In a recent Senate Commerce Committee hearing on the Internet of Things, Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) “announced legislation that would direct the National highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure our cars and protect drivers’ privacy.” Spurred by a recent report from his office (Tracking and Hacking: Security and Privacy Gaps Put American Drivers at Risk) Markey argued that Americans “need the equivalent of seat belts and airbags to keep drivers and their information safe in the 21^st century.”

Among the many conclusions reached in the report, it says, “nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” This comes across as a tad tautological given that everything from smartphones and computers to large-scale power grids are prone to being hacked, yet the Markey-Blumenthal proposal would enforce a separate set of government-approved, and regulated, standards for privacy and security, displayed on every vehicle in the form of a “Cyber Dashboard” decal.

Leaving aside the irony of legislators attempting to dictate privacy standards, especially in the post-Snowden world, it would behoove legislators like Markey and Blumenthal to take a closer look at just what it is they are proposing and ask whether such a law is indeed necessary to protect consumers. For security in particular, there may be concerns that require redress, but if one looks at the report, it becomes apparent that it lacks a very important feature:: no specific examples of real car hacking are mentioned. The only examples illustrated in the report are described in brief detail:

An application was developed by a third party and released for Android devices that could integrate with a vehicle through the Bluetooth connection. A security analysis did not indicate any ability to introduce malicious code or steal data, but the manufacturer had the app removed from the Google Play store as a precautionary measure.

Great! The company solved the problem. What about the other instance cited in the report?

Some individuals have attempted to reprogram the onboard computers of vehicles to increase engine horsepower or torque through the use of “performance chips”. Some of these devices plug into the mandated onboard diagnostic port or directly into the under-the-hood electronics system.

So the only two examples of “car hacking” described in the Markey report are essentially duds. The first is a non-issue, since the company (1) determined there was little security risk involved and (2) removed the item from the market anyways, just to be sure. The second is, in a sense, hacking, but it is individual car owners doing it to their own cars. Neither of these cases appears to be sufficient grounds for imposing a set of arbitrary and, in many cases, capriciously anti-innovation approaches to privacy and data security in cars.

In the wake of the report’s release, this past Tuesday, March 10, General Motors, Toyota, and Ford were all hit with a nationwide class action lawsuit, alleging that the companies concealed “dangers posed by a lack of electronic security in a vast swath of vehicles.” Specifically, the lawsuit is aimed at the presence of controller area network (CAN) buses, which act as data hubs between the various electronic systems in a car. These systems are, indeed, susceptible to hacking, but no more than any personal computer that is connected to the Internet.

The trouble with this lawsuit, brought by the Stanley Law Group, is that it has not cited any specific harms that have occurred as a result of this “defect” (as a side note, saying a computer being susceptible to hacking constitutes a defect in design is the equivalent of saying an airplane that is susceptible to lightning strikes is fundamentally defective). Rather, the plaintiffs argue that “[w]e shouldn’t need to wait for a hacker or terrorist to prove exactly how dangerous this is before requiring car makers to fix the defect.”

As Adam Thierer and I pointed out in our 2014 paper, Removing Roadblocks to Intelligent Vehicles and Driverless Cars:

Manufacturers have powerful reputational incentives at stake here, which will encourage them to continuously improve the security of their systems. Companies like Chrysler and Ford are already looking into improving their telematics systems to better compartmentalize the ability of hackers to gain access to a car’s controller-area-network bus. Engineers are also working to solve security vulnerabilities by utilizing two-way data-verification schemes (the same systems at work when purchasing items online with a credit card), routing software installs and updates through remote servers to check and double-check for malware, adopting of routine security protocols like encrypting files with digital signatures, and other experimental treatments. (pg. 40-41)

It’s always easy to see the potential for abuse and harm with any new emerging technology, but optimism and fortitude in the face of the uncertain is what helps society, and individuals, grow and progress. Car hacking, while certainly a viable concern, is not so ubiquitous that it necessitates a heavy-handed regulatory approach. Rather, we should permit various standards to emerge and attempt to deal with possible harms. In this way, we can experiment to properly determine what approaches work and what do not. Federal standards imposed from on high assume that firms and individuals are not capable of working through these murky issues. We should be a bit more optimistic about the human capacity for ingenuity and adaptability.

To end on something of a more optimistic note, Tom Vanderbilt of Wired magazine gives keen insight into the reality of regulating based on hypothetical scenarios:

Every scenario you can spin out of computer error – what if the car drives the wrong way – already exists in analog form, in abundance. Yes, computer-guidance systems and the rest will require advances in technology, not to mention redundancy and higher standards of performance, but at least these are all feasible, and capable of quantifiable improvement. On the other hand, we’ll always have lousy drivers.

Additional Reading 

• Law review article: “Removing Roadblocks to Intelligent Vehicles and Driverless Cars,” September 17, 2014.
• “Don’t Hit the (Techno-)Panic Button on Connected Car Hacking & IoT Security,” February 10, 2015.
• “Don’t Slam the Brakes on Smart Cars,” December 1, 2014.
• “Intelligent Vehicles Could Save Lives,” November 25, 2014.
• Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)

On Sunday night, 60 Minutes aired a feature with the ominous title, “Nobody’s Safe on the Internet,” that focused on connected car hacking and Internet of Things (IoT) device security. It was followed yesterday morning by the release of a new report from the office of Senator Edward J. Markey (D-Mass) called Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,  which focused on connected car security and privacy issues. Employing more than a bit of techno-panic flare, these reports basically suggest that we’re all doomed.

