Over at the Mercatus Center Bridge blog, Trace Mitchell and I just posted an essay entitled, “A Non-Partisan Way to Help Workers and Consumers,” which discusses the new Federal Trade Commission’s (FTC) Economic Liberty Task Force report on occupational licensing.

We applaud the FTC’s calls for greater occupational licensing uniformity and portability, but regret the missed opportunity to address root problem of excessive licensing more generally. But while FTC is right to push for greater occupational licensing uniformity and portability, policymakers need to confront the sheer absurdity of licensing so many jobs that pose zero risk to public health & safety. Licensing has become completely detached from risk realities and actual public needs.

As the FTC notes, excessive licensing limits employment opportunities, worker mobility, and competition while also “resulting in higher prices, reduced quality, and less convenience for consumers.” These are unambiguous facts that are widely accepted by experts of all stripes. Both the Obama and Trump Administrations, for example, have been completely in league on the need for comprehensive  licensing reforms.

Trace and I argue that we need serious occupational reforms built on the idea of the “right to earn a living” that must pass this test: “All occupational regulations shall be limited to those demonstrably necessary and carefully tailored to fulfill legitimate public health, safety, or welfare objectives.”  Also, all licensing authorities should be put on the clock and be required, within one year, to reassess the wisdom of all existing licenses to ensure they meet that test. If not, they are repealed or reformed.

In recent testimony in Texas, our Mercatus Center colleague Matthew Mitchell has also discussed other reform options, including the “Occupational Board Reform Act,” which recently passed in Nebraska. The goal of the law is to “protect the fundamental right of an individual to pursue a lawful occupation;.” They key provision of the Act demands that state actors:

use the least restrictive regulation which is necessary to protect consumers from undue risk of present, significant, and substantiated harms that clearly threaten or endanger the health, safety, or welfare of the public when competition alone is not sufficient and which is consistent with the public interest;

That’s an excellent approach to reform and when combined with the Right to Earn a Living Act, policymakers can begin to reverse the protectionist, anti-competitive licensing schemes that encumber entrepreneurs and workers across the land.

In forthcoming work, I hope to more fully develop the connection between the right to earn a living, the need for comprehensive licensing reform, and the freedom to innovate more generally. In the meantime, hop over to The Bridge to read our new essay on how the FTC report helps advance this cause..

On June 9th, the Federal Trade Commission hosted an excellent workshop on “The ‘Sharing’ Economy: Issues Facing Platforms, Participants, and Regulators,” which included 4 major panels and dozens of experts speaking about these important issues. It was my great pleasure to be part of the 4th panel of the day on the policy implications of the sharing economy. Along with my Mercatus colleagues Christopher Koopman and Matt Mitchell, I submitted a 20-page filing  to the Commission summarizing our research findings in this area. (We also released a major new working paper that same day on, “How the Internet, the Sharing Economy, and Reputational Feedback Mechanisms Solve the ‘Lemons Problem.’” (All Mercatus Center research on sharing economy issues can be found on this page and we plan on releasing additional papers in coming months.)

The FTC has now posted the videos from their workshop and down below I have embedded my particular panel. My remarks begin around the 5-minute mark of the video.

The Federal Trade Commission (FTC) is taking a more active interest in state and local barriers to entry and innovation that could threaten the continued growth of the digital economy in general and the sharing economy in particular. The agency recently announced it would be hosting a June 9th workshop “to examine competition, consumer protection, and economic issues raised by the proliferation of online and mobile peer-to peer business platforms in certain sectors of the [sharing] economy.” Filings are due to the agency in this matter by May 26th. (Along with my Mercatus Center colleagues, I will be submitting comments and also releasing a big paper on reputational feedback mechanisms that same week. We have already released this paper on the general topic.)

Relatedly, just yesterday, the FTC sent a letter to Michigan policymakers about restricting entry by Tesla and other direct-to-consumer sellers of vehicles. Michigan passed a law in October 2014 prohibiting such direct sales. The FTC’s strongly-worded letter decries the state’s law as “protectionism for independent franchised dealers” noting that “current provisions operate as a special protection for dealers—a protection that is likely harming both competition and consumers.” The agency argues that:

consumers are the ones best situated to choose for themselves both the vehicles they want to buy and how they want to buy them. Automobile manufacturers have an economic incentive to respond to consumer preferences by choosing the most effective distribution method for their vehicle brands. Absent supportable public policy considerations, the law should permit automobile manufacturers to choose their distribution method to be responsive to the desires of motor vehicle buyers.

The agency cites the “well-developed body of research on these issues strongly suggests that government restrictions on distribution are rarely desirable for consumers” and the staff letter continues on to utterly demolish the bogus arguments set forth by defenders of the blatantly self-serving, cronyist law. (For more discussion of just how anti-competitive and anti-consumer these laws are in practice, see this January 2015 Mercatus Center study, “State Franchise Law Carjacks Auto Buyers,” by Jerry Ellig and Jesse Martinez.)

The FTC’s letter is another example of how the agency can take steps using its advocacy tools to explain to state and local policymakers how their laws may be protectionist and anti-consumer in character. Needless to say, this also has ramifications for how the agency approaches parochial restraints on entry and innovation affecting the sharing economy.

In our forthcoming Mercatus Center comments to the FTC for its June 6th sharing economy workshop, Christopher Koopman, Matt Mitchell, and I will address many issues related to the sharing economy and its regulation. Beyond addressing all five of the specific questions asked in the Commission’s workshop notice, we also include a discussion about “Federal Responses to Local Anticompetitive Regulations.” Down below I have reproduced the current rough draft of that section of our filing in the hope of getting input from others. Needless to say, the idea of the FTC aggressively using its advocacy efforts or even federal antitrust laws to address state and local barriers to trade and innovation will make some folks uncomfortable–especially on federalism grounds. But we argue that a good case can be made for the agency using both its advocacy and antitrust tools to address these issues. Let us know what you think.

The Federal Trade Commission possesses two primary tools to address public restraints of trade created by state and local authorities: advocacy and antitrust.[1]

Through its advocacy program, the Commission can provide specific comments to state and local officials regarding the effects of both proposed and existing regulations.[2] Commissioner Joshua Wright has noted that, “For many years, the FTC has used its mantle to comment on legislation and regulation that may restrain competition in a way that harms consumers.”[3] Thus, at a minimum, the Commission can and should shine light on parochial governmental efforts to restrain trade and limit innovation throughout the sharing economy.[4] By shining more light on state or local anti-competitive rules, the Commission will hopefully make governments, or their surrogate bodies (such as licensing boards), more transparent about their practices and more accountable for laws or regulations that could harm consumer welfare. However, to be successful, the Commission’s advocacy efforts depend upon the willingness of state and local legislators and regulators to heed its advice.^[5]

The Commission has already used its advisory role in its recent guidance to state and local policymakers regarding the regulation of ridesharing services. The Commission noted then that “a regulatory framework should be responsive to new methods of competition,” and set forth the following vision regarding what it regards as the proper approach to parochial regulation of passenger transportation services:

Staff recommends that a regulatory framework for passenger vehicle transportation should allow for flexibility and adaptation in response to new and innovative methods of competition, while still maintaining appropriate consumer protections. [Regulators] also should proceed with caution in responding to calls for change that may have the effect of impairing new forms or methods of competition that are desirable to consumers. . . .  In general, competition should only be restricted when necessary to achieve some countervailing procompetitive virtue or other public benefit such as protecting the public from significant harm.[6]

This represents a reasonable framework for addressing concerns about parochial regulation of the sharing economy more generally.

Unfortunately, in areas relevant to the regulation of the sharing economy (e.g., taxicab regulations and rules governing home and apartment rentals) anticompetitive regulations have remained on the books—and in some instances have expanded—in spite of more than 30 years of Commission comment and advocacy.[7]  In fact, as Public Citizen noted in a recent Supreme Court filing:

[M]any more occupations are regulated than ever before, and most boards doing the regulating—in both traditional and new professions—are dominated by industry members who compete in the regulated market. Those board member-competitors, in turn, commonly engage in regulation that can be seen as anticompetitive self-protection. The particular forms anticompetitive regulations take are highly varied, the possibilities seemingly limited only by the imaginations of the board members.[8]

In these instances, the Commission’s antitrust enforcement authority may need to be utilized when its advocacy efforts fall short with regard to regulations that favor incumbents by limiting competition and entry.[9] Many academics have endorsed expanded antitrust oversight of public barriers to trade and innovation.[10] As Commissioner Wright has argued, “the FTC is in a good position to use its full arsenal of tools to ensure that state and local regulators do not thwart new entrants from using technology to disrupt existing marketplace.”[11] He notes specifically that he is “quite confident that a significant shift of agency resources away from enforcement efforts aimed at taming private restraints of trade and instead toward fighting public restraints would improve consumer welfare.”[12] We agree.

The Supreme Court’s recent decision in North Carolina State Board of Dental Examiners v. Federal Trade Commission made it clear that local authorities cannot claim broad immunity from federal antitrust laws.[13] This is particularly true, the Court noted, “where a State delegates control over a market to a nonsovereign actor,” such as a professional licensing board consisting primarily of members of the affected interest being regulated.[14] “Limits on state-action immunity are most essential when a State seeks to delegate its regulatory power to active market participants,” the Court held, “for dual allegiances are not always apparent to an actor and prohibitions against anticompetitive self-regulation by active market participants are an axiom of federal antitrust policy.”[15]

The touchstone of this case and the Court’s related jurisprudence in this area is political accountability.[16] State officials must (1) “clearly articulate” and (2) “actively supervise” licensing arrangements and regulatory bodies if they hope to withstand federal antitrust scrutiny.[17] The Court clarified this test in N.C. Dental holding that “the Sherman Act confers immunity only if the State accepts political accountability for the anticompetitive conduct it permits and controls.”[18] In other words, if state and local officials want to engage in protectionist activities that restrain trade in pursuit of some other countervailing objective, then they need to own up to it by being transparent about their anticompetitive intentions and then actively oversee the process after that to ensure it is not completely captured by affected interests.[19]

Some might argue that this does not go far enough to eradicate anti-competitive barriers to trade at the state or local level that could restrain the innovative potential of the sharing economy. While that may be true, some limits on the Commission’s federal antitrust discretion are necessary to avoid impinging upon legitimate state and local priorities.

Over time, it is our hope that by empowering the public with more options, more information and better ways to shine light on bad actors, the sharing economy will continue to make many of those old regulations unnecessary. Thus, in line with Commissioner Maureen Ohlhausen’s wise advice, the Commission should encourage state and local officials to exercise patience and humility as they confront technological changes that disrupt traditional regulatory systems.[20]

But when parochial regulators engage in blatantly anti-competitive activities that restrain trade, foster cartelization, or harm consumer welfare in other ways, the Commission can act to counter the worst of those tendencies.[21] The Commission’s standard of review going forward was appropriately articulated by Commissioner Wright recently when he noted that, “in the context of potentially disruptive forms of competition through new technologies or new business models, we should generally be skeptical of regulatory efforts that have the effect of favoring incumbent industry participants.”[22]

Such parochial protectionist barriers to trade and innovation will become even more concerning as the potential reach of so many sharing economy businesses grows larger. The boundary between intrastate and interstate commerce is sometimes difficult to determine for many sharing economy platforms. Clearly, much of the commerce in question occurs within the boundaries of a state or municipality, but sharing economy services also rely upon Internet-enabled platforms with a broader reach. To the extent state or local restrictions on sharing economy operations create negative externalities in the form of “interstate spillovers,” the case for federal intervention is strengthened.[23] It would be preferable if Congress chose to deal with such spillovers using its Commerce Clause authority (Art. 1, Sec. 8 of the Constitution),[24] but the presence of such negative externalities might also bolster the case for the Commission’s use of antitrust to address parochial restraints on trade.

[1]     See Maureen K. Ohlhausen, Reflections on the Supreme Court’s North Carolina Dental Decision and the FTC’s Campaign to Rein in State Action Immunity, before the Heritage Foundation, Washington, DC, March 31, 2015, at 19-20.

[2]     Id., at 20. (“The primary goal of such advocacy is to convince policymakers to consider and then minimize any adverse effects on competition that may result from regulations aimed at preventing various consumer harms.”) Also see James C. Cooper and William E. Kovacic, “U.S. Convergence with International Competition Norms: Antitrust Law and Public Restraints on Competition,” Boston University Law Review, Vol. 90, No. 4, (August 2010): 1582, “Competition advocacy helps solve consumers’ collective action problem by acting within the regulatory process to advocate for regulations that do not restrict competition unless there is a compelling consumer protection rationale for imposing such costs on citizens.”).

[3]     Joshua D. Wright, “Regulation in High-Tech Markets:  Public Choice, Regulatory Capture, and the FTC,” Remarks of Joshua D. Wright Commissioner, Federal Trade Commission at the Big Ideas about Information Lecture Clemson University, Clemson, South Carolina, April 2, 2015, at 15, https://www.ftc.gov/public-statements/2015/04/regulation-high-tech-markets-public-choice-regulatory-capture-ftc.

[4]     Cooper and Kovacic, “U.S. Convergence with International Competition Norms,” at 1610, (“Competition agencies could devote greater resources to conduct research to measure the effects of public policies that restrict competition. A research program could accumulate and analyze empirical data that assesses the consumer welfare effects of specific restrictions. Such a program could also assess whether the stated public interest objectives of government restrictions are realized in practice.”)

[5]     Cooper and Kovacic, “U.S. Convergence with International Competition Norms,” at 1582, (“The value of competition advocacy should be measured by (1) the degree to which comments altered regulatory outcomes times (2) the value to consumers of those improved outcomes. For all practical purposes, however, both elements are difficult to measure with any degree of certainty.”).

[6]     Federal Trade Commission, Staff Comments Before the Colorado Public Utilities Commission In The Matter of The Proposed Rules Regulating Transportation By Motor Vehicle, 4 Code of Colorado Regulations, (March 6, 2013), http://ftc.gov/os/2013/03/130703coloradopublicutilities.pdf.

[7]     Marvin Ammori, “Can the FTC Save Uber,” Slate, March 12, 2013, http://www.slate.com/articles/technology/future_tense/2013/03/uber_lyft_sidecar_can_the_ftc_fight_local_taxi_commissions.html (noting that, “not only does the FTC have the authority to take these cities to impartial federal courts and end their anticompetitive actions; it also has deep expertise in taxi markets and antitrust doctrines.”) Also see, Edmund W. Kitch, “Taxi Reform—The FTC Can Hack It,” Regulation, May/June 1984, http://object.cato.org/sites/cato.org/files/serials/files/regulation/1984/5/v8n3-3.pdf.

[8]     Brief of Amici Curiae Public Citizen in Support of Respondent, North Carolina State Bd. of Dental Exam’rs v. FTC, (August 2014): 24.

[9]     Brief of Antitrust Scholars as Amici Curiae in Support of Respondent, North Carolina State Bd. of Dental Exam’rs v. FTC, (August 6, 2014): 24, (“Antitrust review is entirely appropriate for curbing the excesses of occupational licensing because the anticompetitive effect has a similar effect on the market—and in particular consumers—as does traditional cartel activity.”)

[10]   See Mark A. Perry, “Municipal Supervision and State Action Antitrust Immunity,” The University of Chicago Law Review, Vol. 57, (Fall 1990): 1413-1445; William J. Martin, “State Action Antitrust Immunity for Municipally Supervised Parties,” The University of Chicago Law Review, Vol. 72, (Summer, 2005): 1079-1102; Jarod M. Bona, “The Antitrust Implications of Licensed Occupations Choosing Their Own Exclusive Jurisdiction,” University of St. Thomas Journal of Law & Public Policy, Vol 5, (Spring 2011): 28-51; Ingram Weber “The Antitrust State Action Doctrine and State Licensing Boards,” The University of Chicago Law Review, Vol. 79, (2012); Aaron Edlin and Rebecca Haw, “Cartels by Another Name:  Should Licensed Occupations Face Antitrust Scrutiny?,” University of Pennsylvania Law Review, Vol. 162, (2014): 1093-1164.

[11]   Wright, “Regulation in High-Tech Markets,” at 28-9.

[12]   Wright, “Regulation in High-Tech Markets,” at 29.

[13]   North Carolina State Bd. of Dental Exam’rs v. FTC, 135 S. Ct. 1101 (2015).

[14]   Id.

[15]   Id. Also see Edlin & Haw, “Cartels by Another Name,” at 1143, (“Who could seriously argue that an unsupervised group of competitors appointed to regulate their own profession can be counted on to neglect their selfish interests in favor of the state’s?”); Brief Amicus of the Pacific Legal Foundation and Cato Institute, North Carolina State Bd. of Dental Exam’rs v. FTC, (August 2014): 3, (“Antitrust immunity for private parties who act under color of state law is especially problematic, given that anticompetitive conduct is most likely to occur when private parties are in a position to exploit government’s regulatory powers.”)

[16]   See Maureen K. Ohlhausen, Reflections on the Supreme Court’s North Carolina Dental Decision and the FTC’s Campaign to Rein in State Action Immunity, before the Heritage Foundation, Washington, DC, March 31, 2015, at 16, https://www.ftc.gov/public-statements/2015/03/reflections-supreme-courts-north-carolina-dental-decision-ftcs-campaign, (“states need to be politically accountable for whatever market distortions they impose on consumers.”); Edlin & Haw, “Cartels by Another Name,” at 1137, (“political accountability is the price a state must pay for antitrust immunity.)

[17]   See Federal Trade Commission, Office of Policy and Planning, Report of the State Action Task Force (2003): 54, (“clear articulation requires that a state enunciate an affirmative intent to displace competition and to replace it with a stated criterion. Active supervision requires the state to examine individual private conduct, pursuant to that regulatory regime, to ensure that it comports with that stated criterion. Only then can the underlying conduct accurately be deemed that of the state itself, and political responsibility for the conduct fairly placed with the state.”) This test has been developed and refined in a variety of cases over the past 35 years. See: California Retail Liquor Dealers Ass’n v. Midcal Aluminum, Inc., 445 U.S. 97 (1980); Cmty. Comm’ns Co., Inc. v. City of Boulder, 455 U.S. 40, 48-51 (1982); City of Columbia v. Omni Outdoor Advertising, Inc., 499 U.S. 365 (1991); FTC v. Ticor Title Ins. Co., 504 U.S. 621 (1992).

[18]   North Carolina State Bd. of Dental Exam’rs v. FTC, 135 S. Ct. 1101 (2015).

[19]   Edlin & Haw, “Cartels by Another Name,” at 1156. (“Requiring that the state place its imprimatur on regulation is at least better than the status quo, in which states too often delegate self-regulation to professionals and walk away.”) See also North Carolina State Bd. of Dental Exam’rs v. FTC, 135 S. Ct. 1101 (2015) (“[Federal antitrust] immunity requires that the anticompetitive conduct of nonsovereign actors, especially those authorized by the State to regulate their own profession, result from procedures that suffice to make it the State’s own.”).

[20]  Maureen K. Ohlhausen, Commissioner, Fed. Trade Commission, “Regulatory Humility in Practice,” Remarks of the American Enterprise Institute, Washington, D.C. (April 1, 2015).

[21]   Edlin & Haw, “Cartels by Another Name,” at 1094, (“state action doctrine should not prevent antitrust suits against state licensing boards that are comprised of private competitors deputized to regulate and to outright exclude their own competition, often with the threat of criminal sanction.”). See also Brief Amicus of the Pacific Legal Foundation and Cato Institute, North Carolina State Bd. of Dental Exam’rs v. FTC, (August 2014): 2, 21, http://www.americanbar.org/content/dam/aba/publications/supreme_court_preview/BriefsV4/13-534_resp_amcu_plf-cato.authcheckdam.pdf, (noting that courts “should presume strongly against granting state-action immunity in antitrust cases.  It makes little sense to impose powerful civil and criminal punishments on private parties who are deemed to have engaged in anti-competitive conduct, while exempting government entities—or, worse, private parties acting under the government’s aegis—when they engage in the exact same conduct. . . . “Whatever one’s opinion of antitrust law in general, there is no justification for allowing states broad latitude to disregard federal law and erect private cartels with only vague instructions and loose oversight.”)

[22]   Wright, “Regulation in High-Tech Markets,” at 7.

