Today I’ll be testifying at a Senate Commerce Committee hearing on online privacy and commercial data collection issues. In my remarks, I make three primary points:
- First, no matter how well-intentioned, restrictions on data collection could negatively impact the competitiveness of America’s digital economy, as well as consumer choice.
- Second, it is unwise to place too much faith in any single, silver-bullet solution to privacy, including “Do Not Track,” because such schemes are easily evaded or defeated and often fail to live up to their billing.
- Finally, with those two points in mind, we should look to alternative and less costly approaches to protecting privacy that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.
The testimony also contains 4 appendices elaborating on some of these themes.
Down below, I’ve embedded my testimony, a list of 10 recent essays I’ve penned on these topics, and a video in which I explain “How I Think about Privacy” (which was taped last summer at an event up at the University of Maine’s Center for Law and Innovation). Finally, the best summary of my work on these issues can be found in this recent Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing.” (This is the first of two complimentary law review articles I will be releasing this year dealing with privacy policy. The second, which will be published early this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.”) Continue reading →
Last week on his personal blog, Peter Fleischer, Global Privacy Counsel for Google, posted an interesting essay entitled “We Need a Better, Simpler Narrative of US Privacy Laws.” Fleischer says that Europe has done a better job marketing its privacy regime to the world than the United States and argues that “The US has to figure out how to explain its privacy laws on the global stage” since “Europe is convincing many countries around the world to implement privacy laws that follow the European model.” He notes that “in the last year alone, a dozen countries in Latin America and Asia have adopted euro-style privacy laws [while] not a single country, anywhere, has followed the US model.” Fleischer argues that this has ramifications for long-term trade policy and global Internet regulation more generally.
I found this essay very interesting because I deal with some of these issues in my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing” (Harvard Journal of Law & Public Policy, vol. 36, no. 2, Spring 2013). In the article, I suggest that the U.S. does have a unique privacy regime and it is one that is very similar in character to the regime that governs online child safety issues. Whether we are talking about online safety or digital privacy, the defining characteristics of the U.S. regime are that it is bottom-up, evolutionary, education-based, empowerment-focused, and resiliency-centered. It focuses on responding to safety and privacy harms after exhausting other alternatives, including market responses and the evolution of societal norms.
The EU regime, by contrast, is more top-down in character and takes a more static, inflexible view of privacy rights. It tries to impose a one-size-fits-all model on a diverse citizenry and it attempts to do so through heavy-handed data directives and ongoing “agency threats.” It is a regime that makes more sweeping pronouncements about rights and harms and generally recommends a “precautionary principle” approach to technological change in which digital innovation is more “permissioned.”
Put simply, the U.S. regime is
reactive in character while the E.U. regime is more preemptive. The U.S. system focuses on responding to safety and privacy problems using a more diverse toolbox of solutions, some of which are governmental in character while others are based on evolving social and market norms and responses. To be clear, law does enter the picture here in the U.S., but it does so in a very different way than it does in the E.U. Continue reading →
I’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complimentary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)
The new
Harvard Journal article is divided into three major sections. Part I focuses on some of normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.
If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. Continue reading →
Obama’s talked a big game about online privacy. He promised reform during the 2008 campaign. A year ago, the White House proposed a “Privacy Bill of Rights.” But so far, the Administration’s delivered little more than fine words. Worse, they’ve focused on the wrong problems.
Government has an important role to play in protecting consumer privacy, but its snooping and surveillance are far bigger problems—which have only grown worse. While Washington talks of a new commercial privacy “Bill of Rights,” the real Bill of Rights is in peril.
