I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)

This is the second of two complimentary law review articles I am releasing this year dealing with privacy policy. The first, “The Pursuit of Privacy in a World Where Information Control is Failing,” was published in Vol. 36 of the Harvard Journal of Law & Public Policy this Spring. (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals.

However, precisely because those benefits and costs remain so remarkably subjective and contentious, I argue that we should look to employ less-restrictive solutions — education and awareness efforts, empowerment tools, alternative enforcement mechanisms, etc. — before resorting to potentially costly and cumbersome legal and regulatory regimes that could disrupt the digital economy and the efficient provision of services that consumers desire. This model has worked fairly effectively in the online safety context and can be applied to digital privacy concerns as well.

The article is organized as follows. Part I examines the use of BCA by federal agencies to assess the utility of government regulations. Part II considers how BCA can be applied to online privacy regulation and the challenges federal officials face when determining the potential benefits of regulation. Part III then elaborates on the cost considerations and other trade-offs that regulators face when evaluating the impact of privacy-related regulations. Part IV discusses alternative measures that can be taken by government regulators when attempting to address online safety and privacy concerns. This article concludes that policymakers must consider BCA when proposing new rules but also recognize the utility of alternative remedies such as education and awareness campaigns, to address consumer concerns about online safety and privacy.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and my Mercatus author page.

A Framework for Benefit-Cost Analysis in Digital Privacy Debates by Adam Thierer

I’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complimentary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

The new Harvard Journal article is divided into three major sections. Part I focuses on some of normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.

If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. A so-called “3-E” solution that combines consumer education, user empowerment, and selective enforcement of existing targeted laws and other legal standards (torts, anti-fraud laws, contract law, and so on), has helped society achieve a reasonable balance in terms of addressing online safety while also safeguarding other important values, especially freedom of expression.  That does not mean perfect online safety exists, not only because the term means very different things to different people, but because it would be impossible to achieve in the first instance as a result of information control complications. But the “3-E” approach has the advantage of enhancing online safety without sweeping regulations being imposed that could undermine the many benefits information networks and online services offer individuals and society.  This same framework can guide online privacy decisions—both at the individual household level and the public policy level.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and it should be available on the HJLPP website shortly. [Update 4/16: It is now live on the site.] In coming weeks, I hope to do some blogging that builds on the themes and arguments I develop in this article.

The Pursuit of Privacy in a World Where Information Control is Failing

Another great column by the Wall Street Journal’s Gordon Crovitz, who is quickly becoming my favorite tech policy columnist. In today’s column, “Bloggers Mugged by Regulators,” he comments on the FTC’s new disclosure rules for bloggers, which I discussed here over the weekend.  Crovitz focuses on the enforcement challenges associated with the new rules and also argues that self-regulation should be given a chance to work:

There should be more disclosure, but the Web is different from earlier media in ways that make government regulation less relevant and practical. The Web has its own self-regulatory mechanisms. Failing to disclose interests sullies one’s reputation online, and reputation harm travels faster and lasts longer than it did before the Web. There’s also greater need for caveat emptor online, because there is no practical way that any government agency can monitor the world’s bloggers and posters. There will always be people who post comments about products and services that are self-serving in one way or another, at least by someone’s definition. […] Instead of trying to extend analog-era regulations onto the Web, the FTC should encourage readers to be vigilant about assessing for themselves the independence of sources online. At least we now know the biggest fraudulent claim so far on the Web: It’s been committed by regulators claiming there can be a government stamp of approval on everything anyone posts anywhere on the Web.

Amen brother.

Libertarian folk-hero Rep. Ron Paul has apparently convinced (WSJ) House Financial Services Committee Chairman Barney Frank to implement his proposal (HR 1207) for an audit of the Federal Reserve by the end of 2010. Paul’s Bill would expand existing audits considerably because, under current law, the Government Accountability Office,

can’t review most of the Fed’s monetary policy actions or decisions, including discount window lending (direct loans to financial institutions), open-market operations and any other transactions made under the direction of the Federal Open Market Committee. It also can’t look into the Fed’s transactions with foreign governments, foreign central banks and other international financing organizations… While the bill only seeks a one-time audit, [Paul] said he wants the Fed to be audited at least annually with the report — and details of its transactions — disclosed publicly.

I’d like to up the ante: Let’s make sure that any data disclosures are made in eXtensible Business Reporting Language (XBRL), as Mark Cuban and our own Jim Harper have previously suggested. Such machine-readable disclosures would be much more useful, because the data could be analyzed or “mashed-up” with other data sets to answer questions we might not even be able to formulate today.