What explains the rebirth of analog era media? Many people (including me!) predicted that vinyl records, turntables, broadcast TV antennas and even printed books seemed destined for the dustbin of technological history. We were so wrong, as I note in this new oped that has gone out through the Tribune Wire Service.

“Many of us threw away our record collections and antennas and began migrating from physical books to digital ones,” I note. “Now, these older technologies are enjoying a revival. What explains their resurgence, and what’s the lesson?”

I offer some data about the rebirth of analog era media as well as some possible explanations for their resurgence. “With vinyl records and printed books, people enjoy making a physical connection with the art they love. They want to hold it in their hands, display it on their wall and show it off to their friends. Digital music or books don’t satisfy that desire, no matter how much more convenient and affordable they might be. The mediums still matter.”

Read more here. Meanwhile, my own personal vinyl collection continues to grow without constraint! …

The Obama Administration has just released a draft “Consumer Privacy Bill of Rights Act of 2015.” Generally speaking, the bill aims to translate fair information practice principles (FIPPs) — which have traditionally been flexible and voluntary guidelines — into a formal set of industry best practices that would be federally enforced on private sector digital innovators. This includes federally-mandated Privacy Review Boards, approved by the Federal Trade Commission, the agency that will be primarily responsible for enforcing the new regulatory regime.

Many of the principles found in the Administration’s draft proposal are quite sensible as best practices, but the danger here is that they could soon be converted into a heavy-handed, bureaucratized regulatory regime for America’s highly innovative, data-driven economy.

No matter how well-intentioned this proposal may be, it is vital to recognize that restrictions on data collection could negatively impact innovation, consumer choice, and the competitiveness of America’s digital economy.

Online privacy and security is vitally important, but we should look to use alternative and less costly approaches to protecting privacy and security that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.

That is why flexible data collection and use policies and evolving best practices will ultimately serve consumers better than one-size-fits all, top-down regulatory edicts. Instead of imposing these FIPPs in a rigid regulatory fashion, privacy and security best practices will need to evolve gradually to new marketplace realities and be applied in a more organic and flexible fashion, often outside the realm of public policy.

Regulatory approaches, like the Obama Administration’s latest proposal, will instead impose significant costs on consumers and the economy. Data is the fuel that powers our information economy. Privacy-related mandates that curtail the use of data to better target or personalize new services could raise costs for consumers. There is no free lunch. Something has to pay for all the wonderful free sites and services we enjoy today. If data can’t be used to cross-subsidize those services, prices will go up.

Data regulations could also indirectly cost consumers by diminishing the abundance of content and culture now supported by the data-driven economy. In other words, even if prices and paywalls don’t go up, quantity or quality could suffer if data collection is restricted.

Data regulations could also hurt the competitiveness of domestic markets and the global competitive advantage that America’s tech sector has in this space. That regulatory burden would fall hardest on smaller operators and new start-ups. Today’s “app economy” has given countless small innovators a chance to compete on even footing with the biggest players. Burdensome data collection restrictions could short-circuit the engine that drives entrepreneurial innovation among mom-and-pop companies if ad dollars get consolidated in the hands of only the larger companies that can afford to comply with new rules.

We don’t want to go down the path the European Union charted in the 1990s with heavy-handed data directives. That suffocated high-tech entrepreneurialism and innovation there. America’s Internet sector came to be the envy of the world because our more flexible, light-touch regulatory regime leaves more breathing room for competition and innovation compared to Europe’s top-down regime. We should not abandon that approach now.

Finally, the Obama Administration’s proposal deals exclusively with private sector data collection and has nothing to say about government surveillance activities. The Administration would be wise to channel its energies into that far more significant privacy problem first.

Additional Reading from Adam Thierer of the Mercatus Center

Law Review Articles:

• “The Pursuit of Privacy in a World Where Information Control is Failing,” Harvard Journal of Law and Public Policy, Vol. 36, No. 2, (2013).
• “A Framework for Benefit-Cost Analysis in Digital Privacy Debates,” George Mason Law Review, Vol. 20, No. 4, (2013).
• “Privacy Law’s Precautionary Principle Problem,” Maine Law Review, Vol. 66, No. 2 (2014).
• “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation,” Richmond Journal of Law and Technology, Vol. 21 (2015).
• “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” Minnesota Journal of Law, Science & Technology, Vol. 14, No. 1, (2013).

Testimony / Filings

• Testimony before the Senate Commerce Committee on the Internet of Things, February 11, 2015.
• Testimony before the Senate Commerce Committee on Privacy, Data Collection & Do Not Track, April 24, 2013.
• Filing to the Federal Trade Commission on Privacy & Security Implications of the Internet of Things, May 31, 2013.
• Filing to the Federal Trade Commission on Protecting Consumer Privacy in an Era of Rapid Change, February 22, 2011.