[23]   FTC, Report of the State Action Task Force, 44, (“an unfortunate gap has emerged between scholarship and case law. Although many of the leading commentators have expressed serious concern regarding problems posed by interstate spillovers, their thinking has yet to take root in the law. Such spillovers undermine both economic efficiency and some of the same political representation values thought to be protected by principles of federalism.”); Brief Amicus of the Pacific Legal Foundation and Cato Institute, North Carolina State Bd. of Dental Exam’rs v. FTC, (August 2014): 13, (“Allowing states expansive power to exempt private actors from antitrust laws would also disrupt national economic policy by encouraging a patchwork of state-established entities licensed to engage in cartel behavior. This would disrupt interstate investment and consumer expectations, and would have spillover effects across state lines.”) Cooper and Kovacic, “U.S. Convergence with International Competition Norms,” at 1598, (“When a state exports the costs attendant to its anticompetitive regulatory scheme to those who have not participated in the political process, however, there is no political backstop; arguments for immunity based on federalism concerns are severely weakened, if not wholly eviscerated, in these situations.”

[24]   See Adam Thierer, The Delicate Balance: Federalism, Interstate Commerce, and Economic Freedom in the Technological Age (Washington, DC: The Heritage Foundation, 1998): 81-118.

Yesterday, the Federal Trade Commission (FTC) released its long-awaited report on “The Internet of Things: Privacy and Security in a Connected World.” The 55-page report is the result of a lengthy staff exploration of the issue, which kicked off with an FTC workshop on the issue that was held on November 19, 2013.

I’m still digesting all the details in the report, but I thought I’d offer a few quick thoughts on some of the major findings and recommendations from it. As I’ve noted here before, I’ve made the Internet of Things my top priority over the past year and have penned several essays about it here, as well as in a big new white paper (“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation”) that will be published in the Richmond Journal of Law & Technology shortly. (Also, here’s a compendium of most of what I’ve done on the issue thus far.)

I’ll begin with a few general thoughts on the FTC’s report and its overall approach to the Internet of Things and then discuss a few specific issues that I believe deserve attention.

Big Picture, Part 1: Should Best Practices Be Voluntary or Mandatory?

Generally speaking, the FTC’s report contains a variety of “best practice” recommendations to get Internet of Things innovators to take steps to ensure greater privacy and security “by design” in their products. Most of those recommended best practices are sensible as general guidelines for innovators, but the really sticky question here continued to be this: When, if ever, should “best practices” become binding regulatory requirements?

The FTC does a bit of a dance when answering that question. Consider how, in the executive summary of the report, the Commission answers the question regarding the need for additional privacy and security regulation: “Commission staff agrees with those commenters who stated that there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature.” But, just a few lines later, the agency (1) “reiterates the Commission’s previous recommendation for Congress to enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach;” and (2) “recommends that Congress enact broad-based (as opposed to IoT-specific) privacy legislation.”

Here and elsewhere, the agency repeatedly stresses that it is not seeking IoT-specific regulation; merely “broad-based” digital privacy and security legislation. The problem is that once you understand what the IoT is all about you come to realize that this largely represents a distinction without a difference. The Internet of Things is simply the extension of the Net into everything we own or come into contact with. Thus, this idea that the agency is not seeking IoT-specific rule sounds terrific until you realize that it is actually seeking something far more sweeping: greater regulation of all online / digital interactions. And because “the Internet” and “the Internet of Things” will eventually (if they are not already) be considered synonymous, this notion that the agency is not proposing technology-specific regulation is really quite silly.

Now, it remains unclear whether there exists any appetite on Capitol Hill for “comprehensive” legislation of any variety – although perhaps we’ll learn more about that possibility when the Senate Commerce Committee hosts a hearing on these issues on February 11. But at least thus far, “comprehensive” or “baseline” digital privacy and security bills have been non-starters.

And that’s for good reason in my opinion: Such regulatory proposals could take us down the path that Europe charted in the late 1990s with onerous “data directives” and suffocating regulatory mandates for the IT / computing sector. The results of this experiment have been unambiguous, as I documented in congressional testimony in 2013. I noted there how America’s Internet sector came to be the envy of the world while it was hard to name any major Internet company from Europe. Whereas America embraced “permissionless innovation” and let creative minds develop one of the greatest success stories in modern history, the Europeans adopted a “Mother, May I” regulatory approach for the digital economy. America’s more flexible, light-touch regulatory regime leaves more room for competition and innovation compared to Europe’s top-down regime. Digital innovation suffered over there while it blossomed here.

That’s why we need to be careful about adopting the sort of “broad-based” regulatory regime that the FTC recommends in this and previous reports.

Big Picture, Part 2: Does the FTC Really Need More Authority?

Something else is going on in this report that has also been happening in all the FTC’s recent activity on digital privacy and security matters: The agency has been busy laying the groundwork for its own expansion.

In this latest report, for example, the FTC argues that

Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections… The Commission has continued to recommend that Congress enact strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.

In other words, this agency wants more authority. And we are talking about sweeping authority here that would transcend its already sweeping authority to police “unfair and deceptive practices” under Section 5 of the FTC Act. Let’s be clear: It would be hard to craft a law that grants an agency more comprehensive and open-ended consumer protection authority than Section 5. The meaning of those terms — “unfairness” and “deception” — has always been a contentious matter, and at times the agency has abused its discretion by exploiting that ambiguity.

Nonetheless, Sec. 5 remains a powerful enforcement tool for the agency and one that has been wielded aggressively in recently years to police digital economy giants and small operators alike. Generally speaking, I’m alright with most Sec. 5 enforcement, especially since that sort of retrospective policing of unfair and deceptive practices is far less likely to disrupt permissionless innovation in the digital economy. That’s because it does not subject digital innovators to the sort of “Mother, May I” regulatory system that European entrepreneurs face. But an expansion of the FTC’s authority via more “comprehensive, baseline” privacy and security regulatory policies threatens to convert America’s more sensible bottom-up and responsive regulatory system into the sort of innovation-killing regime we see on the other side of the Atlantic.

Here’s the other thing we can’t forget when it comes to the question of what additional authority to give the FTC over privacy and security matters: The FTC is not the end of the enforcement story in America. Other enforcement mechanism exist, including: privacy torts, class action litigation, property and contract law, state enforcement agencies, and other targeted privacy statutes. I’ve summarized all these additional enforcement mechanisms in my recent law review article referenced above. (See section VI of the paper.)

FIPPS, Part 1: Notice & Choice vs. Use-Based Restrictions

Next, let’s drill down a bit and examine some of the specific privacy and security best practices that the agency discusses in its new IoT report.

The FTC report highlights how the IoT creates serious tensions for many traditional Fair Information Practice Principles (FIPPs). The FIPPs generally include: (1) notice, (2) choice, (3) purpose specification, (4) use limitation, and (5) data minimization. But the report is mostly focused on notice and choice as well as data minimization.

When it comes to notice and choice, the agency wants to keep hope alive that it will still be applicable in an IoT world. I’m sympathetic to this effort because it is quite sensible for all digital innovators to do their best to provide consumers with adequate notice about data collection practices and then give them sensible choices about it. Yet, like the agency, I agree that “offering notice and choice is challenging in the IoT because of the ubiquity of data collection and the practical obstacles to providing information without a user interface.”

The agency has a nuanced discussion of how context matters in providing notice and choice for IoT, but one can’t help but think that even they must realize that the game is over, to some extent. The increasing miniaturization of IoT devices and the ease with which they suck up data means that traditional approaches to notice and choice just aren’t going to work all that well going forward. It is almost impossible to envision how a rigid application of traditional notice and choice procedures would work in practice for the IoT.

Relatedly, as I wrote here last week, the Future of Privacy Forum (FPF) recently released a new white paper entitled, “A Practical Privacy Paradigm for Wearables,” that notes how FIPPs “are a valuable set of high-level guidelines for promoting privacy, [but] given the nature of the technologies involved, traditional implementations of the FIPPs may not always be practical as the Internet of Things matures.” That’s particularly true of the notice and choice FIPPS.

But the FTC isn’t quite ready to throw in the towel and make the complete move toward “use-based restrictions,” as many academics have. (Note: I have lengthy discussion of this migration toward use-based restrictions in my law review article in section IV.D.). Use-based restrictions would focus on specific uses of data that are particularly sensitive and for which there is widespread agreement they should be limited or disallowed altogether. But use-based restrictions are, ironically, controversial from both the perspective of industry and privacy advocates (albeit for different reasons, obviously).

The FTC doesn’t really know where to go next with use-based restrictions. The agency says that, on one hand, “has incorporated certain elements of the use-based model into its approach” to enforcement in the past. On the other hand, the agency says it has concerns “about adopting a pure use-based model for the Internet of Things,” since it may not go far enough in addressing the growth of more widespread data collection, especially of more sensitive information.

In sum, the agency appears to be keeping the door open on this front and hoping that a best-of-all-worlds solution miraculously emerges that extends both notice and choice and use-based limitations as the IoT expands. But the agency’s new report doesn’t give us any sort of blueprint for how that might work, and that’s likely for good reason: because it probably won’t work at that well in practice and there will be serious costs in terms of lost innovation if they try to force unworkable solutions on this rapidly evolving marketplace.

FIPPS, Part 2: Data Minimization

The biggest policy fight that is likely to come out of this report involves the agency’s push for data minimization. The report recommends that, to minimize the risks associated with excessive data collection:

companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. However, recognizing the need to balance future, beneficial uses of data with privacy protection, staff’s recommendation on data minimization is a flexible one that gives companies many options. They can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or deidentify the data they collect. If a company determines that none of these options will fulfill its business goals, it can seek consumers’ consent for collecting additional, unexpected categories of data…

This is an unsurprising recommendation in light of the fact that, in previous major speeches on the issue, FTC Chairwoman Edith Ramirez argued that, “information that is not collected in the first place can’t be misused,” and that:

The indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the off chance that it might prove useful is not consistent with privacy best practices. And remember, not all data is created equally. Just as there is low quality iron ore and coal, there is low quality, unreliable data. And old data is of little value.

In my forthcoming law review article, I discussed the problem with such reasoning at length and note:

if Chairwoman Ramirez’s approach to a preemptive data use “commandment” were enshrined into a law that said, “Thou shall not collect and hold onto personal information unnecessary to an identified purpose.” Such a precautionary limitation would certainly satisfy her desire to avoid hypothetical worst-case outcomes because, as she noted, “information that is not collected in the first place can’t be misused,” but it is equally true that information that is never collected may never lead to serendipitous data discoveries or new products and services that could offer consumers concrete benefits. “The socially beneficial uses of data made possible by data analytics are often not immediately evident to data subjects at the time of data collection,” notes Ken Wasch, president of the Software & Information Industry Association. If academics and lawmakers succeed in imposing such precautionary rules on the development of IoT and wearable technologies, many important innovations may never see the light of day.

FTC Commissioner Josh Wright issued a dissenting statement to the report that lambasted the staff for not conducting more robust cost-benefit analysis of the new proposed restrictions, and specifically cited how problematic the agency’s approach to data minimization was. “[S]taff merely acknowledges it would potentially curtail innovative uses of data. . . [w]ithout providing any sense of the magnitude of the costs to consumers of foregoing this innovation or of the benefits to consumers of data minimization,” he says. Similarly, in her separate statement, FTC Commissioner Maureen K. Ohlhausen worried about the report’s overly precautionary approach on data minimization when noting that, “without examining costs or benefits, [the staff report] encourages companies to delete valuable data — primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive,” she concludes.

Regardless, the battle lines have been drawn by the FTC staff report as the agency has made it clear that it will be stepping up its efforts to get IoT innovators to significantly slow or scale back their data collection efforts. It will be very interesting to see how the agency enforces that vision going forward and how it impacts innovation in this space. All I know is that the agency has not conducted a serious evaluation here of the trade-offs associated with such restrictions. I penned another law review article last year offering “A Framework for Benefit-Cost Analysis in Digital Privacy Debates” that they could use to begin that process if they wanted to get serious about it.

The Problem with the “Regulation Builds Trust” Argument

One of the interesting things about this and previous FTC reports on privacy and security matters is how often the agency premises the case for expanded regulation on “building trust.” The argument goes something like this (as found on page 51 of the new IoT report): “Staff believes such legislation will help build trust in new technologies that rely on consumer data, such as the IoT. Consumers are more likely to buy connected devices if they feel that their information is adequately protected.”

This is one of those commonly-heard claims that sounds so straight-forward and intuitive that few dare question it. But there are problems with the logic of the “we-need-regulation-to-build-trust-and boost adoption” arguments we often hear in debates over digital privacy.

First, the agency bases its argument mostly on polling data. “Surveys also show that consumers are more likely to trust companies that provide them with transparency and choices,” the report says. Well, of course surveys say that! It’s only logical that consumers will say this, just as they will always say they value privacy and security more generally when asked. You might as well ask people if they love their mothers!

But what consumers claim to care about and what they actually do in the real-world are often two very different things. In the real-world, people balance privacy and security alongside many other values, including choice, convenience, cost, and more. This leads to the so-called “privacy paradox,” or the problem of many people saying one thing and doing quite another when it comes to privacy matters. Put simply, people take some risks — including some privacy and security risks — in order to reap other rewards or benefits. (See this essay for more on the problem with most privacy polls.)

Second, online activity and the Internet of Things are both growing like gangbusters despite the privacy and security concerns that the FTC raises. Virtually every metric I’ve looked at that track IoT activity show astonishing growth and product adoption, and projections by all the major consultancies that have studied this consistently predict the continued rapid growth of IoT activity. Now, how can this be the case if, as the FTC claims, we’ll only see the IoT really take off after we get more regulation aimed at bolstering consumer trust? Of course, the agency might argue that the IoT will grow at an even faster clip than it is right now, but there is no way to prove one way or the other. In any event, the agency cannot possible claim that the IoT isn’t already growing at a very healthy clip — indeed, a lot of the hand-wringing the staff engages in throughout the report is premised precisely on the fact that the IoT is exploding faster that our ability to keep up with it!! In reality, it seems far more likely that cost and complexity are the bigger impediments to faster IoT adoption, just as cost and complexity have always been the factors weighing most heavily on the adoption of other digital technologies.

Third, let’s say that the FTC is correct – and it is – when it says that a certain amount of trust is needed in terms of IoT privacy and security before consumers are willing to use more of these devices and services in their everyday lives. Does the agency imagine that IoT innovators don’t know that? Are markets and consumers completely irrational? The FTC says on page 44 of the report that, “If a company decides that a particular data use is beneficial and consumers disagree with that decision, this may erode consumer trust.” Well, if such a mismatch does exist, then the assumption should be that consumers can and will push back, or seek out new and better options. And other companies should be able to sense the market opportunity here to offer a more privacy-centric offering for those consumers who demand it in order to win their trust and business.

Finally, and perhaps most obviously, the problem with the argument that increased regulation will help IoT adoption is that it ignores how the regulations put in place to achieve greater “trust” might become so onerous or costly in practice that there won’t be as many innovations for us to adopt to begin with! Again, regulation — even very well-intentioned regulation — has costs and trade-offs.

In any event, if the agency is going to premise the case for expanded privacy regulation on this notion, they are going to have to do far more to make their case besides simply asserting it.

Once Again, No Appreciation of the Potential for Societal Adaptation

Let’s briefly shift to a subject that isn’t discussed in the FTC’s new IoT report at all.

Regular readers may get tired of me making this point, but I feel it is worth stressing again: Major reports and statements by public policymakers about rapidly-evolving emerging technologies are always initially prone to stress panic over patience. Rarely are public officials willing to step-back, take a deep breath, and consider how a resilient citizenry might adapt to new technologies as they gradually assimilate new tools into their lives.

That is really sad, when you think about it, since humans have again and again proven capable of responding to technological change in creative ways by adopting new personal and social norms. I won’t belabor the point because I’ve already written volumes on this issue elsewhere. I tried to condense all my work into a single essay entitled, “Muddling Through: How We Learn to Cope with Technological Change.” Here’s the key takeaway:

humans have exhibited the uncanny ability to adapt to changes in their environment, bounce back from adversity, and learn to be resilient over time. A great deal of wisdom is born of experience, including experiences that involve risk and the possibility of occasional mistakes and failures while both developing new technologies and learning how to live with them. I believe it wise to continue to be open to new forms of innovation and technological change, not only because it provides breathing space for future entrepreneurialism and invention, but also because it provides an opportunity to see how societal attitudes toward new technologies evolve — and to learn from it. More often than not, I argue, citizens have found ways to adapt to technological change by employing a variety of coping mechanisms, new norms, or other creative fixes.

Again, you almost never hear regulators or lawmakers discuss this process of individual and social adaptation even though they must know there is something to it. One explanation is that every generation has their own techno-boogeymen and lose faith in the ability of humanity to adapt to it.

To believe that we humans are resilient, adaptable creatures should not be read as being indifferent to the significant privacy and security challenges associated with any of the new technologies in our lives today, including IoT technologies. Overly-exuberant techno-optimists are often too quick to adopt a “Just-Get-Over-It!” attitude in response to the privacy and security concerns raised by others. But it is equally unforgivable for those who are worried about those same concerns to utterly ignore the reality of human adaptation to new technologies realities.

Why are Educational Approaches Merely an Afterthought?

One final thing that troubled me about the FTC report was the way consumer and business education is mostly an afterthought. This is one of the most important roles that the FTC can and should play in terms of explaining potential privacy and security vulnerabilities to the general public and product developers alike.

Alas, the agency devotes so much ink to the more legalistic questions about how to address these issues, that all we end up with in the report is this one paragraph on consumer and business education:

Consumers should understand how to get more information about the privacy of their IoT devices, how to secure their home networks that connect to IoT devices, and how to use any available privacy settings. Businesses, and in particular small businesses, would benefit from additional information about how to reasonably secure IoT devices. The Commission staff will develop new consumer and business education materials in this area.

I applaud that language, and I very much hope that the agency is serious about plowing more effort and resources into developing new consumer and business education materials in this area. But I’m a bit shocked that the FTC report didn’t even bother mentioning the excellent material already available on the “On Guard Online” website it helped created with a dozen other federal agencies. Worse yet, the agency failed to highlight the many other privacy education and “digital citizenship” efforts that are underway today to help on this front. I discuss those efforts in more detail in the closing section of my recent law review article.

I hope that the agency spends a little more time working on the development of new consumer and business education materials in this area instead of trying to figure out how to craft a quasi-regulatory regime for the Internet of Things. As I noted last year in this Maine Law Review article, that would be a far more productive use of the agency’s expertise and resources. I argued there that “policymakers can draw important lessons from the debate over how best to protect children from objectionable online content” and apply them to debates about digital privacy. Specifically, after a decade of searching for legalistic solutions to online safety concerns — and convening a half-dozen blue ribbon task forces to study the issue — we finally saw a rough consensus emerge that no single “silver-bullet” technological solutions or legal quick-fixes would work and that, ultimately, education and empowerment represented the better use of our time and resources. What was true for child safety is equally true for privacy and security for the Internet of Things.

It’s a shame the FTC staff squandered the opportunity it had with this new report to highlight all the good that could be done by getting more serious about focusing first on those alternative, bottom-up, less costly, and less controversial solutions to these challenging problems. One day we’ll all wake up and realize that we spent a lost decade debating legalistic solutions that were either technically unworkable or politically impossible. Just imagine if all the smart people who were spending all their time and energy on those approaches right now were instead busy devising and pushing educational and empowerment-based solutions instead!

One day we’ll get there. Sadly, if the FTC report is any indication, that day is still a ways off.

The Mercatus Center at George Mason University has just released my latest working paper, “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation.” The “Internet of Things” (IoT) generally refers to “smart” devices that are connected to both the Internet and other devices. Wearable technologies are IoT devices that are worn somewhere on the body and which gather data about us for various purposes. These technologies promise to usher in the next wave of Internet-enabled services and data-driven innovation. Basically, the Internet will be “baked in” to almost everything that consumers own and come into contact with.

Some critics are worried about the privacy and security implications of the Internet of Things and wearable technology, however, and are proposing regulation to address these concerns. In my new 93-page article, I explain why preemptive, top-down regulation would derail the many life-enriching innovations that could come from these new IoT technologies. Building on a recent book of mine, I argue that “permissionless innovation,” which allows new technology to flourish and develop in a relatively unabated fashion, is the superior approach to the Internet of Things.

As I note in the paper and my earlier book, if we spend all our time living in fear of the worst-case scenarios — and basing public policies on them — then best-case scenarios can never come about. As the old saying goes: nothing ventured, nothing gained. Precautionary principle-based regulation paralyzes progress and must be avoided.  We instead need to find constructive, “bottom-up” solutions to the privacy and security risks accompanying these new IoT technologies instead of top-down controls that would limit the development of life-enriching IoT innovations.

The better alternative is to deal with concerns creatively as they develop, using a balanced, layered approach  involving many different solutions, including: educational efforts, technological empowerment tools, social norms, public and watchdog pressure, industry best practices and self-regulation, transparency, torts and products liability law, and targeted enforcement of existing legal standards as needed.