On 60 Minutes, we meet former game developer turned Department of Defense “cyber warrior” Dan (“call me DARPA Dan”) Kaufman–and learn his fears of the future: “Today, all the devices that are on the Internet [and] the ‘Internet of Things’ are fundamentally insecure. There is no real security going on. Connected homes could be hacked and taken over.”

60 Minutes reporter Lesley Stahl, for her part, is aghast. “So if somebody got into my refrigerator,” she ventures, “through the internet, then they would be able to get into everything, right?” Replies DARPA Dan, “Yeah, that’s the fear.” Prankish hackers could make your milk go bad, or hack into your garage door opener, or even your car.

This segues to a humorous segment wherein Stahl takes a networked car for a spin. DARPA Dan and his multiple research teams have been hard at work remotely programming this vehicle for years. A “hacker” on DARPA Dan’s team proceeded to torment poor Lesley with automatic windshield wiping, rude and random beeps, and other hijinks. “Oh my word!” exclaims Stahl.

Never mind that we are told that the “hackers” who “hacked” into this car had been directly working on its systems for years—a luxury scarcely available to the shadowy malicious hackers about whom DARPA Dan and his team so hoped to frighten us. The careful setup, editing, and Lesley Stahl’s squeals made for convincing theater.

Then there’s the Markey report. On the surface, the findings appear grim. For instance, we are warned that “Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” Nearly 100%? We’re practically naked out there! But digging through the report, we learn that the basis for this claim is that most of the 16 manufacturers surveyed responded that 100% of their vehicles are equipped with wireless entry points (WEPs)—like Bluetooth, Wi-Fi, navigation, and anti-theft features. Because these features “could pose vulnerabilities,” they are listed as a threat—one that lurks in nearly 100% of the cars on the market, at that.

Much of the report is similarly panicky and sometimes humorous (complaint #3: “many manufacturers did not seem to understand the questions posed by Senator Markey.”) The report concludes that the “alarmingly inconsistent and incomplete state of industry security and privacy practice,” warrants recommendations that federal regulators — led by the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) — “promulgate new standards that will protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.”

Take a Deep Breath

As we face an uncertain future full of rapidly-evolving technologies, it’s only natural that some might feel a little anxiety about how these new machines and devices operate. Despite the exaggerated and sometimes silly nature of techno-panic reports like these, they reflect many people’s real and understandable concerns about new technologies.

But the problem with these reports is that they embody a “panic-first” approach to digital security and privacy issues. It is certainly true that our cars are become rolling computers, complete with an arsenal of sensors and networking technologies, and the rise of the Internet of Things means almost everything we own or come into contact with will possess networking capabilities. Consequently, just as our current generation of computing and communications technologies are vulnerable to some forms of hacking, it is likely that our cars and IoT devices will be as well.

But don’t you think that automakers and IoT developers know that? Are we really to believe that journalists, congressmen, and DARPA Dan have a greater incentive to understand these issues than the manufacturers whose companies and livelihoods are on the line? And wouldn’t these manufacturers only take on these risks if consumer demand and expected value supported them? Watching the 60 Minutes spot and reading through the Markey report, one is led to think that innovators in this space are completely oblivious to these threats, simply don’t care enough to address them, and don’t have any plans in motion. But that is lunacy.

No Mention of Liability?

To begin, neither report even mentions the possibility of massive liability for future hacking attacks on connected cars or IoT devices. That is amazing considering how the auto industry already attracts an absolutely astonishing amount of litigation activity. (Ambulance-chasing is a full-time legal profession, after all.) Thus, to the extent that some automakers don’t want to talk about everything they are doing to address security issues, it’s likely because they are still figuring out how to address the various vulnerabilities out there without attracting the attention of either enterprising hackers or trial lawyers.

Nonetheless, contrary to the absurd statement by Mr. Kaufman that “There is no real security going on” for connected cars or the Internet of Things, the reality is that these are issues that developers are actively studying and trying to address. Manufacturers of connected devices know that: (1) nobody wants to own or use devices that are fundamentally insecure or dangerous; and (2) if they sell such devices to the public, they are in for a world of hurt once the trial lawyers see the first headlines about it.

It also still quite unclear how big the threat is here. Writing over at Forbes yesterday, Doug Newcomb notes that “the threat of car hacking has largely been overblown by the media – there’s been only one case of a malicious car hack, and that was an inside job by a disgruntled former car dealer employee. But it’s a surefire way to get the attention of the public and policymakers,” he correctly observes. Newcomb also interviewed Damon McCoy, an assistant professor of computer science at George Mason University and a car security researcher, who noted that car hacking hasn’t become prevalent and that “Given the [monetary] motivation of most hackers, the chance of [automotive hacking] is very low.”