Ladar Levison, founder of encrypted email service Lavabit, discusses recent government action that led him to shut down his firm. When it was suspected that NSA whistleblower Edward Snowden used Lavabit’s email service, the FBI issued a National Security Letter ordering Levison to hand over SSL keys, jeopardizing the privacy of Lavabit’s 410,000 users. Levison discusses his inspiration for founding Lavabit and why he chose to suspend the service; how Lavabit was different from email services like Gmail; developments in his case and how the Fourth Amendment has come into play; and his involvement with the recently-formed Dark Mail Technical Alliance.

Download

Related Links

• Lavabit, Levison
• Dark Mail, Zimmerman, Callas, Janke, Levison
• Lawyers raise civil liberty concerns in Lavabit case, Salon
• Lawyers for Lavabit founder: judges may dismiss civil liberties concerns, The Guardian

Jack Schinasi discusses his recent working paper, Practicing Privacy Online: Examining Data Protection Regulations Through Google’s Global Expansion published in the Columbia Journal of Transnational Law. Schinasi takes an in-depth look at how online privacy laws differ across the world’s biggest Internet markets — specifically the United States, the European Union and China. Schinasi discusses how we exchange data for services and whether users are aware they’re making this exchange. And, if not, should intermediaries like Google be mandated to make its data tracking more apparent? Or should we better educate Internet users about data sharing and privacy? Schinasi also covers whether privacy laws currently in place in the US and EU are effective, what types of privacy concerns necessitate regulation in these markets, and whether we’ll see China take online privacy more seriously in the future.

Download

Related Links

• Practicing Privacy Online: Examining Data Protection Regulations Through Google’s Global Expansion, SSRN
• Journal of Transnational Law, Columbia University

Today I’ll be testifying at a Senate Commerce Committee hearing on online privacy and commercial data collection issues. In my remarks, I make three primary points:

1. First, no matter how well-intentioned, restrictions on data collection could negatively impact the competitiveness of America’s digital economy, as well as consumer choice.
2. Second, it is unwise to place too much faith in any single, silver-bullet solution to privacy, including “Do Not Track,” because such schemes are easily evaded or defeated and often fail to live up to their billing.
3. Finally, with those two points in mind, we should look to alternative and less costly approaches to protecting privacy that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.

The testimony also contains 4 appendices elaborating on some of these themes.

Down below, I’ve embedded my testimony, a list of 10 recent essays I’ve penned on these topics, and a video in which I explain “How I Think about Privacy” (which was taped last summer at an event up at the University of Maine’s Center for Law and Innovation). Finally, the best summary of my work on these issues can be found in this recent Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing.” (This is the first of two complimentary law review articles I will be releasing this year dealing with privacy policy. The second, which will be published early this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.”)

Testimony of Adam D. Thierer before the Senate Committee on Commerce, Science & Transportation hearing…

Some of My Recent Essays on Privacy & Data Collection

1. A Better, Simpler Narrative for U.S. Privacy Policy – March 19, 2013
2. On the Pursuit of Happiness… and Privacy – March 31, 2013 (condensed from Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing”)
3. Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy? – Feb. 20, 2011
4. Two Paradoxes of Privacy Regulation – Aug. 25, 2010
5. Privacy as an Information Control Regime: The Challenges Ahead – Nov. 13, 2010
6. When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed – Apr. 29, 2011
7. Lessons from the Gmail Privacy Scare of 2004 – March 25, 2011
8. Who Really Believes in “Permissionless Innovation”? – March 4, 2013 (condensed from Minnesota Journal of Law, Science & Technology law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle”)
9. The Problem of Proportionality in Debates about Online Privacy and Child Safety – Nov. 28, 2009
10. Obama Admin’s “Let’s-Be-Europe” Approach to Privacy Will Undermine U.S. Competitiveness– Jan. 5, 2011

A headline in the USA Today earlier this week screamed, “Hello, Big Brother: Digital Sensors Are Watching Us.”  It opens with an all too typical techno-panic tone, replete with tales of impending doom:

Odds are you will be monitored today — many times over. Surveillance cameras at airports, subways, banks and other public venues are not the only devices tracking you. Inexpensive, ever-watchful digital sensors are now ubiquitous.

They are in laptop webcams, video-game motion sensors, smartphone cameras, utility meters, passports and employee ID cards. Step out your front door and you could be captured in a high-resolution photograph taken from the air or street by Google or Microsoft, as they update their respective mapping services. Drive down a city thoroughfare, cross a toll bridge, or park at certain shopping malls and your license plate will be recorded and time-stamped. Several developments have converged to push the monitoring of human activity far beyond what George Orwell imagined. Low-cost digital cameras, motion sensors and biometric readers are proliferating just as the cost of storing digital data is decreasing. The result: the explosion of sensor data collection and storage.

