Yesterday, the Federal Trade Commission (FTC) released its long-awaited report on “The Internet of Things: Privacy and Security in a Connected World.” The 55-page report is the result of a lengthy staff exploration of the issue, which kicked off with an FTC workshop on the issue that was held on November 19, 2013.

I’m still digesting all the details in the report, but I thought I’d offer a few quick thoughts on some of the major findings and recommendations from it. As I’ve noted here before, I’ve made the Internet of Things my top priority over the past year and have penned several essays about it here, as well as in a big new white paper (“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation”) that will be published in the Richmond Journal of Law & Technology shortly. (Also, here’s a compendium of most of what I’ve done on the issue thus far.)

I’ll begin with a few general thoughts on the FTC’s report and its overall approach to the Internet of Things and then discuss a few specific issues that I believe deserve attention.

Big Picture, Part 1: Should Best Practices Be Voluntary or Mandatory?

Generally speaking, the FTC’s report contains a variety of “best practice” recommendations to get Internet of Things innovators to take steps to ensure greater privacy and security “by design” in their products. Most of those recommended best practices are sensible as general guidelines for innovators, but the really sticky question here continued to be this: When, if ever, should “best practices” become binding regulatory requirements?

The FTC does a bit of a dance when answering that question. Consider how, in the executive summary of the report, the Commission answers the question regarding the need for additional privacy and security regulation: “Commission staff agrees with those commenters who stated that there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature.” But, just a few lines later, the agency (1) “reiterates the Commission’s previous recommendation for Congress to enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach;” and (2) “recommends that Congress enact broad-based (as opposed to IoT-specific) privacy legislation.”

Here and elsewhere, the agency repeatedly stresses that it is not seeking IoT-specific regulation; merely “broad-based” digital privacy and security legislation. The problem is that once you understand what the IoT is all about you come to realize that this largely represents a distinction without a difference. The Internet of Things is simply the extension of the Net into everything we own or come into contact with. Thus, this idea that the agency is not seeking IoT-specific rule sounds terrific until you realize that it is actually seeking something far more sweeping: greater regulation of all online / digital interactions. And because “the Internet” and “the Internet of Things” will eventually (if they are not already) be considered synonymous, this notion that the agency is not proposing technology-specific regulation is really quite silly.

Now, it remains unclear whether there exists any appetite on Capitol Hill for “comprehensive” legislation of any variety – although perhaps we’ll learn more about that possibility when the Senate Commerce Committee hosts a hearing on these issues on February 11. But at least thus far, “comprehensive” or “baseline” digital privacy and security bills have been non-starters.

And that’s for good reason in my opinion: Such regulatory proposals could take us down the path that Europe charted in the late 1990s with onerous “data directives” and suffocating regulatory mandates for the IT / computing sector. The results of this experiment have been unambiguous, as I documented in congressional testimony in 2013. I noted there how America’s Internet sector came to be the envy of the world while it was hard to name any major Internet company from Europe. Whereas America embraced “permissionless innovation” and let creative minds develop one of the greatest success stories in modern history, the Europeans adopted a “Mother, May I” regulatory approach for the digital economy. America’s more flexible, light-touch regulatory regime leaves more room for competition and innovation compared to Europe’s top-down regime. Digital innovation suffered over there while it blossomed here.

That’s why we need to be careful about adopting the sort of “broad-based” regulatory regime that the FTC recommends in this and previous reports.

Big Picture, Part 2: Does the FTC Really Need More Authority?

Something else is going on in this report that has also been happening in all the FTC’s recent activity on digital privacy and security matters: The agency has been busy laying the groundwork for its own expansion.

In this latest report, for example, the FTC argues that

Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections… The Commission has continued to recommend that Congress enact strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.

In other words, this agency wants more authority. And we are talking about sweeping authority here that would transcend its already sweeping authority to police “unfair and deceptive practices” under Section 5 of the FTC Act. Let’s be clear: It would be hard to craft a law that grants an agency more comprehensive and open-ended consumer protection authority than Section 5. The meaning of those terms — “unfairness” and “deception” — has always been a contentious matter, and at times the agency has abused its discretion by exploiting that ambiguity.

Nonetheless, Sec. 5 remains a powerful enforcement tool for the agency and one that has been wielded aggressively in recently years to police digital economy giants and small operators alike. Generally speaking, I’m alright with most Sec. 5 enforcement, especially since that sort of retrospective policing of unfair and deceptive practices is far less likely to disrupt permissionless innovation in the digital economy. That’s because it does not subject digital innovators to the sort of “Mother, May I” regulatory system that European entrepreneurs face. But an expansion of the FTC’s authority via more “comprehensive, baseline” privacy and security regulatory policies threatens to convert America’s more sensible bottom-up and responsive regulatory system into the sort of innovation-killing regime we see on the other side of the Atlantic.