Security is a Dynamic, Evolving Process

Regardless, the notion that we can just clean this whole device security situation up with a single set of federal standards, as the Markey report suggests, is appealing but fanciful. “Security threats are constantly changing and can never be holistically accounted for through even the most sophisticated flowcharts,” observed my Mercatus Center colleagues Eli Dourado and Andrea Castillo in their recent white paper on “Why the Cybersecurity Framework Will Make Us Less Secure.” “By prioritizing a set of rigid, centrally designed standards, policymakers are neglecting potent threats that are not yet on their radar,” Dourado and Castillo note elsewhere.

We are at the beginning of a long process. There is no final destination when it comes to security; it’s a never-ending process of devising and refining policies to address vulnerabilities on the fly. The complex problem of cybersecurity readiness requires dynamic solutions that properly align incentives, improve communication and collaboration, and encourage good personal and organizational stewardship of connected systems. Implementing the brittle bureaucratic standards that Markey and others propose could have the tragic unintended consequence of rendering our devices even less secure.

Standards Are Developing Rapidly

Meanwhile, the auto industry has already come up with privacy standards that go above and beyond what most other digital innovators apply to their own products today. Here are the Auto Alliance’s “Consumer Privacy Protection Principles: Privacy Principles for Vehicle Technologies and Services,” which 23 major automobile manufacturers agreed to abide by. And, according to a press release yesterday, “automakers are currently working to establish an Information Sharing Analysis Center (or “Auto-ISAC”) for sharing vehicle cybersecurity information among industry stakeholders.”

Again, progress continues and standards are evolving. This needs to be a flexible, evolutionary process, instead of a static, top-down, one-size-fits-all bureaucratic political proceeding.

We can’t set down security and privacy standards in stone for fast-moving technologies like these for another reason, and one I am constantly stressing in my work on “Why Permissionless Innovation Matters.” If we spend all our time worrying about hypothetical worst-case scenarios — and basing our policy interventions on a parade of hypothetical horribles — then we run the risk that best-case scenarios will never come about.  As analysts at the Center for Data Innovation correctly argue, policymakers should only intervene to address specific, demonstrated harms. “Attempting to erect precautionary regulatory barriers for purely speculative concerns is not only unproductive, but it can discourage future beneficial applications of the Internet of Things.” And the same is true for connected cars.

Trade-Offs Matter

Technopanic indulgence isn’t always merely silly or annoying—it can be deadly.

“During the four deadliest wars the United States fought in the 20th century, 39 percent more Americans were dying in motor vehicles” than on the battlefield. So writes Washington Post reporter Matt McFarland in a powerful new post today. The ongoing toll associated with human error behind the wheel is falling but remains absolutely staggering, with almost 100 people losing their lives and almost 6,500 people injured every day.

We must never fail to appreciate the trade-offs at work when we are pondering precautionary regulation. Ryan Hagemann and I wrote about these issues in our recent Mercatus Center working paper, “Removing Roadblocks to Intelligent Vehicles and Driverless Cars.” That paper, which has been accepted for publication in a forthcoming edition of the Wake Forest Journal of Law & Policy, outlines the many benefits of autonomous or semi-autonomous systems and discusses the potential cost of delaying their widespread adoption.

When it comes to the various security, privacy, and ethical considerations related to intelligent vehicles, Hagemann and I argue that they “need to be evaluated against the backdrop of the current state of affairs, in which tens of thousands of people die each year in auto-related accidents due to human error.” We continue on later in the paper:

Autonomous vehicles are unlikely to create 100 percent safe, crash-free roadways, but if they significantly decrease the number of people killed or injured as a result of human error, then we can comfortably suggest that the implications of the technology, as a whole, are a boon to society. The ethical underpinnings of what makes for good software design and computer-generated responses are a difficult and philosophically robust space for discussion. Given the abstract nature of the intersection of ethics and robotics, a more detailed consideration and analysis of this space must be left for future research. Important work is currently being done on this subject. But those ethical considerations must not derail ongoing experimentation with intelligent-vehicle technology, which could save many lives and have many other benefits, as already noted. Only through ongoing experimentation and feedback mechanisms can we expect to see constant improvement in how autonomous vehicles respond in these situations to further minimize the potential for accidents and harms. (p. 42-3)

As I noted here in another recent essay, “anything we can do to reduce it significantly is something we need to be pursuing with great vigor, even while we continue to sort through some of those challenging ethical issues associated with automated systems and algorithms.”

No Mention of Alternative Solutions

Finally, it is troubling that neither the 60 Minutes segment nor the Markey report spend any time on alternative solutions to these problems. In my forthcoming law review article, “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation,” I devote the second half of the 90-page paper to constructive solutions to the sort of complex challenges raised in the 60 Minutes segment and the Markey report.

Many of the solutions I discuss in that paper — such as education and awareness-building efforts, empowerment solutions, the development of new social norms, and so on – aren’t even touched on by the reports. That’s a real shame because those methods could go a long way toward helping to alleviate many of the issues the reports identify.

We need a better public dialogue than this about the future of connected cars and Internet of Things security. Political scare tactics and techno-panic journalism are not going to help make the world a safer place. In fact, by whipping up a panic and potentially discouraging innovation, reports such as these can actually serve to prevent critical, life-saving technologies that could change society for the better.