Oh my God! Dust off you copies of the Unabomber Manifesto and run for your shack in the hills!

No, wait, don’t. Let’s instead step back, take a deep breath and think about this. As the article goes on to note, there will certainly be many benefits to our increasing “sensor society.”  Advertising and retail activity will become more personalized and offer consumers more customized good and services.  I wrote about that here at greater length in my essay on “Smart-Sign Technology: Retail Marketing Gets Sophisticated, But Will Regulation Kill It First?”  More importantly, ubiquitous digital sensors and data collection/storage will also increase our knowledge of the world around us exponentially and do wonders for scientific, environmental, and medical research.

But that won’t soothe the fears of those who fear the loss of their privacy and the rise of a surveillance society in which our every move is watched or tracked. So, let’s talk about what those of you who feel that way want to do about it.

The Challenge of Information Control

The USA Today quotes some people I know fairly well and have great respect for (Lee Tien, Chris Wolf, & Ryan Calo) raising various concerns but not really offering any specific recommendations. I suspect that it’s only a matter of time before we hear calls for regulation — even bans — of digital sensor / surveillance technologies.  On the other hand, things might unfold the way they did when RFID chips/tags came on the scene.  There was a lot of hysteria then, but things died down and — unless I missed something — no major restrictions on their use were instituted and RFID is in widespread use today.

But the “creepiness” or intrusiveness factor gets ratcheted up a bit with next-gen digital sensor technology, especially because they have become highly decentralized and dirt cheap. Practically every teenager is walking around with a powerful digital “sensor” or surveillance technology in the pocket today.  It’s called their phone.  Except they rarely use it to make calls.  They do, however, use it to record audio and video of themselves and the world around them and instantaneously share it will the planet. They also use geolocation technologies to pinpoint the movement of themselves and others in real time.

Meanwhile, new translation tools and biometric technologies are becoming widely available to average folk. Those of you who have played with Google Goggles on your smartphone know what I am talking about. Incredibly cool stuff, but you can see where it is heading. In a couple of years, we’ll have biometric buttons on our shirts feeding live streams of our daily movements and interactions into social networking sites and databases. We’ll use them to record our days and play them back later, or perhaps to just instantly scan and recognize faces and places in case we can’t remember them using our noggins. As a result, mountains of intimate data we be created, collected, collated, and cataloged on a daily basis. 

And there isn’t much we can do to stop this. As I noted in my essays on “Privacy as an Information Control Regime: The Challenges Ahead, and “The IP & Porn Wars Give Way to the Privacy & Cybersecurity Wars,” today’s information control efforts are greatly complicated by problems associated with (1) convergence, (2) scale, (3) volume, and (4) unprecedented individual empowerment / user-generation of content.  Thus, for better or worse, the information genies — porn, hate speech, spam, state secrets, pirated content, personal information, etc. — are out of their bottles and getting them back in will be an enormous challenge.

Darknet & the Decline of Practical Obscurity

In the context of personal privacy, the net result of all of this — to quote Jim Harper’s excellent 2006 book Identity Crisis — is the “decline of practical obscurity.”  “As practical obscurity declines,” Harper notes, “it becomes more likely that large quantities of data center on identified individuals  will be collected and more likely that it will be shared and used. With large collections if data highly correlated to precise identities, he consequences of being identified are changing.” (p. 163)  Harper rightly notes that may not be all bad. Again, there will be many benefits associated with this. But many others — especially those who are privacy fundamentalists and would have privacy trump most other values — won’t want to hear about possible benefits or trade-offs. It’s pretty much all bad from their perspective.

So, let’s get back to what we want to do about all this. Is “creepiness” enough of a harm to call in the code cops to undo progress?  If so, can we roll back the clock or put this particular technology back in the bottle?  I suppose that, with enough effort, we could.  But I can’t help but think about all the “darknet“-related critiques I’ve heard over the past decade about the futility of efforts to protect intellectual property or use DRM to secure IP against widespread dissemination. As I noted in my essay on “Two Paradoxes of Privacy Regulation,” many of these arguments have been set forth by the same people who now tell us they want to try to bottle up information in this context by “property-tizing” personal information.

But if the darknet critique holds for flows of copyrighted information, why would it not also hold for personal information?  Perhaps there is less incentive to push out personal information across the planet as aggressively as intellectual property, but that doesn’t mean there is no incentive to do so.  Many people will do it voluntarily each and every day when they put the most intimate details (and pictures / videos) of their lives online.  And, as they darknet critique informs us, once the information is out, it’s pretty much game over.