Generally speaking, patience, humility, and forbearance by policymakers is crucial to allowing greater innovation and consumer choice in this arena. Importantly, policymakers should not forget that societal and individual adaptation will play a role here, just as it has during so many other turbulent technological transformations.

This article can be downloaded on my Mercatus Center page, on SSRN, or at Research Gate. I am hoping to find a law or policy journal interested in publishing this paper soon. If you with a journal and are interested, please contact me. [UPDATE 12/3/14: This paper has been accepted for publication in the Richmond Journal of Law & Technology, Vol. 21, Issue 6 (2015).]

Finally, if you are interested in this topic, you might want to flip through these slides I prepared for a presentation on this topic that I made at the Federal Communications Commission in September:

There are several “flavors” of net neutrality–Eli Noam at Columbia University estimates there are seven distinct meanings of the term–but most net neutrality proponents agree that reinterpreting the 1934 Communications Act and “classifying” Internet service providers as Title II “telecommunications” companies is the best way forward. Proponents argue that ISPs are common carriers and therefore should be regulated much like common carrier telephone companies. Last week I filed a public interest comment about net neutrality and pointed out why the Title II option is unwise and possibly illegal.

For one, courts have defined “common carriers” in such a way that ISPs don’t look much like common carriers. It’s also unlikely that ISPs can be classified as telecommunications providers because Congress defines “telecommunications” as the transmission of information “between or among points specified by the user.” Phone calls are telecommunications because callers are selecting the endpoint–a person associated with the known phone number. Even simple web browsing, however, requires substantial processing by an ISP that often coordinates several networks, servers, and routers to bring the user the correct information, say, a Wikipedia article or Netflix video. Under normal circumstances, this process is completely mysterious to a user. By classifying ISPs as common carriers and telecommunications providers, therefore, the FCC invites immense legal risk.

As I’ve noted before, prioritized data can provide consumer benefits and stringent net neutrality rules would harm the development of new services on the horizon. Title II–in making the Internet more “neutral”–is anti-progress and is akin to putting the toothpaste back in the tube. The Internet has never been neutral, as computer scientist David Clark and others point out, and it’s getting less neutral all the time. VoIP phone service is already prioritized for millions of households. VoLTE will do the same for wireless phone customers.

It’s a largely unreported story that many of the most informed net neutrality proponents, including President Obama’s former chief technology officer, are fine with so-called “fast lanes”–particularly if it’s the user, not the ISP, selecting the services to be prioritized. There is general agreement that prioritized services are demanded by consumers, but Title II would have a predictable chilling effect on new services because of the regulatory burdens.

MetroPCS, for example, a small wireless carrier with about 3% market share attempted selling a purportedly non-neutral phone plan that allowed unlimited YouTube viewing and was pilloried for it by net neutrality proponents. MetroPCS, chastened, dropped the plan. With Title II, a small ISP or wireless carrier wouldn’t dream of attempting such a thing.

In the comment, I note other undesirable effects of Title II, including that it undermines the position the US has held publicly for years that the Internet is different than traditional communications.

If the FCC further intermingles traditional telecommunications with broadband, it may increase the probability of the [International Telecommunications Union] extending sender-pays or other tariffing and tax rules to the exchange of Internet traffic. Several countries proposed instituting sender-pays at a contentious 2012 ITU forum and the United States representatives vigorously fought sender-pays for the Internet. Many developing countries, particularly, would welcome such a change in regulations, because, as Mercatus scholar Eli Dourado found, sender-pays rules “allow governments to export some of their statutory tax burden.” New foreign tariffing rules would function essentially as a transfer of wealth from popular US-based companies like Facebook and Google to corrupt foreign governments and telephone cartels.

Finally, I note that classifying ISPs as common carriers weakens the enforcement of antitrust and consumer protection laws. Generally, it is difficult to bring antitrust lawsuits in extensively regulated industries. After filing my comment, I learned that the FTC also filed a comment noting, similarly, that its Section 5 authority would be limited if the FCC goes the Title II route. Brian Fung and others have since written about this interesting political and legal development. This detrimental effect on antitrust enforcement should weigh against Title II regulation.

There are substantial drawbacks to Title II regulation of ISPs and the FCC should exercise regulatory humility and its traditional hands-off approach to the Internet. In the end, Title II would harm investment in nascent technologies and network upgrades. The harms to consumers and small carriers, particularly, would be immense. It almost makes one think that comedy sketches and “death of the Internet” reporting don’t lead to good public policy.

More Information

See my presentation (36 minutes) on net neutrality and “fast lanes” on the Mercatus website.

On Thursday, it was my great pleasure to present a draft of my forthcoming paper, “The Internet of Things & Wearable Technology: Addressing Privacy & Security Concerns without Derailing Innovation,” at a conference that took place at the Federal Communications Commission on “Regulating the Evolving Broadband Ecosystem.” The 3-day event was co-sponsored by the American Enterprise Institute and the University of Nebraska College of Law.

The 65-page working paper I presented is still going through final peer review and copyediting, but I posted a very rough first draft on SSRN for conference participants. I expect the paper to be released as a Mercatus Center working paper in October and then I hope to find a home for it in a law review. I will post the final version once it is released. [UPDATE:The final version of this working paper was released on November 19, 2014.]

In the meantime, however, I thought I would post the 46 slides I presented at the conference, which offer an overview of the nature of the Internet of Things and wearable technology, the potential economic opportunities that exist in this space, and the various privacy and security challenges that could hold this technological revolution back. I also outlined some constructive solutions to those concerns. I plan to be very active on these issues in coming months.

Additional Reading

• “The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2012
• “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
• My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
• Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)
• [Video] Cap Hill Briefing on Emerging Tech Policy Issues (June 2014)

Much of my recent research and writing has been focused on the contrast between “permissionless innovation” (the notion that innovation should generally be allowed by default) versus its antithesis, the “precautionary principle” (the idea that new innovations should be discouraged or even disallowed until their developers can prove that they won’t cause any harms).  I have discussed this dichotomy in three recent law review articles, a couple of major agency filings, and several blog posts. Those essays are listed at the end of this post.

In this essay, I want to discuss a recent speech by Federal Trade Commission (FTC) Chairwoman Edith Ramirez and show how precautionary principle thinking is increasingly creeping into modern information technology policy discussions, prompted by the various privacy concerns surrounding “big data” and the “Internet of Things” among other information innovations and digital developments.

First, let me recap the core argument I make in my recent articles and filings. It can be summarized as follows:

• If public policy is guided at every turn by the precautionary mindset then innovation becomes impossible because of fear of the unknown. Hypothetical worst-case scenarios trump all other considerations under this mentality. Social learning and economic opportunities become far less likely under such a policy regime. In practical terms, it means fewer services, lower quality goods, higher prices, diminished economic growth, and a decline in the overall standard of living. (See this essay and this one.)
• Wisdom is born of experience, including experiences involving risk and the possibility of mistakes and accidents. Patience and a general openness to permissionless innovation represent the wise disposition toward new technologies not only because it provides breathing space for future entrepreneurialism, but also because it provides an opportunity to observe both the evolution of societal attitudes toward new technologies and how citizens adapt to them. (See this essay.)
• Not every wise ethical principle, social norm, or industry best practice automatically makes for wise public policy. If we hope to preserve a free and open society, we simply cannot convert every ethical directive or norm — no matter how sensible — into a legal directive or else the scope of human freedom and innovation will need to shrink precipitously. (See this essay.)
• The best solutions to complex social problems are organic and “bottom-up” in nature. User education and empowerment, informal household media rules, social pressure, societal norms, and targeted enforcement of existing legal norms (especially through the common law) are almost always superior to “top-down,” command-and-control regulatory edits and bureaucratic schemes of a “Mother, May I” nature. (See this essay).
• For the preceding reasons, when it comes to information technology policy, “permissionless innovation” should, as a general rule, trump “precautionary principle” thinking. To the maximum extent possible, the default position toward new forms of technological innovation should be “innovation allowed,” or what Paul Ohm has appropriately labeled the “anti-Precautionary Principle.” (See this essay.)

Again, we are today witnessing the clash of these conflicting worldviews in a fairly vivid way in many current debates about online commercial data collection, “big data,” and the so-called “Internet of Things.” For example, FTC Chairwoman Ramirez recently delivered a speech at the annual Technology Policy Institute Aspen Forum on the topic of “The Privacy Challenges of Big Data: A View from the Lifeguard’s Chair.” Ramirez made several provocative assertions and demands in the speech, but here’s the one “commandment” I really want to focus on. Claiming that “One risk is that the lure of ‘big data’ leads to the indiscriminate collection of personal information,” Chairwoman Ramirez went on to argue:

The indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the offchance that it might prove useful is not consistent with privacy best practices. And remember, not all data is created equally. Just as there is low quality iron ore and coal, there is low quality, unreliable data. And old data is of little value. (emphasis added)

And later in the speech she goes on to argue that “Information that is not collected in the first place can’t be misused” and then suggests a parade of horribles that will befall if such data collection is allowed at all.

The Problem with “Mother, May I”?

So here we have a rather succinct articulation of precautionary principle thinking as applied to modern data collection practices. Chairwoman Ramirez is essentially claiming that — because there are various privacy risks associated with data collection and aggregation — we must consider preemptive and potentially highly restrictive approaches to the initial collection and aggregation of data.

The problem with that logic should be fairly obvious and it was perfectly identified by the great political scientist Aaron Wildavsky in his seminal 1988 book Searching for Safety. Wildavsky warned of the dangers of the “trial without error” mentality — otherwise known as the precautionary principle approach — and he contrasted it with the trial-and-error method of evaluating risk and seeking wise solutions to it. Wildavsky argued that:

The direct implication of trial without error is obvious: If you can do nothing without knowing first how it will turn out, you cannot do anything at all. An indirect implication of trial without error is that if trying new things is made more costly, there will be fewer departures from past practice; this very lack of change may itself be dangerous in forgoing chances to reduce existing hazards. (emphasis added)

Let’s apply that lesson to Chairwoman Ramirez’s speech. When she argues that “Information that is not collected in the first place can’t be misused,” there is absolutely no doubt that her statement is true. But it is equally true that information that is not collected at all is information that might have been used to provide us with the next “killer app” or the great gadget or digital service that we cannot currently contemplate but that some innovative entrepreneur out there might be looking to develop.

Likewise, claiming that “old data is of little value” and issuing the commandment that “Thou shall not collect and hold onto personal information unnecessary to an identified purpose” reveals a rather stunning arrogance about the possibility of serendipitous data discovery: Either Chairwoman Ramirez doesn’t think it can happen or she doesn’t care if it does. But the reality is that the cornucopia of innovation information options and opportunities we have at our disposal today was driven in large part by data collection, including personal data collection. And often those innovations were not part of some initial grand design; instead they came about through the discovery of new and interesting things that could be done with data after the fact.

For example, many of the information services and digital technologies that we enjoy and take for granted today — language translation tools, mobile traffic services, digital mapping technologies, spam and fraud detection tools, instant spell-checkers, and so on — came about not necessarily because of some initial grand design but rather through innovative thinking after-the-fact about how preexisting data sets might be used in interesting new ways. As Viktor Mayer-Schonberger and Kenneth Cukier point out in their recent book, Big Data: A Revolution That Will Transform How We Live, Work, and Think, “data’s value needs to be considered in terms of all the possible ways it can be employed in the future, not simply how it is used in the present.” “In the big-data age,” they note, “data is like a magical diamond mine that keeps on giving long after its principle value has been tapped.” (p. 103-4)

In any event, if the new policy in the United States is to follow Chairwoman Ramirez’s pronouncement that “Keeping data on the offchance that it might prove useful is not consistent with privacy best practices,” then much of the information economy as we know it today will need to be shut down. At a minimum, entrepreneurs will need to start hiring a lot more lobbyists who can sit in Washington and petition the FTC or other policymakers for permission to innovate whenever they have an interesting new idea for how to use data in order to offer us a new service that was not initially collected for a previously stated purpose. Again, it’s “Mother, May I” regulation and we had better get used to a lot more of it if we go down the path that Chairwoman Ramirez is charting.

Alternative, Less-Restrictive Remedies

But here’s the biggest flaw in Chairwoman Ramirez’s reasoning: There is no need for preemptive, prophylactic, precautionary approaches when less-restrictive and potentially equally effective remedies exist.

The title of Ramirez’s speech was subtitled “A View from the Lifeguard’s Chair,” implying that her role is oversee online practices to ensure consumers are safe. That’s a noble intention, but based on some of her remarks, one is left wondering if her true intention is to just drain the information oceans instead.

But there are better ways to deal with dangerous digital waters. In my work on both online child safety and commercial data privacy, I have argued that the best answer to these complex social problems is a mix of technological controls, social pressure and, informal rules and norms, and, most importantly, education and digital literacy efforts.  And government can play an important role by helping educate and empower citizens to help prepare them for our new media environment.

That was the central finding of a blue-ribbon panel of experts convened in 2002 by the National Research Council of the National Academy of Sciences to study how best to protect children in the new, interactive, “always-on” multimedia world. Under the leadership of former U.S. Attorney General Richard Thornburgh, the group produced an amazing report entitled Youth, Pornography, and the Internet, which outlined a sweeping array of methods and technological controls for dealing with potentially objectionable media content or online dangers. Ultimately, however, the experts used a compelling metaphor to explain why education was the most important tool on which parents and policymakers should rely:

Technology—in the form of fences around pools, pool alarms, and locks—can help protect children from drowning in swimming pools. However, teaching a child to swim—and when to avoid pools—is a far safer approach than relying on locks, fences, and alarms to prevent him or her from drowning. Does this mean that parents should not buy fences, alarms, or locks? Of course not—because they do provide some benefit. But parents cannot rely exclusively on those devices to keep their children safe from drowning, and most parents recognize that a child who knows how to swim is less likely to be harmed than one who does not. Furthermore, teaching a child to swim and to exercise good judgment about bodies of water to avoid has applicability and relevance far beyond swimming pools—as any parent who takes a child to the beach can testify. (p. 224)

Regrettably, as I noted in my old book on online safety, we often fail to teach our children how to swim in the new media waters. Indeed, to extend the metaphor, it is as if we are generally adopting an approach that is more akin to just throwing kids in the deep water and waiting to see what happens. The same is true for digital privacy. We sometimes expect both kids and adults to figure out how to swim in these information currents without a little training first.

To rectify this situation, a serious media literacy and digital citizenship agenda is needed in America. Media literacy programs teach children and adults alike to think critically about media, and to better analyze and understand the messages that media providers are communicating.  I went on to argue in my old book that government should push media literacy efforts at every level of the education process. And those efforts should be accompanied by widespread public awareness campaigns to better inform parents about the parental control tools, rating systems, online safety tips, and other media control methods at their disposal.

In the three recent law review articles listed below, I extended this model to privacy and showed how this bottom-up, education and empowerment-based approach is equally applicable to all the debates we are having today about commercial data collection. And I also stressed to vital importance of personal responsibility and corporate responsibility as part of these digital citizenship efforts.

Conclusion

So, in sum, the key question going forward is: Are we going teach people how to swim, or are we going to drain the information oceans based on the fear that people could be harmed by the very existence of some deep data waters?

Chairwoman Ramirez concluded her speech by noting that, “Like the lifeguard at the beach, though, the FTC will remain vigilant to ensure that while innovation pushes forward, consumer privacy is not engulfed by that wave.” As well-intentioned as that sounds, the thrust of her remarks suggest that fear of the water is prompting this particular lifeguard to consider drastic precautionary steps to save us from the potential dangers of those waves. Needless to say, such a mentality and corresponding policy framework would have profound ramifications.

Indeed, let’s be clear about what’s at stake here. This is not about “protecting corporate profits” or Silicon Valley companies. This is about ensuring that individuals as both citizens and consumers continue to enjoy the myriad benefits that accompany an open, innovative information ecosystem. We can find better ways to address the dangers of deep data waters without draining the info-oceans. Let’s teach people how to swim in those waters and how to be responsible data stewards so that we can all continue to enjoy the many benefits of our modern data-driven economy.

 Additional Reading:

Law Review Articles:

• “The Pursuit of Privacy in a World Where Information Control is Failing” – Harvard Journal of Law & Public Policy
• “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle” – Minnesota Journal of Law, Science & Technology
• “A Framework for Benefit-Cost Analysis in Digital Privacy Debates” – George Mason University Law Review

Blog posts:

• “Who Really Believes in ‘Permissionless Innovation’?” – March 4, 2013
• “What Does It Mean to ‘Have a Conversation’ about a New Technology?”
• “Planning for Hypothetical Horribles in Tech Policy Debates,” August 6, 2013
• “On the Line between Technology Ethics vs. Technology Policy,” August 1, 2013
• “Can We Adapt to the Internet of Things?” – June 19, 2013 (IAPP Privacy perspectives blog)

Testimony / Filings:

• Senate Testimony on Privacy, Data Collection & Do Not Track – April 24, 2013
• Comments of the Mercatus Center to the FTC in Privacy & Security Implications of the Internet of Things
• Mercatus filing to FAA on commercial domestic drones

This afternoon, Berin Szoka asked me to participate in a TechFreedom conference on “COPPA: Past, Present & Future of Children’s Privacy & Media.” [CSPAN video is here.] It was a in-depth, 3-hour, 2-panel discussion of the Federal Trade Commission’s recent revisions to the rules issued under the 1998 Children’s Online Privacy Protection Act (COPPA).

While most of the other panelists were focused on the devilish details about how COPPA works in practice (or at least should work in practice), I decided to ask a more provocative question to really shake up the discussion: What are we going to do when COPPA fails?

My notes for the event follow down below. I didn’t have time to put them into a smooth narrative, so please pardon the bullet points.

COPPA will fail in the long-run for two reasons:

(1)    With COPPA, the FTC is engaged in a technological arms race that it cannot win.

• COPPA was formulated for a Web 1.0 world of static websites with limited interactivity. In that environment is worked reasonably well, although it certainly imposed costs on site developers and affected market structure.
• As we moved into a Web 2.0 world of interactive social media in the mid to late-2000s, however, the rule has been strained by marketplace new realities. COPPA’s drafters never really envisioned sites like Facebook, Twitter, etc.
• In our current environment—let’s call it the Web 2.5 world—we have added mobile geolocation and social discovery to the mix and that is straining COPPA to the breaking point.
• But we are about to enter the Web 3.0 world of the “Internet of Things;” a sensor-based world in which the communication technology will literally be woven into the clothes we wear and all the devices we use.
  • Cisco has estimated that by 2020, 37 billion devices will be linked together and communicating.
  • It will be almost impossible for COPPA to keep up with the explosion of these technologies because everything in our lives and our children’s lives will be interconnected, communicating, and collecting data.
  • Information will be ubiquitously collected simply by nature of the technology itself.
  • The entire Web 3.0 world will be one of comprehensive passive information collection.
  • So, notions like “collection”, “directed at children” and “personal information” will be become impossible to enforce absence a flat-out ban on the technologies themselves

(2)    COPPA will also fail because of the simple reality that the more complicated and costly this regulatory regime becomes, the more likely it is that that both kids and parents will ignore it or seek to actively evade it.

• The actual monetary cost of any online service may obviously be one thing parents and kids seek to avoid.
• But the bigger cost is the mental hassle associated with delayed gratification.
  • When people demand certain services, they want them now. And they will get them even when law gets in the way. And sometimes they value the utility / functionality that those services provide more than they value privacy.
  • A 2011 Harvard-Berkeley study pointed out the evasion is already rampant and that many parents are facilitating that result by encouraging their kids to lie about their ages online.
    • This problem will only increase in the Internet of Things era as kids and parents come to expect all their devices to be communicating at all times and retaining data for them.

So, what are we going to do about? How do we prepare for the post-COPPA world that’s coming?

• We shouldn’t just throw up our hands in defeat.
• But we must accept the technological and practical challenges associated with regulation and seek out alternative approaches.
• Best solution, therefore, is: Education, media literacy, and digital citizenship
  • We need to do a much better job educating both kids and adults about sensible online interactions.
  • We need to talk to our kids and each other about being more savvy, sensible, respectful, and resilient media consumers and digital citizens.
  • In encouraging our kids and fellow Netizens to be good “digital citizens,” we must stress smarter online hygiene (sensible personal data use) and better “Netiquette” (proper behavior toward others), which can further both online safety and digital privacy goals.
  • More generally, as part of these digital literacy and citizenship efforts, we must do more  to explain the potential perils of over-sharing information about ourselves and others while simultaneously encouraging consumers to delete unnecessary online information occasionally and cover their digital footprints in other ways.
  • These education and literacy efforts are also important because they help us adapt to new technological changes by employing a variety of coping mechanisms or new social norms. These efforts and lessons should start at a young age and continue on well into adulthood through other means, such as awareness campaigns and public service announcements.