Additional Reading

• Making Sure the “Trolley Problem” Doesn’t Derail Life-Saving Innovation, January 15, 2015.
• Muddling Through: How We Learn to Cope with Technological Change, June 30, 2014
• Law review article: “Removing Roadblocks to Intelligent Vehicles and Driverless Cars,” September 17, 2014.
• Law review article: “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation.”
• Ongoing blog series: Moral Panics & Technopanics
• Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)
• Slide Presentation: Policy Issues Surrounding the Internet of Things & Wearable Technology, September 12, 2014
• [Video] Cap Hill Briefing on Emerging Tech Policy Issues (June 2014)
• The Growing Conflict of Visions over the Internet of Things & Privacy, January 14, 2012
• Can We Adapt to the Internet of Things? IAPP Privacy Perspectives, June 19, 2013
• My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013

Sen. Edward J. Markey (D-Mass.) and Rep. Joe Barton (R-Texas) have reintroduced their “Do Not Track Kids Act,” which, according to this press release, “amends the historic Children’s Online Privacy Protection Act of 1998 (COPPA), will extend, enhance and update the provisions relating to the collection, use and disclosure of children’s personal information and establishes new protections for personal information of children and teens.” I quickly scanned the new bill and it looks very similar to their previous bill of the same name that they introduced in 2011 and which I wrote about here and then critiqued at much greater length in a subsequent Mercatus Center working paper (“Kids, Privacy, Free Speech & the Internet: Finding The Right Balance”).

Since not much appears to have changed, I would just encourage you to check out my old working paper for a discussion of why this legislation raises a variety of technical and constitutional issues. But I remain perplexed by how supporters of this bill think they can devise age-stratified online privacy protections without requiring full-blown age verification for all Internet users. And once you go down that path, as I note in my paper, you open up a huge Pandora’s Box of problems that we have already grappled with for many years now. As I noted in my paper, the real irony here is that the “problem with these efforts is that expanding COPPA would require the collection of more personal information about kids and parents. For age verification to be effective at the scale of the Internet, the collection of massive amounts of additional data is necessary.”

But that’s hardly the only problem. How about the free speech rights of teens? They do have some, after all, but this bill could create new limitations on their ability to freely surf the Internet, gather information, and communicate with others.

In the end, I don’t expect this bill to pass; it’s mostly just political grandstanding “for the children.” But it’s a real shame that smart people waste their time with counter-productive and constitutionally suspect measures such as these instead of focusing their energy on more constructive educational efforts and awareness-building approaches to online safety and privacy concerns. Again, read my paper for more details on that alternative approach to these issues.

California’s continuing effort to make the Internet their own digital fiefdom continued this week with Gov. Jerry Brown signed legislation that creates an online “Eraser Button” just for minors. The law isn’t quite as sweeping as the seriously misguided “right to be forgotten” notion I’ve critique here (1, 2, 3, 4) and elsewhere (5, 6) before. In any event, the new California law will:

require the operator of an Internet Web site, online service, online application, or mobile application to permit a minor, who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted on the operator’s Internet Web site, service, or application by the minor, unless the content or information was posted by a 3rd party, any other provision of state or federal law requires the operator or 3rd party to maintain the content or information, or the operator anonymizes the content or information. The bill would require the operator to provide notice to a minor that the minor may remove the content or information, as specified.

As always, the very best of intentions motivate this proposal. There’s no doubt that some digital footprints left online by minors could come back to haunt them in the future, and that concern for their future reputation and privacy is the primary motivation for the measure. Alas, noble-minded laws like these often lead to many unintended consequences, and even some thorny constitutional issues. I’d be hard-pressed to do a better job of itemizing those potential problems than Eric Goldman, of Santa Clara University School of Law, and Stephen Balkam, Founder and CEO of the Family Online Safety Institute, have done in recent essays on the issue.

Goldman’s latest essay in Forbes argues that “California’s New ‘Online Eraser’ Law Should Be Erased” and meticulously documents the many problems with the law. “The law is riddled with ambiguities,” Goldman argues, including the fact that:

First, it may not be clear when a website/app is “directed” to teens rather than adults. The federal law protecting kids’ privacy (Children’s Online Privacy Protection Act, or COPPA) only applies to pre-teens, so this will be a new legal analysis for most websites and apps. Second, the law is unclear about when the minor can exercise the removal right. Must the choice be made while the user is still a minor, or can a centenarian decide to remove posts that are over 8 decades old? I think the more natural reading of the statute is that the removal right only applies while the user is still a minor. If that’s right, the law would counterproductively require kids to make an “adult” decision (what content do they want to stand behind for the rest of their lives) when they are still kids. Third, the removal right doesn’t apply if the kids were paid or received “other consideration” for their content. What does “other consideration” mean in this context? If the marketing and distribution inherently provided by a user-generated content (UGC) website is enough, the law will almost never apply. Perhaps we’ll see websites/apps offering nominal compensation to users to bypass the law.

