-empowerment tools, they are essentially saying self-help is the right answer in one context, but not the other.

That’s a shame because self-help tool work well in both contexts.  Indeed, I’ve spent years documenting the wide variety of user-empowerment tools on the child safety front, and more recently I have worked with colleagues at PFF to provide a similar inventory of “privacy solutions” that can help users control personal information flows.  Can privacy tools be confusing at times or difficult to set up? Yes, they can. But no more so that parental control tools.  Are privacy tools as effective as parental control tools?  I think they are actually more effective because in the case of parental controls, the person you are trying to “protect” (namely, kids) often have a stronger incentive to evade / defeat those tools.  Moreover, privacy-enhancing controls can be very effective—perhaps even too effective—at shutting down unwanted information flows.  Whether it’s ad-blocking tools, cookie controls, or encryption techniques, these tools can actually be far more effective blocks on information flows than, say, Internet filters meant to block porn or hate speech, which is also more subjective by nature.

Of course, no tool is perfect. But as the Supreme Court held in United States v. Playboy, empowerment tools need not be perfect to be preferable to government regulation. “Government cannot ban speech if targeted blocking is a feasible and effective means of furthering its compelling interests,” the Court held.  Moreover, “It is no response that voluntary blocking requires a consumer to take action, or may be inconvenient, or may not go perfectly every time.  A court should not assume a plausible, less restrictive alternative would be ineffective; and a court should not presume parents, given full information, will fail to act.”

So, then, why doesn’t the exact same principle hold for privacy regulation?  I believe it should, and because of that I get in some pretty heated fights with friends at EFF, CDT and ACLU when they abandon the user-empowerment regime on the privacy front and instead invite the government to come in and establish an information control regime.  Which leads to the second thing I find interesting about advocates or privacy regulation…

(2) Most privacy advocates bash copyright and claim it is an information control regime, yet privacy regulation would constitute a stronger information control regime by creating the equivalent of copyright law for personal information (which would, in turn, conflict mightily with the First Amendment).

While many libertarians oppose any form of copyright protection, I still find much worth praising in America’s copyright system.  Nonetheless, I do admit to my libertarian friends, as well as anti-copyright advocates on the Left, that copyright places limits on the flow of certain types of information.  After all, quite literally, copy-right deals with rights to copy information.  Of course, that’s the nature of all property rights—they foreclose and constrain alternative uses. But there’s typically a good reason for that: In the case of intangible property, it’s because we want to promote the creation of content/information in the first place.

For many copyright critics, however, this is an intolerable trade-off. Any limits on reproduction/reuse—even if those rights incentivize artistic/scientific creativity—are regarded as an unjust form of information control.  But if they believe that to be the case for copyright, why do they not feel the same of privacy rights?  After all, there are some striking similarities between the regimes.

In his new book, Skating on Stilts, Stewart Baker reminds us that the famous 1890 Brandeis and Warren Harvard Law Review essay on “The Right to Privacy“–which is like a sacred text to many modern privacy advocates–was heavily influenced by copyright law.  As Baker explains:

Brandeis wanted to extend common law copyright until it covered everything that can be recorded about an individual. The purpose was to protect the individual from all the new technologies and businesses that had suddenly made it easy to gather and disseminate personal information: “the too enterprising press, the photographer, or the possessor of any other modern device for rewording or reproducing scenes or sounds.”  […] Brandeis thought that the way to ensure the strength of his new right to privacy was to enforce it just like state copyright law. If you don’t like the way “your” private information is distributed, you can sue  everyone who publishes it.

Incidentally, it’s important to recall that the Brandeis and Warren’s call for such a regime was essentially driven by their desire to control the press. In their article, they argued that:

The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle.

So angered were Brandeis and Warren by reports in daily papers of specifics from their own lives that they were led to conclude that:

man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.

Let’s ignore their hyperbolic claim that invasions of privacy could cause more harm than “mere bodily injury.”  No, wait, let’s not!  Seriously, can you believe men of this stature could utter such nonsense?  I’d love to hear a modern privacy advocate defend this notion and explain how, exactly, one could have greater “pain and distress” inflicted by words than “by mere bodily injury.”  That’s a doozy of a claim.  Nonetheless, they said it—in the law review article that quite literally gave birth to American privacy law.  And it only follows, then, that they would want fairly draconian controls on free speech / press rights if they felt this strongly.

Taken to the extreme, however, giving such a notion the force of law would put privacy “rights” on a direct collision course with the First Amendment and freedom of speech/communication.  As Eugene Volokh argued in a 2000 law review article entitled, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking About You“:

The difficulty is that the right to information privacy — the right to control other people’s communication of personally identifiable information about you — is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.

Indeed, how could a journalist even conduct their business in such a world? By their very nature, good reporters are nosy and disregard the privacy rights of the people and institutions they report on. But in a world where privacy “rights” trump other rights, free speech would be forced to take a back seat.

To be clear, I’m not opposed to all privacy “rights.” But as I noted in my lengthy review of Daniel Solove’s Understanding Privacy, we need to begin with a theory of rights and then figure out what privacy “harms” we are trying address/rectify.  Generally speaking, I am skeptical of most claims about harms coming from people talking about us or knowing more about us and I believe that freedom of speech / communications should trump such rights claims. But that’s because I subscribe to a libertarian theory of rights/justice that–as the name implies–places human liberty at the core of that theory of rights.  If liberty isn’t your cup of tea, I can see how “privacy” might be viewed as co-equal in your theory of rights.  Nonetheless, I would hope such people would acknowledge that, at the end of the day, such a theory requires trade-offs and that, much like making an allowance for copyright in a libertarian system, information flows might be limited by these assertion of privacy rights.   What I’m asserting here, however, is that privacy regulation would entail far greater restrictions on liberty–especially freedom of speech/communication–than copyright law. After all, as Volokh notes, we are talking about “a right to have the government stop people from speaking about you.”

Addendum: I failed to mention that my fellow TLF blogger Tom Bell has said all of this much more elloquently in his 2001 Cato white paper, “Internet Privacy and Self-Regulation: Lessons from the Porn Wars.”

Common Sense Media (CSM) is a media “watchdog” group that provides a terrifically useful service to the public through independent reviews of popular media content (movies, music, TV, games, and more). As a parent, I find their service indispensable and, as a policy analyst, I have praised their rating system and their media literacy / digital citizenship programs again and again, including numerous endorsements in my special report on Parental Controls & Online Child Protection and other testimony and filings before Congress and federal regulatory agencies.

Thus, being such a big fan of CSM, I was quite dismayed to see the comments they just submitted to the Federal Trade Commission (FTC) as part of the agency’s review of the Children’s Online Privacy Protection Act (COPPA). They advocate not just expanded educational efforts, which are great, but also expanding COPPA’s age scope to cover all kids under 18 as well as opt-in mandates for the collection and use of any “personal information” or “behavioral marketing.”  For all the background on the law and the FTC’s resulting COPPA rule, see this beefy paper Berin Szoka and I authored last year and this testimony and follow-up submission Berin did for the Senate Commerce Committee. And then read the joint submission made by PFF, CDT, and EFF in the same FTC proceeding that CSM just filed in.

Sadly, it’s clear to me that Common Sense Media didn’t take anything we warned about in those papers or filings seriously—or perhaps that they just didn’t bother to read them very carefully, if at all. Their filing is a classic example of good intentions gone wrong. I understand that they want to take additional steps to protect children online, but they completely ignore the practical realities of COPPA expansion and its associated trade-offs:

1. CSM never clearly identifies or quantifies the supposed harm that requires such a significant expansion of Internet regulation. Why the need for a massive expansion of federal regulation in this area?  CSM never makes it clear. Of course, this is becoming old hat here in Washington. Just whisper the word “privacy” and people scream “the sky is falling” and start calling for regulation of all sorts. But are there real harms here? Are there corresponding benefits to be considered? Aren’t other values or principles at stake here. No answer from CSM.
2. CSM never stops to consider the profound free speech implications of their proposals. Don’t they realize that simply extending COPPA to cover older teens will require websites used by large numbers of adults to age verify all users? This raises the same First Amendment concerns about government interference with anonymous communication that caused the 1998 Child Online Protection Act (COPA) to be struck down by the courts as unconstitutional.
3. CSM doesn’t acknowledge that — in the name of protecting privacy – they are essentially demanding a massive amount of additional information be collected to facilitate the regulatory regime they would apparently endorse. Expanded age verification mandates would mean more information has to be collected about kids and their parents, but also about adults who have to prove they aren’t children!
4. CSM never acknowledges that COPPA covers any potential site or tool that allows sharing of personal information by children and that expansion of this regulatory regime in an era of widespread user-generated content, online gaming, texting, and other forms of digital interaction make “expanded verifiable parental consent” a formidable regulatory problem.
5. CSM is essentially treating older teens as if they have no speech rights and are utterly incapable of making decisions for themselves until the day they turn 18.  Never mind that most U.S. states set their age of consent at 16 or 17, for example.  In other words, these aren’t Dora and Diego fans we’re talking about here. These are people who will shortly be in college and eligible to vote and serve in our Armed Forces.
6. CSM never bothers exploring the profound economic impact their proposal will likely have on smaller websites that cater to kids & teens. If expanded regulation crowds out smaller start-ups, the resulting level of creativity and innovation in this market will suffer. Thus, COPPA expansion could lead to unnecessary industry consolidation as smaller operators are forced to sell to bigger player who can cover regulatory compliance costs.
7. CSM never bothers exploring the potential cost to consumers / parents. Expanding verifiable parental consent requirements will no doubt burden the creators or various sites and services, but those costs will ultimately be borne by the public when they are passed along in the form of a fee for services, many of which were previously free of charge.
8. Finally, and perhaps most surprisingly, CSM spends little time focusing on the many beneficial steps being taken by site operators today that make kids safer online. I have said it again and again and again here and elsewhere: If we assume that COPPA is the most important approach to keeping kids safe online, we are making a huge mistake. COPPA is probably one of the least important things that keeps kids safe online. It’s what sites do after kids get into their communities that is really important because—guess what!—kids are going to get in to social networking communities and other sites.  There are many important steps being taken by countless online sites and communities take to make sure they offer more safe and secure environments for kids. In particular, beyond basic parental controls, moderation and intervention efforts by site operators are increasing within social networking sites, virtual worlds, and many other sites to ensure that they offer such “well lit” neighborhoods. We should be encouraging a lot more of that and working to find new “oversight and intervention” methods to deal with problems when they pop up. Common Sense Media has done a lot of great work on this front and should have focused on how those methods could be improved instead of how the create a more cumbersome, intrusive, expensive, and ultimately unworkable age verification regulatory regime for the Internet.

And there are many, many other issues left unexplored by the CSM filing. They’ve simply called for expansion of a regulatory regime without any reference to these challenges, costs, and trade-offs. Again, good intentions can’t excuse sloppy, half-hearted policy analysis.

I’m really quite troubled by this filing and I hope my friends at Common Sense Media will take the time to take a second look at the paper Berin Szoka and I authored last year (“COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech”) as well as the CDT-EFF-PFF joint filing we just submitted to the FTC.  Regulation has consequences and in this case those consequences will be quite profound. CSM has utterly failed to acknowledge them in this filing.

Today’s Online Safety Technical Working Group (OSTWG) meeting included some heated debate about whether online intermediaries should be doing more to assist law enforcement to help track down child predators and those producing and distributing child pornography. (It’s not clear whether or when NTIA will actually put the archived video or a transcript online at this point).

Most interesting was the third panel of the day (agenda), which devolved into a shouting match as Dr. Frank Kardasz (resume) of the Arizona Internet Crimes Against Children (ICAC) Task Force basically accused Internet intermediaries of being willing accomplices in crimes of sexual abuse against children—and suggested that they could be charged as co-defendants in child porn prosecutions. A few industry folks in the room expressed their outrage at such slander. A retired law enforcement officer perhaps put it best when he said that he had never dealt with an ISP that didn’t sincerely want to help law enforcement stop this monstrous crime.

Apart from those pyrotechnics, and a superb morning presentation by the Pew Internet Project’s Amanda Lenhart about “Social Media & Young Adults,” the most interesting part of the day concerned data retention mandates. Even as a debate rages in Washington about how much collection and use of online data should be permitted, Dr. Kardasz suggested online service providers should be required to hold user data for 5 years. A number of attendees noted the staggering costs of such a mandate given the sheer volume of information shared every day by use, especially for startups for whom building monitoring and compliance infrastructure can be a significant barrier to entry. Of course, practical objections are always answered with practical counter-solutions—in this case, several attendees asked why we couldn’t just provide tax incentives or stimulus money to defray such costs. One attendee joked that we’d have to devote the entire state of Montana just to house all the necessary server farms.

But the strongest objection came from John Morris of the Center for Democracy & Technology, who rightly noted that no amount of government subsidies for data retention could prevent leakage of sensitive private data. For this reason and because of the basic civil liberties at stake whenever the government has access to large pools of data about its citizens, Morris argued that we need to strike a balance between how we protect children & the values of free society. Dave McClure of the US Internet Industry Association (USIIA) seconded this point powerfully: If such vast data is retained, it will be abused.

Then the riposte from advocates of data retention mandates: Aren’t online intermediaries already retaining huge amounts of consumer information? If they can do that, why can’t they retain the data we need to track down child predators and child porn distributors?

John Morris and the ACLU’s Chris Calabrese patiently explained just how different these two kinds of data retention really are. Advertisers don’t care who you are—just what you’re likely to be interested in. So it simply isn’t worth the cost for them to retain the massive logs of data tracking every site a user has been to and when, or even tying that information to an IP address. All the advertiser wants is to be able to correlate information about likely interests with a cookie that uniquely identifies a computer (which likely, but not necessarily, corresponds to a user). I couldn’t have explained this difference better myself!