Additional Reading:

• The Unintended Consequences of Well-Intentioned Privacy Regulation
• Thoughts on Latest FTC COPPA Rule Revisions & Online Child Safety / Privacy
• Joint CDT-PFF-EFF Comments on FTC’s COPPA Review & the Dangers of COPPA Expansion
• What We Didn’t Hear at Yesterday’s FTC COPPA Workshop
• COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, by Berin Szoka & Adam Thierer

In mid-April, the Federal Trade Commission (FTC) requested comments regarding “the consumer privacy and security issues posed by the growing connectivity of consumer devices, such as cars, appliances, and medical devices” or the so-called “Internet of Things.” This is in anticipation of a November 21 public workshop that the FTC will be hosting on the same issue.

These issues are finally starting to catch the attention of the public and policymakers alike with the rise of wearable computing, remote home automation and monitoring technologies, smart grids, autonomous vehicles and intelligent traffic systems, and so on. The Internet of Things represents the next great wave of Internet innovation, but it also represents the next great battleground in the field of Internet policy.

I filed comments with the FTC today in this proceeding and made a few simple points about why they should proceed cautiously here. A summary of my filing follows.

Avoiding a Precautionary Principle for the Internet of Things

First, while it is unclear where the FTC is heading with this proceeding—or for that matter, whether this even a formal proceeding at all—the danger exists that it represents the beginning of a regulatory regime for a new set of information technologies that are still in their infancy. Fearing hypothetical worst-case scenarios about the misuse of some IoT technologies, some policy activists and policymakers could seek to curb or control their development.

Policymakers should avoid acting on those impulses. Simply put, the Internet of Things—like the Internet itself—should not be subjected to a precautionary principle, which would impose preemptive, prophylactic restrictions on this rapidly evolving sector to guard against every theoretical harm that could develop. Preemptive restrictions on the development of the Internet of Things could retard technological innovation and limit the benefits that flow to consumers.

In other words, to the maximum extent possible, the default position toward new forms of technological innovation such as the Internet of Things should be innovation allowed, or what Paul Ohm, who recently joined the FTC as a Senior Policy Advisor, refers to as an “anti-Precautionary Principle.” This policy norm is better captured in the well-known Internet ideal of “permissionless innovation,” or the general freedom to experiment and learn through trial-and-error experimentation. As I noted in a recent essay here:

Wisdom is born of experience, including experiences involving risk and the possibility of mistakes and accidents. Patience and openness to permissionless innovation represent the wise disposition toward new technologies not only because it provides breathing space for future entrepreneurialism, but also because it provides an opportunity to observe both the evolution of societal attitudes toward new technologies and how citizens adapt to them.

Adaptation Is Not Just Possible but Likely

Which leads to the next major point I make in my filing: Humans adapt! The more I study the history of various technological innovations the more I find the same story unfolding: again and again society has found ways to adapt to new technological changes by employing a variety of coping mechanisms or new social norms. In fact, we see a common cycle of initial resistance, gradual adaptation, and then eventual assimilation of new technologies into society. (I previously outlined this cycle in my law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle.”)

I offer several specific examples of this process in action—from the rise of the telephone and the camera to RFID and Gmail. I argue that these examples should give us hope that we will also find ways of adapting to the challenges presented by the rise of the Internet of Things.

Norms Evolve and “Regulate”

Third, my filing discusses how societal norms evolve in response to new technologies and even come to “regulate” acceptable use of those technologies. Law tends to regulate in sweeping ways and then get locked in. Social norms and technological etiquette, by contrast, flexibly evolve in unique ways over time.

Some of these norms or social constraints are more “top-down” and formal in nature in that they are imposed by establishments or organizations in the form of restrictions on technologies. In other cases, these norms or social constraints are purely bottom-up and group-driven. I offer examples of both types of norms in my filing.

Other Remedies Exist or Will Develop as Needed

Finally, I argue in my filing that policymakers should exercise restraint and humility in the face of uncertain change and address harms that develop—if they do at all—after careful benefit-cost analysis of various remedies. I note that many federal and state laws already exist that could address perceived harms associated with these technologies.

And let’s be clear: some misuses and harms will develop, just as they have for every other information technology ever invented. But, to reiterate, we have generally not preemptive applied precautionary regulation to each and every new information technology based on the potential threat of some misuses developing. Instead, we have allowed experimentation and innovation to take place largely unimpeded and then relied on a combination of education, user empowerment, various social norms and coping mechanisms, and then targeted laws as needed after serious harms were demonstrated. That same approach should govern the Internet of Things.

If we succumb to the opposite impulse and apply a “Mother May I?” permissioned approach to the Internet of Things—with innovation only being allowed after regulators deem those technologies “safe” or “acceptable”—then we risk derailing the next great wave of Internet-based innovation. The implications for America’s consumers and our global competitiveness could not be more profound. The result will be fewer services, lower quality goods, higher prices, diminished economic growth, and a decline in the overall standard of living.

Hopefully the FTC is not going down that path with this proceeding or its forthcoming workshop on the Internet of Things. But stay tuned. This set of issues is expanding rapidly and promises to produce heated privacy, security, and safety debates for many years to come.

Please read my filing for more details. I’ve also embedded it below.

Comments of Adam Thierer Mercatus Center in FTC Internet of Things Proceeding (June 2013)

The Information Economy Project at the George Mason University School of Law is hosting a conference tomorrow, Friday, April 19. The conference title is From Monopoly to Competition or Competition to Monopoly? U.S. Broadband Markets in 2013. There will be two morning panels featuring discussion of competition in the broadband marketplace and the social value of “ultra-fast” broadband speeds.

We have a great lineup, including keynote addresses from Commissioner Joshua Wright, Federal Trade Commission and from Dr. Robert Crandall, Brookings Institution.

The panelists include:

Eli Noam, Columbia Business School

Marius Schwartz, Georgetown University, former FCC Chief Economist

Babette Boliek, Pepperdine University School of Law

Robert Kenny, Communications Chambers (U.K.)

Scott Wallsten, Technology Policy Institute

The panels will be moderated by Kenneth Heyer, Federal Trade Commission and Gus Hurwitz, University of Pennsylvania, respectively. A continental breakfast will be served at 8:00 am and a buffet lunch is provided. We expect to adjourn at 1:30 pm. You can find an agenda here and can RSVP here. Space is limited and we expect a full house, so those interested are encouraged to register as soon as possible.

Last week on his personal blog, Peter Fleischer, Global Privacy Counsel for Google, posted an interesting essay entitled “We Need a Better, Simpler Narrative of US Privacy Laws.” Fleischer says that Europe has done a better job marketing its privacy regime to the world than the United States and argues that “The US has to figure out how to explain its privacy laws on the global stage” since “Europe is convincing many countries around the world to implement privacy laws that follow the European model.” He notes that “in the last year alone, a dozen countries in Latin America and Asia have adopted euro-style privacy laws [while] not a single country, anywhere, has followed the US model.” Fleischer argues that this has ramifications for long-term trade policy and global Internet regulation more generally.

I found this essay very interesting because I deal with some of these issues in my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing” (Harvard Journal of Law & Public Policy, vol. 36, no. 2, Spring 2013). In the article, I suggest that the U.S. does have a unique privacy regime and it is one that is very similar in character to the regime that governs online child safety issues. Whether we are talking about online safety or digital privacy, the defining characteristics of the U.S. regime are that it is bottom-up, evolutionary, education-based, empowerment-focused, and resiliency-centered. It focuses on responding to safety and privacy harms after exhausting other alternatives, including market responses and the evolution of societal norms.

The EU regime, by contrast, is more top-down in character and takes a more static, inflexible view of privacy rights. It tries to impose a one-size-fits-all model on a diverse citizenry and it attempts to do so through heavy-handed data directives and ongoing “agency threats.” It is a regime that makes more sweeping pronouncements about rights and harms and generally recommends a “precautionary principle” approach to technological change in which digital innovation is more “permissioned.”

Put simply, the U.S. regime is reactive in character while the E.U. regime is more preemptive.  The U.S. system focuses on responding to safety and privacy problems using a more diverse toolbox of solutions, some of which are governmental in character while others are based on evolving social and market norms and responses. To be clear, law does enter the picture here in the U.S., but it does so in a very different way than it does in the E.U.  Fleischer actually explains that point quite nicely in his essay:

[W]hat is the US model?  People in the privacy profession know that the US has a dense “patchwork” model of privacy laws: every individual US State has numerous privacy laws, the Federal government has numerous sectoral laws, and numerous other “non-privacy” laws, like consumer protection laws, are regularly invoked in privacy matters.  Regulators in many corners of government, ranging from State attorneys general, to the Federal Trade Commission, and armies of class action lawyers inspect every privacy issue for possible actions.

Indeed, in my new law review article, I summarize the litany of cases the FTC has brought recently on the data security and privacy front using its authority under Section 5 of the Federal Trade Commission Act to police “unfair and deceptive” practices. State AGs are active on this front as well, and there is plenty of class action activity every time there’s a privacy or data security screw-up.

Meanwhile, public officials continue to work collaboratively with privacy advocates, corporations, and educators to develop better education and awareness-building efforts, including “best practices” on safety, security, and privacy issues.

For more details on this U.S. model, please consult pages 436-454 of my article, in which I provide a comprehensive overview of what I refer to as America’s “3-E Approach” to dealing with online safety and digital privacy concerns. The “3-Es” refer to education, empowerment, and targeted enforcement of existing legal standards. As I note in the article:

[America’s “3-E Approach”] does not imagine it is possible to craft a single, universal solution to online safety or privacy concerns. It aims instead to create a flexible framework that can help individuals cope with a world of rapidly evolving technological change and constantly shifting social and market norms as they pertain to information sharing.

But what frustrates Fleischer is that the U.S model still doesn’t translate into a simple narrative for international audiences:

How on earth do you explain US privacy laws to an international audience?  How do you explain the role of class action litigation to people in countries where it doesn’t even exist?  The US privacy law narrative is convoluted. That’s a pity, since almost all of the global privacy professionals with whom I’ve discussed this issue agree with me that the sum of all the individual parts of US privacy laws amounts to a robust legal framework to protect privacy.  (I didn’t say “perfect”, since laws never are, and I’m not grading them either.) By contrast, Europe’s privacy narrative is simple and appealing.  Its laws are very general, aspirational, horizontal and concise.  Critics could say they’re also inevitably vague, as any high-level law would have to be.  But, like the US Bill of Rights, they have a sort of simple and profound universality that has inspired people around the world.  And they are enforced (at least, on paper) by a single, identifiable, specialist regulator.

I understand the frustration Fleischer is expressing here regarding how to frame the U.S. model for broader audiences. But the crucial point here is that, as he correctly notes, “the sum of all the individual parts of US privacy laws amounts to a robust legal framework to protect privacy,” even if it is the case that we will never achieve anything near perfection when it comes to online privacy (or online safety for that matter). But it is unfortunate that Fleischer ignores the many other moving pieces at work here that are important to the U.S. system, especially the diverse array of educational and awareness-building efforts as well as the astonishing array of empowerment tools that currently exist to help user protect their privacy to the degree they desire.

Of course, it should also be obvious that the U.S. regime is never going to appeal to a global audience as much as Europe’s privacy regime for the same reason that many other U.S. policy regimes don’t appeal to certain countries or their leaders: Our systems aren’t regulatory enough in character for them! But while those top-down, centralized, preemptive regulatory regimes will almost always be more “aspirational, horizontal and concise” — and, therefore, have greater appeal to activist-minded lawmakers and regulators — that also means those regimes will likely leave less breathing room for social evolution (i.e., evolving norms about safety and privacy) and economic innovation (new digital goods and services that potentially disrupt those regulatory expectations). That has real consequences for long-term growth and overall consumer welfare.

Regardless, to the extent we need “a better, simpler narrative for U.S. privacy policy” as Fleischer suggests, I believe we can boil it down to a few words: bottom-up, evolutionary, flexible, and reactive. What this means for public policy is clear: We need diverse tools and solutions for a diverse citizenry, while leaving plenty of breathing room for ongoing innovation and the evolution of social norms and market responses. Whether it’s online safety or digital privacy, public policy should take into account the extraordinary diversity of citizen needs and tastes and leave the ultimate decision about acceptable online content and interactions to them. We should look to educate and empower citizens so that they can make decisions about their online safety and privacy for themselves so that policymakers are not constantly trying to make decisions on their behalf.

This is a model worth defending, even if it is sometimes hard to delineate its contours.  Please read my HJLPP article for a fuller exploration of that model and a defense of it.

In the upcoming issue of Harvard Business Review, my colleague Paul Nunes at Accenture’s Institute for High Performance and I are publishing the first of many articles from an on-going research project on what we are calling “Big Bang Disruption.”

The project is looking at the emerging ecosystem for innovation based on disruptive technologies.  It expands on work we have done separately and now together over the last fifteen years.

Our chief finding is that the nature of innovation has changed dramatically, calling into question much of the conventional wisdom on business strategy and competition, especially in information-intensive industries–which is to say, these days, every industry.

The drivers of this new ecosystem are ever-cheaper, faster, and smaller computing devices, cloud-based virtualization, crowdsourced financing, collaborative development and marketing, and the proliferation of mobile everything.  There will soon be more smartphones sold than there are people in the world.  And before long, each of over one trillion items in commerce will be added to the network.

The result is that new innovations now enter the market cheaper, better, and more customizable than products and services they challenge.  (For example, smartphone-based navigation apps versus standalone GPS devices.)  In the strategy literature, such innovation would be characterized as thoroughly “undiscplined.”  It shouldn’t succeed.  But it does.

So when the disruptor arrives and takes off with a bang, often after a series of low-cost, failed experiments, incumbents have no time for a competitive response.  The old rules for dealing with disruptive technologies, most famously from the work of Harvard’s Clayton Christensen, have become counter-productive.   If incumbents haven’t learned to read the new tea leaves ahead of time, it’s game over.

The HBR article doesn’t go into much depth on the policy implications of this new innovation model, but the book we are now writing will.  The answer should be obvious.

This radical new model for product and service introduction underscores the robustness of market behaviors that quickly and efficiently correct many transient examples of dominance, especially in high-tech markets.

As a general rule (though obviously not one without exceptions), the big bang phenomenon further weakens the case for regulatory intervention.  Market dominance is sustainable for ever-shorter periods of time, with little opportunity for incumbents to exploit it.

Quickly and efficiently, a predictable next wave of technology will likely put a quick and definitive end to any “information empires” that have formed from the last generation of technologies.

Or, at the very least, do so more quickly and more cost-effectively than alternative solutions from regulation.  The law, to paraphrase Mark Twain, will still be putting its shoes on while the big bang disruptor has spread halfway around the world.

Unfortunately, much of the contemporary literature on competition policy from legal academics is woefully ignorant of even the conventional wisdom on strategy, not to mention the engineering realities of disruptive technologies already in the market.  Looking at markets solely through the lens of legal theory is, truly, an academic exercise, one with increasingly limited real-world applications.

Indeed, we can think of many examples where legacy regulation actually makes it harder for the incumbents to adapt as quickly as necessary in order to survive the explosive arrival of a big bang disruptor.  But that is a story for another day.

Much more to come.

Related links:

1. “Creating a ‘Politics of Abundance’ to Match Technology Innovation,” Forbes.com.
2. “Why Best Buy is Going out of Business…Gradually,” Forbes.com.
3. “What Makes an Idea a Meme?“, Forbes.com
4. “The Five Most Disruptive Technologies at CES 2013,” Forbes.com

Obama’s talked a big game about online privacy. He promised reform during the 2008 campaign. A year ago, the White House proposed a “Privacy Bill of Rights.” But so far, the Administration’s delivered little more than fine words. Worse, they’ve focused on the wrong problems.

Government has an important role to play in protecting consumer privacy, but its snooping and surveillance are far bigger problems—which have only grown worse. While Washington talks of a new commercial privacy “Bill of Rights,” the real Bill of Rights is in peril.

The American Revolution erupted, in large part, out of seething resentment at British privacy intrusions—without judicial supervision. Virginia adopted its own Bill of Rights shortly before the Declaration of Independence, including what later became Madison’s Fourth Amendment to the Constitution: “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” Law enforcement must generally obtain a warrant before conducting a search—which means convincing a judge that probable cause exists to believe a crime has been committed.

The Fourth Amendment applies to digital files just like paper files—but only if you don’t give them to a third party. That caveat makes some sense offline: if you gave your diary away, would you really expect it will stay secret? But online, it makes no sense at all: we increasingly store our most private communications on in the “cloud”—on servers owned by Dropbox, Google, Facebook, etc. Congress attempted to fill this judge-made gap in Fourth Amendment protections by passing the Electronic Communications Privacy Act in 1986. But the law protects only data held for short periods—and thus no longer protects us.

Meanwhile, government snooping has grown significantly. Google last week published an updated report showing the company received nearly two and a half times as many requests from law enforcement for user data as in the same period in 2009. Most of these came without a warrant. That isn’t necessarily a problem, since these numbers include both requests for “content” (emails, documents) and basic subscriber information (name, etc.)—and even the Fourth Amendment doesn’t require a warrant for the latter. (After all, law enforcement needs to be able to build an investigation to establish probable cause.) Google, like Facebook, Yahoo! and Microsoft all insist on getting warrants for content information. But smaller companies with fewer lawyers probably don’t. No one really knows how much unconstitutional snooping goes on because Google’s transparency report is quite unusual.

Those internet companies that do insist on warrants generally started doing so only after a federal appellate court in 2010 ruled that the Fourth Amendment requires them—despite that pesky “third party doctrine.” Shortly after the White House report, the Supreme Court handed down a landmark decision in U.S. v Jones requiring a warrant for planting a tracking device on a car. More importantly, five justices called on Congress to craft new legislative protections for location data. Justice Sotomayor lamented the lack of effective protection for content data.

There’s bipartisan support for such reforms but it’s thin. The Senate finally passed a warrant requirement for content in December, handing the matter over to the House. The good news is that the House Republican and Senate Democratic chairmen of the judiciary committees have pledged to work together on a fix. The bad news is that the issue hasn’t yet been made a priority by either party’s leadership. And the Republican-led bill to require a warrant for location data faces a harder fight from law enforcement agencies that still insist they shouldn’t have to bother convincing courts for permission to track our movements.

And still, the Administration has said nothing. The Commerce Department, which drafted the “Bill of Rights” report, is supposed to promote American competitiveness—but doesn’t realize that many American businesses hesitate to adopt cloud-based enterprise software solutions, lest they give a backdoor into their files to Obama’s regulators—who boldly talk about “crucifying ” American companies. That mistrust is an even bigger problem overseas: American companies like Amazon and Salesforce dominate the cloud computing market, yet struggle to get Europeans, in particular, to trust them. Respecting our Constitution would be good for business—if we did it.

Still worse is the mistrust at home and abroad created by the Foreign Intelligence Surveillance and Patriot Acts, which allow national security agencies to snoop online with little judicial oversight—and often without any notice to those whose online communications have been wiretapped. Obama just signed an extension to FISA, despite promises he made as a Senator to filibuster any such bill. Many worry the act legalizes a surveillance program that inadvertently sweeps up Americans’ communications even though its aim is to collect information outside the U.S. The Administration offered no support when a bipartisan coalition tried to “require a report on the impact of the FISA Amendments Act of 2008 on the privacy of the people of the United States.”

Europeans bitterly resent these laws, particularly because they deny recourse to non-U.S. citizens who might be spied on. They’re now threatening to block data transfers to the U.S., essentially shutting off digital trade, by deeming that the U.S. no longer has “adequate” privacy protections. Yet the Commerce Department and the Federal Trade Commission have stayed mum. Why?

As the chief U.S. privacy regulator, the FTC holds the bully pulpit. They haven’t been shy about calling for new legislation to grow their own powers—but haven’t said a word about the problem of unchecked government access. They’ve spent the last four years talking about the threat posed by tracking—by advertisers, not government, as if anyone ever went to jail because of getting the wrong online ad. They want to make our approach to privacy regulation more European to maintain our “adequacy” status—but ignore the Europeans’ bigger concern: government snooping.

They’ve also failed to focus on bigger privacy threats to consumers—like identity theft, the number one complaint at the FTC for over a decade. Under Bush, the FTC focused its limited resources on combating the theft and breach of sensitive online information. Obama’s FTC has held a flurry of privacy workshops, but none focused on identity theft. Congress has failed to pass legislation to set minimum standards for securing consumer data, and the FTC has not used its rulemaking power in the one area where regulation is quite justified. This has left the agency to set security standards piecemeal, in a series of enforcement actions that do little to guide companies on sound data security. The FTC now faces its first court challenge about this approach—and could lose.