Goldman also notes that it is unclear why California should even have the right to be regulating the Internet in this fashion. It is his opinion that, “states categorically lack authority to regulate the Internet because the Internet is a borderless electronic network, and websites/apps typically cannot make their electronic packets honor state borders.” I’ve been moving in that direction for the past decade myself since patchwork policies for the Internet — regardless of the issue — can really muck up the free flow of both speech and commerce. I teased out my own concerns about this in my January essay on “The Perils of Parochial Privacy Policies” and argued that the a world of “50 state Internet Bureaus isn’t likely to help the digital economy or serve the long-term interests of consumers.”  Sadly, some privacy advocates seem to be cheering on this sort of parochial regulation anyway without thinking through those consequences. They are probably just happy to have another privacy law on the books, but as I always try to point out not just in this context but also in debates over online child safety, cybersecurity, and digital copyright protection, the ends rarely justify the means. I just don’t understand why more people who care about true Internet freedom aren’t railing against these stepped-up state efforts (especially the flurry of California activity) and calling it out for the threat that it is.

In an essay over on LinkedIn entitled, “Let’s Delete The ‘Eraser Button,'” Stephen Balkam points out another mystery about the new California law: “It’s unclear why this law was even proposed when there exists a range of robust reporting mechanism across the Internet landscape.” Indeed, in this particular case it seems like much of the law is redundant and unnecessary. “What this bill should have been about is education and awareness, about taking responsibility for our actions and using the tools that already exist across the social media landscape,” Balkam says. “Here are three key actions that can already be taken:

Delete – you can take down or delete postings, comments and photos that you have put up on Facebook, Twitter, YouTube and most of the other platforms. Report – anyone can report abusive comments or inappropriate content by others about you or other people and, in many cases, have them removed. Request – you can ask that you be untagged from a photo or that a posting or photo be removed that has been uploaded by someone else. In addition there are in-line privacy settings on many of the leading social media sites, so that you or your teen can choose who sees what.”

Balkam is exactly right. The tools are already there; it’s the education and awareness that are lacking. As I have pointed out countless times here before, there is no need for preemptive regulatory approaches when less-restrictive and potentially equally effective remedies already exist. We just need to do a better job informing users about the existence of those tools and methods and then explain how to take advantage of them. Just adding more layers of law — especially parochial regulation — is not going to make that happen magically. Worse yet, in the process, such laws open the barn door to far more creative and meddlesome forms of state-based Internet regulation that should concern us all.

And now for the really interesting question that I have no answer to: Will anyone step up and challenge this law in court?

The Mercatus Center at George Mason University has just released my new white paper, “The Perils of Classifying Social Media Platforms as Public Utilities.” [PDF] I first presented a draft of this paper last November at a Michigan State University conference on “The Governance of Social Media.” [Video of my panel here.]

In this paper, I note that to the extent public utility-style regulation has been debated within the Internet policy arena over the past decade, the focus has been almost entirely on the physical layer of the Internet. The question has been whether Internet service providers should be considered “essential facilities” or “natural monopolies” and regulated as public utilities. The debate over “net neutrality” regulation has been animated by such concerns.

While that debate still rages, the rhetoric of public utilities and essential facilities is increasingly creeping into policy discussions about other layers of the Internet, such as the search layer. More recently, there have been rumblings within academic and public policy circles regarding whether social media platforms, especially social networking sites, might also possess public utility characteristics. Presumably, such a classification would entail greater regulation of those sites’ structures and business practices.

Proponents of treating social media platforms as public utilities offer a variety of justifications for regulation. Amorphous “fairness” concerns animate many of these calls, but privacy and reputational concerns are also frequently mentioned as rationales for regulation. Proponents of regulation also sometimes invoke “social utility” or “social commons” arguments in defense of increased government oversight, even though these notions lack clear definition.

Social media platforms do not resemble traditional public utilities, however, and there are good reasons why policymakers should avoid a rush to regulate them as such. Treating these nascent digital services as regulated utilities would harm consumer welfare because public utility regulation has traditionally been the archenemy of innovation and competition. Furthermore, treating today’s leading social media providers as digital essential facilities threatens to convert “natural monopoly” or “essential facility” claims into self-fulfilling prophecies. Related proposals to mandate “API neutrality” or enforce a “Separations Principle” on integrated information platforms would be particularly problematic. Such regulation also threatens innovation and investment. Marketplace experimentation in search of sustainable business models should not be made illegal.

Remedies less onerous than regulation are available. Transparency and data-portability policies would solve many of the problems that concern critics, and numerous private empowerment solutions exist for those users concerned about their privacy on social media sites.

Finally, because social media are fundamentally tied up with the production and dissemination of speech and expression, First Amendment values are at stake, warranting heightened constitutional scrutiny of proposals for regulation. Social media providers should possess the editorial discretion to determine how their platforms are configured and what can appear on them.

This 63-page paper can be found on the Mercatus site here, on SSRN, or on Scribd.  I’ve also embedded it below in a Scribd reader. Eventually, a shorter version of this paper will appear as a chapter in a MIT Press book.

Social Networks as Public Utilities [Adam Thierer]

Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have released a discussion draft of their forthcoming “Do Not Track Kids Act of 2011.”  I’ve only had a chance to give it a quick read, but the bill, which is intended to help safeguard kids’ privacy online, has two major regulatory provisions of interest:

(1) New regulations aimed at limiting data collection about children and teens, including (a) expansion of the Children’s Online Privacy Protection Act (COPPA) of 1998, which would build upon COPPA’s “verifiable parental consent” model; and (b) a new “Digital Marketing Bill of Rights for Teens;” and (c) limits on collection of geolocation information about both children and teens.