They didn’t specifically get into this example, but even a company like Phorm, which offers behavioral advertising based on inspecting packets sent back and forth by an Internet user doesn’t actually retain the kind of “digital dossier” of a user’s browsing activity that some advocates of increased data regulation fear–or that law enforcement wants. Instead, Phorm examines certain kinds of pages visited by users (e.g., no HTTPS or email) and looks for keywords (excluding sensitive things like phone numbers, social security numbers and credit card numbers) that suggest the user might be interested in a particular marketing category. The data about where the user has visited is then discarded, leaving only the marketing categories matched to that user’s unique ID (e.g., dog-owner, fly-fisher).

So even when it comes to the much-feared “Deep Packet Inspection,”what advertisers want is profoundly different from the kind of data retention mandates proposed by Kardasz and others in law enforcement. Moreover, given the costs entailed in data storage and processing, the mere fact that something is theoretically possible doesn’t mean advertisers are willing to pay for it just to try to tell you about their product! That critical point has been missing from most of the ongoing conversation about regulating “targeted” advertising, which tend to focus on the theoretical possibility of a particular data collection/use/aggregation practice rather than whether it’s actually being done or even whether it would make economic sense to do so. So I’m glad to see John Morris and Chris Calabrese making these vital points.

I don’t mean to pull a “gotcha!” on them as representatives of two organizations that have also been outspoken in calling for restrictions on the private use of data (especially since I can’t do justice them by quoting them precisely here without a transcript of the event or the ability to go back and listen to this fascinating exchange again). I’m sure they would respond that the potential for abuse still exists when private companies collect data about users for advertising purposes: Some companies might collect so much data that it could be tied back to a particular user and cause actual harm if released, which is always a possibility. That would be a fair response, but it would at least place us in a constructive debate between reasonable people about the costs and benefits of data sharing and whether government regulation is really the best way to address privacy concerns.

The important point is that they recognize the difference in kind between the collection of limited amounts of data for advertising purposes and the kind of comprehensive data mandates proposed by Kardasz and others. If nothing else, that difference means that one can take a principled stance—as I do—against data retention mandates as a governmental invasion of our privacy but also in favor of reliance on user empowerment, education, targeted enforcement of existing laws, etc. as less restrictive alternatives to government regulation of private data use, just as with parental control and empowerment over parentalist censorship.  As Adam Thierer and I have argued, because there are significant costs to regulation for consumers, free speech and culture, any government mandates should be narrowly tailored to addressing real, demonstrable harms rather than vague, unsubstantiated fears or amorphous concepts like “dignity interests.”

The other critical part of our “layered approach” to privacy concerns is building a higher “Wall of Separation Between Web and State.” Concretely, that means opposing such onerous data retention mandates and reforming ECPA—a subject mentioned only at the end of today’s meeting. In the comments I filed recently on the Notice written by CDT for the FCC, I praised CDT’s work in this area and look forward to working with them (and the ACLU and groups like EFF) on that cause in the future, despite our differences on private data use regulation.

I’ll be heading to Oxford University this week to participate in an Oxford Internet Institute (OII) forum on the subject of “Child Protection, Free Speech and the Internet: Mapping the Territory and Limitations of Common Ground.”  It’s being led by several experts from the OII as well as my good friends John Morris and Leslie Harris of the Center for Democracy & Technology (CDT).  The aims of this forum are:

• To facilitate a dialogue between NGOs campaigning to protect respectively, child protection and children’s rights online, and freedom of speech and other civil liberties online.
• To promote a better understanding of each others’ positions, to share perspectives and information with a view to identifying areas of common ground and areas of disagreement.
• To identify any shared policy goals, and possible tools to support the achievement of those goals.
• To publicize the findings of the forum in international policy debates about Internet governance and regulation.

Conference participants were asked to submit a 2-3 pg summary of their views on a couple of questions that will be discussed at this event.  I have listed those questions, and my answers, down below the fold.  It’s my best attempt to date to succinctly outline my views about how to balance content concerns and free speech issues going forward. 

What is the nature of your interest or experience in this field?

I have spent the last 18 years covering the intersection of child safety concerns and free speech issues at four different think tanks.  In recent years, I have tied together all my research in a constantly updated Progress & Freedom Foundation special report entitled, “Parental Controls & Online Child Protection: A Survey of Tools & Methods.” The 4^th edition of this 250-page report was released in August.

Are there particular values or principles which underlie your work?

The goal of my research has been to explore the tension between free speech and child protection and to identify methods of striking a sensible balance between these two important values.   It is my hope and belief that we are now in a position to more fully empower parents such that government regulation of content and communications will be increasingly unnecessary.

In the past, it was thought to be too difficult for families to enforce their own “household standard” for acceptable content. Thus, many believed government needed to step in and create a baseline “community standard” for the entire citizenry.  Unfortunately, those “community standards” were quite amorphous and sometimes completely arbitrary when enforced through regulatory edicts.  Worse yet, those regulatory standards treated all households as if they had the same tastes or values—which is clearly not the case in most pluralistic societies.

If it is the case that families now have the ability to effectively tailor media consumption and communications choices to their own preferences—that is, to craft their own “household standard”—then the regulatory equation can and should change.  Regulation can no longer be premised on the supposed helplessness of households to deal with content flows if families have been empowered and educated to make content determinations for themselves.  Luckily, that is the world we increasingly live in today. Parents have more tools and methods at their disposal to help them decide what constitutes acceptable media content in their homes and in the lives of their children.

Going forward, our goal should be to ensure that parents or guardians have (1) the information necessary to make informed decisions and (2) the tools and methods necessary to act upon that information.  Optimally, those tools and methods would give them the ability to not only block objectionable materials, but also to more easily find content they feel is appropriate for their families. In my work, I refer to this as the “household empowerment vision.”

Will we ever be able to achieve a world of perfect parental control over all online content and communications?  That is unlikely since both content and technology will continuously evolve and make that goal elusive. But government regulation of speech should yield where less restrictive alternatives such as household-based controls and strategies exist.  Given the value associated with free speech and the danger of government censorship, these alternatives need not be perfect to be preferable to government regulation.

What are the issues/policies or laws which you see as most problematic in terms of creating or illustrating a conflict between online child protection and free speech?

It is essential that policymakers resist the temptation to extend traditional broadcast industry regulatory statutes and standards to new media outlets and digital technologies.  In a world of media convergence and increasing user empowerment, traditional regulatory rationales make increasingly less sense.  Nonetheless, many ongoing social problems and challenges remain to achieving the “household empowerment vision” I outlined above, including:

• The “lack of awareness” problem: Some parents remain unaware of empowerment tools.
• The “bad parent” problem: Some parents don’t use tools even when aware of them.
• The “bad neighbor” problem: “Good” parents fear what happens when their kids visit other kids with more permissive parents.
• The “generation gap” problem: Kids sometimes know more about new digital technologies than their parents.
• The “technological surprise” problem: Rapid emergence and diffusion of new digital technologies can catch some parents by surprise.
• The “bad corporate actor” problem: Most companies self-regulate, but a handful push the boundaries of good taste in ways that create social concerns that reflect on industry generally.
• The “user-generated content” problem: Even when “professional” content can be managed, it is difficult to control “amateur” expression and creations.
• The “peer-on-peer bullying” problem: While many are concerned about predators, the real online safety problem turns out to be cyber-bullying among peers.

Because of these ongoing social challenges or concerns, legal and regulatory proposals will continue to be put forward. But each has serious downsides:

• Future of filtering: Centralized, network-based or decentralized, user-based?  The former creates serious censorship threats, as we see in China and other repressive states. The latter is more consistent with the household empowerment vision.
• Middleman deputization: Should online intermediaries be required to police the Net for various social ills?  If so, as hand-maidens of the state, they could become over-zealous speech regulators.
• Universal content ratings: Can policymakers mandate unified (or “scientific”) content media ratings?  Doing so puts regulators in a position to dictate content standards—for better or worse.  Moreover, this does nothing to address user-generated “amateur” content.
• Mandatory online age / identity verification: Potentially threatens anonymity, privacy, and free speech rights.  Moreover, to the extent “bad guys” continue to get into “secured” environments it creates a false sense of security for parents and kids.
• Expanded data retention: Although it would help facilitate some law enforcement goals, it also gives rise to new privacy and data breach risks.

Might any of these conflicts be avoidable, e.g. through the use of improved legislative instruments or greater clarity and accountability in processes of self-regulation?

For the above reasons, it makes more sense to put our energies into finding new self-regulatory mechanisms, social norms, and user empowerment strategies to solve ongoing social problems instead of focusing on regulatory solutions or mandates.  Instead of providing greater clarity, legislative instruments are more likely to instead create greater ambiguity, or at least uncertainty, for content creators and consumers alike. This is because, as was noted above, “community standards” are notoriously subjective; they are ham-handed attempts to gloss over the diverse needs and values of a diverse citizenry. By contrast, self-regulation, social norms, and empowerment strategies are evolutionary in character and more responsive to differences among cultures and households.

What are the issues where you think there might be most scope for finding some common ground?

In two words: empowerment and education. Because reliance on legislation is perilously difficult and enforcement of regulatory mandates is complicated (and sometimes impossible in an increasingly borderless world), efforts to better empower families and educate both kids and parents offer the most sensible path forward.  All stakeholders involved in child safety and free speech debates can generally agree that empowerment efforts, media literacy programs, awareness-building programs, and so on, are both effective and unobjectionable.

At the international level, are there certain key principles which we ought to be defending above all others?

Because of the “values clash” at the international level, it’s hard to imagine we’ll ever achieve consensus on some of these issues.  Countries vary widely in their sensitivities about speech, making any attempt to devise “universal principles” complicated.  For example, Europeans generally deride America’s prudish ways when it comes to matters of sexuality or “indecency.”  By contrast, most Americans cannot understand European concerns about “hate speech” or violently-themed media.  Meanwhile, governments in many other parts of the world are still busy trying to quell political or religious dissent.  “Harmonization” among those competing cultural norms remains complicated, therefore, and it would be a mistake if international harmonization was accomplished by sacrificing free speech rights for countries and cultures who cherish them.

On July 27th, The Progress & Freedom Foundation hosted a Capitol Hill panel discussion entitled “Online Child Safety, Privacy, and Free Speech: An Overview of Challenges in Congress & the States.” The event featured remarks from:

• Parry Aftab, Executive Director, WiredSafety.org
• Todd Haiken, Senior Manager of Policy, Common Sense Media
• Jim Halpert, Partner, DLA Piper
• Berin Szoka, Senior Fellow, The Progress & Freedom Foundation

We’ve just released the transcript of the event, which I have also pasted down below the fold in a Scribd document reader. Also, the audio for this event can be heard by clicking below:

Download mp3

Here is the full event description:

Online child safety, privacy, and free speech remain hotly debated issues at both the federal and state level. Bills introduced in Congress to address cyberbullying concerns propose either educational initiatives or a criminalization approach. Access to objectionable content also remains a concern and a new, government-mandated task force is looking into those issues. Meanwhile, state officials, including many state attorneys general, continue to explore age verification mandates for social networking sites and some have considered building on the federal Children’s Online Privacy Protection Act (COPPA) to expand “parental notification” mandates. The Federal Trade Commission (FTC) has recently announced an expedited review of COPPA to see if it is keeping up with new developments. The FTC is also exploring child safety in virtual worlds. New concerns about “sexting,” or the sending of sexual explicit images over mobile devices, has also raised new concerns led some lawmakers to ponder penalties.

How serious are these concerns? Is legislation or regulation needed to address them? What free speech issues are at stake? Should Congress take the lead or leave it to the States to experiment with different models? These and other issues were discussed by a panel of leading experts in the field of online safety and privacy policy.

Transcript PFF Online Child Safety Privacy Hill Event (7-27-2009) http://d.scribd.com/ScribdViewer.swf?document_id=18756666&access_key=key-1blb7az1ag406howibuk&page=1&version=1&viewMode=

What Unites Advocates of Speech Controls & Privacy Regulation? [pdf]

by Adam Thierer & Berin Szoka The Progress & Freedom Foundation, Progress on Point No. 16.19

Anyone who has spent time following debates about speech and privacy regulation comes to recognize the striking parallels between these two policy arenas. In this paper we will highlight the common rhetoric, proposals, and tactics that unite these regulatory movements. Moreover, we will argue that, at root, what often animates calls for regulation of both speech and privacy are two remarkably elitist beliefs:

1. People are too ignorant (or simply too busy) to be trusted to make wise decisions for themselves (or their children); and/or,
2. All or most people share essentially the same values or concerns and, therefore, “community standards” should trump household (or individual) standards.

While our use of the term “elitism” may unduly offend some understandably sensitive to populist demagoguery, our aim here is not to launch a broadside against elitism as Time magazine culture critic William H. Henry once defined it: “The willingness to assert unyieldingly that one idea, contribution or attainment is better than another.”^[1] Rather, our aim here is to critique that elitism which rises to the level of political condescension and legal sanction. We attack not so much the beliefs of some leaders, activists, or intellectuals that they have a better idea of what it in the public’s best interest than the public itself does, but rather the imposition of those beliefs through coercive, top-down mandates.

That sort of elitism—elitism enforced by law—is often the objective of speech and privacy regulatory advocates. Our goal is to identify the common themes that unite these regulatory movements, explain why such political elitism is unwarranted, and make it clear how it threatens individual liberty as well as the future of free and open Internet. As an alternative to this elitist vision, we advocate an empowerment agenda: fostering an environment in which users have the tools and information they need to make decisions for themselves and their families.