In short, if 2012 was a good year for privacy, it’s only because the bar has been set so low—and it wasn’t because the Administration delivered the kind of “Change” he promised on the 2008 campaign. 2013 could turn out better. The ECPA content fix could pass quickly, especially if Republicans eager to shed their stodgy image decide to make it a signature issue. But ECPA reform will be incomplete until it includes the location fix and the other principles around which 77 civil liberties groups, companies and trade associations have rallied in the “Digital Due Process” coalition, founded nearly three years ago. FISA doesn’t seem likely to get better anytime soon, but there is some cause for celebration on government access: Late last year, Congress finally reconstituted the Privacy and Civil Liberties Oversight Board, a key recommendation of the 9/11 Commission. Congress now just needs to confirm the Board’s chairman and appropriate $2 million to fund it—a small price to pay for some degree of oversight on government access. Finally, the retirement of FTC Chairman Jon Leibowitz seems imminent. The new chairman’s confirmation hearings offer a golden opportunity to make clear that privacy protection from government is inextricably intertwined with protection by government against corporate abuses and the negligence that leads to real harms like identity theft.

Any of these developments would be well worth celebrating on Privacy Day 2014.

[Crossposted at Forbes.com]

That was the response of a friend currently in Rwanda who had issued a Facebook plea for someone to upload the weird “Innocence of Muslims” video to Dropbox.

“Oh, where is the stupid internet in Rwanda?????” she exclaimed.

In typical snark, I had asked, “What do you connect to Dropbox with? Tin-can on string?”

She actually has Internet access, but she finds YouTube so much less reliable than other platforms that she asks friends to upload YouTube videos elsewhere.

I anecdotally find YouTube videos to be clunky downloads compared to others. Quite naturally, I watch fewer videos on YouTube and more on other platforms. I don’t know, but guess, that Google has made some decision to economize on video downloads—a high percentage of people probably watch only the first third of any video, so why send them the whole thing right away?—and that its imperfect implementation has me watching the spinning “pause” wheel (or playing “snake”) routinely when I think a YouTube offering would be interesting.

Would the Google of five years have allowed that? It’s well known that Google recognizes speed as an important elements of quality service on the Internet.

And this is why antitrust action against Google is unwarranted. When companies get big, they lose their edge, as I’m guessing Google is losing its edge in video service. This opens the door to competitors as part of natural economic processes.

Just the other week, I signed up with Media.net and I’ll soon be running tests on whether it gets better results for me on WashingtonWatch.com than Google AdSense. So far so good. A human customer service representative navigated me through the (simple) process of opening an account and getting their ad code.

These are anecdotes suggesting Google’s competitive vulnerability. But you can get a more systematic airing of views at TechFreedom’s event September 28th: “Should the FTC Sue Google Over Search?“

The Federal Trade Commission issued a report today calling on companies “to adopt best privacy practices.” In related news, most people support airline safety… The report also “recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.”

This is regulatory cheerleading of the same kind our government’s all-purpose trade regulator put out a dozen years ago. In May of 2000, the FTC issued a report finding “that legislation is necessary to ensure further implementation of fair information practices online” and recommending a framework for such legislation. Congress did not act on that, and things are humming along today without top-down regulation of information practices on the Internet.

By “humming along,” I don’t mean that all privacy problems have been solved. (And they certainly wouldn’t have been solved if Congress had passed a law saying they should be.) “Humming along” means that ongoing push-and-pull among companies and consumers is defining the information practices that best serve consumers in all their needs, including privacy.

Congress won’t be enacting legislation this year, and there doesn’t seem to be any groundswell for new regulation in the next Congress, though President Obama’s reelection would leave him unencumbered by future elections and so inclined to indulge the pro-regulatory fantasies of his supporters.

The folks who want regulation of the Internet in the name of privacy should explain how they will do better than Congress did with credit reporting. In forty years of regulating credit bureaus, Congress has not come up with a system that satisfies consumer advocates’ demands. I detail that government failure in my recent Cato Policy Analysis, “Reputation under Regulation: The Fair Credit Reporting Act at 40 and Lessons for the Internet Privacy Debate.”

Given the importance of privacy self-help—that is, setting your browser to control what it reveals about you when you surf the Web—I was concerned to hear that Google, among others, had circumvented third-party cookie blocking that is a default setting of Apple’s Safari browser. Jonathan Mayer of Stanford’s Center for Internet and Society published a thorough and highly technical explanation of the problem on Thursday.

The story starts with a flaw in Safari’s cookie blocking. Mayer notes Safari’s treatment of third-party cookies:

Reading Cookies Safari allows third-party domains to read cookies.
Modifying Cookies If an HTTP request to a third-party domain includes a cookie, Safari allows the response to write cookies.
Form Submission If an HTTP request to a third-party domain is caused by the submission of an HTML form, Safari allows the response to write cookies. This component of the policy was removed from WebKit, the open source browser behind Safari, seven months ago by Google engineers. Their rationale is not public; the bug is marked as a security problem. The change has not yet landed in Safari.

Mayer says Google was exploiting this yet-to-be-closed loophole to install third-party cookies, the domain of which Safari would then allow to write cookies. After describing “(relatively) straightforward” cookie synching, Mayer says:

But we noticed a special response at the last step for Safari browsers. … Instead of responding with the “_drt_” cookie, the server sends back a page that includes a form and JavaScript to submit the form (using POST) to its own URL.

Third-party cookie blocking evaded, and users’ preferences frustrated.

Ars Technica has published Google’s response, which doesn’t seem to have gone up on any of its blogs, in full. Google says they created this functionality to deliver better services to their users, but doing so inadvertently allowed Google advertising cookies to be set on the browser.

I don’t know that I’m technically sophisticated enough to register a firm judgement, but it looks to me like Google was faced with an interesting dilemma: They had visitors who were signed in to their service and who had opted to see personalized ads and other content, such as ‘+1’s but those same visitors had set their browsers contrary to those desires. Google chose the route better for Google, defeating the browser-set preferences. That, I think, was a mistake.

I wonder if there isn’t some Occam’s Razor that a Google engineer might have applied at some point in this process, thinking, “Golly, we are really going to great lengths to get around a browser setting. Are we sure we should be doing this?” Maybe it would have been more straightforward to highlight to Safari users that their settings were reducing their enjoyment of Google’s services and ads, and to invite those users to change their settings. This, and urging Apple to fix the browser, would have been more consistent with the company’s credo of non-evil.

Now, to the ideological stuff, of which I can think of two items:

1) There is a battle for control of earth out there—well, a battle over whether third-party cookie blocking is good or bad. Have your way advocates. I think the consuming public—that is, the market—should decide.

2) There is a battle to make a federal case out of every privacy transgression. An advocacy group called Consumer Watchdog (which has been prone to privacy buffoonery in the past) hustled out a complaint to the Federal Trade Commission. I think the injured parties should be compensated in full for their loss and suffering, of which there wasn’t any. De minimis non curat lex, so this is actually just a learning opportunity for Google, for browser authors, and for the public.

Kudos and thanks are due to Jonathan Mayer, as well as ★★★★★ and Ashkan Soltani, for exposing this issue.

Today the Federal Trade Commission released a new report entitled, “Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing,” which concludes that “confusing and hard-to-find disclosures do not give parents the control that they need in this area. The FTC argues that “parents need consistent, easily accessible, and recognizable disclosures regarding in-app purchase capabilities so that they can make informed decisions about whether to allow their children to use apps with such capabilities.”

It’s hard to be against the FTC’s “the more disclosure, the better” policy recommendation and I’m not about to come out against it here. But the question is: how much disclosure is enough? Reading through the report and seeing how hard the FTC hammers this point home makes me think the agency wants our app store checkout process to be littered with the pages of fine print disclosure policies that now accompany our credit card statements and home mortgage payments! Seriously, would that make us better off?

As a parent of two kids who both download countless apps on my Android phone, my wife’s iPhone, and our family’s Android tablet, I appreciate a certain amount of disclosure about what sort of information apps are collecting and how they are using it. I think Google’s Android marketplace strikes a nice balance here, providing us with the most crucial facts about what the application will access or share. Apple could do more on disclosure but the company also prides itself (to the dismay of some!) on its rigorous pre-screening process to make sure the apps in the App Store are safe and don’t violate certain privacy and security policies. Yet, as the FTC correctly points out, “the details of this screening process are not clear.” Of course, most Apple users simply don’t give a damn. They’re all too happy to let Apple just take care of it for them even if they’re not really sure what’s happening to their data behind the scenes. The more privacy-sensitive crowd wants greater disclosure and control, of course, and I’m sympathetic to that plea.  But again, how much disclosure is enough? Are you going to wade through pages of disclosure policies and privacy opt-ins before downloading that latest iteration of “Angry Birds” or “Cut the Rope”? Yeah, I didn’t think so.

Anyway, I don’t want to dwell on that. The more interested findings in the survey relate to price and market dynamics and I am hoping people don’t ignore them. After surveying the price of kids’ apps available in the Android Market and Apple App Store, the agency found that, “While prices ranged from free to $9.99, most of the 960 app store promotion pages listed a price of $0.99 or less. Indeed, 77% of the apps in the survey listed an install price of $0.99 or less, and 48% were free.  Free apps appeared to be the most frequently downloaded.” Here’s the pricing breakdown for both Android and Apple:

Folks, these are astonishing numbers. Almost 100% of the most downloaded kids apps in the Android Market are free… as in ZERO dollars and ZERO cents! And while Apple App Store prices tend to be a bit higher, 93% of apps are $2 or less.  This is one of the great consumer success stories of our time. Consumer welfare is vastly enhanced by the presence of hundred of kids apps that serve almost every interest and desire under the sun, and all for less than what you’d pay for a cup of coffee or a gallon of gas.

But wait, there’s more!!

This incredible success story is even more remarkable because of what the FTC finds next about market structure:

Staff found that hundreds of developers were responsible for the apps in the study. Staff encountered 441 unique developers in this study, only twelve of which had apps on both platforms. Only a handful of app developers were responsible for more than 10 apps in our sample. Developers with one app in our sample were popular, accounting for about 50% of all downloads/feedback ratings, even though they were responsible for only about 30% of the apps. In contrast, those developers with more than 10 apps in our sample accounted for about 1% of the feedback ratings for Apple, (and 20% of the downloads for Android) despite accounting for about 20% of all of the apps in the survey. This finding illustrates the broad and diverse nature of the mobile app marketplace.

“Broad and diverse marketplace,” you say?  That might be the understatement of the year!  I challenge you to find another part of not just our online ecosystem but indeed our entire economy that is this broad, diverse, innovate, competitive, and inexpensive.  I’m not sure that such a radically atomistic, mom-and-pop marketplace of entrepreneurs can last forever, but let’s pause and appreciate the fact that it does exist today.

Now, here’s the really interesting part of this story: This is generally what the world of kids’ online services looked like back in the late 1990s as well. It was incredibly diverse with lots of small mom-and-pop sites catering to kids and parents, often at no charge. And then along came COPPA. [Background here for those who are not familiar.] While COPPA helped address the legitimate problems a small handful of bad apples out there at the time created, it also raised serious compliance costs for that entire sector, including the many smaller mom-and-pop sites. In a letter send to the FTC back in 2005, child safety advocate Parry Aftab claimed that, “The cost of obtaining verifiable parental consent for interactive communications is very high, estimated at more than $45 per child, and even at that price difficult to obtain.” I have no idea how accurate that number was then (I think that was way too high of an estimate), or what the compliance cost per child was in the late 1990s, but let’s be conservative and say it was much smaller, perhaps less that a few bucks per child verified under COPPA.  And let’s assume that if we extended COPPA-like regulatory requirements to app stores that there would be some compliance cost. Again, even if the compliance cost was only a buck per kid, can you see how it devastating that would be to all the small mom-and-pop app developers out there who currently only get a dollar or two for their apps (assuming they charge anything at all)? Yes, it’s true that some of them use ads to offset their costs, but those ads have to pick up the tab for all their labor and development costs.  If you add new regulatory compliance costs to the mix, those mom-and-pop developers will be hit very hard. And then we will have far fewer of them. And the ones that remain will likely charge us more than the couple of bucks we pay per app today.

Further, even if the compliance cost per child gets down to a few cents (or tens of cents) per kid for large operators, it’s probably much higher for smaller operators. In other words, most of the costs here are fixed (hiring an extra employee, having lawyers review your policy, etc.), not marginal (the cost of verifying each additional kid), so it’s really hard to say what the real costs are. And with Apple and Google also taking a cut of the apps sold in the market, you really begin to see how adding on any additional compliance costs could hit the bottom lines of smaller app developers in a big way. When margins are this thin, burdensome regulatory mandates hurt even more. And sometimes they can drive you right out of business.

Which brings us back to the FTC’s role here. It’s clear that the consumer protection side of the agency has an important role to play here when it comes to ensuring consumers are better informed about data collection practices and corresponding privacy issues. But let’s not forget that the FTC was originally created as a competition agency. It’s supposed to care about market structure, competition, and consumer welfare. So, I wonder… are the folks in the FTC’s Bureau of Economics paying any attention to what their colleague are doing here? Because if we start layering on privacy regulations, all the good intentions in the world won’t be able to hold back the likely contraction and consolidation of this vibrant industry that will take place as small mom-and-pops struggle to absorb new regulatory burdens and compliance costs.

Something to think about before regulatory intervention drives up consumers prices and drives out of the market the countless entrepreneurs that make this sector so exciting–especially for parents and kids.

[Cross posted at Truth on the Market]

As everyone knows by now, AT&T’s proposed merger with T-Mobile has hit a bureaucratic snag at the FCC. The remarkable decision to refer the merger to the Commission’s Administrative Law Judge (in an effort to derail the deal) and the public release of the FCC staff’s internal, draft report are problematic and poorly considered. But far worse is the content of the report on which the decision to attempt to kill the deal was based.

With this report the FCC staff joins the exalted company of AT&T’s complaining competitors (surely the least reliable judges of the desirability of the proposed merger if ever there were any) and the antitrust policy scolds and consumer “advocates” who, quite literally, have never met a merger of which they approved.

In this post I’m going to hit a few of the most glaring problems in the staff’s report, and I hope to return again soon with further analysis.

As it happens, AT&T’s own response to the report is actually very good and it effectively highlights many of the key problems with the staff’s report. While it might make sense to take AT&T’s own reply with a grain of salt, in this case the reply is, if anything, too tame. No doubt the company wants to keep in the Commission’s good graces (it is the very definition of a repeat player at the agency, after all). But I am not so constrained. Using the company’s reply as a jumping off point, let me discuss a few of the problems with the staff report.

First, as the blog post (written by Jim Cicconi, Senior Vice President of External & Legislative Affairs) notes,

We expected that the AT&T-T-Mobile transaction would receive careful, considered, and fair analysis. Unfortunately, the preliminary FCC Staff Analysis offers none of that. The document is so obviously one-sided that any fair-minded person reading it is left with the clear impression that it is an advocacy piece, and not a considered analysis. In our view, the report raises questions as to whether its authors were predisposed. The report cherry-picks facts to support its views, and ignores facts that don’t. Where facts were lacking, the report speculates, with no basis, and then treats its own speculations as if they were fact. This is clearly not the fair and objective analysis to which any party is entitled, and which we have every right to expect.

OK, maybe they aren’t pulling punches. The fact that this reply was written with such scathing language despite AT&T’s expectation to have to go right back to the FCC to get approval for this deal in some form or another itself speaks volumes about the undeniable shoddiness of the report.

Cicconi goes on to detail five areas where AT&T thinks the report went seriously awry: “Expanding LTE to 97% of the U.S. Population,” “Job Gains Versus Losses,” “Deutsche Telekom, T-Mobile’s Parent, Has Serious Investment Constraints,” “Spectrum” and “Competition.” I have dealt with a few of these issues at some length elsewhere, including most notably here (noting how the FCC’s own wireless competition report “supports what everyone already knows: falling prices, improved quality, dynamic competition and unflagging innovation have led to a golden age of mobile services”), and here (“It is troubling that critics–particularly those with little if any business experience–are so certain that even with no obvious source of additional spectrum suitable for LTE coming from the government any time soon, and even with exponential growth in broadband (including mobile) data use, AT&T’s current spectrum holdings are sufficient to satisfy its business plans”).

What is really galling about the staff report—and, frankly, the basic posture of the agency—is that its criticisms really boil down to one thing: “We believe there is another way to accomplish (something like) what AT&T wants to do here, and we’d just prefer they do it that way.” This is central planning at its most repugnant. What is both assumed and what is lacking in this basic posture is beyond the pale for an allegedly independent government agency—and as Larry Downes notes in the linked article, the agency’s hubris and its politics may have real, costly consequences for all of us.

Competition

But procedure must be followed, and the staff thus musters a technical defense to support its basic position, starting with the claim that the merger will result in too much concentration. Blinded by its new-found love for HHIs, the staff commits a few blunders. First, it claims that concentration levels like those in this case “trigger a presumption of harm” to competition, citing the DOJ/FTC Merger Guidelines. Alas, as even the report’s own footnotes reveal, the Merger Guidelines actually say that highly concentrated markets with HHI increases of 200 or more trigger a presumption that the merger will “enhance market power.” This is not, in fact, the same thing as harm to competition. Elsewhere the staff calls this—a merger that increases concentration and gives one firm an “undue” share of the market—“presumptively illegal.” Perhaps the staff could use an antitrust refresher course. I’d be happy to come teach it.

Not only is there no actual evidence of consumer harm resulting from the sort of increases in concentration that might result from the merger, but the staff seems to derive its negative conclusions despite the damning fact that the data shows that wireless markets have seen considerable increases in concentration along with considerable decreases in prices, rather than harm to competition, over the last decade. While high and increasing HHIs might indicate a need for further investigation, when actual evidence refutes the connection between concentration and price, they simply lose their relevance. Someone should tell the FCC staff.

This is a different Wireless Bureau than the one that wrote so much sensible material in the 15th Annual Wireless Competition Report. That Bureau described a complex, dynamic, robust mobile “ecosystem” driven not by carrier market power and industrial structure, but by rapid evolution and technological disruptors. The analysis here wishes away every important factor that every consumer knows to be the real drivers of price and innovation in the mobile marketplace, including, among other things:

1. Local markets, where there are five, six, or more carriers to choose from;
2. Non-contract/pre-paid providers, whose strength is rapidly growing;
3. Technology that is making more bands of available spectrum useful for competitive offerings;
4. The reality that LTE will make inter-modal competition a reality; and
5. The reality that churn is rampant and consumer decision-making is driven today by devices, operating systems, applications and content – not networks.

The resulting analysis is stilted and stale, and describes a wireless industry that exists only in the agency’s collective imagination.

There is considerably more to say about the report’s tortured unilateral effects analysis, but it will have to wait for my next post. Here I want to quickly touch on a two of the other issues called out by Cicconi’s blog post.

Jobs

First, although it’s not really in my bailiwick to comment on the job claims that have been such an important aspect of the public conversations surrounding this merger, some things are simple logic, and the staff’s contrary claims here are inscrutable. As Cicconi suggests, it is hard to understand how the $8 billion investment and build-out required to capitalize on AT&T’s T-Mobile purchase will fail to produce a host of jobs, how the creation of a more-robust, faster broadband network will fail to ignite even further growth in this growing sector of the economy, and, finally, how all this can fail to happen while the FCC’s own (relatively) paltry $4.5 billion broadband fund will somehow nevertheless create approximately 500,000 (!!!) jobs. Even Paul Krugman knows that private investment is better than government investment in generating stimulus – the claim is that there’s not enough of it, not that it doesn’t work as well. Here, however, the fiscal experts on the FCC’s staff have determined that massive private funding won’t create even 96,000 jobs, although the same agency claims that government funding only one half as large will create five times that many jobs. Um, really?

Meanwhile the agency simply dismisses AT&T’s job preservation commitments. Now, I would also normally disregard such unenforceable pronouncements as cheap talk – except given the frequency and the volume with which AT&T has made them, they would suffer pretty mightily for failing to follow through on them now. Even more important perhaps, I have to believe (again, given the vehemence with which they have made the statements and the reality of de facto, reputational enforcement) they are willing to agree to whatever is in their control in a consent decree, thus making them, in fact, legally enforceable. For the staff to so blithely disregard AT&T’s claims on jobs is unintelligible except as farce—or venality.