This is one reason why I’ve been mildly entertained by what some privacy regulatory advocates have said recently about “Do Not Track” regulation being able to stop or slow the technological arms race in the privacy arena.  “The header-based Do Not Track system appeals because it calls for an armistice in the arms race of online tracking,” says Rainey Reitman of EFF.  And the always provocative regulatory agitator Chris Soghoian argues that “opt out mechanisms… [could] finally free us from this cycle of arms races, in which advertising networks innovate around the latest browser privacy control.”  These guys should know better. There is no way in hell that Do Not Track would slow the technological “arms race” in this arena. If anything, a Do Not Track mandate will speed up that arms race and potentially just shift attention toward the development of Deep Packet Inspection (DPI) technologies or other, more invasive, forms of tracking.

I suppose they would argue that we’ll turn our attention to those technological developments as they happen, but that would make my point. There will be technological and marketplace responses to efforts to freeze current market structures, norms, and technologies in place. Again, for better or worse, progress happens.  It’s just that privacy advocates aren’t particularly fond of the consequences of technological progress in this regard and want to put a stop to it.  But they will fail.

Hyper-Transparency

At this point, some savvy readers might suspect I have fallen under the spell of David Brin and the vision he set forth in his 1997 book, The Transparent Society. There’s some truth to that, at least as it pertains to the empirical side of his argument. For those who forget his provocative thesis, Brin argued that:

While new surveillance and data technologies pose vexing challenges, we may be wise to pause and recall what worked for us so far. Reciprocal accountability — a widely shared power to shine light, even on the mighty — is the unsung marvel of our age, empowering even eccentrics and minorities to enforce their own freedom. Shall we scrap civilization’s best tool — light — in favor of a fad of secrecy?

Across the political spectrum, a “Strong Privacy” movement claims that liberty and personal privacy are best defended by anonymity and encryption, or else by ornate laws restricting what groups or individuals may be allowed to know. This approach may seem appealing, but there are no historical examples of it ever having worked.  Strong Privacy bears a severe burden of proof when they claim that a world of secrets will protect freedom… even privacy… better than what has worked for us so far — general openness.

Indeed, it’s a burden of proof that can sometimes be met! Certainly there are circumstances when/where secrecy is the only recourse… in concealing the location of shelters for battered wives, for instance, or in fiercely defending psychiatric records. These examples stand at one end of a sliding scale whose principal measure is the amount of harm that a piece of information might plausibly do, if released in an unfair manner. At the other end of the scale, new technologies seem to require changes in our definition of privacy. What salad dressing you use may be as widely known as what color sweater you wear on the street… and just as harmlessly boring.

The important thing to remember is that anyone who claims a right to keep something secret is also claiming a right to deny knowledge to others. There is an inherent conflict! Some kind of criterion must be used to adjudicate this tradeoff and most sensible people seem to agree that this criterion should be real or plausible harm… not simply whether or not somebody likes to keep personal data secret.

As a normative matter, I’m not entirely in league with Brin, but I do think he makes a very powerful case for transparency and openness trumping privacy and secrecy. (And isn’t it a delicious irony of information policy debates that the same crowd that is typically hammering on policymakers about the need for greater “openness” and transparency in all other matters suddenly wants to the opposite when our personal information is brought into the discussion?!)

But where I am entirely in agreement with Brin is with his empirical or practical case for understanding and, to some extent, accepting the world around us.  I wouldn’t necessarily label it the snarky “privacy is dead, just get over it,” but I would think it fair to call this philosophy “privacy is changing, and we need to learn how to live with it.”

Thinking about Concrete Harms & Targeted Solutions to Them

To be clear, I’m not against all forms of “privacy” law or regulation.  When it comes to government surveillance, I think we need more limitations on the State and the ability of public officials to access certain types of information, or act upon it. The key point here is that the solution to State surveillance concerns should not be bans on the technology. We instead need to shackle State actors and tightly delimit their power over our lives—such as by tightening up the Electronic Communications Privacy Act, as the Digital Due Process Coalition proposes, and by creating new protections for locational data, as Sen. Wyden has recently proposed.  And we should do so because the State possesses uniquely coercive powers over our lives and our property.

For privately aggregated data, it’s more complicated. I continue to think we can live with most forms of private data collection and aggregation since there are great benefits for society.  Most of the time, companies are just trying to sell us a more relevant product.  It’s hard for me to see the harm in that.  But there will be certain categories of personal information that will eventually need to be carved out of the mix.  I think health and financial information are the two primary categories in this case. It doesn’t mean we should take extreme steps to limit all data flows associated with them, but we will likely need to take some steps.  And most countries, including the U.S., already have targeted laws dealing with those two categories of personal information.  In this sense, I look at privacy regulation in much the same way I look at censorship.  The general default should be that openness and information sharing are permissible. But in some extreme cases — think child pornography — most of us can agree that the harm is quite tangible and significant enough to warrant repression of that information / content.