(2) An Internet “Eraser Button” for Kids to help kids wipe out embarrassing facts they have place online but later come to regret.  Specifically, the bill would require online operators “to the extent technologically feasible, to implement mechanisms that permit users of the website, service, or application of the operator to erase or otherwise eliminate content that is publicly available through the website, service, or application and contains or displays personal information of children or minors.” This is loosely modeled on a similar idea currently being considered in the European Union, a so-called “right to be forgotten” online.

Both of these proposals were originally floated by the child safety group Common Sense Media (CSM) in a report released last December.  It’s understandable why some policymakers and child safety advocates like CSM would favor such steps. They fear that there is simply too much information about kids online today or that kids are voluntarily placing far too much personal information online that could come back to haunt them in the future. These are valid concerns, but there are both practical and principled reasons to be worried about the regulatory approach embodied in the Markey-Barton “Do Not Track Kids Act”:

• It is very hard to imagine how most elements of this new “Do Not Track Kids” regulatory regime would work without requiring mandatory online age verification of all websurfers, which would raise serious constitutional issues. Previous efforts to age-verify websurfers (namely, The Child Online Protection Act or COPA) have been found to violate the First Amendment and also to raise different privacy concerns. By contrast, the Children’s Online Privacy Protection Act (COPPA) partially avoided this problem by limiting its coverage to kids 12 and under and did not mandate strict age verification. The Markey-Barton bill seems to imagine that the COPPA regime can simply be expanded without serious constitutional scrutiny (or economic cost, for that matter). The sponsors are wrong. Their bill puts COPPA on a collision course with COPA because it would necessitate expanded age verification in order to be effective.
• An Internet “Eraser Button” is similarly challenged by practical realities and principled concerns. It’s unclear how to even enforce such a notion. Moreover, if it could be enforced, it would raise profound free speech issues since it is tantamount to digital censorship and specifically threatens press freedoms. And the economic costs of such a mandate — especially on smaller operators — could be quite significant. See my recent Forbes essay for a discussion of those problems.
• Although some of the concerns that motivate the “Do Not Track Kids Act” are understandable, there are two very different models for how we might address these problems: ‘Legislate & Regulate’ vs. ‘Educate & Empower.’ The latter is the superior framework for dealing with these concerns in light of the practical and principled problems associated with the former.

I will expand upon these concerns in a follow-up post, but for now I would direct your attention to the 36-page white paper that Berin Szoka and I released two years ago on this topic:”COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.” It explains why this issue is so complicated and raises so many constitutional red flags.

Additional Reading:

on COPA:

• Son of COPA?: H.R. 4059, “The Online Age Verification and Child Safety Act” – by Adam Thierer
• Closing the Book on COPA? – by Adam Thierer
• COPA Struck Down (Part 1): Again! – by Adam Thierer
• COPA Struck Down (Part 2): The Effectiveness of Filtering & Age Verification – by Adam Thierer
• COPA Struck Down (Part 3): Implications for Age Verification & Social Networking – by Adam Thierer

on Eraser Button:

• Erasing Our Past On The Internet – by Adam Thierer [Forbes essay]
• Europe Reimagines Orwell’s Memory Hole – by Larry Downes
• “Privacy” as Censorship: Fleischer Dismantles the EU’s “Right to Forget” – by Berin Szoka
• The Conflict Between a “Right to Be Forgotten” & Speech / Press Freedoms – by Adam Thierer

As part of what Politico’s Tony Romm calls this week’s “all-out online privacy blitzkrieg,” Rep. Ed Markey (D-Mass) announced he would be proposing legislation aimed at better protecting kids from the supposed evils of online “tracking” and marketing.  Apparently, Rep. Markey’s effort will build on the “Do Not Track” proposal that is garnering so much attention this week.

Lost in the smoke surrounding that privacy blitzkrieg is an important distinction between these two proposals:  There is a very big difference between re-engineering browsers and websites to comply with a “Do Not Track” mandate and a new regulatory scheme aimed at identifying the ages or identities of individuals using certain online sites or services.  Namely, the latter likely necessitates some sort of mandatory age verification or online authentication regime for the Internet.

Let’s take a step back for some context.  Markey helped author the Children’s Online Privacy Protection Act (COPPA) of 1998, which dealt with the collection of information for kids under 13 online. But COPPA wasn’t a strict age verification or online authentication regime for the Internet.  Instead, COPPA mandated a “verifiable parental consent” regime which the Federal Trade Commission (FTC) later enforced using a so-called “sliding scale” approach.  Essentially, sites that are “directed at” kids under 13 are supposed to get parental consent using a variety of mechanisms (credit cards, sign and fax forms, phone calls, etc) before any collection of information takes place. Of course, there are some devilish details here regarding what counts as “directed at” or “collection,” but the crucial point here is that COPPA does not require the formal authentication of web surfer identities or ages — whether they kids or parents.

So, the really tricky question here is how one goes about expanding the COPPA regulatory regime without stumbling into the legal thicket that tied up the Child Online Protection Act (COPA) of 1998, a law which did mandate such an authentication regime and, as a result, witnessed a grueling decade-long legal battle over its constitutionality.  Ultimately, the courts rejected COPA as inconsistent with America’s tradition of anonymous speech, something central to our evolution as a democracy, pre-dating even the First Amendment that protects it from government interference. Thus, we have, at least for now, closed the book on COPA. But are we about to re-open it with COPPA expansion a la the forthcoming Markey bill?