Spectrum

Although the report rarely misses an opportunity to fail to mention the spectrum crisis that has been at the center of the Administration’s telecom agenda and the focus of the National Broadband Plan, coincidentally authored by the FCC’s staff, the crux of the report seems to come down to a stark denial that such a spectrum crunch even exists. As I noted, much of the staff report amounts to an extended meditation on why the parties can and should run their businesses as the staff say they can and should. The report’s section assessing the parties’ claims regarding the transition to LTE (para 210, ff.) is remarkable. It begins thus:

One of the Applicants’ primary justifications for the necessity of this transaction is that, as standalone firms, AT&T and T-Mobile are, and will continue to be, spectrum and capacity constrained. Due to these constraints, we find it more plausible that a spectrum constrained firm would maximize deployment of more spectrally efficient LTE, rather than limit it. Transitioning to LTE is primarily a function of only two factors: (1) the extent of LTE capable equipment deployed on the network and (2) the penetration of LTE compatible devices in the subscriber base. Although it may make it more economical, the transition does not require “spectrum headroom” as the Applicants claim. Increased deployment could be achieved by both of the Applicants on a standalone basis by adding the more spectrally efficient LTE-capable radios and equipment to the network and then providing customers with dual mode HSPAILTE devices. . . .

Forget the spectrum crunch! It is the very absence of spectrum that will give firms the incentive and the ability to transition to more-efficient technology. And all they have to do is run duplicate equipment on their networks and give all their customers new devices overnight. And, well, the whole business model fits in a few paragraphs, entails no new spectrum, actually creates spectrum, and meets all foreseeable demand (as long as demand never increases which, of course, the report conveniently fails to assess).

Moreover, claims the report, AT&T’s transition to LTE flows inevitably from its competition with Verizon. But, as Cicconi points out, the staff is unprincipled in its disparate treatment of the industry’s competitive conditions. Somehow, without T-Mobile in the mix, prices will skyrocket and quality will be degraded—let’s say, just for example, by not upgrading to LTE (my interpretation, not the staff’s). But 100 pages later, it turns out that AT&T doesn’t need to merge with T-Mobile to expand its LTE network because it will have to do so in response to competition from Verizon anyway. It would appear, however, that Verizon’s power over AT&T operates only if T-Mobile exists separately and AT&T has a harder time competing. Remove T-Mobile and expand AT&T’s ability to compete and, apparently, the market collapses. Such is the logic of the report.

There is much more to criticize in the report, and I hope to have a chance to do so in the next few days.

It remains unclear how interested the Federal Trade Commission (FTC) is in bringing a formal antitrust action against Google, but we at least know that inquiries have been made. I suspect these inquires are far more serious than whatever the agency is fishing for with its new Twitter inquires. After all, as I note in my latest Forbes column, “Google isn’t even a teenager yet (having only been founded in September 1998), but the firm’s rise has been meteoric and it has made a long list of enemies in the process. Practically every major player in the Digital Economy… is gunning for Google these days, both in the commercial and political marketplace.” In this sense, it’s not surprising the FTC might take a keen interest in the company with so many competitors complaining.

Still, I just can’t find much merit in an antitrust case against Google since, as I noted in my column, “The firm’s success seems tied to high quality products that users prefer over rival services. Importantly, barriers to entry are low: there’s nothing stopping new entrants from innovating and offering competing online services to match Google.”

Regardless, instead of arguing about the merits of an antitrust action against Google, let’s consider the more interesting, and I think intractable, question of remedies. Here’s what I had to say about that in my Forbes essay:

[possible remedies] include a so-called Federal Search Commission that would monitor search results to achieve “fairness” or “search neutrality.” Some academics have also suggested a possible mandatory “right of reply” for companies or consumers if they don’t like what a search for their name reveals. This is the equivalent of a Fairness Doctrine for search results. Another idea, borrowed from Microsoft’s antitrust saga in Europe, is a “browser ballot” for specialized search results like maps, stock reports and weather. Just as Microsoft was required by European antitrust officials to offer a “ballot” of alternative browsers before consumers first got online, Google might be forced to show several alternative links for search queries if Google-owned sites are also shown in the results. Even if ballots could be implemented without reducing the usability of search engines—a tall order—it would be difficult, if not impossible, to incorporate all the choices available to consumers. And if government only chose a few, it would be picking winners and losers. Better to let markets decide. Making Google’s proprietary search algorithm more transparent also sounds great until you realize it would make it easier for spammers and scammers to game search results.  Search regulation might also lead to dangerous forms of speech control. Just as the Fairness Doctrine was abused by politicians in the Analog Era, search-tinkering will likely prove too tempting to pass up.  For paternalistic policymakers, search regulation could be an opening to do what they’ve always wanted: “clean up” the Net.

These are just some of the problems with the remedies that have been proposed. Please read some of the essays by Geoff Manne and Josh Wright listed down below for a more in-depth exploration of these issues. Of course, we’re still very early in this process and, if a case against Google moves forward, I suspect we’ll see a number of other possible remedies suggested.

Regardless, I can’t help but have a vague sense of unease about the mere thought of Uncle Sam as Search Czar. Again, from my Forbes essay:

These regulatory solutions would put government bureaucrats in control of the day-to-day management of one of the most dynamic digital technologies ever invented. Treating Google like an essential facility to which all must have equal access on regulated terms would mean subjecting the Internet, still largely free of government control, to public utility-style regulation. It’s hard to imagine that regulating search like local sewage service will benefit consumers in the long run. Government simply doesn’t have a very good track record of steering markets—especially dynamic, fast-evolving ones like this—in more innovative directions.

I think consumers will be better served by Google and its many competitors spending their time focused on creating innovative new products and services rather than making Washington bureaucrats happy.

Additional Reading from TLF Contributors:

• The FTC makes its Google investigation official, now what? – by Geoffrey Manne & Joshua Wright
• What’s really motivating the pursuit of Google? – by Geoffrey Manne
• Search Bias and Antitrust – by Josh Wright
• Sacrificing Consumer Welfare in the Search Bias Debate, Part II – by Josh Wright
• The Problem of Search Engines as Essential Facilities – by Geoffrey Manne
• Why Google probe should worry consumers – by Ryan Radia (in San Jose Mercury News)
• Wired on Google’s Coming Antitrust Nightmare – by Adam Thierer

According to a report today from SAI Business Insider, “The Federal Trade Commission is actively investigating Twitter and the way it deals with the companies building applications and services for its platform.”  Apparently the agency has reached out to some competing application / platform providers to ask questions about Twitter’s recent efforts to exert more control over the uses of its API by third parties. [The Wall Street Journal confirms the FTC’s interest in Twitter.]

It remains to be seen whether this leads to any serious regulatory action against Twitter by the FTC, but such a move wouldn’t necessarily be surprising considering the more activist tilt of the agency recently. It’s even less surprising considering that Columbia University law professor and prolific cyberlaw scholar Tim Wu was appointed as a senior advisor to the FTC earlier this year. When the announcement of Wu’s appointment was made, the Wall Street Journal kicked off an article with the warning, “Silicon Valley has a new fear factor.”  It seems the Journal may have been on to something!

It’s impossible to know how much of an influence Tim Wu is having on the agency, but as I have noted here before, Prof. Wu is man with a healthy appetite for regulatory activism. [See all my essays about Wu’s work here.] Moreover, he’s a man who has already determined that Twitter is a “monopolist” in his November 13, 2010 Wall Street Journal op-ed, “In the Grip of the New Monopolists.”

That essay prompted a fiery response from me [“Tim Wu Redefines Monopoly“] as well as a far more reasoned essay by antitrust gurus Geoff Manne and Josh Wright [“What’s An Internet Monopolist? A Reply to Professor Wu.”] Prof. Wu was kind enough to swing by the TLF and respond to my criticisms in an essay “On the Definition of Monopoly,” which he said served as a “corrective” to my earlier essay [even though I continue to believe that what I said fairly reflected the last four decades of economic wisdom on competition policy and that it is Wu who is well off the reservation with his expansionist views of antitrust enforcement].

Regardless of what one thinks about that exchange, if the FTC is moving forward with a case against Twitter, three practical questions need to be considered: (1) What’s the relevant market? (2) Where’s the harm? and (3) What’s the remedy?

I’ll briefly discuss each question below but should also mention that I already explored many of these issues in my essay,  “A Vision of (Regulatory) Things to Come for Twitter,” so I apologize in advance for the repetition.  I will then discuss all this in the context of Tim Wu’s latest law review article on “Agency Threats” and what he approvingly refers to as regulatory “threat regimes.”

On Market Definition

As I noted in my previous essays, it’s very much unclear how to define the contours of the market Twitter serves. After all, Twitter is only a few years old and it competes with many other forms of communication and information dissemination. For me, Twitter is a partial substitute for blogging, IMs, email, phone calls, RSS feeds, and even radio and television news. Yet, like most others, I continue to use all those other technologies and those technologies continue to pressure Twitter to innovate.

Whatever market it serves, however, Tim Wu is apparently willing to write off that market as already “in the grip” of Twitter. But does Wu really believe that nothing better will come along to compete against Twitter or even replace it entirely?  It reminds me of all the hand-wringing we heard about AOL a decade ago when people predicted its “walled gardens” would someday rule the Internet and IM.  And we all know how that turned out.

If you ask me, this episode again reflects the short-term, static snapshot thinking we all too often see at work in debates over media and technology policy. That is, many cyber-worrywarts are prone to taking snapshots of market activity and suggesting that temporary patterns are permanent disasters requiring immediate correction. Of course, a more dynamic view of progress and competition holds that “market failures” and “code failures” are ultimately better addressed by voluntary, spontaneous, bottom-up responses than by coercive, top-down approaches. [More on that conflict of visions in my book chapter on “The Case for Internet Optimism, Part 2 – Saving the Net From Its Supporters.”]

Regardless, I just don’t see how Wu or the FTC can claim Twitter has monopolized a market that is still so young that we can’t even define it.

On Harm

Even if one accepted Wu’s premise that Twitter was a monopolist, where is the harm? At least in theory, antitrust law is supposed to be about protecting consumer welfare, not competitors. If this whole thing is about UberMedia losing out in some bidding wars for alternative Twitter platforms, well, that’s just pathetic. UberMedia is free to develop or bid on alternative Twitter applications or work with others to develop entirely new services. It’s not like there’s a shortage of them out there.

If the theory is that consumers are being harmed by Twitter exerting more control over its API, I would just remind everyone that (a) we don’t pay a cent for the service that Twitter provides and (b) Twitter is still scrambling to find a way to monetize its service for the long-haul. There are also some legitimate security issues in play here that cut against the claim that what Twitter is doing is anti-consumer.

In sum, it is hard to understand where the harm lies in Twitter taking greater control of its API, and there’s certainly nothing stopping rival innovators from tying to offer a competing service.  140-character text messages aren’t exactly the stuff of traditional “information empires,” as Wu would call them.

On Remedies

Finally, we come to the thorny issue of remedies. I suppose the easiest remedy would be a prohibition on Twitter acquiring any third-party applications provider that currently relies on Twitter’s API. In other words, downstream vertical integration would be forbidden. But there’s about 40 years of antitrust literature explaining why such integration is generally pro-innovation and pro-consumer and shouldn’t be made illegal by antitrust law. Tim Wu may not buy that–and if you’ve read his recent book The Master Switch, you know he absolutely rejects it–but it is standard thinking in the field of industrial organization and antitrust economics today. Most of the economists at the FTC and DOJ could tell him as much.

Another alternative remedy might be Jonathan Zittrain’s “API neutrality” idea, proposed in his 2008 book, The Future of the Internet and How to Stop It. Zittrain suggested that API neutrality–essentially a variant of Net neutrality but for application protocols–might be needed to ensure fair access to certain services or platforms to guarantee that digital “generativity” was not imperiled. On pg. 181 of the book, Zittrain argued that:

“If there is a present worldwide threat to neutrality in the movement of bits, it comes not from restrictions on traditional Internet access that can be evaded using generative PCs, but from enhancements to traditional and emerging appliancized services that are not open to third-party tinkering.”

After engaging in some hand-wringing about “walled gardens” and “mediated experiences,” Zittrain went on to ask: “So when should we consider network neutrality-style mandates for appliancized systems?” He responds to his own question as follows:

“The answer lies in that subset of appliancized systems that seeks to gain the benefits of third-party contributions while reserving the right to exclude it later. … Those who offer open APIs on the Net in an attempt to harness the generative cycle ought to remain application-neutral after their efforts have succeeded, so all those who built on top of their interface can continue to do so on equal terms.” (p. 184)

This might be a fine generic principle, but Zittrain implies that this should be a legal standard to which online providers are held. At one point, he even alludes to the possibility of applying the common law principle of adverse possession more broadly in these contexts. He notes that adverse possession “dictates that people who openly occupy another’s private property without the owner’s explicit objection (or, for that matter, permission) can, after a lengthy period of time, come to legitimately acquire it.” But he doesn’t make it clear when it would be triggered as it pertains to digital platforms or APIs.

Nonetheless, one could imagine it would be one remedy antitrust officials might look to when considering what to do about Twitter exerting greater control over its API. Essentially, Twitter would become the equivalent of a public utility that all would have access to on regulated terms.

As I noted in the first of my many reviews of Zittrain’s book, there are many problems with the logic of API neutrality or the application of adverse possession in these contexts. Here’s my critique of the “API neutrality” notion (again, this is from 2008 so it now sounds a bit dated):

First, most developers who offer open APIs aren’t likely to close them later precisely because they don’t want to incur the wrath of “those who built on top of their interface.” But, second, for the sake of argument, let’s say they did want to abandoned previously open APIs and move to some sort of walled garden. So what? Isn’t that called marketplace experimentation? Are we really going to make that illegal? Finally, if they were so foolish as to engage in such games, it might be the best thing that ever happened to the market and consumers since it could encourage more entry and innovation as people seek out more open, pro-generative alternatives. Consider this example: Now that Apple has opened to door to third-party iPhone development a bit with the SDK, does that mean that under Jonathan’s proposed paradigm we should treat the iPhone as the equivalent of commoditized common carriage device? That seems incredibly misguided to me. If Steve Jobs opens the development door just a little bit only to slam it shut a short time later, he will pay dearly for that mistake in the marketplace. For God’s sake, just spend a few minutes over on the Howard Forums or the PPC Geeks forum if you want to get a taste for the insane amount of tinkering going on out there in the mobile world right now on other systems. If Apple tries to roll back the clock, Microsoft and others will be all too happy to take their business by offering a wealth of devices that allow you to tinker to your heart’s content. We should let such experiments continue and let the future of the Internet be determined by market choices, not regulatory choices such as forced API neutrality.

I think the same critique would apply to efforts to impose API neutrality on Twitter.  Regardless, would such a remedy be imposed through targeted regulatory action, an antitrust consent decree, or perhaps through what Tim Wu calls “agency threats”?

Wu’s “Threat Regime” Model of Internet Governance

Prof. Wu recently published a law review article on “Agency Threats” and what he approvingly refers to as “threat regimes.” The paper is a “defense of regulatory threats in particular contexts.”  Here’s a portion of the abstract:

The use of threats instead of law can be a useful choice — not simply a procedural end run. My argument is that the merits of any regulative modality cannot be determined without reference to the state of the industry being regulated. Threat regimes, I suggest, are important and are best justified when the industry is undergoing rapid change — under conditions of “high uncertainty.” Highly informal regimes are most useful, that is, when the agency faces a problem in an environment in which facts are highly unclear and evolving. Examples include periods surrounding a newly invented technology or business model, or a practice about which little is known.

I’m extremely troubled by this reasoning and can think of a couple of alternative labels for such behavior by government agencies: unaccountable, above-the-law, unconstitutional, anti-democratic, thuggery, regulatory blackmail, and so on.

But what’s even more troubling about Wu’s thinking about “threat regimes” is that he assumes this arbitrary mode of governing-by-intimidation makes even more sense in fast-moving high-tech industries. That seems counter-intuitive. If a given sector finds itself in a state of “high uncertainty” as Wu calls it, doesn’t that mean, by definition, it is dynamic and subject to forces that might bring about beneficial change? And shouldn’t we assume that those are the last sectors we would want regulators monkeying with since bureaucrats lack the requisite knowledge of how to best guide the evolution of complex information technologies?

Wu seems to believe that regulators possess a crystal ball and a set of magical dials that can guide the evolution of technology markets to a better equilibrium through the use of constant Sunstein-ian “nudges” (or perhaps shoves).  I think that’s poppycock.

Regardless, once we realize that this is the way Tim Wu thinks, an FTC investigation into Twitter’s current business practices starts to make a lot more sense. It’s about creating a “threat regime” that intimidates Twitter into to playing by the arbitrary rules of Washington bureaucrats instead of responding to marketplace demands and developments in a natural, evolutionary way. In fact, in his “threats” essay, Wu explicitly rejects that model:

The second option—“wait and see”—may sound attractive because it allows the industry to develop in what might be called a natural way. This approach, however, makes a great sacrifice: the public’s interest may be entirely unrepresented during the industry’s formative period. The risk is that the industry’s norms and business models will, effectively, be set without any public input. Waiting for the industry to settle down may result in undesirable practices that prove extremely hard to reverse or influence with rules issued later. To state the matter more colloquially, the industry may be “baked” by the time there is any real oversight or public input.

In essence, Wu desires a “mixed economy” model for high-tech sectors in which decision are guided at every juncture by the supposed wisdom of techno-cratic philosopher kings like himself. We must trust that he and his fellow regulators will guide us and our economy down an more enlightened path. And we must accept that some “threats” may be necessary to get the job done.

I find this mode of thinking disturbing in the extreme because of the rank hubris at the center of it. Regardless, Twitter appears to be well on its way to becoming a test case for Wu’s “threat” model of Internet governance.

I have an op-ed up at Main Justice on FTC Chairman Leibowitz’ recent comment in response the a question about the FTC’s investigation of Google that the FTC is looking for a “pure Section Five case.”  With Main Justice’s permission, the op-ed is re-printed here:

There’s been a lot of chatter around Washington about federal antitrust regulators’ interest in investigating Google, including stories about an apparent tug of war between agencies. But this interest may be motivated by expanding the agencies’ authority, rather than by any legitimate concern about Google’s behavior.

Last month in an interview with Global Competition Review, FTC Chairman  Jon Leibowitz was asked whether the agency was “investigating the online search market” and he made this startling revelation:

“What I can say is that one of the commission’s priorities is to find a pure Section Five case under unfair methods of competition. Everyone acknowledges that Congress gave us much more jurisdiction than just antitrust. And I go back to this because at some point if and when, say, a large technology company acknowledges an investigation by the FTC, we can use both our unfair or deceptive acts or practice authority and our unfair methods of competition authority to investigate the same or similar unfair competitive behavior . . . . ”

“Section Five” refers to Section Five of the Federal Trade Commission Act. Exercising its antitrust authority, the FTC can directly enforce the Clayton Act but can enforce the Sherman Act only via the FTC Act, challenging as “unfair methods of competition” conduct that would otherwise violate the Sherman Act. Following Sherman Act jurisprudence, traditionally the FTC has interpreted Section Five to require demonstrable consumer harm to apply.

But more recently the commission—and especially Commissioners Rosch and Leibowitz—has been pursuing an interpretation of Section Five that would give the agency unprecedented and largely-unchecked authority. In particular, the definition of “unfair” competition wouldn’t be confined to the traditional measures–reduction in output or increase in price–but could expand to, well, just about whatever the agency deems improper.

Commissioner Rosch has claimed that Section Five could address conduct that has the effect of “reducing consumer choice”—an effect that a very few commentators support without requiring any evidence that the conduct actually reduces consumer welfare. Troublingly, “reducing consumer choice” seems to be a euphemism for “harm to competitors, not competition,” where the reduction in choice is the reduction of choice of competitors who may be put out of business by competitive behavior.

The U.S. has a long tradition of resisting enforcement based on harm to competitors without requiring a commensurate, strong showing of harm to consumers–an economically-sensible tradition aimed squarely at minimizing the likelihood of erroneous enforcement. The FTC’s invigorated interest in Section Five contemplates just such wrong-headed enforcement, however, to the inevitable detriment of the very consumers the agency is tasked with protecting.

In fact, the theoretical case against Google depends entirely on the ways it may have harmed certain competitors rather than on any evidence of actual harm to consumers (and in the face of ample evidence of significant consumer benefits).

Google has faced these claims at a number of levels. Many of the complaints against Google originate from Microsoft (Bing), Google’s largest competitor. Other sites have argued that that Google impairs the placement in its search results of certain competing websites, thereby reducing these sites’ ability easily to access Google’s users to advertise their competing products. Other sites that offer content like maps and videos complain that Google’s integration of these products into its search results has impaired their attractiveness to users.

In each of these cases, the problem is that the claimed harm to competitors does not demonstrably translate into harm to consumers.