These are challenging issues and this is fertile ground for further academic investigation.  I think that we are only beginning to explore and understand the mechanics of information control regimes. As we continue that exploration, especially as we look to significantly broaden regulation of personal information flows, here are some questions for scholars to consider and debate:

• In the context of privacy and personal information, how far should law go to roll back digital progress or try to put the genie back in the bottle?
• Does the “darknet” theory have ramifications for the privacy debate?
• Can or should we have similar information control regimes for privacy, content control, defamation, intellectual property, cybersecurity, etc, or should each problem be treated/regulated differently?
• If, however, we adopt differing regulatory regimes for different classes of information, won’t the most restrictive regime become a model for the others?
• Finally, instead of attempting to stifle all information flows or block new technologies that facilitate information sharing, are we better off — as Brin suggests — channeling our energy in to increasing transparency across the board so that those who hold information about us are forced to reveal what they have or know?  Of course, that will lead some to suggest — as many privacy advocates do today — that we should be given more control over the uses of that information once it is in the wild.  Again, what I am assuming here is that that is increasingly an exercise in futility.

[Here’s an oped of mine that recently ran on Reuters.  Readers will recognize many of these themes and arguments since I have developed them here on the TLF many times before.]

Privacy Regulation and the “Free” Internet

by Adam Thierer, Mercatus Center at George Mason University

Would you like to pay $20 a month for Facebook, or a dime every time you did a search on Google or Bing?  That’s potentially what is at stake if the Obama administration and advocates of stepped-up regulation of online advertising get their way.

The Internet feels like the ultimate free lunch.  Once we pay for basic access, a cornucopia of seemingly free services and content is at our fingertips.  But those services don’t just fall to Earth like manna from heaven.  What powers the “free” Internet are data collection and advertising. In essence, the relationship between consumers and online content and service providers isn’t governed by any formal contract, but rather by an unwritten  quid pro quo: tolerate some ads or we’ll be forced to charge you for service.  Most consumers gladly take that deal—even if many of them gripe about annoying or intrusive ads, at times.

Nonetheless, calls for regulation persist, especially as advertising grows more sophisticated.  More targeted forms of online advertising hold the promise of better ads more closely tailored to consumers’ interests.  But that also raises anxieties among some Web surfers who fear their privacy might be undermined by increased data collection or “tracking.”

To address those concerns, the Federal Trade Commission (FTC) and the Department of Commerce have stepped-up activity in this arena and has suggested that new rules may be needed. Earlier this month, the FTC released a report endorsing a new regulatory framework, including a so-called “Do Not Track” mechanism to allow easier consumer opt-outs of online data collection and advertising.  Last Thursday, the Commerce Department followed suit with a new report calling for expanded oversight and a new Privacy Policy Office within Commerce.  Meanwhile, discussion continues in Congress about a new “baseline” privacy law.

The stakes in the debate are significant since regulation could fundamentally alter the nature of online commerce and the future of how digital content and services are provided.  Curtailing data collection and online advertising could be killing the goose that lays the Internet’s golden eggs.  Such regulation will likely have a particularly deleterious impact on small publishers and service providers, who depend almost entirely upon online advertising.  In turn, this could curtail new entry and innovation—and new forms of speech and culture.

Some regulatory advocates don’t hide their desire to move the U.S. in the direction the European Union has charted with its “data directives” and more stringent forms of privacy regulation.  But America’s refusal thus far to walk down that more regulatory path offers scholars the chance to evaluate Europe’s more restrictive approach and study whether America’s lead in the global digital marketplace might be tied to its more “hands-off” approach to online regulation. A recent study by Avi Goldfarb and Catherine Tucker found that “after the [European Union’s] Privacy Directive was passed [in 2002], advertising effectiveness decreased on average by around 65 percent in Europe relative to the rest of the world.” They argue that because regulation decreases ad effectiveness, “this may change the number and types of businesses sustained by the advertising-supporting Internet.” Regulation of advertising and data collection for privacy purposes, it seems, can affect the global competitiveness of online firms.

Regulatory efforts will be complicated by the fact that privacy is a highly subjective condition and definitions of consumer “harm” vary widely.  Many of us don’t much worry about data collection or advertising online; we merrily go along our way surfing free sites, services, and content.  But a handful of vocal pro-regulatory privacy advocates and organizations have successfully convinced many policymakers that the hyper-sensitive concerns of a small minority should trump all other considerations.

Ironically, many of those privacy advocates bash copyright law and claim it is an information control regime, yet privacy regulation would constitute a stronger information control regime by creating the equivalent of copyright for personal information (which would, in turn, conflict mightily with the First Amendment).  In essence, privacy regulations limit the right of people to talk about other people, or communicate facts about them.  This raises serious free speech concerns and has particularly troubling ramifications for press freedoms.  Restrictions on advertising could also have an effect on non-commercial speech, such as political ads or non-profit communication.

Some proposed privacy regulations, such as a “Do Not Track” mandate, would also require a re-architecting of the Internet and the potential regulation of every Web browser to ensure compliance.  If our experience with attempting to eradicate email spam through regulation proves anything, it’s that such schemes are unlikely to work given the Net’s borderless nature.