I. The Elitism of Speech Regulation

First, consider how those two elitist beliefs identified above are on display when lawmakers or regulatory advocates make efforts to control speech or content.^[2] Calls to regulate free speech are often premised on the belief that something must be done to “protect The Children.”^[3] Personal and parental responsibility ^[4] are regarded as inadequate safeguards ^[5] since some parents will inevitably fall down on the job by not adequately shielding their children’s eyes and ears from potentially objectionable (or supposedly harmful) speech. Therefore, government must regulate content that is indecent, profane, excessively violent, and so on. The definition of those things is then left to unelected bureaucrats and judges to make on our behalf.

But it’s not just about “The Children.” Some regulatory advocates believe that even the choices made by consenting adults must be disregarded because some people fail to understand the supposedly destructive nature of the speech they are consuming. Government must act to protect people from making what some regulatory advocates regard as destructive or even immoral choices that could bring harm to them or their loved ones.

In sum, regulatory advocates are essentially saying that people cannot be trusted or left to their own devices and, therefore, government must intervene and establish a baseline “community standard” on behalf of the entire citizenry to tell them what‘s best for them.^[6] Even if those citizens have tools and information at their disposal to make sensible decisions about objectionable content, that’s not good enough because they might not do the job properly. Government must do it for them!

II. The Elitism of Privacy Regulation

This same mentality motivates calls for privacy regulations. Those who call for government interventions to “protect privacy” often claim that people too willingly surrender personal information about themselves and that they don’t understand the adverse consequences of those actions.^[7] Alternatively, regulatory advocates claim that advertising and marketing efforts are inherently “manipulative” and that people do not realize they are being duped into surrendering personal information or into buying products or services they supposedly don’t need.^[8] Of course, those regulatory advocates rarely pause to explain to us how it is that they were not also duped and manipulated by the same things—again revealing their deeply-rooted elitism! (As discussed below, this makes it clear how the psychological phenomenon of “third-person effect hypothesis” is driving much of this debate.)

“Protecting The Children” is also used as a rhetorical cover for regulation here, but not as often in debates over speech controls.^[9] Instead, regulatory advocates mostly focus on adults who are presumed not to know what is in their own best interest—necessitating paternalistic government intervention on their behalf.

III. Intellectual Schizophrenia on Both the Left & Right

What is particularly interesting about all this is the way these two issues expose a sort of intellectual schizophrenia at work on both the Left and Right of the political spectrum. Left-leaning policymakers and intellectuals typically decry censorship efforts (except where “commercial speech,” “hate speech” and “bias” are at issue), but are quick to rally around proposals to layer privacy regulations on the Internet. The opposite is often true of many on the Right of the political spectrum: They typically declare privacy regulations to be paternalistic and antithetical to free enterprise (or perhaps just erosive of efforts to legislate morality),^[10] but in the next breath advocate controls on content they find objectionable.

Few on either side stop to consider the relationship between speech and privacy. In fact, they are but two sides of the same coin. After all, what is your “right to privacy” but a right to stop me from observing you and speaking about you?^[11] “Protecting privacy,” therefore, typically means restricting speech rights in the process. Advocates of privacy regulation often insist that the use, processing and collection of information are “conduct” unprotected by the First Amendment, but in fact, the First Amendment broadly protects the gathering and distribution of information as part of the process of communication (“speech”).^[12] Similarly, attempts to “clean up” speech or “protect The Children,” often require regulations that would betray the privacy of adults by expanding the role of government, and impose serious burdens on businesses and markets—such as age verification mandates ^[13] or extensive data retention requirements.^[14]

IV. Common Tactics & Regulatory Mechanisms

The two movements also share common political tactics and regulatory approaches. Privacy advocates generally favor “opt-in” mandates as the federal “baseline standard” for any website collecting information about users, especially their browsing habits (regardless of whether the information is “personally identifiable”). In other words, the law would create a property right in such “personal information” (ironically, many advocates of this approach criticize or reject intellectual property.) In a similar vein, many advocates of speech controls push for mandatory parental control tools or restrictive default settings.^[15] That is, if government won’t censor speech outright, regulatory advocates want lawmakers to at least (1) require that media, computing and communications devices be shipped to market with parental controls embedded or included (as proposed in Australia and with China’s “Green Dam” filter),^[16] and possibly, (2) that such controls be defaulted to their most restrictive position—forcing users to opt-out of the controls later if they want to consume media rated above a certain threshold.

More sophisticated advocates of speech controls and privacy regulation will likely argue that their paternalism is less elitist or intrusive because they merely want to “nudge” the public into making “better” decisions. Economist Richard Thaler and legal scholar Cass Sunstein (director of President Obama’s Office of Information and Regulatory Affairs, responsible for analyzing most new federal regulations) popularized this approach with their 2008 book Nudge: Improving Decisions about Health, Wealth, and Happiness. Based on behavioral economics studies, they argue that both government and private actors must inevitably make decisions about “choice architecture” and that, by setting defaults, incentives and rules smartly, “choice architects” can and should improve decision-making without blocking, fencing-off or significantly burdening choices.^[17]

In this regard, Sunstein and Thaler’s approach parallels the work of Lawrence Lessig, one of the most influential Internet policy thinkers. Lessig has argued that the “architecture” of “code” (how software is written) “regulates” all online activities and requires government oversight and intervention to keep in check. Otherwise, he warned ominously a decade ago, “Left to itself, cyberspace will become a perfect tool of control.”^[18] Lessig’s hyper-pessimistic predictions have proven unwarranted, however. Far from fostering a world of “perfect control,” code and cyberspace have proven remarkably difficult to regulate, but nonetheless has generally benefited consumers and citizens without centralized direction.^[19] Still, Lessig, Sunstein, and others of this ilk persist in their advocacy of “nudges” of many varieties to impose their will on cyberspace through mandates from above.

But while it might be possible to define “better decisions” and argue that poor choice architecture leads people to choose things they clearly don’t want in contexts like investment decisions and mortgages, how can elites know what other people really want in highly subjective contexts like privacy and speech? Should they rely on opinion polls—the highly subjective results of which depend heavily on “choice architecture” of question-crafting—to guess what the right default should be?^[20] Was the Chinese proposal to mandate deployment of “Green Dam” just a harmless “nudge” because users weren’t barred from uninstalling the filtering software that must accompany their computers (i.e., “opting-out”)? The problem becomes even more difficult where trade-offs among competing values are inevitable. For example, data collection about Internet users raises privacy concerns for some but benefits all, creating more funding for “free” content (i.e., speech) and services users prefer by making more valuable the advertising that supports online publishers. In short, regulations of speech and privacy are likely to be pure paternalism, even when billed as “libertarian paternalism as Thaler and Sunstein label their approach.^[21]

What might be called “regulatory blackmail” is also a time-honored tradition among both advocates of speech controls and privacy regulation. When censorship advocates have previously been impeded by the First Amendment, they have worked behind the scenes with lawmakers or regulatory agencies to use indirect pressure and strong-arming tactics to extract “voluntary concessions” from companies or others.^[22] For example, in 2004, the FCC strong-armed radio giant Clear Channel into agreeing to a “voluntary” consent decree that involved taking Howard Stern off the air.^[23] Similarly, in 2008, XM and Sirius Satellite Radio finally agreed to set aside 4% of their system capacity for use by politically favored racial minorities (a kind of speech control) as a “voluntary condition” of their merger—after the FCC had sat on their application for nearly 16 months.^[24] This race-based preference would have been unconstitutional if the FCC had imposed it directly.^[25] While the FTC has been far less prone to such abuse and actually plays a key role in holding companies to their promises, its current Chairman, Jon Leibowitz, has hung the “regulatory sword of Damocles” over the heads of the online advertising industry, threatening them with a “day of reckoning” if he doesn’t get what he wants from industry self-regulatory efforts.”^[26] The sword could actually fall if the FTC turns self-regulation into the European model of “co-regulation,” where the government steers and industry simply rows.^[27]

V. The Crisis Mentality that Drives Regulation

Speech and privacy regulatory advocates share another trait in common: an affinity for the use of a crisis mentality as a method of spurring political action. In his 1995 book The Vision of the Anointed: Self-Congratulation as a Basis for Social Policy, political philosopher and economist Thomas Sowell formulated a model that he argued drives ideological crusades to expand government power over our lives and economy. “The great ideological crusades of the twentieth-century intellectuals have ranged across the most disparate fields,” noted Sowell. But what they all had in common, he argued, was “their moral exaltation of the anointed above others, who are to have their different views nullified and superseded by the views of the anointed, imposed via the power of government.”^[28] These government-expanding crusades shared several key elements, which Sowell identified as follows:

1. Assertion of a great danger to the whole society, a danger to which the masses of people are oblivious.
2. An urgent need for government action to avert impending catastrophe.
3. A need for government to drastically curtail the dangerous behavior of the many, in response to the prescient conclusions of the few.
4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes.

We see this model at work on a daily basis today with our government’s various efforts to reshape our economy, but the model is equally applicable to debates over speech controls and privacy regulation. In particular, the various “technopanics”^[29] we have witnessed in recent years fit this model. For example, consider how this model plays out in the debate over online social networking:

1. Assertion of a great danger to the whole society [online sexual predators], a danger to which the masses of people are oblivious.
2. An urgent need for government action [such as mandatory online age verification ^[30] or the Deleting Online Predators Act ^[31]] to avert impending catastrophe.
3. A need for government to drastically curtail the dangerous behavior of the many [must stop kids and adults from being online together on same sites], in response to the prescient conclusions of the few [some state Attorneys General].^[32]
4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes [child safety researchers and others are told that their research is meaningless or offbase].^[33]

We also see this model in play in other debates, such as efforts to regulate “excessively violent” video games and television programming.^[34] And consider how this model plays out on the privacy front:

1. Assertion of a great danger to the whole society [amorphous privacy violations], a danger to which the masses of people are oblivious.
2. An urgent need for government action [“baseline federal privacy regulation”] to avert impending catastrophe.
3. A need for government to drastically curtail the dangerous behavior of the many [anyone who shares information online], in response to the prescient conclusions of the few [a handful of privacy advocacy groups].
4. A disdainful dismissal of arguments to the contrary as either uninformed, irresponsible, or motivated by unworthy purposes [any suggestion that privacy concerns are being overblown and that most information-sharing is socially beneficial is dismissed out-of-hand].

Worse yet, regulatory intervention in these cases simply begets more and more intervention to correct the inevitable failures of, or dissatisfaction with, previous interventions.^[35] Thus, the “crisis” cycle never ends.

VI. Third-Person Effect Hypothesis as an Explanation

Something more profound than simple political elitism seems to be at work here, however. A phenomenon psychologists refer to as the “third-person effect hypothesis” can explain many calls for government intervention, especially in the media world.^[36] Simply stated, speech and privacy critics sometimes seem to only see and hear in media or communications what they want to see and hear—or what they don’t want to see or hear. When they encounter perspectives or preferences that are at odds with their own, they are more likely to be concerned about the impact of those things on others throughout society and come to believe that government must “do something” to correct those perspectives. Many people desire regulation because they think it will be good for others, not necessarily for themselves. The regulation they desire has a very specific purpose in mind: “re-tilting” speech or market behavior in their desired direction.

The third-person effect hypothesis was first formulated by W. Phillips Davison in a seminal 1983 article:

In its broadest formulation, this hypothesis predicts that people will tend to overestimate the influence that mass communications have on the attitudes and behavior of others. More specifically, individuals who are members of an audience that is exposed to a persuasive communication (whether or not this communication is intended to be persuasive) will expect the communication to have a greater effect on others than on themselves.^[37]

Davison used this hypothesis to explain how media critics on both the Left and Right seemed to simultaneously find “bias” in the same content or reports when they couldn’t possibly both be correct. In reality, their own personal preferences were biasing their ability to fairly evaluate that content. Davison’s article prompted further research by many other psychologists, social scientists, and public opinion experts to test just how powerful this phenomenon was in explaining calls for censorship and other social phenomena.^[38] In these studies, third-person effect has been shown to be the primary explanation for why many people fear—or even want to ban—various types of speech or expression, including news,^[39] misogynistic rap lyrics,^[40] television violence,^[41] video games,^[42] and pornography.^[43] In each case, the subjects surveyed expressed strong misgivings about allowing others to see or hear too much of the speech or expression in question, but greatly discounted the impact of that speech on themselves. Such studies thus reveal the strong paternalistic instinct behind proposals to regulate speech. As Davison notes:

Insofar as faith and morals are concerned… it is difficult to find a censor who will admit to having been adversely affected by the information whose dissemination is to be prohibited. Even the censor’s friends are usually safe from the pollution. It is the general public that must be protected. Or else, it is youthful members of the general public, or those with impressionable minds.^[44]

It’s easy to see how this same phenomenon is at work in debates about privacy. Regulatory advocates imagine their preferences are “correct” (right for everyone) and that the masses are being duped by external forces beyond their control or comprehension, even though the advocates themselves are somehow immune from the brain-washing and privy to some higher truth that the hoi polloi simply cannot fathom. Again, this is Sowell’s “Vision of the Anointed” at work.