For example, Google’s integration of maps into its search results unquestionably offers users an extremely helpful presentation of these results, particularly for users of mobile phones. That this integration might be harmful to MapQuest’s bottom line is not surprising—but nor is it a cause for concern if the harm flows from a strong consumer preference for Google’s improved, innovative product. The same is true of the other claims; harm to competitors is at least as consistent with pro-competitive as with anti-competitive conduct, and simply counting the number of firms offering competing choices to consumers is no way to infer actual consumer harm.

In the absence of evidence of Google’s harm to consumers, then, Leibowitz appears more interested in using Google as a tool in his and Rosch’s efforts to expand the FTC’s footprint. Advancing the commission’s “priority” to “find a pure Section Five case” seems to be more important than the question of whether Google is actually doing anything harmful.

When economic sense takes a back seat to political aggrandizement, we should worry about the effect on markets, innovation and the overall health of the economy.

It might be tempting to laugh at France’s ban on words like “Facebook” and Twitter” in the media. France’s Conseil Supérieur de l’Audiovisuel recently ruled that specific references to these sites (in stories not about them) would violate a 1992 law banning “secret” advertising. The council was created in 1989 to ensure fairness in French audiovisual communications, such as in allocation of television time to political candidates, and to protect children from some types of programming.

Sure, laugh at the French. But not for too long. The United States has similarly busy-bodied regulators, who, for example, have primly regulated such advertising themselves. American regulators carefully oversee non-secret advertising, too. Our government nannies equal the French in usurping parents’ decisions about children’s access to media. And the Federal Communications Commission endlessly plays footsie with speech regulation.

In the United States, banning words seems too blatant an affront to our First Amendment, but the United States has a fairly lively “English only” movement. Somehow, regulating an entire communications protocol doesn’t have the same censorious stink.

So it is that our Federal Communications Commission asserts a right to regulate the delivery of Internet service. The protocols on which the Internet runs are communications protocols, remember. Withdraw private control of them and you’ve got a more thoroughgoing and insidious form of speech control: it may look like speech rights remain with the people, but government controls the medium over which the speech travels.

The government has sought to control protocols in the past and will continue to do so in the future. The “crypto wars,” in which government tried to control secure communications protocols, merely presage struggles of the future. Perhaps the next battle will be over BitCoin, an online currency that is resistant to surveillance and confiscation. In BitCoin, communications and value transfer are melded together. To protect us from the scourge of illegal drugs and the recently manufactured crime of “money laundering,” governments will almost certainly seek to bar us from trading with one another and transferring our wealth securely and privately.

So laugh at France. But don’t laugh too hard. Leave the smugness to them.

I’ve already Tweeted about it, but if you are following Internet privacy debates and have not yet had the chance to read Lauren Weinstein‘s new paper, “Do-Not-Track, Doctor Who, and a Constellation of Confusion,” it is definitely worth a look.  Weinstein, founder of the Privacy Forum, zeroes in on two related issue that I have made the focus of much of my work on this issue: (1) the fact that Do Not Track is seemingly viewed by some as a silver-bullet quick fix to online privacy concerns but will really be far more complicated in practice to enforce, and (2) that Do Not Track regulation will likely have many unintended consequences, most of which are going unexplored by proponents.

For example, Weinstein says:

Do-not-track in actuality encompasses an immensely heterogeneous mosaic of issues and considerations, not appropriately subject to simplistic approaches or “quick fix” solutions.   Approaching this area without a realistic appreciation of such facts is fraught with risks and the potential for major undesirable collateral damages to businesses, organizations, and individuals. Attempts to portray these controversies as “black or white” topics subject to rapid or in some cases even unilaterally imposed resolutions may be politically expedient, but are ultimately both childish and dangerous. […] Above all, we should endeavor to remember that tracking issues both on and off the Internet are in reality part of a complicated whole, a multifaceted  set of problems — and very importantly — potentials as well. The decisions that we make now regarding these issues will likely have far-ranging implications and effects on the Internet for many years to come, perhaps for decades.

Absolutely correct. He also argues that:

Rather than view do-not-track and tracking in general as binary choices, or even as an overly simplistic one-dimensional continuum — with “no tracking” and “tracking” at the good and evil ends of the spectrum respectively — a multidimensional and so significantly more nuanced view would seem to make a great deal better logical sense. For each of us, our comfort levels with “tracking” as it may be most broadly defined — both in Internet and non-Internet contexts — will vary widely depending on specific details and circumstances.

Quite right. I made similar arguments in my February filing to the Federal Trade Commission as part of it Do Not Track proceeding.

Weinstein also asks an important question here:

Even while some divisions of government are proselytizing for the rapid adoption of risky and overly simplistic do-not-track mechanisms that are more akin to sledgehammers than balanced control methodologies, and aimed particularly at ad personalization networks — others in government are pushing hard for vast and comprehensive data retention laws that would require ISPs and Web services to record and maintain detailed records of virtually all Web browsing, email, and other activities. … Why is there such a focus on do-not-track in the relatively innocuous ad serving sector, but often so much hypocritical disregard of government’s desire for encompassing tracking in other contexts that carry enormously larger potentials for abuses?

To be fair, however, I do think that many of the advocates of Do Not Track regulation are also focused on government access to data but I think they sometimes fail to adequately distinguish between the “enormously larger potentials for abuses” associated with government data collection and what Weinstein rightly regards as the far less serious issue of “the relatively innocuous ad serving sector.”  There is a world of difference between what government collects and uses private data to accomplish versus what the private sector does with it. As I pointed out in my latest Forbes column this week, “Governments possess unique powers the private sector lacks, such as taxation, surveillance, fines, and imprisonment.” By contrast, private companies mostly collect data to sell us a better mousetrap at a better price.  It’s hard to see how that is a “harm” in the same league with what government officials and agencies would like to do with data. In fact, that’s really a benefit to consumers.

Anyway, make sure to read Weinstein’s entire essay.  I have not yet seen any responses to it but I very much look forward to seeing what proponents of Do Not Track regulation have to say about his very sharp piece.

Twitter could be in for a world of potential pain. Regulatory pain, that is. The company’s announcement on Friday that it would soon be cracking down on the uses of its API by third parties is raising eyebrows in cyberspace and, if recent regulatory history is any indicator, this high-tech innovator could soon face some heat from regulatory advocates and public policy makers. If this thing goes down as I describe it below, it will be one hell of a fight that once again features warring conceptions of “Internet freedom” butting heads over the question of whether Twitter should be forced to share its API with rivals via some sort of “open access” regulatory regime or “API neutrality,” in particular. I’ll explore that possibility in this essay. First, a bit of background.

Understanding Forced Access Regulation

In the field of communications law, the dominant public policy fight of the past 15 years has been the battle over “open access” and “neutrality” regulation. Generally speaking, open access regulations demand that a company share its property (networks, systems, devices, or code) with rivals on terms established by law. Neutrality regulation is a variant of open access regulation, which also requires that systems be used in ways specified by law, but usually without the physical sharing requirements. Both forms of regulation derive from traditional common carriage principles / regulatory regimes. Critics of such regulation, which would most definitely include me, decry the inefficiencies associated with such “forced access” regimes, as we prefer to label them. Forced access regulation also raises certain constitutional issues related to First and Fifth Amendment rights of speech and property.

The Telecommunications Act of 1996 got this ball rolling with its mandated access provisions for local phone service. To make a very long and tortured history much shorter, this was a battle over how far law should go to force local telephone companies to share their phone lines with rivals at regulated rates. (Check this old piece of mine for a flavor of how well that turned out.) The advocates of open access regulation eventually turned their attention to cable systems and tried (but failed) to apply similar sharing / access rules there. Following those fights, which involved many nasty court skirmishes, the Net neutrality wars broke out. Net neutrality is a type of forced access regime for broadband platforms. Although Net neutrality regulation would not necessarily require carriers to share networks with rivals, it would at least require that platform providers play by special access and interconnection rules set by federal regulators.

Forced access provisions have been used in other contexts. We might think of the provisions we saw at work in the Microsoft antitrust case as a form of forced access regulation. Some may also recall the interconnection provisions that governed AOL’s instant messaging service following its merger with Time Warner (discussed more below). There are other examples, but I think you get the point.

New Frontiers for Forced Access Regulation?

All this history is well known to all readers of this blog and followers of communications policy. The reason I repeat it here is because this fight is now spreading to new sectors, platforms, and technologies.

For example, “search neutrality” is one of those new frontiers of the forced access fight. Some academics and regulatory advocates are pushing for rules that would govern how search results are shown or for special requirements on search providers to eliminate supposed “search bias” or to ensure search “fairness” of various sorts. Make sure to read James Grimmelmann’s terrific treatment of the concept from his chapter in TechFreedom’s book, The Next Digital Decade, and then also listen to this podcast featuring Danny Sullivan dissecting the issue.

Some critics also want to treat search engines (and Google in particular) as “essential facilities.” In another essay from The Next Digital Decade, Geoff Manne has done a good job pointing out why that’s such a misguided idea.

Similarly, some folks (such as danah boyd) are already calling for Facebook to be regulated as a public utility or essential facility. I responded in my essay, “Facebook Isn’t a “Utility” & You Certainly Shouldn’t Want it to Be Regulated As Such,” in which I pointed out that Facebook isn’t exactly a “life-essential” service that is gouging customers, who have plenty of other choices in social networking services.

Adverse Possession & API Neutrality for Twitter?

An equally interesting battle is now set to unfold for Twitter following Friday’s announced changes. To get a flavor for what might lie ahead for the company, we might begin by taking a second look at what Harvard University’s Jonathan Zittrain proposed in his 2008 book, The Future of the Internet and How to Stop It. In that book, Zittrain suggested that “API neutrality” might be needed to ensure fair access to certain cyber-services or digital platforms to ensure “generativity” was not imperiled. On pg. 181 of the book, Zittrain argued that:

“If there is a present worldwide threat to neutrality in the movement of bits, it comes not from restrictions on traditional Internet access that can be evaded using generative PCs, but from enhancements to traditional and emerging appliancized services that are not open to third-party tinkering.”

After engaging in some hand-wringing about “walled gardens” and “mediated experiences,” Zittrain went on to ask: “So when should we consider network neutrality-style mandates for appliancized systems?” He responds to his own question as follows:

“The answer lies in that subset of appliancized systems that seeks to gain the benefits of third-party contributions while reserving the right to exclude it later. … Those who offer open APIs on the Net in an attempt to harness the generative cycle ought to remain application-neutral after their efforts have succeeded, so all those who built on top of their interface can continue to do so on equal terms.” (p. 184)

This might be a fine generic principle, but Zittrain implies that this should be a legal standard to which online providers are held. At one point, he even alludes to the possibility of applying the common law principle of adverse possession more broadly in these contexts. He notes that adverse possession “dictates that people who openly occupy another’s private property without the owner’s explicit objection (or, for that matter, permission) can, after a lengthy period of time, come to legitimately acquire it.” But he doesn’t make it clear when it would be triggered as it pertains to digital platforms or APIs.

As I noted in the first of my many reviews of his book, there are many problems with the logic of API neutrality or the application of adverse possession in these contexts. Here’s my critique of the “API neutrality” notion (again, this is from 2008):

First, most developers who offer open APIs aren’t likely to close them later precisely because they don’t want to incur the wrath of “those who built on top of their interface.” But, second, for the sake of argument, let’s say they did want to abandoned previously open APIs and move to some sort of walled garden. So what? Isn’t that called marketplace experimentation? Are we really going to make that illegal? Finally, if they were so foolish as to engage in such games, it might be the best thing that ever happened to the market and consumers since it could encourage more entry and innovation as people seek out more open, pro-generative alternatives. Consider this example: Now that Apple has opened to door to third-party iPhone development a bit with the SDK, does that mean that under Jonathan’s proposed paradigm we should treat the iPhone as the equivalent of commoditized common carriage device? That seems incredibly misguided to me. If Steve Jobs opens the development door just a little bit only to slam it shut a short time later, he will pay dearly for that mistake in the marketplace. For God’s sake, just spend a few minutes over on the Howard Forums or the PPC Geeks forum if you want to get a taste for the insane amount of tinkering going on out there in the mobile world right now on other systems. If Apple tries to roll back the clock, Microsoft and others will be all too happy to take their business by offering a wealth of devices that allow you to tinker to your heart’s content. We should let such experiments continue and let the future of the Internet be determined by market choices, not regulatory choices such as forced API neutrality.

I think the same critique would apply to efforts to impose API neutrality on Twitter. But before going into more detail, we need to first ask another question: Does Twitter possess “market power” such that their actions warrant antitrust or regulatory scrutiny at all?

But Isn’t Twitter a “Monopoly”?

Savvy readers will recall that influential Columbia Law School cyberlaw professor Tim Wu has already labeled Twitter a “monopoly,” although he has not yet bothered telling us what the relevant market is here. As I pointed out in an essay critiquing the way Prof. Wu flippantly assigns the label “monopoly” to just about any big tech provider, it’s very much unclear what to call the market Twitter serves. After all, the service is only a few years old and competes with many other forms of communication and information dissemination. For me, Twitter is a partial substitute for blogging, IMs, email, phone calls, and my RSS feed. Yet, like most others, I continue to use all those other technologies and those technologies continue to pressure Twitter to innovate.

Regardless, Prof. Wu is now in a position to put his ideas into action since he is currently serving a short tenure as special advisor to the Federal Trade Commission (FTC).  Might he act on his instincts, therefore, and advise the agency to take action against Twitter? It is unlikely that Prof Wu will be around the FTC long enough to help them bring any sort of formal action against Twitter, but he could help lay the groundwork for a creative interpretation of our nation’s antitrust laws such that Twitter somehow comes to be labeled a “monopoly” or what he refers to as an “information empire” in his new book The Master Switch. (See my last review of the book here.)

But I think he’d have a very hard time convincing the folks in the FTC’s Economics Bureau that Twitter is really worth worrying about or that it has anything approximating a “monopoly” in this emerging market, whatever that market is. But Wu has the ear of key people in government right now and could be lobbying for more expansive constructions of “information monopoly” since he made it very clear in his book that traditional antitrust analysis was not sufficient for information sectors. “[I]nformation industries… can never be properly understood as ‘normal’ industries,” Wu claimed, and even traditional forms of regulation, including antitrust, “are clearly inadequate for the regulation of information industries,” he says. (p. 303)

The Principle of the Matter

So here’s my take on the issue. Twitter is an amazing innovator. It created the space it now plays in and that market is still so new and unique that we don’t even have a name for it yet. In America, we should – and usually do – celebrate such entrepreneurialism. But sometimes certain Ivory Tower elites, regulatory-minded advocates, paternalistic policymakers, or even disgruntled competitors, claim that such innovators “owe” the rest of us something because they got rich or powerful thanks to that innovation. “Forced access” or “neutrality” mandates becomes a convenient regulatory prescription to achieve that end even though the motivating principle behind such regulation is, essentially, “what’s yours is mine.”

Indeed, from my perspective, the entire notion of forced access to the Twitter API could be dismissed by noting that, technically speaking, Twitter’s API is its private property and they should be free to do as they wish with it. That’s why I’m particularly concerned with Zittrain’s notion that we might consider applying adverse possession principles to any digital platform with enough users; at root, it’s a call to limit or even abolish property rights for digital platforms once they gain popularity or have a large number of users. As noted below, that has extremely dangerous ramifications for digital innovation but, more profoundly in my opinion, it is an unjust and unconstitutional taking of an innovator’s property. Of course, I understand that property rights aren’t exactly in vogue in America anymore and that this isn’t really a satisfying answer from the consumer’s perspective, so let’s continue on and consider a few other reasons why forced access regulation of Twitter via API neutrality would be a mistake.

First, we should not forget that Twitter has yet to find a way to turn its service into a serious revenue-generator. The most obvious reason for that is that Twitter (a) doesn’t charge anything for the service it provides and (b) doesn’t lock down its platform / API such that they might be able to earn a return on their investment by monetizing eyeballs via advertising on their own platform. That’s why Twitter’s announcement on Friday won’t come to a shock to anyone with a whiff of business sense in their heads. At some point, Twitter probably had to do something like this if they wanted to find a way to monetize and grow their business.

I can hear some out there screaming out “but it’s not fair!” as if there was cosmic sense of cyber-justice that has been betrayed because Twitter had the audacity to lock-down their platform. Of course, it is certainly true that some third-party app providers may suffer because of Twitter’s move here.  I’m not going to lie to you; if Twitter’s move to exert greater control over its API somehow destroys the beauty that is the TweetDeck desktop interface, I am going to be screaming mad myself! I do not think there has ever been a slicker, more user-friendly interface for any web service in Internet history than what TweetDeck offers consumers. For my money – which means nothing since TweetDeck is free! – TweetDeck is digital perfection defined. And, incidentally, I’d be happy to pay for it if they asked.

But despite my gushing love for it, let’s be clear about something: TweetDeck has no inherent right to exist. Indeed, TweetDeck owes its very existence to the fact that Twitter offered its API to the world on a completely free, unlicensed, unrestricted basis. The same holds true for all those other third-party platforms that depend upon the Twitter API. What Twitter giveth, Twitter can taketh away.

Stated differently, Twitter has thus far had a voluntary open access policy in place for the first few years of its existence but now wants to partially abandon that policy. This policy reversal will, no doubt, lead to claims that the company is acting like one of Wu’s proverbial “information empires” and that perhaps Zittrain’s API neutrality regime should be put in place as a remedy.  Indeed, Zittrain has already referred to it as a “bait-and-switch” and cited back to the provisions of his book that I outlined above. I believe that foreshadows what’s to come: more pressure from the Ivory Tower and then, potentially, from public policy makers that will first encourage and then push to force Twitter to grant access to its platform on terms set by others.  It’s a potential first step toward the forced commoditization of the Twitter API and the involuntary surrender of its property rights to some collective authority who will manage it as a “collective good,” “common carrier,” or “essential facility.”

But Consider This… (on API Neutrality and Disincentives)

Of course, the people at Twitter certain realize how important all those third-party apps and platforms have been to growing the Twitter information empire. Thus, an overly-zealous move to crush third parities by denying them the API or any incidental use of the Twitter name / branding could backfire in two ways: it could lead to a major consumer backlash which in turn spurs the development of alternative platforms and entirely new types of competing services.

Vertical integration might be one way to partially alleviate those problems. Twitter could start cutting deals with existing third-party platforms that rely upon its API such that they were brought under the Twitter corporate umbrella, where more standardization could occur. But Twitter doesn’t have the money to buy them all out. Moreover, Twitter doesn’t want to see dozens of interfaces under its corporate umbrella. For them, this is about “a consistent user experience.” In other words, they’d obviously prefer a more standardized platform / interface that simply got rid of some of those third-party apps and platforms altogether.

As a result, in the short term, I think we’ll likely end up with a market dominated by Twitter’s proprietary platform(s) but with a couple of other leading existing third-party providers being tolerated by the company so as not to rock the boat too much. And that’s not a bad thing. Here’s the key principle to keep in mind: If we apply API neutrality or adverse possession principles forcibly, it sends a horrible signal to entrepreneurs that basically says their platforms are theirs in name only and will be forcibly commoditized once they are popular enough. That’s a horrible disincentive to future innovation and investment. However, it means we must sometimes tolerate short term spells of “market power” when we allow entrepreneurs to realize the benefits of their past innovations and investments if we hope to get more of them in the future.

Avoiding Static Snapshots

But wait, you say, isn’t this all quite horrible for the consumers and competition? Isn’t this just Wu’s “information empire” fear manifesting itself such that antitrust or API neutrality really is required?

Here’s where those warring conceptions of “Internet freedom” come into play. As I’ve noted here many times before in my work on the “conflict of visions” about Internet freedom today, it is during what some might regard as a market’s darkest hour when some of the most exciting disruptive technologies and innovations develop. People don’t sit still; they respond to incentives, including short spells of apparently excessive private power.

By contrast, the “static snapshot” crowd gets so worked up about short term spells of “market power” – which usually don’t represent serious market power at all – that they call for the reordering of markets to suit their tastes.  Sadly, they sometimes do this under the banner of “Internet freedom,” claiming that we can “free” consumers from the supposed tyranny of the marketplace. In reality, that vision wraps markets in chains and ultimately leaves consumers worse off by stifling innovation and inviting in ham-handed regulatory edits and bureaucracies to plan this fast-paced sector of our economy.

“Splitting the Root”

And innovation is possible. Is it really that unthinkable that a Twitter competitor might come along? In a sense, TweetDeck shows the way forward.  TweetDeck has already bucked Twitter’s 140-character limit by offering “Deck.ly,” an exclusive service that allows TweetDeck users to type Twitter messages longer than 140 characters, but which will only be visible via TweetDeck platforms. What if TweetDeck took the next bold step and offered an entirely separate API in direct competition to Twitter? It would be the tweeting equivalent of “splitting the root,” to borrow a concept from the domain name space.