The American Revolution erupted, in large part, out of seething resentment at British privacy intrusions—without judicial supervision. Virginia adopted its own Bill of Rights shortly before the Declaration of Independence, including what later became Madison’s Fourth Amendment to the Constitution: “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” Law enforcement must generally obtain a warrant before conducting a search—which means convincing a judge that probable cause exists to believe a crime has been committed. Continue reading →
The number of major cyberlaw and information tech policy books being published annually continues to grow at an astonishing pace, so much so that I have lost the ability to read and review all of them. In past years, I put together end-of-year lists of important info-tech policy books (here are the lists for 2008, 2009, 2010, and 2011) and I was fairly confident I had read just about everything of importance that was out there (at least that was available in the U.S.). But last year that became a real struggle for me and this year it became an impossibility. A decade ago, there was merely a trickle of Internet policy books coming out each year. Then the trickle turned into a steady stream. Now it has turned into a flood. Thus, I’ve had to become far more selective about what is on my reading list. (This is also because the volume of journal articles about info-tech policy matters has increased exponentially at the same time.)
So, here’s what I’m going to do. I’m going to discuss what I regard to be the five most important titles of 2012, briefly summarize a half dozen others that I’ve read, and then I’m just going to list the rest of the books out there. I’ve read most of them but I have placed an asterisk next to the ones I haven’t. Please let me know what titles I have missed so that I can add them to the list. (Incidentally, here’s my compendium of all the major tech policy books from the 2000s and here’s the running list of all my book reviews.)
Continue reading →
[UPDATE
4/30/13: This article was subsequently published in Volume 65, Issues 2 of the Federal Communications Law Journal in April 2013. The links below now point to the final FCLJ version.]
The Mercatus Center at George Mason University has just released a new paper by Brent Skorup and me entitled, “Uncreative Destruction: The War on Vertical Integration in the Information Economy.” Brent, who is the research director for the Information Economy Project at the George Mason University School of Law, and I have been working on this paper since the Spring and we are looking forward to getting it published in a law review shortly. The paper focuses on Tim Wu’s “separations principle” for the digital economy, something I’ve spent some time critiquing here in the past. Here’s the introduction from the 44-page paper that Brent and I just released:
Are information sectors sufficiently different from other sectors of the economy such that more stringent antitrust standards should be applied to them preemptively? Columbia Law School professor Tim Wu responds in the affirmative in his book The Master Switch: The Rise and Fall of Information Empires. Having successfully pushed net-neutrality regulation into the policy spotlight, Wu has turned his attention to what he regards as excessive market concentration and threats to free speech throughout the entire information economy.To support his call for increased antitrust intervention, Wu explains his view of competition in the information economy—a view that deviates substantially from current mainstream antitrust theory.
Continue reading →
That was the response of a friend currently in Rwanda who had issued a Facebook plea for someone to upload the weird “Innocence of Muslims” video to Dropbox.
“Oh, where is the stupid internet in Rwanda?????” she exclaimed.
In typical snark, I had asked, “What do you connect to Dropbox with? Tin-can on string?”
She actually has Internet access, but she finds YouTube so much less reliable than other platforms that she asks friends to upload YouTube videos elsewhere.
I anecdotally find YouTube videos to be clunky downloads compared to others. Quite naturally, I watch fewer videos on YouTube and more on other platforms. I don’t know, but guess, that Google has made some decision to economize on video downloads—a high percentage of people probably watch only the first third of any video, so why send them the whole thing right away?—and that its imperfect implementation has me watching the spinning “pause” wheel (or playing “snake”) routinely when I think a YouTube offering would be interesting.
Would the Google of five years have allowed that? It’s well known that Google recognizes speed as an important elements of quality service on the Internet.
And this is why antitrust action against Google is unwarranted. When companies get big, they lose their edge, as I’m guessing Google is losing its edge in video service. This opens the door to competitors as part of natural economic processes.
Just the other week, I signed up with Media.net and I’ll soon be running tests on whether it gets better results for me on WashingtonWatch.com than Google AdSense. So far so good. A human customer service representative navigated me through the (simple) process of opening an account and getting their ad code.
These are anecdotes suggesting Google’s competitive vulnerability. But you can get a more systematic airing of views at TechFreedom’s event September 28th: “Should the FTC Sue Google Over Search?“
It was my honor today to be a panelist at a Hill event on “Apps, Ads, Kids & COPPA: Implications of the FTC’s Additional Proposed Revisions,” which was co-sponsored by the Family Online Safety Institute and the Association for Competitive Technology. It was a free-wheeling discussion, but I prepared some talking points for the event that I thought I would share here for anyone interested in my views about the Federal Trade Commission’s latest proposed revisions to the Children’s Online Privacy Protection Act (COPPA).