Consider the flare-up in 2004 over the introduction of Gmail, Google’s free email service. At a time when Yahoo! mail (then as now the leading webmail provider) offered customers less than 10 megabytes of email storage, Gmail offered an astounding gigabyte of storage that would grow over time (now over 7 GB). Rather than charging some users for more storage or special features, Google paid for the service by showing advertisements next to each email “contextually” targeted to keywords in that email—a far more profitable form of advertising than “dumb banner” ads previously used by other webmail providers.^[45] Self-appointed (or, to extend Sowell’s framework, “self-anointed”) privacy advocates howled that Google was going to “read users’ email,” and led a crusade to ban such algorithmic contextual targeting.^[46] Thierer responded to these critics by pointing out that the service was purely voluntary and noted:

you don’t speak for me and a lot of other people in this world who will be more than happy to cut this deal with Google. So do us a favor and don’t ask the government to shut down a service just because you don’t like it. Privacy is a subjective condition and your value preferences are not representative of everyone else’s values in our diverse nation. Stop trying to coercively force your values and choices on others. We can decide these things on our own, thank you very much.^[47]

Interestingly, however, the frenzy of hysterical indignation about Gmail was followed by a collective cyber-yawn: Users increasingly understood that algorithms, not humans, were doing the “reading” and that, if they didn’t like it, they didn’t have to use it. Today, nearly 150 million of people around the world use Gmail, and it has a steadily growing share of the webmail market. Even though cyber-consumers have embraced the service, some privacy advocates persist in their effort to shut down Gmail. They appear determined to stop at nothing to impose their will on others—the essence of political elitism—even if that means cutting off free email service for 150 million people!^[48]

A similar debate has played out more recently regarding targeted online advertising in general. Advertising on search engines is, much like Gmail, targeted “contextually” based on search terms entered by users and most advertising on other websites is based on the nature of content on a site or page. But certain data is collected about users as they browse to make that advertising more effective—by measuring its performance, reducing fraud, preventing over-exposure, etc. Some privacy advocates have insisted that industry self-regulation of such practices (even if enforced by the FTC) is inadequate and have called for preemptive regulation. They are even more offended by “behavioral advertising” which allows publishers whose content would have little value as the basis for contextually targeting advertising on their own sites to compete for more highly valued advertising by showing ads to users based on other sites they’ve visited. In both cases, data collection can increase the funding available to publishers to produce more of the content and services preferred by users, thus conferring an enormous indirect benefit on users, but also directly benefits users by increasing the relevance of the advertising they see.^[49] For some of the more extreme advocates of privacy regulation, however, there are no trade-offs, only absolutist “solutions:” To them, privacy is so obviously desirable that they feel at ease in deciding what’s best for everyone else. Such absolutists often respond with righteous indignation and conspiratorial fulmination when challenged to identify the harm against which they’re protecting consumers, while disdainfully dismissing all talk of the benefits of online advertising as self-serving industry propaganda.^[50]

VII. The Principled Alternative: Trust People & Empower Them

There is an alternative to this elitist mentality: freedom and personal responsibility. Individuals should be permitted to live a life of their own, even if they sometimes make mistakes or choices that are at odds with what elites think is best for them. ^[51]

Of course, the world isn’t perfect. In an ideal world, adults would be fully empowered to tailor speech and privacy decisions to their own values and preferences. Specifically, in an ideal world, adults (and parents) would have (1) the information necessary to make informed decisions and (2) the tools and methods necessary to act upon that information. Importantly, those tools and methods would give them the ability to not only block the things they don’t like—objectionable content, annoying ads or the collection of data about them—while also finding the things they want.

Achieving that ideal is likely impossible, but the good news is that we are moving closer to it with each passing day. Citizens have more tools and methods at their disposal than ever before which enable them to make decisions for themselves and their families. And this is true for both parental controls ^[52] and privacy controls.^[53]

Of course, some speech and privacy elitists will argue that we can’t trust empowerment tools ( e.g., filters, rating systems, or other controls) that are created by companies or other affected parties. But rather than trying to enhance those tools and educate users about how to use them, these elitists skip right past user empowerment and channel their energies into regulations that would impose a top-down, one-size-fits all standard on all adults and families—or even into trying to craft the perfect “nudge” that will help users make what elites believe to be the “right” decisions. Of course, these tools can, and should, be improved. Those groups worried about speech/content and privacy issues should focus on how we might drive such protections from the bottom-up by empowering individuals instead of government bureaucrats. The goal in both cases should be a “let-a-thousand-flowers-bloom” approach, which offers diverse tools and strategies for our diverse citizenry.^[54] We need not accept “one-size-fits” all approaches, whether they be regulatory mandates or “nudges,” based on the presumption that elites know best.

Finally, it is vital not to lose sight of what’s ultimately at stake here. If regulatory approaches trump the empowerment agenda we have described, the future of a free and open Internet—indeed, as technology converges, the future of all media—is at risk.^[55] By imposing technological solutions from the top-down that can never keep pace with technological change, regulation necessarily forecloses freedom and innovation.^[56] By contrast, individual empowerment allows innovation to flourish. The better approach across the board is education, not regulation.^[57] Empowerment, not elitism, is the path forward. The digital elite should be leading this effort by developing and promoting technologies of empowerment, not crafting regulatory mandates to force their will upon us.^[58]

#

Adam Thierer is a Senior Fellow with The Progress & Freedom Foundation and the director of its Center for Digital Media Freedom. Berin Szoka  is a Senior Fellow with PFF and the Director of PFF’s Center for Internet Freedom.

[1] . William A. Henry, In Defense of Elitism (1995) at 2-3.

[2] . See Adam Thierer, The Progress & Freedom Foundation, Congress, Content Regulation, and Child Protection: The Expanding Legislative Agenda, Progress Snapshot 4.4, Feb. 2008, www.pff.org/issues-pubs/ps/2008/ps4.4childprotection.html. Like American courts, we use the term “speech” as a broad catch-all for communications, including both actual speaking as well as other forms of transmitting, as well as receiving, information (“content”).

[3] . See generally Adam Thierer, Don’t Scapegoat Media, USA Today, Dec. 4, 2008, www.pff.org/issues-pubs/ps/2008/ps4.24scapegoatmedia.html; Marjorie Heins, Not in Front of the Children, “Indecency,” Censorship, and the Innocence of Youth (2001); Karen Sternheimer, It’s Not the Media: The Truth about Pop Culture’s Influence on Children (2003); Karen Sternheimer, Kids These Days: Facts and Fictions about Today’s Youth (2006).

[4] . See Adam Thierer, The Progress & Freedom Foundation, FCC Violence Report Concludes that Parenting Doesn’t Work, PFF Blog, Apr. 26, 2007, http://blog.pff.org/archives/2007/04/fcc_violence_re.html.

[5] . See Adam Thierer, The Progress & Freedom Foundation, Sen. Rockefeller Gives Up on Parenting at Senate Violence Hearing, PFF Blog, June 26, 2007, blog.pff.org/archives/2007/06/sen_rockefeller_1.html.

[6] . Adam Thierer, Conservatives, Porn, and “Community Standards,” The Technology Liberation Front, March 2, 2009, http://techliberation.com/2009/03/02/conservatives-porn-and-community-standards.

[7] . Berin Szoka & Adam Thierer, The Progress & Freedom Foundation, Online Advertising & User Privacy: Principles to Guide the Debate, Progress Snapshot 4.19, Sept. 2008, www.pff.org/issues-pubs/ps/2008/ps4.19onlinetargeting.html.

[8] . Jeff Chester, for decades the great gadfly of American advertising, has decried “the system … developed to track each and every one of us and our behavior for one-on-one marketing efforts” as “manipulative, intrusive and un-democratic.” Wendy Melillo, Q&A: Chester Writes the Book on Privacy, Dec. 11, 2007, www.gfem.org/node/227. For instance, Chester and other leading “privacy advocates” ridicule the idea of smart phones as a “liberating technology” and insist that,

Despite the glowing words about customization and personalized service, what marketers and advertisers are increasingly offering consumers is merely the illusion of free choice. Mobile operators offer their various options and services, not on an individual basis, but preconfigured according to segmented demographic profiles.

Center for Digital Democracy and U.S. Public Interest Research Group, Complaint and Request for Inquiry and Injunctive Relief Concerning Unfair and Deceptive Mobile Marketing Practices, Jan. 13, 2009 (emphasis original), www.democraticmedia.org/files/FTCmobile_complaint0109.pdf. See generally Berin Szoka & Adam Thierer, The Progress & Freedom Foundation, Targeted Online Advertising: What’s the Harm & Where Are We Heading?, Progress on Point 16.2, Feb. 2009, www.pff.org/issues-pubs/pops/2009/pop16.2targetonlinead.pdf.

[9] . Berin Szoka & Adam Thierer, The Progress & Freedom Foundation, COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, Progress on Point 16.11, May 2009, www.pff.org/issues-pubs/pops/2009/pop16.11-COPPA-and-age-verification.pdf.

[10] . The Supreme Court has used a “right to privacy” to strike down laws against the use of contraception by married couples, Griswold v Connecticut, 381 U.S. 479 (1965), and abortion, Roe v. Wade, 410 U.S. 113 (1973).

[11] . Eugene Volokh, Freedom of Speech and Information Privacy: The Troubling Implications of a Right to Stop People From Speaking About You, 52 Stanford L. Rev. 1049 (2000), available at www.pff.org/issues-pubs/pops/pop7.15freedomofspeech.pdf.

[12] . See , Amicus Brief for Association Of National Advertisers, Cato Institute, Coalition For Healthcare Communication, Pacific Legal Foundation And The Progress & Freedom Foundation In Support Of Appellants, IMS Health v. Sorrell, No. 09-1913-cv(L), 09-2056-cv(CON) (2nd Cir. 2009), available at www.pff.org/issues-pubs/filings/2009/071309-Brief-Amici-Curiae-ANA-et-al-Second-Circuit-(09-1913-cv).pdf.

[13] . See Adam Thierer, The Progress & Freedom Foundation, Social Networking and Age Verification: Many Hard Questions; No Easy Solutions, Progress on Point No. 14.5, March 2007, www.pff.org/issues-pubs/ pops/pop14.8ageverificationtranscript.pdf; www.pff.org/issues-pubs/pops/pop14.5ageverification.pdfAdam Thierer, The Progress & Freedom Foundation, Statement Regarding the Internet Safety Technical Task Force’s Final Report to the Attorneys General, Jan. 14, 2008, www.pff.org/issues-pubs/other/090114ISTTFthiererclosingstatement.pdf; Nancy Willard, Why Age and Identity Verification Will Not Work—And is a Really Bad Idea, Jan. 26, 2009, www.csriu.org/PDFs/digitalidnot.pdf; Jeff Schmidt, Online Child Safety: A Security Professional’s Take, The Guardian, Spring 2007, www.jschmidt.org/AgeVerification/Gardian_JSchmidt.pdf.

[14] . Adam Thierer, The Progress & Freedom Foundation, Mandatory Data Retention: How Much is Appropriate, PFF Blog, June 26, 2006, http://blog.pff.org/archives/2006/06/mandatory_data.html

[15] . Adam Thierer, The Progress & Freedom Foundation, The Perils of Mandatory Parental Controls and Restrictive Defaults, Progress on Point 14.4, Apr. 11, 2008, www.pff.org/issues-pubs/pops/2008/pop15.4defaultdanger.pdf.

[16] . Adam Thierer, China’s Green Dam Filter and the Threat of Rising Global Censorship, PFF Blog, June 17, 2009, http://blog.pff.org/archives/2009/06/chinas_green_dam_filter_and_threat_of_rising_globa.html

[17] . They define choice architecture as follows: “A structure designed by a choice architect(s) to improve the quality of decisions made by homo sapiens. Often invisible, choice architecture is the specific user-friendly shape of an organization’s policy or physical building when homo sapiens come into contact with it. Examples of choice architecture include a voter ballot, a procedure for handling well-meaning people who forget a deadline, or a skyscraper.” Nudge Glossary of Terms, www.nudges.org/glossary.cfm.

[18] . Lawrence Lessig, Code and Other Laws of Cyberspace (1999) at 6.

[19] . See Adam Thierer, Code, Pessimism, and the Illusion of “Perfect Control,” Cato Unbound, May 2009, www.cato-unbound.org/2009/05/08/adam-thierer/code-pessimism-and-the-illusion-of-perfect-control

[20] . See Solveig Singleton & Jim Harper, With A Grain of Salt: What Consumer Privacy Surveys Don’t Tell Us, 2001, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=299930.

[21] . As Cato Institute scholar Will Wilkinson has argued, the book’s “agreeably banal doctrine of choice-preserving helpfulness” blurs the lines between paternalism and libertarianism, and thus “the thrust of the conceptual renovation behind the term libertarian paternalism is to empower, not limit, political elites.” Why Opting Out Is No “Third Way,” Reason, October 2008, www.reason.com/news/show/128916.html. See also Adam Thierer, The Progress & Freedom Foundation, Sunstein’s “Libertarian Paternalism” is Really Just Paternalism, PFF Blog, April 7, 2008, http://blog.pff.org/archives/2008/04/sunsteins_liber.html.

[22] . See Robert Corn-Revere, “’Voluntary’ Self-Regulation and the Triumph of Euphemism,” in Rationales & Rationalizations: Regulating the Electronic Media (Robert Corn-Revere, ed., 1997), at 183-208.

[23] . Telecom Policy Report, Commission Settles Indecency Charges, But At What Cost?, June 30, 2004, http://findarticles.com/p/articles/mi_m0PJR/is_25_2/ai_n6091525.

[24] . See Adam Thierer, XM-Sirius, Regulatory Blackmail, and Diversity, June 17, 2008, http://blog.pff.org/archives/2008/06/xmsirius_regula.html.

[25] . See Comments of W. Kenneth Ferree on Implementation of Sirius-XM Merger Condition, The Progress & Freedom Foundation, MB Docket No. 07-57, March 30, 2009, www.pff.org/issues-pubs/filings/2009/033009siriusXMconditionfiling.pdf.