There is a better path to balancing privacy interests and economic growth than through an onerous privacy regulatory regime. Educating and empowering consumers with more, and better, privacy-enhancing tools can help alleviate much of the concern about data collection or advertising intrusiveness.  The most-downloaded add-on for both the Firefox and Chrome web browsers is AdBlock Plus, which blocks advertising on most sites. A host of other tools are available to block or limit various types of data collection, and every major browser has privacy control tools and anonymous surfing modes to help users limit data collection.

Again, because privacy is a subjective condition, not everyone takes advantage of these empowerment tools.  The crucial point, however, is that the tools exist and they need not be perfect to be preferable to government regulation, which, in this case, could decimate the “free” Internet as we know it.

Adam Thierer is a senior research fellow at the Mercatus Center at George Mason University where he works with the Technology Policy Program. Thierer covers technology, media, Internet, and free speech policy issues with a particular focus in online child safety and digital privacy policy issues. The views expressed are his own.

Yesterday, the Federal Trade Commission (FTC) hosted an all-day workshop on “Protecting Kids’ Privacy Online,” which looked into the Children’s Online Privacy Protection Act of 1998 (COPPA) and challenges posed to its enforcement by new technological developments. The FTC staff did a nice job bringing together and moderating 5 panels worth of participants, all of whom had plenty of interesting things to say about the future of COPPA.  But I was more struck by what was not said yesterday. Namely, there was:

• ZERO explanation of the supposed harms of advertising, marketing, and data collection. Advertising-bashing is an old sport here in Washington, so I guess I should not have been surprised to hear several panelists yesterday engaging in teeth-gnashing and hand-wringing about advertising, marketing, and the data collection methods that make it possible. But this grousing just went on and on without any explanation by the critics of the supposed harms that would result from it.
• ZERO appreciation of the benefits of advertising, marketing, and data collection. Not once yesterday — NOT ONCE — did anyone pause to ask what it is that makes all these wonderful online sites, services and content free (or dirt cheap) to consumers.  Everyone at this show was guilty of the “manna fallacy” (that all this stuff just falls magically to Earth from the Net Gods above). Well, back here in the real world, something has to pay for all those goodies, and that something is advertising and marketing, which are facilitated by data collection! Or would you like to pay $19.95 a month for each of those currently free sites and services? Yeah, I didn’t think so.

• Almost ZERO discussion of the excellent steps that so many websites are taking today above and beyond COPPA to make sure online communities are safe. What I found most amazing about the day’s discussion was the way many people seem to assume that COPPA is the most important approach to keeping kids safe online. In reality, as I have pointed out in my past work, COPPA is one the least important things that keeps kids safe online. It’s what sites do after kids get into their communities that is really important. And, until the last panel of the day, we heard very little about the important steps that countless online sites and communities take to make sure they offer more safe and secure environments for kids. In particular, beyond basic parental controls, moderation and intervention efforts by site operators are increasing within social networking sites, virtual worlds, and many other sites to ensure that they offer such “well lit” neighborhoods. Failure to integrate this into the discussion was the major failing of the day.

• Little discussion of the role of parents should play in mentoring their kids online. So, I’m a parent.  Two kids. Ages 8 and 5. Guess what? They love commercial messages! I let them see them. Online and off. We talk about them. I explain to them not to believe everything they see. I explain that sometimes people are just out to sell them silly stuff they don’t need or, worse yet, scam them out of their money. I explain that there’s a lot of crap out there. And I explain to them that they should always consult with mom and dad about purchasing decisions to get our advice and consent. Hey… there’s a word for this: mentoring (otherwise known as “good parenting.”) Yes, yes, I know COPPA is suppose to aid parents in this regard, but honestly, I only think of COPPA as a small speed bump.  It can slow people — either kids or marketers — down a bit, but it will never stop companies from wanting to sell products or people (including kids) from wanting to buy them.  This is life in a capitalistic society, folks. Unless you want to live in some Marxist “Worker’s Paradise” where we ban all commercial messages and tightly limit consumption and consumer choice (and “wasteful capitalist” competition!), you better get used to it. And, to go back to point #1, you have yet to show me how exposure to commercial messages “harms” kids.  I’m not saying I want to subject my kids to an endless bombardment-by-ads, but as with everything else in this world, there is a sensible way to educate them using a combination of good mentoring and media literacy.
• ZERO acknowledgment that COPPA expansion puts the law on a collision course with COPA, which has already been litigated and found unconstitutional. During the fourth panel yesterday on “Emerging Parental Verification Access and Methods,” there was some troubling talk of turning schools or mobile phone operators into online credentialing authorities. I’ve discussed the dangers of these approaches to online age verification here before (especially the insanely misguided suggestion that schools should become DMVs for our kids and be passing out digital credentials). Which brings up a broader concern not really discussed at all yesterday: At what point would an expansion of COPPA’s “verifiable parental consent” requirements converge with the unconstitutional mandatory age verification model found in the Children’s Online Protection Act (COPA)? We fought an epic, decade-long legal battle over COPA only to have the entire framework tossed out as a violation of the First Amendment. This issue was at the heart of the COPPA 2.0 paper Berin Szoka and I released last year, and a theme Berin recently explained in his Senate testimony and subsequent answers to questions for the Congressional Record.