________
The Commission deserves credit for very wisely ignoring calls by some to extend the coverage of COPPA’s regulatory provisions from children under 13 all the way up to teens up to 18.
- that would have been a constitutional and technical enforcement nightmare. But the FTC realized that long ago and abandoned any thought of doing that. So that is a huge win since we won’t be revisiting the COPA age verification wars.
- That being said, each tweak or expansion of COPPA, the FTC opens the door a bit wider to a discussion of some sort age verification or age stratification scheme for the Internet.
- And we know from recent AG activity (recall old MySpace age verification battle) and Hill activity (i.e. Markey-Barton bill) that there remains an appetite for doing something more to age-segment Internet populations
Continue reading →
The Federal Trade Commission (FTC) has just released its final privacy framework proposal, “Protecting Consumer Privacy in an Era of Rapid Change.” The agency released a draft report with the same title back in late 2010 and then asked for comments. [Here were my comments to the agency.] The FTC’s final report comes just a month after the Obama Administration released its 50-page privacy framework, Consumer Data Privacy in a Networked World, which included a privacy “bill of rights.” That report was primarily driven by the Department of Commerce. [I penned a Forbes column about that report the day it was released.] The new FTC report is fairly consistent with the earlier Commerce Department report. Here are some of the key themes or recommendations from the final FTC report:
- rooted in a set of baseline privacy principles with a strong push for “privacy by design,” more consumer choice, and better transparency.
- along with Dept of Commerce, the agency will work with industry to develop privacy codes of conduct and then give them teeth with possibility of FTC enforcement.
- pushes for industry to pursue voluntary “Do Not Track” mechanism, which to the agency apparently means “do not collect” any info.
- calls on Congress to pass data security legislation and legislation “to provide greater transparency for, and control over, the practices of information brokers.” Also, “to further increase transparency, the Commission calls on data brokers that compile data for marketing purposes to explore creating a centralized website where data brokers could (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.”
- the agency will host a workshop later this year to discuss privacy withing “large platform providers.” The report notes: “To the extent that large platforms, such as Internet Service Providers, operating systems, browsers, and social media, seek to comprehensively track consumers’ online activities, it raises heightened privacy concerns.”
- the agency is also stepping up oversight on mobile privacy issues.
- the agency says it “generally supports the exploration of efforts to develop additional mechanisms, such as the ‘eraser button’ for social media,” but stops short of saying it should be mandated at this time.
Some of my initial random thoughts about the FTC report: Continue reading →
The Federal Trade Commission issued a report today calling on companies “to adopt best privacy practices.” In related news, most people support airline safety… The report also “recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.”
This is regulatory cheerleading of the same kind our government’s all-purpose trade regulator put out a dozen years ago. In May of 2000, the FTC issued a report finding “that legislation is necessary to ensure further implementation of fair information practices online” and recommending a framework for such legislation. Congress did not act on that, and things are humming along today without top-down regulation of information practices on the Internet.
By “humming along,” I don’t mean that all privacy problems have been solved. (And they certainly wouldn’t have been solved if Congress had passed a law saying they should be.) “Humming along” means that ongoing push-and-pull among companies and consumers is defining the information practices that best serve consumers in all their needs, including privacy.
Congress won’t be enacting legislation this year, and there doesn’t seem to be any groundswell for new regulation in the next Congress, though President Obama’s reelection would leave him unencumbered by future elections and so inclined to indulge the pro-regulatory fantasies of his supporters.
The folks who want regulation of the Internet in the name of privacy should explain how they will do better than Congress did with credit reporting. In forty years of regulating credit bureaus, Congress has not come up with a system that satisfies consumer advocates’ demands. I detail that government failure in my recent Cato Policy Analysis, “Reputation under Regulation: The Fair Credit Reporting Act at 40 and Lessons for the Internet Privacy Debate.”
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.