[26] . See Szoka & Adam Thierer, supra note 8 at 3.

[27] . See id. at 2.

[28] . Thomas Sowell, The Vision of the Anointed: Self-Congratulation as a Basis for Social Policy (1995) at 5.

[29] . Alice Marwick, To Catch a Predator? The MySpace Moral Panic, First Monday, Vol. 13, No. 6-2, June 2008, www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2152/1966; Wade Roush, The Moral Panic over Social Networking Sites, Technology Review, Aug. 7, 2006, www.technologyreview.com/communications/17266; Anne Collier, Why Techopanics are Bad, Net Family News, April 23, 2009, www.netfamilynews.org/2009/04/why-technopanics-are-bad.html; Adam Thierer, Parents, Kids & Policymakers in the Digital Age: Safeguarding Against ‘Techno-Panics,’ Inside ALEC, July 2009, at 16-17, www.alec.org/am/pdf/Inside_July09.pdf; Adam Thierer, Progress & Freedom Foundation, Technopanics and the Great Social Networking Scare, PFF Blog, June 10, 2008, http://techliberation.com/2008/07/10/technopanics-and-the-great-social-networking-scare.

[30] . Supra note 13.

[31] . In the 109th Congress, former Rep. Michael Fitzpatrick (R-PA) introduced the Deleting Online Predators Act (DOPA), which proposed a ban on social networking sites in public schools and libraries. DOPA passed the House of Representatives shortly thereafter by a lopsided 410-15 vote, but failed to pass the Senate. The measure was reintroduced just a few weeks into the 110th Congress by Senator Ted Stevens (R-AK), the ranking minority member and former chairman of the Senate Commerce Committee. It was section 2 of a bill that Sen. Stevens sponsored titled the “Protecting Children in the 21st Century Act” (S. 49), but was later removed from the bill. See Declan McCullagh, Chat Rooms Could Face Expulsion, CNet News.com, July 28, 2006, http://news.com.com/2100-1028_3-6099414.html?part=rss&tag=6099414&subj=news.

[32] . See Emily Steel & Julia Angwin, MySpace Receives More Pressure to Limit Children’s Access to Site, Wall Street Journal, June 23, 2006, online.wsj.com/public/article/SB115102268445288250-YRxkt0rTsyyf1QiQf2EPBYSf7iU_20070624.html; Susan Haigh, Conn. Bill Would Force MySpace Age Check, Yahoo News.com, March 7, 2007, www.msnbc.msn.com/id/17502005.

[33] . See, e.g., Letter of Henry McMaster, Attorney General, South Carolina to Attorney General Richard Blumenthal and Attorney General Roy Cooper Regarding Internet Safety Task Force (“ISTTF”) Report, January 14, 2009, www.scag.gov/newsroom/pdf/2009/internetsafetyreport.pdf

[34] . See Adam Thierer, The Progress & Freedom Foundation, Video Games and “Moral Panic,” PFF Blog, Jan. 23, 2009, http://blog.pff.org/archives/2009/01/video_games_and_moral_panic.html ; Adam Thierer, The Progress & Freedom Foundation, Fact and Fiction in the Debate over Video Game Regulation, Progress Snapshot 13.7, March 2006, www.pff.org/issues-pubs/pops/pop13.7videogames.pdf.

[35] . “All varieties of interference with the market phenomena not only fail to achieve the ends aimed at by their authors and supporters, but bring about a state of affairs which—from the point of view of their authors’ and advocates’ valuations—is less desirable than the previous state affairs which they were designed to alter. If one wants to correct their manifest unsuitableness and preposterousness by supplementing the first acts of intervention with more and more of such acts, one must go farther and farther until the market economy has been entirely destroyed and socialism has been substituted for it.” Ludwig von Mises, Human Action, at 858 (3rd ed. 1963) (1949).

[36] . See generally Adam Thierer, The Progress & Freedom Foundation, Media Myths: Making Sense of the Debate over Media Ownership (2005) at 119-123, www.pff.org/issues-pubs/books/050610mediamyths.pdf (Explaining how the third-person effect serves as a powerful explanation for the heated backlash that followed an FCC effort to moderately liberalize media ownership rules in 2003-04).

[37] . W. Phillips Davison, The Third-Person Effect in Communication, 47 Public Opinion Quarterly 1, Spring 1983, at 3.

[38] . For the best overview of third-person effect research, see Douglas M. McLeod, Benjamin H. Detenber, and William P. Eveland., Jr., Behind the Third-Person Effect: Differentiating Perceptual Processes for Self and Other, 51 Journal of Communication, Vol. 51, No. 4, 2001, at 678-695.

[39] . Vincent Price, David H. Tewksbury & Li-Ning Huang, Third-person Effects of News Coverage: Orientations Toward Media, Journalism & Mass Communications Quarterly, Vol. 74, at 525-540.

[40] . Douglas M. McLeod, William P. Eveland & Amy I. Nathanson, Support for Censorship of Violent and Misogynic Rap Lyrics: And Analysis of the Third-Person Effect, Communications Research, Vol. 24, 1997, at 153-174.

[41] . Hernando Rojas, Dhavan V. Shah, and Ronald J. Faber, For the Good of Others: Censorship and the Third-Person Effect, International Journal of Public Opinion Research, Vol. 8, 1996, at 163-186.

[42] . James D. Ivory, Addictive, But Not For Me: The Third-Person Effect and Electronic Game Players’ Views Toward the Medium’s Potential for Dependency and Addiction, University of North Carolina at Chapel Hill, School of Journalism and Mass Communication, Aug. 2002.

[43] . Albert C. Gunther, Overrating the X-rating: The Third-person Perception and Support for Censorship of Pornography, Journal of Communication, Vol. 45, No. 1, 1995, at 27-38

[44] . Supra note 37 at 14. Along these lines, a December 2004 Washington Post article documented the process by which the Parents Television Council, a vociferous censorship advocacy group, screens various television programming. One of the PTC screeners interviewed for the story talked about the societal dangers of various broadcast and cable programs she rates, but then also noted how much she personally enjoys HBO’s “The Sopranos” and “Sex and the City,” as well as ABC’s “Desperate Housewives.” Apparently, in her opinion, what’s good for the goose is not good for the gander! See Bob Thompson, Fighting Indecency, One Bleep at a Time, The Washington Post, Dec. 9, 2004, at C1, www.washingtonpost.com/wp-dyn/articles/A49907-2004Dec8.html.

[45] . See Chris Anderson, Free: The Future of a Radical Price at 112-118 (2009).

[46] . See Letter from Chris Jay Hoofnagle, Electronic Privacy Information Center, Beth Givens, Privacy Rights Clearinghouse, Pam Dixon, World Privacy Forum, to California Attorney General Lockyer, May 3, 2004, http://epic.org/privacy/gmail/agltr5.3.04.html.

[47] . See email from Adam Thierer to Declan McCullaugh on Politech Email discussion group, April 30, 2004, http://lists.jammed.com/politech/2004/04/0083.html (emphasis added).

[48] . See Complaint and Request for Injunction of the Electronic Privacy Information Center against Google, Inc., March 17, 2009, http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf; see also Ryan Radia, Should the FTC Shut Down Gmail and Google Docs Because of an Already-Fixed Bug?, Technology Liberation Front Blog, March 18, 2009, http://techliberation.com/2009/03/18/should-the-ftc-shut-down-gmail-and-google-docs-because-of-an-already-fixed-bug/.

[49] . See Berin Szoka & Mark Adams, The Progress & Freedom Foundation, The Benefits of Online Advertising & the Costs of Regulation, PFF Working Paper, forthcoming.

[50] . Anti-advertising crusader Jeff Chester often resorts to questioning the motives of those who question whether his regulatory prescriptions would actually benefit consumers, see, e.g., http://techliberation.com/2009/06/17/behavioral-advertising-industry-practices-hearing-some-issues-that-need-to-be-discussed/#comment-11698840. See generally Jeff Chester, Digital Destiny: New Media and the Future of Democracy (2007).

[51] . “The only freedom which deserves the name is that of pursuing our own good in our own way, so long as we do not attempt to deprive others of theirs or impede their efforts to obtain it. Each is the proper guardian of his own health, whether bodily or mental and spiritual.” John Stuart Mill, On Liberty (Penguin Classics, 1859, 1986) at 72.

[52] . Adam Thierer, The Progress & Freedom Foundation, Parental Controls & Online Child Protection, Special Report, Version 4.0, Summer 2009, www.pff.org/parentalcontrols.

[53] . Adam Thierer, Berin Szoka & Adam Marcus, The Progress & Freedom Foundation, Privacy Solutions, PFF Blog, Ongoing Series, http://blog.pff.org/archives/ongoing_series/privacy_solutions.

[54] . Comments of Adam Thierer, The Progress & Freedom Foundation, In the Matter of Implementation of the Child Save Viewing Act; Examination of Parental Control Technologies for Video or Audio Programming; MB Docket No. 09-26, April 16, 2009, www.pff.org/issues-pubs/filings/2009/041509-%5bFCC-FILING%5d-Adam-Thierer-PFF-re-FCC-Child-Safe-Viewing-Act-NOI-(MB-09-26).pdf.

[55] . See Adam Thierer, FCC v. Fox and the Future of the First Amendment in the Information Age, Engage, Feb. 20, 2009, www.fed-soc.org/doclib/20090216_ThiererEngage101.pdf

[56] . “To act on the belief that we possess the knowledge and the power which enable us to shape the processes of society entirely to our liking, knowledge which in fact we do not possess, is likely to make us do much harm.” Friedrich von Hayek, “The Pretence of Knowledge,” in The Essence of Hayek, (Hoover Inst., 1984), at 276.

[57] . Adam Thierer, The Progress & Freedom Foundation, Two Sensible, Education-Based Legislative Approaches to Online Child safety, Progress Snapshot 3.10, Sept. 2007, www.pff.org/issues-pubs/ps/2007/ps3.10safetyeducationbills.pdf.

[58] . See, e.g., Berin Szoka, Google, CDT, Online Advertising & Preserving Persistent User Choice Across Ad Networks Through Plug-ins, Technology Liberation Front Blog, March 13, 2009, http://techliberation.com/2009/ 03/13/google-cdt-online-advertising-preserving-persistent-user-choice-across-ad-networks-through-plug-ins/.

We often talk about the problem of having all 50 states impose different regulatory requirements on the Internet, with the most restrictive standard effectively applying to all Internet actors.Fortunately, in the U.S. such efforts can be stamped down either by invoking the “Dormant Commerce Clause” (DCC) in court or by passing “preemptive federal regulation.”  (Unfortunately, most who complain about patchwork approaches, both in industry and the advocacy community, usually forget about the DCC and move right to federal legislation.)

But what about the 195 independent countries in the world (to say nothing of their regional/local subdivisions)? What if they each tried regulating Internet activity? Our friends at the Center for Democracy at Technology report on a scary precedent set by a Belgian court in March when it ruled that Belgian law applied to Yahoo! merely because Belgian citizens could access Yahoo! Mail. Thus, the court ruled that Yahoo! violated Belgian law when the company refused to hand over user data in response to an email from a Belgian prosecutor. CDT rightly applauds Yahoo! for insisting that the Belgians “follow established diplomatic and legal processes in order to gain access to user information.” But as the post notes, the really scary prospect is that of one country asserting authority over every site or service on the Internet that can be accessed in their country.

If this precedent stands, it’s likely to cause, at the very least, many companies to limit access to their sites or services by persons from countries with burdensome regulatory approaches. Even if those foreign laws are well-intentioned and laudable—such as efforts to punish fraud (as in the Belgian case) or to crack down on, say, child porn or protect user privacy)—the result could be to balkanize Internet services.  This would be especially unfortunate, given the incredible importance of services that might previously have seemed “un-serious” like Twitter or Facebook as “technologies of freedom.” CDT notes the danger to Internet freedom:

To understand how problematic this ruling is, we need only imagine how the governments of China, Iran, Vietnam or other repressive regime of your choice may decide that the precedent set here is one well worth following. Such actions undermine Belgium’s moral authority since, after all, it would only be hypocritical for Western democracies to criticize such radically overbroad assertions of jurisdiction by other nations.

by Berin Szoka & Adam Thierer

This morning, the House Energy & Commerce Committee will hold a hearing on “Behavioral Advertising: Industry Practices And Consumers’ Expectations.” If nothing else, it promises to be quite entertaining:  With full-time Google bashers Jeff Chester and Scott Cleland on the agenda, the likelihood that top Google officials will be burned in effigy appears high!

Chester, self-appointed spokesman for what one might call the People for the Ethical Treatment of Data (PETD) movement, is sure to rant and rave about the impending techno-apocalypse that will, like all his other Chicken-Little scenarios, befall us all if online advertisers were permitted to better tailor ads to consumers’ liking. After all, can you imagine the nightmare of less annoying ads that might actually convey more useful information to consumers? Isn’t serving up “untargeted” dumb banner ads for Viagra to young women and Victoria’s Secret ads to Catholic school kids the pinnacle of modern online advertising?  Gods forbid we actually make advertising more relevant and interest-based!  (Those Catholic school boys may appreciate the lingerie ads, but few will likely buy bras.)