Some would decry the potential lack of interoperability at first. But I bet some sharp folks out there would quickly find work-arounds. Has everyone forgotten the hand-wringing that took place over instant message interoperability just a decade ago (and the resulting restrictions placed on the company following its merger with Time Warner)? Big bad AOL was going to eat everyone’s lunch in the IM space, don’t you remember? But all the hand-wringing about AOL’s looming monopolization of instant messaging seems particularly silly now since anyone can download a free chat client like Digsby or Adium to manage IM services from AOL, Yahoo!, Google, Facebook and just about anyone else, all within a single interface — essentially making it irrelevant which chat service your friends use.

Again, people respond to incentives, and sometimes it takes bone-headed moves by market leaders to really get people off their butts and motivate them to code work-arounds and superior solutions. Is it so hard to imagine that a similar response might follow Twitter’s move this week? After all, we are not talking about replicating a massive physical network of pipes or towers here. We are talking about pure code, for God’s sake! Competition to Twitter is more than possible and it’s likely to come from sources and platforms we cannot currently imagine (just as few of us could have imagined something like Twitter developing just five years ago).

Conclusion

So, Twitter’s move is not an end but rather a new beginning. Personally, I think it could spawn another amazing round of innovation in this space. Again, we must not forget that we are dealing with a space that is still so new that we do not know what to call it. For that reason alone, we should be skeptical of calls for a preemptive regulatory strike. We need to have a little faith in the entrepreneurial spirit and the dynamic nature of markets built upon code, which have the uncanny ability to morph and upend themselves seemingly every few years. In the short term, Twitter will continue to possess a dominant position in whatever we call this market that it serves. But the short term is just that; it’s not the end of the story.

Now excuse me while I get back to Tweeting!

We’ve said it here before too may times to count: When it comes to the future of content and services — especially online or digitally-delivered content and services — there is no free lunch. Something has to pay for all that stuff and increasingly that something is advertising.  But not just any type of advertising — targeted advertising is the future. We see that again today with Skype’s announcement that it is rolling out an advertising scheme as well as in this Wall Street Journal story (“TV’s Next Wave: Tuning In to You“) about how cable and satellite TV providers are ramping up their targeted advertising efforts.

No doubt, we’ll soon hear the same old complaints and fears trotted out about these developments.  We’ll hear about how “annoying” such ads are or how “creepy” they are.  Yet, few will bother detailing what the actual harm is in being delivered more tailored or targeted commercial messages.  After all, there’s actually a benefit to receiving ads that may be of more interest to us. Much traditional advertising was quite “spammy” in that it was sent to the mass market without a care in the world about who might see or hear it. But in a diverse society, it would be optimal if the ads you saw better reflected your actual interests / tastes. And that’s a primary motivation for why so many content and service providers are turning to ad targeting techniques. As Skype noted in its announcement today: “We may use non-personally identifiable demographic data (e.g. location, gender and age) to target ads, which helps ensure that you see relevant ads. For example, if you’re in the US, we don’t want to show you ads for a product that is only available in the UK.”  Similarly, the Journal article highlights a variety of approaches that television providers are using to better tailor ads to their viewers.

Some will still claim it’s too “creepy.” But, as I noted in my recent filing to the Federal Trade Commission on its new privacy green paper:

If harm is reduced to “creepiness” or even “annoyance” and “unwanted solicitations” as some advocate, it raises the question whether the commercial Internet as we know it can continue to exist.  Such an amorphous standard leaves much to the imagination and opens the door to creative theories of harm that are sure to be exploited.  In such a regime, harm becomes highly conjectural instead of concrete. This makes credible cost-benefit analysis virtually impossible since the debate becomes purely about emotion instead of anything empirical. … Importantly, nothing in the Commission’s proceeding has thus far demonstrated that online data collection and “tracking” represent a clear harm to consumers per se, or that any “market failure” exists here. Such a showing would be difficult since using data to deliver more tailored advertising to consumers can provide important benefits to the public..

I’ve already noted one possible benefit to consumers: ads that are more relevant to them and, therefore, potentially less “annoying.” But the far more important benefits would be (1) keeping costs for content and services reasonable, and/or (2) just keeping that content flowing or those services in business. I go into more detail about both of these potential benefits in my FTC filing, but the reasoning here is pretty straightforward.  Again, advertising is the great subsidizer of the press, media, content, and online services. The reason we already have access to some much great content and so many great (and often free) online services is because of advertising.

But the market for content and services is becoming more cut-throat competitive every day. There’s simply so much stuff to choose from that both the content/service providers and the advertisers are being forced to evolve and change their business models. Locking them into to yesterday’s (or even today’s) advertising and marketing methods limits their ability to respond to competitive pressures and concoct more innovate models going forward.  Targeting will clearly be part of the mix, and if it can help companies continue to provide their content and services to the public — or, better yet, provide them at a more competitive price — then policymakers must take those potential benefits into account when considering privacy regulations, even if some feel such ads are “creepy.”  Again, it’s unclear how “creepiness” is a harm and, even if it is, it has to be stacked against the many potential benefits or more targeted forms of advertising.  There’s no guarantee those methods will succeed, of course, but they should at least be given a chance.

Again, read my FTC comments for more detail.  And let’s say it once more, with feeling: There is no free lunch!

___

Addendum: I just noticed this follow-up Wall Street Journal blog post by Jessica E. Vascellaro on “Calculating the Benefit of a Targeted TV Ads,” which concludes by noting that: “A test of targeted TV ads by Comcast in 2009 found that homes receiving targeted advertising tuned away from the commercials 32% less of the time than homes that received non-targeted ads.” Stated differently, those consumers seeing targeted ads found them 32% less “annoying”! And, again, more effective advertising means more dollars for content and services.

That also reminded me of this eMarketer article I saw last month on how “Targeting Boosts Low Facebook Click Rates.” It noted that:

Just as not all advertisers are created equal, neither are all ads. Facebook’s self-serve ad targeting platform provides marketers with a wide variety of options for narrowing down the audience for their campaigns and targeting them appropriately. And according to data from BLiNQ Media, targeting can provide a dramatic increase in ad effectiveness. Clickthrough rates for campaigns run through the company’s platform were 7.5 times higher for ads targeted with demographic characteristics or interest information gleaned from profiles than for ads that were not targeted.

Indeed, not all advertising is created equal, and more targeted forms of advertising could create more value for content creators, services providers, and consumers. If it’s given a chance, that is.

Congrats are due to Tim Wu, who’s just been appointed as a senior advisor to the Federal Trade Commission (FTC). Tim is a brilliant and gracious guy; easily one of the most agreeable people I’ve ever had the pleasure of interacting with in my 20 years in covering technology policy. He’s a logical choice for such a position in a Democratic administration since he has been one of the leading lights on the Left on cyberlaw issues over the past decade.

That being said, Tim’s ideas on tech policy trouble me deeply. I’ll ignore the fact that he gave birth to the term “net neutrality” and that he chaired the radical regulatory activist group, Free Press. Instead, I just want to remind folks of one very troubling recommendation for the information sector that he articulated in his new book, The Master Switch: The Rise and Fall of Information Empires. While his book was preoccupied with corporate power and the ability of media and communications companies to posses a supposed “master switch” over speech or culture, I’m more worried about the “regulatory switch” that Tim has said the government should toss.

Tim has suggested that a so-called “Separations Principle” govern our modern information economy. “A Separations Principle would mean the creation of a salutary distance between each of the major functions or layers in the information economy,” he says. “It would mean that those who develop information, those who control the network infrastructure on which it travels, and those who control the tools or venues of access must be kept apart from one another.”  Tim calls this a “constitutional approach” because he models it on the separations of power found in the U.S. Constitution.

I critiqued this concept in Part 6 of my ridiculously long multi-part review of his new book, and I discuss it further in a new Reason magazine article, which is due out shortly. As I note in my Reason essay, Tim’s blueprint for “reforming” technology policy represents an audacious industrial policy for the Internet and America’s information sectors. In concrete regulatory terms—and despite Tim’s insistence to the contrary, his approach most assuredly would require regulation—the Separations Principle would segregate information providers into three buckets: creators, distributors, and hardware makers. Presumably these would  become three of the new “titles” (or regulatory sections) of a forthcoming Information Economy Separations Act.

While conceptually neat, these classifications don’t conform to our highly dynamic digital economy, whose parameters can change wildly within the scope of just a few years. For example, Google cut its teeth in the search and online advertising markets, but it now markets phones and computers. Verizon, once just a crusty wireline telephone company, now sells pay TV services and a variety of wireless devices. AOL reinvented itself as media company after its brief reign as the king of dial-up Internet access. Would firms that already possess integrated operations and investments (for instance, Microsoft or Apple) be forced to divest control of them to comply with the Separations Principle? If so, wouldn’t that hinder technological development?

In his book, Tim shrugs off such concerns. “The Separations Principle accepts in advance that some of the benefits of concentration and unified action will be sacrificed,” he writes, “even in ways that may seem painful or costly.” Such a flippant attitude ignores not only the potential benefits of certain forms of integration but also the fact that his proposed information apartheid would upend the American economy as we know it (for instance, by forcing the breakup of  dozens of leading technology companies as well as countless media and entertainment providers). He also ignores the litigation nightmare that would ensue once the government started forcing divestitures.

More shockingly,Tim never explains how the bureaucratic machinations and regulatory capture he decries throughout his book would be held in check under his proposed regime. He breezily writes that “the government [should] also keep its distance and not intervene in the market to favor any technology, network monopoly, or integration of the major functions of an information industry,” but does not explain how this will be accomplished. Does he believe we can build a better breed of bureaucrat if we just try harder? (I suppose he does now that he’s been appointed as one!!)

Equally astonishing is Tim’s assertion that “a Separations regime would take much of the guesswork and impressionism…out of the oversight of information industries.” To the extent that his Separations Principle eliminates “guesswork” and creates more regulatory certainty, it would do so only by creating rigid artificial barriers to market entry and innovation across the information economy. That’s the kind of “certainty” we can live without!

I can only hope that Prof. Wu leaves this particular idea back in the ivory tower as he makes his transition to policy advisor at the FTC.  America’s high-tech sector cannot survive the sort of regulatory wrecking ball approach to public policy that Tim has recommended.

Today the Mercatus Center has released a short new paper I have authored on “Unappreciated Benefits of Advertising and Commercial Speech.”  I begin the piece by noting that:

Federal policy makers, state legislators, and state attorneys general have recently shown interest in regulating commercial advertising and marketing. Several new regulatory initiatives are being proposed, or are already underway, that could severely curtail or restrict advertising or marketing on a variety of platforms. The consequences of these stepped-up regulatory efforts will be profound and will hurt consumer welfare both directly and indirectly.

I go on to note that “advertising can be an easy target for politicians or regulatory activist groups who make a variety of (typically unsubstantiated) claims about its negative impact on society,” but then continue on to explain how “the role of commercial speech in a free-market economy is often misunderstood or taken for granted.” I outline how, despite regulators’ concerns, consumers actually derive three important types of benefits from advertising and marketing: (1) Informational / Educational Benefits; (2) Market Choice / Pro-Competitive Benefits; and (3) Media Promotion / Cross-Subsidization.  After discussing each benefit, I conclude that:

For these reasons, a stepped-up regulatory crusade against advertising and marketing will hurt consumer welfare since it will raise prices, restrict choice, and diminish marketplace competition and innovation—both in ad-supported content and service markets, and throughout the economy at large.  Simply stated, there is no free lunch.

Read the entire 1,800-word essay here.  I have also embedded the document down below in a Scribd reader.

Unappreciated Benefits of Advertising and Commercial Speech (Adam Thierer – Mercatus Center) http://d1.scribdassets.com/ScribdViewer.swf

Via @csoghoian (who can be wrathful if you don’t attribute), Adobe buries the lede in its blog post about privacy improvements to the Flash player. They’re working with the most popular browser vendors on integrating control of “local shared objects”—more commonly known as “Flash cookies”—into the interface. Users control of Flash cookies will soon be similar to control of ordinary cookies.

It doesn’t end there:

Still, we know the Flash Player Settings Manager could be easier to use, and we’re working on a redesign coming in a future release of Flash Player, which will bring together feedback from our users and external privacy advocates. Focused on usability, this redesign will make it simpler for users to understand and manage their Flash Player settings and privacy preferences. In addition, we’ll enable you to access the Flash Player Settings Manager directly from your computer’s Control Panels or System Preferences on Windows, Mac and Linux, so that they’re even easier to locate and use. We expect users will see these enhancements in the first half of the year and we look forward to getting feedback as we continue to improve the Flash Player Settings Manager.

Mysterious, sinister “Flash cookies” were Exhibit A in the argument for a Do Not Track regulation. There is no way that people can cope with the endless array of tracking technologies advertisers are willing to deploy, the argument went, so the government must step in, define what it means to be “tracked,” and require it to stop—without kneecapping the free Internet. (Good luck with that!)

But Flash cookies are now quickly taking their place as a feature that users can control from the browser (or OS), customizing their experience of the Web to meet their individual privacy preferences. This is not a panacea, of course: People must still be made aware of the importance of controlling Flash cookies, as well as regular cookies. New tracking technologies will emerge, and consumer-friendly information controls meeting those challenges will be required in response.

But if this is what the drawn-out “war” against tracking technologies looks like, color me pro-war!

In a few short months, Adobe has begun work on the controls needed to put Flash cookies under peoples’ control. The Federal Trade Commission—prospective imposer of peace through complex, top-down regulation—took more than a year to produce a report querying whether a Do Not Track regulation might be a good idea. This problem will essentially be solved (and we’ll be on to the next one) before the FTC would have gotten saddled up.

Yes, Adobe may have acted because of the threat of damaging government regulation. That seems always to be what gets these companies moving. Of course it does, when the primary modus operandi of privacy advocacy is to push for government regulation. Were the privacy community to work as assiduously on boycotts as acting through intermediary government regulators, change might come even faster.

We could do without the standing army of regulators. Having a government sector powerful enough to cow the business sector is costly, both in terms of freedom and tax dollars.

With the failure of Do Not Track, the vision of a free and open Internet—populated by aware, empowered individuals—lives on.

Reading through the respective December 2010 privacy reports from the Federal Trade Commission (FTC) and Department of Commerce (DoC), one cannot help but be struck by the Obama Administration’s seeming desire to make America’s tech sector — and the regulatory regime that governs it — more closely resemble Europe’s.  The push for an ambitious new “privacy framework” and set of “fair information practices” is just a riff borrowed from the EU data directive.  And although the Obama team stops short of calling privacy a “dignity right” as many European policymakers are prone to do, it’s clear from both the FTC and DoC reports that that’s were they want to take us.

It’s interesting to me, though, that the Obama Administration relies on two fundamentally flawed rationales for the “European-ification” of American privacy law.  In this regard, I’ll reference some passages from the DoC’s report that appear in the section on “The Economic Imperative” for a new regime, which appears on pages 13-16 of the report.

Myth #1: Privacy Regs Are Needed to Get More People Online or Using Digital Technology

First, the DoC pulls out the old saw about the need for expanded privacy regs to ensure greater online trust and, as a result, promote increased online interactions.  The report claims that “maintaining consumer trust is vital to the success of the digital economy” and that “an erosion of trust will inhibit the adoption of new technologies” (p. 15)  The problem with the theory that online commerce or consumer interactions online are somehow being thwarted by a lack of more privacy regulation is that it is plainly contradicted by the facts. 

Interestingly, you need do nothing more that scan back just a couple of paragraphs in the DoC report to find some of those facts! For example, on pg. 14, the report notes: “The Internet is also increasingly important to the personal and working lives of individual Americans.  Ninety-six percent of working Americans use the Internet as part of their daily life, while sixty-two percent of working Americans use the Internet as an integral part of their jobs.”  Does the DoC not see the contradiction here, or is the Obama Administration claiming that we cannot rest until we move the needle from 96% to 100%?!

Then we have the DoC’s claim that “an erosion of trust will inhibit the adoption of new technologies.”  Really?  What, then, are we to make of the 500 million people who have flocked to Facebook despite repeated claims by some that it is a privacy pariah? And there are plenty of other examples of the explosion of online activity over the past decade.  The fact is, online participation and technology adoption is growing like wildfire. If you need more evidence, go through the data sets from the Pew Internet & American Life Project about Internet usage over time and try to find one metric that is decreasing.  [Just as an unrelated aside, I am still sometimes astonished by how many people use eBay despite continuing concerns about online fraud, which is a far more serious and legitimate “harm” than most supposed privacy violations.  Yet, eBay is now the world’s largest online marketplace with more than 90 million active users globally and $60 billion in transactions annually, or $2,000 every second.]

In sum, advocates of increased privacy regulation have fed the DoC a catchy line about the need for more privacy regulation in the name of encouraging greater online participation and the DoC has bought into that theory despite a lack of evidence that there is any real problem here.

Myth #2: Privacy Regs Are Needed to Promote the Competitiveness of U.S. High-Tech Firms

Second, we hear of the DoC speak of the need for “interoperability” or harmonization of privacy policies internationally to facilitate smoother online commercial interactions or data flows.  Despite the report’s admission that “a considerable amount of global commerce takes place on the Internet [and] global online transactions currently total an estimated $10 trillion annually” and is growing, the DoC continues on to argue that:

the lack of cross-border interoperability in privacy principles and regulations creates barriers to cross-border data flow and significant compliance costs for companies. Improving the global interoperability of data privacy approaches could enable increased exports of U.S. services and… support the overall objective of creating jobs by promoting exports. Thus, commercial data privacy considerations are vital not only to our domestic commerce, but also to international trade.

In other words, says the DoC, things are pretty good right now, but they will get a lot better once we harmonize privacy regulations in the direction of the E.U. and other regions.  But here’s the problem with that theory: The DoC is assuming that the benefits of regulatory harmonization — which, to be perfectly clear, would arrive in the form increased regulation on U.S. operators — would outweigh the cost of complying with those new rules.

The DoC says it wants to “prevent conflicting policy regimes from serving as a trade barrier” (p. 20), but should the U.S. impose burdensome new regulations on American companies to achieve that goal?  Would we really be better off if all U.S. firms and policy more closely resembled the E.U. in this regard?   To answer that question, you might conduct the simple experiment of stopping the average person in the street — here in the U.S. or even abroad — and asking them to name five major U.S. digital economy companies and then see if they can even name one major European competitor in the same arena. Needless to say, it’s hard to find many European counterparts that rival Google, Amazon, Apple, Facebook, eBay, Microsoft, etc.   Now, why is that?  Why is it that the information technology sector has thrived in America and that U.S. companies are leaders in many of their respective sectors across the globe?  Might it be precisely because we did not follow others down the path of “data directives” and heavy handed, top-down regulation of the Internet more generally?

Do you want some empirical evidence for why it’s a bad idea to achieve parity or harmonization in the fashion the DoC suggests?  Well then, consider this recent study by Avi Goldfarb and Catherine Tucker which found that “after the [European Union’s] Privacy Directive was passed [in 2002], advertising effectiveness decreased on average by around 65 percent in Europe relative to the rest of the world.”  They argue that because regulation decreases ad effectiveness, “this may change the number and types of businesses sustained by the advertising-supporting Internet.” Regulation of advertising and data collection for privacy purposes, it seems, can affect the global competitiveness of online firms.

The other problem with the DoC’s appeal for harmonization of privacy regulatory regimes through increased regulation is that it sets a horrible precedent.   At least thus far this has not been the approach the U.S. government has taken in most other Internet policy contexts, and with good reason.  Think about this in the context of speech controls.  When we see the Europeans or other regions and countries stifling free speech and expression online, has our response been to say, “Well, in the name of policy harmonization and improving cross-border interoperability, we Americans need to accept the wisdom of censoring the Net.”  Of course not!  That would be insane.  Instead, when confronted with conflicting regulatory regimes abroad, our response here in the States has usually been to proudly boast to the world that we have the more sensible approach to Net regulation, which is to say, it should be tightly limited so as not to stifle speech or commerce.  I really don’t care if you want to call that “American exceptionalism” or whatever else; I just think it’s plain old common sense.

And yet, in the case of privacy regulation, the Obama Administration’s Department of Commerce wants to throw that notion to the wind and harmonize in the direction of more regulation of U.S. companies.  Isn’t the Commerce Department supposed to be in the business of helping to promote U.S. trade, exports, commerce, and global competitiveness?  If so, the right approach to “leveling the playing field” in this context should be the same as it is in relation to speech policy or trade law: the rest of the world should deregulate down to our level; we should absolutely not regulate up to theirs.