At yesterday’s House Energy & Commerce hearing on “Do Not Track” where he announced his intention to drop legislation, Rep. Markey didn’t offer concrete details about how his bill would work, but he did go out of his way to praise the work of Common Sense Media (CSM) on this front.  This implies his plan will be in line with what CSM has already advocated.  As I noted in this essay in July, CSM recently submitted a filing to the FTC advocating expanding COPPA’s age scope to cover all kids under 18 as well as opt-in mandates for the collection and use of any “personal information” or “behavioral marketing.”

As I pointed out in that earlier essay, as well as in this beefy paper with Berin Szoka, “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech,” there are many profound questions raised by any proposal to expand COPPA along the lines that Common Sense Media and presumably now Rep. Markey suggest.  Here are a few questions that privacy advocates and policymakers need to consider before heading down this path:

1. What is the supposed harm that requires such a significant expansion of Internet regulation? Why the need for a massive expansion of federal regulation in this area?  CSM never makes it clear in its FTC filing. Are there corresponding benefits to be considered? Aren’t other values or principles at stake here?
2. What are the free speech implications of their proposals. Extending COPPA to cover older teens will require websites used by large numbers of adults to age verify all users. This raises the same First Amendment concerns about government interference with anonymous communication that caused COPA to be struck down by the courts as unconstitutional. Thus, another lengthy legal battle likely awaits.
3. Is it the case that — in the name of protecting privacy — this approach might demand a massive amount of additional information be collected to facilitate the regulatory regime? Expanded age verification mandates would mean more information has to be collected about kids and their parents, but also about adults who, after all, have to prove they aren’t children!  That means a honey pot of new information would be created and held by someone, potentially the government itself.
4. How would such a proposal cope with all the sites or services that allow voluntary sharing of personal information by children? In an era of widespread user-generated content, instant messaging, online gaming, and other forms of digital interaction, expanded verifiable parental consent requirements become a formidable regulatory problem.
5. Don’t older teens have some speech rights? The Common Sense Media proposal implies that teens are utterly incapable of making decisions for themselves until the day they turn 18.  Never mind that most U.S. states set their age of consent at 16 or 17, for example.  These teens are people who we already allow to hold jobs and drive cars and who will shortly be in college and then eligible to vote and serve in our Armed Forces.  Yet, the CSM approach would require “verifiable parental consent” before older teens could read or look at anything online.
6. What will the economic impact be of this mandate on smaller websites that cater to kids & teens? If expanded regulation crowds out smaller start-ups, the resulting level of creativity and innovation in this market will suffer.  Thus, COPPA expansion could lead to unnecessary industry consolidation as smaller operators are forced to sell to bigger player who can cover regulatory compliance costs.
7. What’s the potential cost to consumers / parents? Expanding verifiable parental consent requirements will no doubt burden the creators or various sites and services, but those costs will ultimately be borne by the public when they are passed along in the form of a fee for services, many of which were previously free of charge.
8. Aren’t there better, less burdensome, ways to protect kids’ privacy online? There are many beneficial steps being taken by site operators today that make kids safer online. If we assume that COPPA is the most important approach to keeping kids safe online, we are making a huge mistake. COPPA is probably one of the least important things that keeps kids safe online. It’s what sites do after kids get into their online communities that is really important because—guess what!—kids are going to get in to social networking communities and other sites.  There are many important steps being taken by countless online sites and communities take to make sure they offer more safe and secure environments for kids. In particular, beyond basic parental controls, moderation and intervention efforts by site operators are increasing within social networking sites, virtual worlds, and many other sites to ensure that they offer such “well lit” online neighborhoods. We should be encouraging a lot more of that and working to find new “oversight and intervention” methods to deal with problems when they pop up. Common Sense Media has done a lot of great work on this front and should have focused on how those methods could be improved instead of how the create a more cumbersome, intrusive, expensive, and ultimately unworkable age verification regulatory regime for the Internet.

As Rep. Markey and his fellow policymakers move forward with any plan to expand COPPA, they should carefully weight these considerations against the supposed evils of online data collection, advertising, and marketing.  It’s certainly true that greater care must be taken by advertisers and marketers when dealing with kids, but education, user / parental empowerment, and industry self-regulation may be the better approach here.

Joe Tighe, an IT Infrastructure Consultant, has an interesting essay up over at Circle ID.  He takes a hard look at Rep. Ed Markey’s proposed “Internet Freedom Preservation Act of 2009” and makes an argument that many of us here have made ad nauseum — regulation involves trade-offs and unintended consequences:

One of the main problems with the proposed legislation is the lack of recognition of costs to provide internet services. Some applications, such as video are bandwidth hogs and require significantly greater network infrastructure and associated costs to deliver when compared to the network infrastructure costs to deliver email access. Under the proposed legislation, services providers would have to charge the low bandwidth users (casual browsers and email readers) more to offset the higher costs of the video users. One result of the proposed legislation would be less consumer choice and a hidden “bandwidth hog tax”. Today, most service providers offer tiered products and pricing to consumers and businesses to account for the additional costs to deliver bandwidth intensive applications. You pay more if you use more under the tiered pricing model. These are not “discriminatory” practices. Rather, tiered pricing and application prioritization are sound business models delivering reliable, profitable product choices and unburdened internet ecommerce. Consumers and businesses currently have choices. The proposed legislation takes away choice and increases costs to consumers and businesses.