Anyway, according to National Journal’s Tech Daily Dose, the hearing lineup also includes:

• Charles Curran, Executive Director, Network Advertising Initiative
• Christopher Kelly, Chief Privacy Officer, Facebook
• Edward Felten, Director, Center for IT Policy, Princeton University
• Anne Toth, Chief Privacy Officer & Vice President, Policy, Yahoo!
• Nicole Wong, Deputy General Counsel, Google

That’s an interesting group and we’re sure that they will say interesting things about the issue. Nonetheless, because four of them have a corporate affiliation that fact will inevitably be used by some critics to dismiss what they have to say about the sensibility of more targeted or interest-based forms of online advertising. So, we’d like to offer a few thoughts and pose a few questions to make sure that Committee members understand why, regardless of what it means for any particular online operator, targeting online advertising is very pro-consumer and essential to the future of online content, culture, and competition.  As Wall Street Journal technology columnist Walt Mossberg has noted, “Advertising is the mother’s milk of all the mass media.”  Much of the “free speech” we all cherish isn’t really free, but ad-supported!

Our Approach

We have previously set forth a framework for analyzing advertising policy issues in two PFF reports: “Online Advertising & User Privacy: Principles to Guide the Debate” and “Targeted Online Advertising: What’s the Harm & Where Are We Heading?” At root, our model depends heavily on two common-sense, and inter-related, principles:

1. We live in a world of trade-offs; and
2. There is no free lunch.

Their Approach

We are deeply concerned that too few people are talking about—or even understand the relevance of—those two principles in the debate over targeted online advertising. It seems that too many who wish to retard the further evolution of the advertising marketplace are living a lie based upon the antithesis of our model. Many privacy advocates seem to imagine that regulatory actions don’t have consequences and that Congress can simply mandate new privacy standards for the Internet without having any impact on the free flow of ideas supported by, and direct facilitated through, advertising.

Simply put, the privacy critics often imagine that their values are indicative of everyone’s values. Our blogging colleague Jim Harper of the Cato Institute has referred to this as “preference imposition” but we’ll use a simpler term: Elitism. In essence, privacy advocates seem to believe that:

1. People are too ignorant, busy or just plain stupid, and cannot be trusted to make wise decisions for themselves (or their children); and/or
2. Everyone shares the same values or concerns when it comes to privacy such that a national “baseline” regulatory standard (namely, mandatory “opt-in” regulations for data collection and use) should govern the entire online marketplace.

Let’s be clear: Such a mandate, and the thinking behind it, would greatly impoverish the future Internet economy. Too many people think of the Internet as a magic box that just keeps cranking out free goodies. But something powers that box of goodies: advertising.  More than anything else, it’s advertising that keeps the Internet “Free, Innovative & Open,” to borrow the slogan of our friends at CDT, which seems to flirt with joining the PETD movement, despite their well-earned reputation for pragmatic skepticism of government interference with the Internet.

The regulatory advocates complain that giving consumers the right to opt-out of data collection and use isn’t meaningful because very few consumers will exercise the opt-out.  Again, they presume that this must be because users just don’t know what’s good for them because of course if they really understood what was being done with “their data,” they would never choose to just “give it away” for a few scraps from the advertisers’ table.  It never occurs to them that (i) many, perhaps most, users just don’t care and that (ii) that their “ignorance” about the all specific details of “how the sausage is made” (online data collection and use practices for targeting advertising) may be completely rational.

But just as importantly, would-be privacy regulatory don’t seem to understand—or perhaps simply don’t care—that what’s true of opt-out is also true of opt-in:  in practice, few people will bother doing either.  In a world of perfect information and infinite time, of course, there would be no difference in outcomes with the two different rules.  But in the real world with real constraints on time, knowledge and everything else, mandating opt-in would make all the difference in the world by severely limiting the ability of advertisers to target advertising.

The Ignored Trade-offs

We’ve been assembling evidence on the real-world costs of restricting targeted advertising. Here are just a few data points we’ve seen to give you a sense of what’s at stake:

• Relevance to Users: The best evidence that users prefer seeing more relevant ads is their increased likeliness to actually click on an ad—instead of just ignoring it or trying to block it. The most recent study of this issue concluded that Click-Through Rates (CTR) can be improved by as much as 670% by using basic behavioral targeting as compared to simple contextual targeting—0r even more than 1000% using more sophisticated targeting. Conversion rates (the percentage of clicks that actually result in a sale) also strongly indicate that consumers find ads more interesting, and in one 2005 study, were estimated to increase up to 3000% with behavioral targeting.
• Macro: More Revenue to Fund All Services & Content: eMarketer (in June 2008) estimated that U.S. spending on behavioral targeting would grow from $.775 billion in 2008 to $4.4 billion in 2012—representing fully a quarter of display ad spending.  The total amount of money at stake is huge:  U.S. online ad revenues totaled $23.5 billion in 2008.
• Micro: More Revenue for Individual Publishers: Estimates on the increased profitability of behavioral targeting range as high as 1200% (eMarketer).

While these examples illustrate the broad outlines of the trade-offs ignored by privacy regulatory advocates, the key dilemma to understand is this: If, under an opt-in regime, publishers would be able to target advertising for webpages based on the keywords contained within those pages, and not on other content the user has looked at, the value of most Internet content will depend not on how many eyeballs it attracts but primarily on the economic value of the keywords that are directly associated with it. Pages with keywords related to products and services will fetch a fine price because advertisers will be able to make money off ads on those pages ( e.g., a site for digital camera reviews). But content with little commercial value will generate little revenue. Indeed, this is perhaps the single greatest problem faced by journalism sites. Who wants to advertise on a story about North Korea? How many users are going to be interested in taking a honeymoon in the DMZ?

But if such websites could target advertising to users’ user’s likely interests based on an anonymous profile of their interests created by collecting data about their browsing “behavior,” web content becomes valuable because of the audience it attracts, not just because the content itself serves as a rough proxy for a user’s interests. This democratization of Internet advertising revenue is essential for sustaining the future of journalism in particular, but also for “free” culture more generally.

As we noted in our response to the FTC’s proposed self-regulatory guidelines on data collection for advertising:

Depending on how regulation is structured, therefore, it is possible that new privacy mandates would severely curtail the overall quantity of content and services offered—and greatly limit the ability of new providers to enter the market with innovative offerings. Alternatively, or perhaps additionally, companies would change the character of their offerings and water-down sophisticated services that cater to consumer demand; in other words, the quality of service would deteriorate. Bottom line: Something must give because there is no free lunch. Regulation is a giant game of economic whack-a-mole: Attempting to control one of the primary variables of price, quantity, or quality inevitably results in non-optimal adjustments in the other two variables. The absence of price as a variable in this context means there is one less variable for the government to control in the first place. Simply stated, stifling the evolution of the online advertising marketplace will likely result in fewer free online services and less content, less high-quality online services and content, or some combination of both… We stand at an important crossroads in the debate over the online marketplace and the future of a “free and open” Internet. Many of those who celebrate that goal focus on concepts like “net neutrality” at the distribution layer, but what really keeps the Internet so “free and open” is the economic engine of online advertising at the applications and content layers. If misguided government regulation chokes off the Internet’s growth or evolution, we would be killing the goose that laid the golden eggs…. These observations are even more relevant to the online marketplace, where advertising has been shown to be the only business model with any real staying power. Walled gardens, pay-per-view, micropayments, and subscription-based business models are all languishing. Consequently, the overall health of the Internet economy and the aggregate amount of information and speech that can be supported online are fundamentally tied up with the question of whether we allow the online advertising marketplace to evolve in an efficient, dynamic fashion. Heavy-handed privacy regulation (or co-regulation) could, therefore, become the equivalent of a disastrous industrial policy for the Internet that chokes off the resources needed to fuel e-commerce and online free speech going forward.

Our Challenge to the Advocates of Privacy Regulation

For these reasons, we have repeatedly issued the following three-part challenge in our previous work to those who advocate the regulation of online advertising:

1. Identify the harm or market failure that requires government intervention.
2. Prove that there is no less restrictive alternative to regulation.
3. Explain how the benefits of regulation outweigh its costs.

We’re still waiting…

We’ve also made it clear that there is an alternative to the pre-emptive, one-size-fits-all regulation demanded by the regulatory advocates:  We’ve proposed a “layered approach” based on user education, user empowerment, self-regulation and FTC enforcement of privacy policies.  Our goal is as follows:

The ideal state of affairs would be to create a system of tools and data disclosure practices that would empower each user to implement their personal privacy preferences while also recognizing the freedom of those who rely on advertising revenues to “condition the use of their products and services on disclosure of information”—not to mention the viewing of ads! Self-regulatory efforts can be refined, especially through technological innovation to better satisfy the concerns of policymakers, privacy advocates, and average consumers. For example, if websites and ad networks participating in a self-regulatory framework supplemented their current “natural language” privacy policies with equivalent “machine-readable” code [ e.g., P3p], that data could be “read” by browser tools that would implement pre-specified user preferences by blocking the collection of information depending on whether the privacy policies of certain websites or ad networks met the user’s preferences about data-use. Such robust and granular disclosure, if implemented for behavioral advertising, would exceed the wildest dreams of those who argue that users currently do not read privacy policies—without disrupting the browsing experience or cluttering websites. But this system would only work if users had to make real choices about “pay*ing+ for ‘free’ content and services by disclosing their personal information.”

A Final Word About Advertising

On some level, this debate isn’t about user privacy at all, but about the alleged evils of advertising as inherently manipulative.  Jeff Chester straddles both camps.  His rantings about the use of “neuromarketing” boil down to the same simple idea that the Neo-Marxists have been pushing for decades:  Since people are stupid, ignorant and/or lazy (see above), they’re easy to control and trick with shiny objects, pretty faces, memorable slogans, and catchy jingles. No better response to this argument has ever been made than was offered in this 1959 magazine ad by the ad firm Young & Rubicam (emphasis added for Chester’s benefit):

There is no chestnut more overworked than the critical whinny: “Advertising sells people things they don’t need.” We, as one agency, plead guilty. Advertising does sell people things they don’t need. Things like television sets, automobiles, catsup, mattresses, cosmetics, ranges, refrigerators, and so on and on. People don’t really need these things. People don’t really need art, music, literature, newspapers, historians. wheels, calendars, philosophy, or, for that matter, critics of advertising, either. All people really need is a cave, a piece of meat and, possibly, a fire. The complex thing we call civilization is made up of luxuries. An eminent philosopher of our time has written that great art is superior to lesser art in the degree that it is “life-enhancing.” Perhaps something of the same thing can be claimed for the products that are sold through advertising. They enhance life, to whatever degree they can.

Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”

As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.

Yet advocates of expanding COPPA—or “COPPA 2.0″—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.

We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:

• Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
• Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
• Hamper routine and socially beneficial communication between adolescents and adults;
• Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);

• Would likely be the subject of massive fraud or evasion since it is not always possible to definitively verify the parent-child relationship, or because the system could be “gamed” in other ways by determined adolescents;
• Do nothing to prevent offshore sites and services from operating outside these rules;
• Present major practical challenges for law enforcement officials in the face of such evasion by both domestic users and offshore sites;
• Could destroy opportunities for new or smaller website operators to break into the market and offer competing services and innovations, thus contributing to consolidation of online content and services by erecting barriers to entry; and
• Violate the Commerce Clause of the U.S. Constitution, since Internet activity clearly represents interstate commerce that states have no authority to regulate.

Today, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) announced the members of the new Online Safety and Technology Working Group (OSTWG).  I am honored to be among those chosen to participate in this new task force and I look forward to continuing the work started last year with the Harvard Berkman Center’s Internet Safety Technical Task Force (ISTTF), which I also served on.   I was very proud of the work done by the ISTTF and the impressive final report that Prof. John Palfrey crafted to reflect our findings.  I am eager to investigate these issues further and take a look at the latest research and technologies that can help us better understand how to protect our kids online while also protecting the free speech and privacy rights of Netizens.

The new NTIA working group, which was established under the “Protecting Children in the 21st Century Act,” will report to the Assistant Secretary of Commerce for Communications and Information on industry-implemented online child safety tools and efforts. Within a year of convening its first meeting, the group will submit a report of its findings and make recommendations on how to increase online safety measures.

Below the fold I have listed the complete roster of OSTWG task force members.  I very much looking forward to working with this outstanding group.  And I’m happy to report that my TLF blogging colleague Braden Cox will be joining me on this task force!

Ms. Parry Aftab, WiredSafety Ms. Elizabeth Banker, Yahoo! Inc. Mr. Christopher Bubb, AOL Ms. Anne Collier, Net Family News, Inc./ConnectSafely.org Mr. Braden Cox, NetChoice Coalition Ms. Caroline Curtin, Microsoft Mr. Brian Cute, Afilias U.S.A. Mr. Jeremy Geigle, Arizona Family Council Ms. Marsali Hancock, Internet Keep Safe Coalition Mr. Michael Kaiser, National Cyber Security Alliance Mr. Christopher Kelly, Facebook Mr. Brian Knapp, Loopt, Inc. Mr. Timothy Lordan, Internet Education Foundation Mr. Larry Magid, SafeKids.com/ConnectSafely.org Mr. Brian Markwalter, Consumer Electronics Association Mr. Michael McKeehan, Verizon Communications, Inc. Dr. Samuel McQuade, III, Rochester Institute of Technology Ms. Orit Michiel, Motion Picture Association of America, Inc. Mr. John Morris, Center for Democracy & Technology Mr. Jonathon Nevett, Network Solutions, LLC Mr. Hemanshu Nigam, MySpace/Fox Interactive Media Ms. Jill Nissen, Ning, Inc. Mr. Jay Opperman, Comcast Corporation Mr. Kevin Rupy, United States Telecom Association Mr. John Shehan, National Center for Missing & Exploited Children Mr. K. Dane Snowden, CTIA – the Wireless Association Mr. Adam Thierer, Progress & Freedom Foundation Ms. Patricia Vance, Entertainment Software Rating Board Mr. Ralph Yarro, The CP80 Foundation

• denotes co-chairs of the task force

Chris Soghoian has responded to my recent post lauding his Targeted Advertising Cookie Opt-Out (or “TACO” – documented and downloadable here). We’re agreed in the main on user empowerment. The interesting stuff is on the margin: He disagrees with me that blocking third party cookies as I do (and he does too) is a satisfactory approach to suppressing tracking by advertisers.