Anyway, I could go on but I’ll just stop there and reference a few other things that we’ve been doing on COPPA and age verification issues more generally. But everyone should stay tuned to this debate because the prospect for COPPA expansion is quite real and it will have profound ramifications, as the subtitle to our first paper down below explains:

• COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, by Berin Szoka & Adam Thierer
• Response of Berin Szoka to Questions from Sen. Mark Pryor Regarding Hearing on “An Examination of Children’s Privacy: New Technologies & the Children’s Online Privacy Protection Act”
• Written Testimony of Berin Szoka, Hearing on “An Examination of Children’s Privacy: New Technologies & the Children’s Online Privacy Protection Act” before the Subcommittee on Consumer Protection, Committee on Commerce, Science & Transportation, U.S. Senate, April 29, 2010
• Final Statement of Adam Thierer to the Internet Safety Technical Task Force
• “USA Today, Age Verification, and the Death of Online Anonymity,” by Adam Thierer, PFF Blog, Jan. 23, 2008
• Social Networking and Age Verification: Many Hard Questions; No Easy Solutions, by Adam Thierer, March 21, 2007.
• “Age Verification for Social Networking Sites: Is it Possible? Is it Desirable?” event transcript, May 11, 2007.

I finally got around to reading Planet Google: One Company’s Audacious Plan to Organize Everything We Know, by Randall Stross. It’s very well done. Stross is a frequently contributor to the New York Times and the author of several other interesting books on the technology industry. He knows how to weave a story together, and it helps that Google’s story is a pretty amazing one.

Each chapter discusses a different part of Google’s growing family of services — GMail, Google Maps, Google Earth, Book Search, and YouTube. Of course, it all started with search and Stross does a good job explaining how the ingenious Google search algorithm has grown from dorm room project to the greatest aggregator of human knowledge that the world has ever known. This, in turn, has powered Google’s hugely successful online advertising system. The real secret of their success with online advertising, Stross argues, is that “Google’s impersonal, mathematical approach search also provides you with the ability to serve advertisements that are tailored to a search, rather than to the person submitting the search request, whose identity would have to be known.”

Despite the benefits of such generally anonymous searching, as Google has grown and added new services and capabilities, concerns about the sheer volume of data that the company collects have led to heightened privacy concerns. Indeed, privacy is a core theme that Stross uses in the book to tie many of the chapters and issues together. Google is constantly struggling to strike the right balance between providing more access to the world’s information while also being careful not to raise privacy concerns. But it’s unclear exactly how much more information collection that users (or public officials) will tolerate before advocating stricter limits on Google’s reach.  As Stross points out:

Guided by its founding mission, to organize all the world’s information, Google has created storage capacity that allows it to gain control of what its users are you doing in a comprehensive way that no other company has done, and to preserve those records indefinitely, without the need to clear out old records to make way for new ones. Moreover, Google differentiates its service by refining its own proprietary software formula to mine and massage the data, technology that it zealously protects from the sight of rivals. This sets up a conflict between Google’s wish to operate a “black box” (completely opaque to the outside) and its users’ wish for transparency.

At the very least, users would like Google to disclose what protections are in place to safeguard their privacy. It is also natural that users would be curious about the machines that hold their personal data, as well as about which employees within Google have access to that data, and about the risks that it might be leaked, stolen, or transferred, for example, to a government agency that requests it. (p. 62)

Personally, I think most of these privacy fears are overblown. The mundane, trivial aspects of our daily lives aren’t really of much interest to Google. And to the extent users are concerned about their privacy, there are plenty of ways they can take steps to better protect their personal information or web-surfing habits.  Blocking ads, rejecting cookies, and using encryption are three steps that privacy-sensitive users can take to better shield the personal info or surfing habits. Finally, the concern about government access to data is best remedied by limits on what government can access in the first place. We shouldn’t be regulating Google or other companies to limit information collection based on a fear of government access; we just need to tightly limit the government’s ability to enlist private companies as agents of the state.