Quite right.  Read the whole essay here.

Well, I know I’m starting to sound like a broken record on this point, but it never ceases to amaze me how some policymakers get away with speaking so poorly of parents during policy debates about media content. First, you will recall that, in late April, the Federal Communications Commission released a report calling for the regulation of violent video content on the grounds that parental control tools and efforts were ineffective. (For details, see my essay: “FCC Violence Report Concludes that Parenting Doesn’t Work.”) Then, just last week, at a House Commerce hearing on “The Images Kids See on the Screen,” Rep. Ed Markey and several other members of the committee argued that parents just couldn’t cope with modern media and that government needed to step in on their behalf. But nothing could top the performance of Sen. John Rockefeller at today’s Senate Commerce Committee hearing on “The Impact of Media Violence on Children.”

Sen. Rockefeller opened the hearing with a verbal tirade “repeatedly bashing TV and its executives as though they were Dan Aykroyd’s Irwin Mainway SNL character out to sell bags-o-glass to unsuspecting kids,” as John Eggerton of Broadcasting & Cable noted. Sen. Rockefeller, who is planning to soon introduce legislation to regulate “excessively violent” television programming, said that the industry is being “cowardly” and “debasing our culture” in a “never-ending race to the bottom.”

Rockefeller went on to say that the industry was “blaming parents” for not dealing with the problem of objectionable content with private controls and methods instead of censoring content themselves before it ever got on air. “Parents do not want more tools,” he argued, “they want the content off the air.” Of course, that point is debatable as I’ll discuss more below.

But what Rockefeller said next was really telling. After claiming that Americans don’t want more tools to handle this on their own, Rockefeller launched into full-blown attack mode against parents and the act of parenting: “There are many parents who cannot make these things work, or they are just not there [in the home]… Americans don’t know technology well,” he said. And, most shockingly, Rockefeller concluded that, “Unless you can show that parental responsibility works, I think we have to try something else.”

I don’t know about you, but there’s something deeply insulting and troubling about that statement. As I mentioned above, Sen. Rockefeller suggested that industry is “blaming parents,” but it sounds to me like he’s the one blaming them and actually going further by accusing them of not being able to do their jobs.

Regardless, what are we to make of Rockefeller’s other contention that “Parents do not want more tools,” he argued, “they want the content off the air.” There are three problems with this argument.

First, as I discussed in great detail in this essay just yesterday, many recent polls confirm what we already know to be true: Parents are parenting. They are learning to cope with new media realities and adapt to them to make sure they can monitor and control their children’s media experiences. For example, the TV Watch poll released just this week revealed that 73 percent of parents monitor what their children watch, including 87 percent of parents whose children are ages 0-10. Also, 86 percent of parents believe that more parental involvement is the best way to keep kids from seeing what they shouldn’t see on television. Those results seem to strongly contradict Sen. Rockefeller’s contention that parental responsibility doesn’t work.

Second, we know that it cannot possibly be the case, as the Senator suggests, that all parents “just want the content off the air.” After all, I’m a parent of two young kids and some of the things that Sen. Rockefeller wants censored are my favorite shows and they are among the most popular shows on television today. (ex: CSI, The Shield, Rescue Me). Tens of millions of American parents like my wife and me tune into these shows each week and enjoy them. Are they fit for kids? Of course not, and like most other parents, my wife and I take steps to ensure our kids cannot watch them. But I think the millions of American parents who enjoy those programs would be deeply insulted by Senator Rockefeller’s suggestion that we all “just want the content off the air.” That’s a decision for us to make for ourselves, Senator.

Finally, not every home in America has kids in residence but the Senator wants to impose regulations that would treat everyone as if they were children. The majority of U.S. households, in fact, are made up entirely of adults. According to the Census Bureau, only one-third of U.S. households include children under the age of 18. Under Sen. Rockefeller’s logic, however, we should be treating all homes as if children were present and regulating television so that it is only fit for a child. I don’t know about the rest of you parents out there, but I can’t live on just Sesame Street and Mr. Rogers alone!

Sen. Rockefeller is certainly free to get on his moral high-horse and preach to us about his vision for television: highly sanitized and apparently full of only documentaries and nature programs (just make sure none of them are about war or animals fighting each other to the death!) But it is quite another thing to mandate that vision from above using the heavy hand of government regulation as the Senator is threatening.

If the Senator wants to take a more constructive (and constitutional) approach, he might want to consider doing more to help educate parents about the many excellent parental control tools at their disposal. (Hey Senator.. send them my book! It has over 100 pages of parental control tools, tips and methods to help them.) Heck, if he doesn’t think that’s enough, then he can propose government subsidies for TiVos, personal video recorders, DVD players and VCRs so that parents can perfectly tailor TV programming to their own values!

But Senator, don’t you dare suggest that all America parents are incompetent or that we all want media censored to be in line with your values. That is deeply insulting and blatantly un-American.