There are a couple of points worth making about the discussion.

The first has to do with our slightly differing objectives. Chris is deeply focused on advertisers and his dislike of being tracked by advertisers. Though it is not absolute, I have a preference against tracking by anyone other than sites that I know, like, and trust. I’m no more worried about advertisers than any entity that would track my surfing – and there are many.

Again, TLF readers, I ask you to try setting your browser to query you before setting cookies. It’s a real insight into the dozens of entities getting a look at you as you surf, including a bunch of social networks and news sites.

If “advertisers” are what you seek to harness, that seems like a group that can be captured through some kind of centralized control mechanism. (I don’t think it actually is.) But if your goal is privacy as against all comers, you don’t attempt to centrally plan or decide who is good and who is bad. Responsibility rests with the end user.

Let the goal be “advertisers,” though. And I ask: Those social networks and news aggregators – are they “advertisers”? If you’re going to require a subset of Web communicators to obey opt-out cookies, you have to be able to define that subset – a problem Chris doesn’t seem to have thought about yet.

Lots of different publishers, sites, and networks have data that is entirely fungible with the tracking data advertisers collect. What do you get if you push down on the “officially advertisers” part of the balloon? Workarounds.

But I’ve backed into the second point – the means to these ends. Chris soft-pedals how he would get at tracking, but as far as I can tell it’s a law that says “advertisers” have to obey opt-out cookies.

Unlike all of the previous anti-advertising technologies, the opt-out mechanism provides users with a way to positively affirm that they do not wish to be tracked and targeted. This opt-out cookie is something that advertisers cannot ignore.

Is it by magic that they “cannot ignore” opt-out cookies? No, it’s by law.

With the right law in place, Chris appears to believe, “[t]he Federal Trade Commission and Congress would likely take an interest” when advertisers tried to skirt opt-out cookies, using other technologies to glean information about Web surfers’ interests.

His hope is to end the “arms race” in which users have to constantly chase the shifting tactics advertisers use to track them. It’s a fair point: There is a constant, rolling change in how the Web is used by publishers, advertisers, and consumers to interact and trade the data each produces.

That is an “arms race” only if you’ve adopted the rigid, war-like stance that tracking by advertisers is inherently wrong. It’s not. Berin and Adam, who have done a lot more work than me on this lately, have done a good write-up of the subtleties. What Chris calls an “arms race” is better thought of as a constantly unfolding negotiation among all parties about the terms of the content-for-advertising bargain.

I believe, as a person who dislikes third-party cookies, that offering them to my computer in the hopes of gleaning some information is not wrong. Some people think it’s horribly wrong. Most people are indifferent.

Who’s right? Everyone and nobody. There doesn’t have to be one answer.

But should the terms of use for the Web be written by a vociferous minority (i.e. Chris) that can’t persuade the public to refuse tracking using the tools available to them? Perhaps the demand for control comes because the public won’t be persuaded.

Now that would be wrong – regulating cookies to force “protection” on a public that could seek it for itself, but won’t. That would deprive “advertisers” – we still don’t know who they are – of freedom and communications channels, it would deny publishers revenues, and it would deny consumers content they want and enjoy.

But let’s talk about arms races. Chris seeks exit from the so-called arms race on the technical and user side in favor of an arms race in the legislative and regulatory world. The law he imagines – so perfect as it resides there in his head – would have to be passed by Congress and implemented by a regulatory agency like the Federal Trade Commission.

Each of these regulatory bodies is under constant, well, “siege” by phalanxes of lobbyists, paid to advocate the views of their clients, including ” advertisers.” There is no realistic hope that Chris’ opt-out cookie law would make it through that in the form he wants. Defining what one means by “advertisers” is a gruesome task, with likely First Amendment problems. Instead of the clean bill Chris imagines, it would be perverted (from Chris’ perspective) by lobbying and special-interest influence. Remember when Congress passed a law alleging it would prevent spam?

Chris would transfer the arms race we’re in now – where consumers are in control, if apathetic – to a field where consumers are not in control and very apathetic, believing that they are protected by the government. This is the approach preferred by victims of the fatal conceit, who think that they can design society better than society can design itself. (Berin has done a terrific job of lambasting the Center for Democracy and Technology for its similarly conceited, blindly pro-regulatory armchair quarterbacking on the online advertising issue.)

Plenty of people dream about regulation that works, of course. The SEC’s failure to protect investors in the Madoff case provides one more example among many where law and regulation failed utterly to protect consumers – and by its existence encouraged their irresponsibility.

It is damaging folly to try protecting consumers from the tracking advertisers do when consumers can just as well protect themselves.

I’ve already laid out my own reactions to Google’s roll-out of an “interest based advertising” (IBA) program here.  In a nutshell, I applauded Google setting a new “gold standard” in user empowerment by providing:

• Notice in their IBA-targeted ads of who’s paying for the ad and the fact that Google is serving it; and 
• A link to a powerful “Ad Preference Manager” that allows users to:
  • See and modify the “digital dossier” (to use the fearmonger’s term) of interests associated with the cookie on their computer; and 
  • Opt-out of tracking for IBA purposes.    

But as I predicted, despite these pro-privacy features (and despite the fact that other major companies such as Yahoo! and Microsoft already have IBA programs), a number of privacy advocacy organizations are attacking Google for daring to enter the IBA (or “online behavioral advertising”) business at all.   I’ll have much more to say about the criticism of Google’s new Ad Preference Manager soon, especially coming from Marc Rotenberg of EPIC (a “disaster“) and Jeff Chester of CDD—precisely the sort of the “paroxysms of privacy hysteria” I predicted.  

But first, the criticism from Ari Schwartz of the Center for Democracy & Technology requires a response today.  At its best, CDT plays a vital role in calling corporations to continually raise the bar on privacy.  My own think tank, the Progress & Freedom Foundation, works closely with CDT on many issues, such as advocating user empowerment through technological means as a constitutionally “less restrictive” way of protecting children than government censorship.

 Here’s what Ari had to say:

[T]he opt-out is based on a failed premise. The truth of the matter is that the industry needs to work together to move beyond the discredited cookie opt-out model….  Google claims to have improved upon the old model by creating a plug-in for users to keep their opt-out cookie while deleting the rest of their cookies. While as a technical matter that may be true, without an industry-wide solution these plug-in options just serve to confuse users about what they need to do to protect themselves. If this plug-in approach catches on, will users need to download a plug-in from every network advertiser and every analytics company to stop the tracking? That model just isn’t sustainable.

Ari is setting up a straw man when he suggests that users are going to have to download a separate plug-in for every ad network.  The obvious solution, as Ari points out, is an industry-wide plug-in. But if it’s so obvious, why can’t CDT just write it themselves?  Indeed, why didn’t they write it years ago?

These aren’t rhetorical questions.  I  really  want to know what would be required to create a plug-in that does what Google’s plug-in does for every other ad network’s opt-out cookie in the Opt-out tool developed by the Network Advertising Initiative (NAI):  Maintain “persistent” user choice by checking to see whether a user has deleted whatever their opt-out cookies and, if so, restoring those cookies.  

CDT will probably insist that, if it’s really so easy to create such an industry-wide plug-in, NAI should have done so years ago.  Maybe so.  Perhaps if the industry had moved faster to innovate in privacy protection, they would be in a stronger position right now politically.  Of course, if the industry moves slowly in this regard, maybe that’s because they’ve got their hands full trying to keep advertising, the economic engine that funds the Internet’s “free” content and services, working-a reality Ari ignores.  Or perhaps it wouldn’t matter:  It seems that no matter what industry might do, it’s just not good enough for Ari.  Under the banner of “Keeping the Internet Open, Innovative and Free,” Ari is in fact leading CDT in a full-on attack on the Internet, pushing for regulation that will make the Internet:

• Less “Open” to competition among service providers and the diversity of voices and choices produced by online content creators who depend on advertising;
• Less “Innovative” in terms of new content, new services, new online personalization technologies, and new advertising business models that could broaden the base of economic support for the entire Internet; and
• Less “Free” both in political terms—“free” from government regulation and controls—and in financial terms—“free” to users because advertisers foot the bill.

CDT ignores these very real costs to crippling online advertising, which will ultimately be borne by the very consumers whom CDT claims to be protecting.  This is precisely why Adam Thierer and I have argued so strongly for a layered approach (and here at page 7) to privacy concerns about online advertising that combines self-regulation and tough FTC enforcement of privacy policies with a recognition that only by empowering individual users to make their own choices can we balance inherently subjective concerns about privacy with the need to fund the Internet’s future:

We stand at an important crossroads in the debate over the online marketplace and the future of a “free and open” Internet.  Many of those who celebrate that goal focus on concepts like “net neutrality” at the distribution layer, but what really keeps the Internet so “free and open” is the economic engine of online advertising at the applications and content layers.  If misguided government regulation chokes off the Internet’s growth or evolution, we would be killing the goose that laid the golden eggs. 

Back to the plug-in…  CDT argues that the opt-out cookie system is flawed in respects other than ensuring the persistence of user opt-outs.  We can debate that question.  But I’d just like to get a clear answer once and for all about why CDT hasn’t already developed this plug-in themselves.

Here‘s the NAI opt-out, Ari, and here‘s the code for Google’s plug-in—it’s open source! How much easier could Google have made this for you?  Quit yapping and start coding! 

Since CDT doesn’t seem up to the task, we’ve already modified the Google plug-in to preserve another ad network’s opt-out cookie (download our beta plug-in here) and are currently working to expand the plug-in to work for multiple cookies—which is simply a matter of coding.  We’d welcome help from anyone with experience in writing Firefox plug-ins. 

NAI could (and probably should) do this, themselves.  But if CDT wants to start being philosophically consistent about empowering consumers across in the board —on privacy issues as well as child protection issues—writing this plug-in themselves is a great way to shame the rest of the advertising industry into picking up where Google left off.   I suspect CDT’s failure to do so thus far reflects a crass political calculation that anything they does to empower users to manage their own privacy through technical solutions simply undermines their arguments that only government can protect users—thus weakening their push for regulation.  So much for CDT’s declared mission of “seek[ing] practical solutions to enhance privacy!”

And so begins another fight over data retention. As Declan summarizes:

Republican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations. The legislation, which echoes a measure proposed by one of their Democratic colleagues three years ago, would impose unprecedented data retention requirements on a broad swath of Internet access providers and is certain to draw fire from businesses and privacy advocates. […] Two bills have been introduced so far — S.436 in the Senate and H.R.1076 in the House. Each of the companion bills is titled “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act,” or Internet Safety Act.

Julian also has coverage over at Ars and quotes CDT’s Greg Nojeim who says the data retention language is “invasive, risky, unnecessary, and likely to be ineffective.”  I think that’s generally correct.  Moreover, I find it ironic that at a time when so many in Congress seemingly want online providers to collect and retain LESS data about users, this bill proposes that ISPs be required to collect and retain MORE data. One wonders how those two legislative priorities will be reconciled!!

Don’t get me wrong. It’s good that Congress is taking steps to address the scourge of child pornography — especially with stiffer sentences for offenders and greater resources for law enforcement officials. Extensive data retention mandates, however, would be unlikely to help much given the ease with which bad guys will likely circumvent those requirements using alternative access points or proxies.  Finally, retention mandates pose a threat to the privacy of average law-abiding citizens and impose expensive burdens of online intermediaries.

We’ve had more to say about data retention here at the TLF over the years.  Here’s a few things to read:

• Yahoo! Data-Retention Policy vs. The New Justice Department, by Cord Blomquist
• Another Reason to Be Wary of Age Verification & Data Retention Mandates, by Adam Thierer, October 30, 2006.
• Mandatory Data Retention: How Much is Appropriate? by Adam Thierer, June 26, 2006.
• Internet Data Storage Is The Wrong Way To Combat Child Sexual Exploitation, by Hance Haney, Sept. 20, 2006.
• Data Retention on the Move, by Jim Harper, June 1, 2006.

Over at CDT’s “Policy Beta” blog, my friends John Morris and Sophia Cope have penned two important essays about online free speech issues that are worthy of your attention. In the first, Sophia argues that the “Next President Must Preserve Free Speech on the Internet.” She argues:

It will be critical for the next President to do his part to uphold the Internet’s robust culture of free speech and innovation as we march further into the 21st Century. In stark contrast to the mass media of the last century, the Internet has provided, at very low cost, virtually unlimited forums for both creators and consumers of new content and technologies. This in turn has created a huge boost for participatory democracy and our economy. The next Administration must reject Congressional or agency efforts to censor content or stifle the fire of innovation on the Internet and other communications media.

Amen! Importantly, Sophia points to the essential role of Section 230 of the Telecommunications Act of 1996, which protects online service providers from crushing legal liability in a variety of circumstances. Sec. 230 is probably the most important — and most often forgotten — law dealing with online freedom. Unfortunately, however, it’s increasingly under attack and we need to be vigilant in defending it. (I’m working on a big paper about that right now with my PFF colleagues Berin Szoka and Adam Marcus).