Still, as Stross points out, privacy concerns persist:

How can users be certain that their personal information won’t be put to uses to which an individual would never willingly consent? Privacy concerns extend across all Internet companies, but those concerns of our greatest where personal information is gathered in the largest pool. This makes the stewardship of Google’s machine a subject of public interest. Whatever is behind a door that is intentionally kept closed will appear sinister, whether deservedly so or not. For the sake of improving its public image, it’s possible that Google may relent and open its doors, at least enough to afford a peek inside. (p. 62)

I think that’s a fair point and this is something Google is really going to struggle with in coming years, especially as its search algorithm and other applications grow more powerful and comprehensive.  A good example of that is already seen with Google’s amazing “Street View” technology, which provides panoramic street-level views of maps searched via Google Maps. “What neither Google nor its critics realized,” Stross says, “was that our anonymity while walking about in public space in the predigital age was protected not by law but by the crude state of technology–we felt invisible only because cameras were not in place to capture our images.” (p. 145)

As a society, we had better get used to this because Street View is just the beginning of what will eventually grow into a far more sophisticated set of technologies as geo-mapping, geo-location, and image retrieval are married to virtual reality technologies. We’re really not that far away from Star Trek “holodecks” being projected into our living rooms, and once those holodecks let us walk down any street in the world, things are going to get both really exciting and a little bit creepy at the same time. But even if Google abandoned Street View tomorrow, somebody else would pick it up and run with it. Innovation in this space cannot be frozen. (Microsoft’s recent launch of Photosynth shows us that).  Google has already taken steps to protect privacy on Street View by blurring facial images and letting users flag “inappropriate or sensitive imagery for blurring or removal.”  That’s about all we can ask for.

Another theme that Stross develops nicely in the book is the ongoing war between Google and Microsoft. He argues that “Google’s ascendance has been accompanied by Microsoft’s decline.” (p. 195)  But that does not mean Google will be able to hold their current lead. As Stross rightly points out:

No computer company has ever been able to enjoy pre-eminence that spans two successive technological eras. IBM in the mainframe era could not head off the ascent of Digital Equipment Corporation in the minicomputer era, which, in turn, could not head off the ascent of Microsoft in the personal computer era.

And now Google has “succeeded in pushing Microsoft into a defensive crouch” and made life very difficult for that supposed “monopolist” of the PC era.  As a result, some Google critics claim this latest King of the Tech Hill cannot be toppled and that Google is the new “monopoly” we need to worry about.  But these fears are also overblown. Google faces threats today from many different providers and doesn’t really even have its act together in other areas. For example, Stross points out how Facebook and other social networking sites have been a real pain for Google. Facebook, in particular, is creating a massive walled garden that is largely outside Google’s search and information retrieval capabilities. “In a twinkling,” Stross argues, “Facebook became a miniature Web universe–behind a wall, inaccessible to Google.” (p. 30)  Meanwhile, in recent months, Google has annouced layoffs and has scuttled a variety of programs and projects which haven’t panned out, including experiments in social networking, virtual worlds, and a Twitter competitor.

But it is tomorrow’s providers and technologies that will pose the most serious challenge to Google’s current hegemony. No one can predict what big application(s) or competitor(s) will emerge next, but it all could happen faster than you think.  After all, let’s not forget that most of us hadn’t even conducted our first Google search 10 years ago, and no one considered Google a serious threat to Microsoft back in 1999.  Just a decade later, Google has Microsoft wondering if they have a future at all. Things can change that rapidly in the digital world and it should make us question the wisdom of government intervention into such a fast-moving field.

Moreover, government micromanagement of the services Google provides–especially search–is troubling to imagine. I don’t even want to think about how a DOJ consent decree would seek to control Google’s algorithm or the search business in general. But some critics are already speaking of “Googleopoly” and calling for a “Federal Search Commission,” foreshadowing the fight to come.  Google’s rapid growth and sheer size may end up tilting both policymakers and public opinion against them more and more in coming years as such “Googlephobia” increases. Stross notes that:

Google’s future will be determined to no small degree by the view that its users hold of the company itself. Google has enjoyed mostly favorable public notice in its first ten years, but maintaining a cuddly, anticorporate image when it stands among the U.S. companies with the largest market capitalization may pose an increasingly difficult challenge. (p. 18)

Indeed, Google’s “Don’t Be Evil” motto is already wearing a little thin in some quarters. And some of us still aren’t even sure what it means. As Google grows bigger and makes buckets more money in coming years–and they likely will–I think Stross is correct in arguing that Google’s honeymoon with the public and policymakers will likely come to an end. That doesn’t mean they won’t still be a great company doing great things, it’s just that they’ll be antagonizing even more competitors, lawmakers, and other groups than they already do today. And that will likely spell serious trouble for them. It’s never good to have so many enemies. Just ask Microsoft!

In the meantime, we shouldn’t lose sight of what an amazing capitalist success story Google has been and how lucky we are that they have been at least a little bit successful in their mission “to organize the world’s information and make it universally accessible and useful.”  It’s an incredible story, and Planet Google is a fine early history of the company and the new era of computing it has ushered in.