In the second essay on the CDT blog today, John Morris notes how Congress has been passing a “flurry” of last-minute child safety bills. He points out:

While the public’s attention was focused on the drama unfolding around the economic bailout, it was actually a busy time for other bills to get pushed – sometimes under the cover of the bailout darkness. Just before recess, Congress considered parts of four “child safety” bills, acted on three, and sent two to the White House. While not all the provisions in these bills raise red flags, some language gives free expression advocates plenty to worry about.

One of the measures he discusses, S. 602, the “Child Safe Viewing Act of 2007,” was the subject of an essay I penned here a few days ago.

Anyway, make sure to read these excellent essays by Sophia and John.

Along with my friends John Morris and Sophia Cope of the Center for Democracy & Technology, I have just submitted an amicus brief to the Supreme Court in the potentially historic free speech case FCC v. Fox, which will be heard in November.

[Reminder: The FCC v. Fox case is the indecency case involving the FCC’s new policy for “fleeting expletives.” I wrote about the Second Circuit Court of Appeals decision here. The full decision is here. By contrast, the so-called “Janet Jackson case” — CBS v. FCC — took place in the Third Circuit Court of Appeals and that court recently handed down a decision that also went against the FCC. I wrote about the Third Circuit’s decision here.]

The FCC v. Fox case could become the most important First Amendment-related Supreme Court case since FCC v. Pacifica Foundation, which just turned 30 years old last month. Of course, it could be that the Supreme Court simply sticks to the procedural questions regarding whether the FCC moved too far, too fast in reversing it’s long-standing policy of restraint regarding “fleeting expletives.” That’s essentially what the Second Circuit did. On the other hand, the Supremes might reach the substantive First Amendment issues tied up in the Pacifica case. We just won’t know for sure until the case is handed down.

Regardless, in the joint CDT-PFF amicus brief filed today, we argue that the FCC has both gone too far procedurally and that “the time is rapidly approaching for this Court to find that broadcast, like the Internet and other means of mass communication, ‘is entitled to the highest protection from government intrusion’ and that there is no longer a factual ‘basis for qualifying the level of First Amendment scrutiny that should be applied to this medium.'” Citing Reno v. ACLU, 521 U.S. at 863, 870.”

A more detailed summary of our argument follows below. Our brief contends that the “pervasiveness rationale,” which is the basis of the FCC’s authority to regulate broadcast programming, is being challenged by technological convergence, the proliferation of new media platforms, and the widespread availability of parental control technologies. Video content available over broadcast television is available over a variety of other platforms, such as the Internet and mobile devices, and an increasing number of households subscribe to satellite or cable video services. “With broadcast television being just one of the myriad of ways that people can access lawful content (including indecent content), it no longer makes sense from a constitutional or policy perspective to give broadcast speech less First Amendment protection,” we argue.

Parental controls, such as the V-Chip and set-top box controls, allow parents to block content they deem offensive or inappropriate. Better yet, the rise of VCRs, DVD recorders, video on demand, and digital video recorders means that parents can tailor media consumption to their specific needs and values. Those tools are widely available and provide a less restrictive alternative to government regulation. As a result, the FCC can no longer justify broadcast television content censorship on “pervasiveness” grounds. [I have written much more about that point here, here and here.]

Our joint brief also states that complaint data the FCC cites as justification for the expansion of indecency enforcement, has been inflated through accounting changes. These changes in the way the complaints are counted, which were only instituted for indecency complaints, are in violation of the APA. These complaints, mostly generated by a single advocacy group, cannot be a substitute for an analysis of “community standards” and essentially represent a “heckler’s veto” that violates the First Amendment rights of other viewers.

The brief also cites the Commission’s inconsistent analysis of what it deems “indecent” as a violation of both the First Amendment rights of broadcasters and the APA. The inconsistency in what the FCC finds as indecent has a chilling effect on the free expression of content providers and provides inadequate guidance to broadcasters, which is required under FCC statutes.

The CDT-PFF brief can be found online here and I have also embedded the document below via the Scribd reader. [And those interested in this case might also be interested my recent law review article: “Why Regulate Broadcasting: Toward a Consistent First Amendment Standard for the Information Age.”]

Incidentally, other briefs that have been filed in the matter can be found here. And, last month, I wrote about how personally troubled I was about the lack of support from liberals who have already filed in this case. See: “Liberals Abandoning the First Amendment, Part 3: The Fox Case.”

This week I was pleased to join a diverse collection of think tanks and public interest groups in submitting joint comments to the FCC opposing the proposed content filtering mandate that would be part of a future AWS-3 auction. That’s the proposed auction that would create a “free” nationwide wireless broadband service. As part of the deal, the company would need to need to take steps to provide a “clean” Internet connection by filtering content. This joint filing points out why that is a bad idea:

• the reach of the filtering mandate is extraordinarily broad, and would attempt to censor content far beyond any content regulation regime that has been previously upheld in the face of constitutional challenge.
• even if the scope of the filtering mandate were more narrowly focused, it would conflict with the First Amendment analysis that the Supreme Court applied to Internet access in the seminal Reno v. ACLU decision.
• even if the Commission were to require filtering on an “opt out” or “opt in” basis, the Constitutional problems would not be avoided. Opt-out filtering would impose an unconstitutional burden on listeners and recipients of Internet communications, and both opt-out and opt-in filtering would violate the First Amendment rights of speakers and other content providers on the Internet. Simply put, the First Amendment does not allow a government mandated “blacklist” of websites to be blocked.
• would also violate the terms and intent of two federal statutes – 47 U.S.C. § 326 (which prohibits the Commission from “interfer[ing] with the right of free speech”) and 47 U.S.C. § 230 (which promotes user control over content and limits burdens on service providers).
• would also limit what people could do online using the free AWS-3 service so dramatically that the usefulness of the service would be radically reduced.
• would also certainly lead to legal challenges that would delay the implementation of the proposed access service. The reason I believe this fight is so important is because, ultimately, it represents an effort by the FCC to begin treating wireless broadband more like broadcast spectrum. That is, regulators want to create the classic regulatory quid pro quo: We’ll rig the wireless allocation process to make it easy for you to get spectrum, and you’ll be a good little boy and clean up the Net for us! This is the game the FCC has been playing for 70 years in the broadcast television and radio licensing space. And not they want to extend that nonsense to wireless broadband. As Commander Jean-Luc Picard would say: “The line must be drawn here!” We don’t want the Internet regulated like broadcasting.

Many thanks to John Morris of CDT for coordinating this filing and asking me to sign on. The comments can be found on the CDT website, and I have also embedded them down below as a Scribd file. Also, Leslie Harris of CDT has a short editorial about the issue over at ABC News.com.

A few days ago, I posted an essay about the recent history of “moral panics,” or “technopanics,” as Alice Marwick refers to them in her brilliant new article about the recent panic over MySpace and social networking sites in general.

I got thinking about technopanics again today after reading the Washington Post’s front-page article, “When the Phone Goes With You, Everyone Else Can Tag Along.” In the piece, Post staff writer Ellen Nakashima discusses the rise of mobile geo-location technologies and services, which are becoming more prevalent as cell phones grow more sophisticated. These services are often referred to as “LBS,” which stands for “location-based services.”

Many of phones and service plans offered today include LBS technologies, which are very useful for parents like me who might want to monitor the movement of their children. Those same geo-location technologies can be used for other LBS purposes. Geo-location technologies are now being married to social networking utilities to create an entirely new service and industry: “social mapping.” Social mapping allows subscribers to find their friends on a digital map and then instantly network with them. Companies such as Loopt and Helio have already rolled out commercial social mapping services. Loopt has also partnered with major carriers to roll out its service nationwide, including the new iPhone 3G. It is likely that many other rivals will join these firms in coming months and years.

These new LBS services present exciting opportunities for users to network with friends and family, and it also open up a new world of commercial / advertising opportunities. Think of how stores could offer instantaneous coupons as you walk by their stores, for example. And very soon, you can imagine a world were many of our traditional social networking sites and services are linked into LBS tools in a seamless fashion. But as today’s Washington Post article notes, mobile geo-location and social mapping is also raising some privacy concerns:

what many users may not realize is that by sharing this information, they are creating often permanent records that can tell not only wireless providers, but also social networking sites, other users, and potentially law enforcement and civil attorneys every place they are and have been, as long as their phone and tracking device are on.

My friend Jim Dempsey of Center for Democracy & Technology was also quoted in the WP story raising additional concerns:

“How easy is it for the user to turn the location function on and off, and how easy it is for the user to delete past location information?” he said. “What are the companies collecting? Who are they sharing it with? How long do they store it? And what control does the consumer have over the information? These are the fundamental questions.” The wireless industry, through CTIA The Wireless Association, has issued guidelines for location-based services that stress consumer notice and consent and data security. But, Dempsey said, self-regulation is only part of the solution. What is needed, he said, is baseline federal legislation covering all firms that collect personal electronic data.

Moreover, when child safety advocates become more aware of this technology, you can imagine some of the other types of bogeyman scenarios that some people will conjure up: stalkers, jealous boyfriends, predators, etc, etc. So, I don’t think I’m going out on too much of limb here when I predict that mobile geo-location and social mapping will become America’s next great technopanic.

But before the hysteria begins, let’s step back and try to take a level-headed look at this issue and understand why we likely don’t have as much to fear as some privacy advocates or child safety advocates might suggest.

First, no one is forcing you to buy the phones equipped with LBS or purchase / download these technologies! These tools are luxuries that we are blessed to have at our disposal. These technologies are barely out of the cradle and we already have people hinting that preemptive regulation might be necessary based merely on hypothetical fears. That’s a recipe for destroying innovation.

Second, if you do choose to use LBS services, you will obviously first need to own a mobile phone. That means you pay money for that phone and a monthly plan. To the extent, therefore, this becomes a child safety issue, we have a very important tool for parents in place right up front: the power of the purse. As I have written in my book on parental controls and online child safety (p. 33), when media and communications technologies cost good money—and cell phones and mobile data plans certainly do!—parents have a very important additional check on the child’s media exposure or interactive communication capabilities. In the case of LBS, parents can first decide if they want to buy their kids phones with those technologies. If they do, then they will also be able to monitor and manage usage of such tools by keeping a close tab on the monthly statements. After all, the kids don’t pay the bills! Mom and Dad do.

Third, just as is the case with other child safety and privacy-based technopanics (social networking, Gmail, etc) the likely harm is being greatly over-stated and self-help tools and controls are being completely ignored. In this case, even if you do choose to purchase or use these services, you must take active steps to share your information to others.

Consider how Loopt works. Luckily, I have had the opportunity to play with the Loopt service and learn more about it. It’s very cool. But what really impresses me about Loopt is how the company has layered on safety and security controls. Loopt has put together a slick “privacy & security” website that summarizes the advice they give their customers. The best part about it is the “Be Safe Guide” that offers sensible guidance for safe and responsible use of this new technology. Loopt stresses that you should only open your network and share location-based information with a close circle of friends. And Loopt encourages users to confirm phone numbers with other users after they have open up their network to others. Because Loopt is a closed, private network, this process means it would be very difficult for privacy violations of any sort to occur. Here’s how they describe it:

To initiate a friend-request (or contact other users in any way), a subscriber must already know the other user’s mobile phone number. Even when a friendship request is successfully sent, the prospective friend must consent as well to a reciprocal “friendship connection” before any location sharing will occur. In other words, Loopt users only see where their established friends are, not strangers. Loopt is not an “open” social network and does not offer any browsing or searching of full profiles by non-friends.

And Loopt doesn’t retain all that “location history” over an extended period; just the most recent locational position such that users can connect when they want. So, in light of these many layers of protection, it is difficult for me to see how anyone can raise privacy concerns about how Loopt works.

Of course, it is true that there will be other rivals to Loopt in coming years, and they might have somewhat different policies or procedures. But remember three things:

First, the industry as a whole has been working together to develop a set of best practices on this front. As part of their effort to create and refine their “Wireless Content Guidelines,” the CTIA, the wireless industry’s trade association, has worked with its member companies to create privacy and safety guidelines for this emerging industry sector.

Second, the combination of that industry self-regulation and vigilant oversight / pressure from privacy groups and industry watchdogs will put enormous pressure on LBS providers to make sure they take steps to protect user privacy / safety. Consumers will come to expect a certain baseline level of privacy and security based on industry leaders like Loopt. Those who ignore the wishes of consumers will have hell to pay in the marketplace. And bad PR or grief from all those privacy and child safety advocates will be a real killer for LBS providers who don’t craft and enforce sensible policies.

Third, self-help tools exist that can help users (or parents) take additional steps to protect privacy. And consumer education / safety awareness efforts for younger users is increasing. I talk at length about those efforts in my book. While LBS providers certainly should take steps to help consumers protect privacy, personal responsibility has to play a role here too. We shouldn’t be rejecting every new innovation that hits the market just because there is some potential theoretical downside or some way that consumers could really screw up and do something stupid with it. People have to be responsible. And self-help tools are flourishing to help consumers protect their privacy in many different contexts. Just as those self-help tools represent a better, less-restrictive way of dealing with concerns about media content, so too do they offer a superior way of dealing with privacy concerns. (I often wonder why it is that some of the free speech groups out there defend the existence of such tools as the “less-restrictive means” of protecting children as compared to speech-stifling regulations, but when it comes to privacy regulation they never bother to mention those same self-help tools and methods. What gives? If the tools represent the better alternative to regulation in the free speech context then why not also in the privacy context?? It makes no sense to me, and in an upcoming PFF report, Berin Szoka and I are going to be discussing this issue at much greater length.)

Regardless, and in conclusion, before people go making a mountain out of a molehill and creating a technopanic around LBS and services like Loopt, I do hope they take a deep breath and consider these facts before they rush to regulate this exciting new technology and emerging industry sector.