Here’s the other thing we can’t forget when it comes to the question of what additional authority to give the FTC over privacy and security matters: The FTC is not the end of the enforcement story in America. Other enforcement mechanism exist, including: privacy torts, class action litigation, property and contract law, state enforcement agencies, and other targeted privacy statutes. I’ve summarized all these additional enforcement mechanisms in my recent law review article referenced above. (See section VI of the paper.)

FIPPS, Part 1: Notice & Choice vs. Use-Based Restrictions

Next, let’s drill down a bit and examine some of the specific privacy and security best practices that the agency discusses in its new IoT report.

The FTC report highlights how the IoT creates serious tensions for many traditional Fair Information Practice Principles (FIPPs). The FIPPs generally include: (1) notice, (2) choice, (3) purpose specification, (4) use limitation, and (5) data minimization. But the report is mostly focused on notice and choice as well as data minimization.

When it comes to notice and choice, the agency wants to keep hope alive that it will still be applicable in an IoT world. I’m sympathetic to this effort because it is quite sensible for all digital innovators to do their best to provide consumers with adequate notice about data collection practices and then give them sensible choices about it. Yet, like the agency, I agree that “offering notice and choice is challenging in the IoT because of the ubiquity of data collection and the practical obstacles to providing information without a user interface.”

The agency has a nuanced discussion of how context matters in providing notice and choice for IoT, but one can’t help but think that even they must realize that the game is over, to some extent. The increasing miniaturization of IoT devices and the ease with which they suck up data means that traditional approaches to notice and choice just aren’t going to work all that well going forward. It is almost impossible to envision how a rigid application of traditional notice and choice procedures would work in practice for the IoT.

Relatedly, as I wrote here last week, the Future of Privacy Forum (FPF) recently released a new white paper entitled, “A Practical Privacy Paradigm for Wearables,” that notes how FIPPs “are a valuable set of high-level guidelines for promoting privacy, [but] given the nature of the technologies involved, traditional implementations of the FIPPs may not always be practical as the Internet of Things matures.” That’s particularly true of the notice and choice FIPPS.

But the FTC isn’t quite ready to throw in the towel and make the complete move toward “use-based restrictions,” as many academics have. (Note: I have lengthy discussion of this migration toward use-based restrictions in my law review article in section IV.D.). Use-based restrictions would focus on specific uses of data that are particularly sensitive and for which there is widespread agreement they should be limited or disallowed altogether. But use-based restrictions are, ironically, controversial from both the perspective of industry and privacy advocates (albeit for different reasons, obviously).

The FTC doesn’t really know where to go next with use-based restrictions. The agency says that, on one hand, “has incorporated certain elements of the use-based model into its approach” to enforcement in the past. On the other hand, the agency says it has concerns “about adopting a pure use-based model for the Internet of Things,” since it may not go far enough in addressing the growth of more widespread data collection, especially of more sensitive information.

In sum, the agency appears to be keeping the door open on this front and hoping that a best-of-all-worlds solution miraculously emerges that extends both notice and choice and use-based limitations as the IoT expands. But the agency’s new report doesn’t give us any sort of blueprint for how that might work, and that’s likely for good reason: because it probably won’t work at that well in practice and there will be serious costs in terms of lost innovation if they try to force unworkable solutions on this rapidly evolving marketplace.

FIPPS, Part 2: Data Minimization

The biggest policy fight that is likely to come out of this report involves the agency’s push for data minimization. The report recommends that, to minimize the risks associated with excessive data collection:

companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. However, recognizing the need to balance future, beneficial uses of data with privacy protection, staff’s recommendation on data minimization is a flexible one that gives companies many options. They can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or deidentify the data they collect. If a company determines that none of these options will fulfill its business goals, it can seek consumers’ consent for collecting additional, unexpected categories of data…

This is an unsurprising recommendation in light of the fact that, in previous major speeches on the issue, FTC Chairwoman Edith Ramirez argued that, “information that is not collected in the first place can’t be misused,” and that:

The indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the off chance that it might prove useful is not consistent with privacy best practices. And remember, not all data is created equally. Just as there is low quality iron ore and coal, there is low quality, unreliable data. And old data is of little value.

In my forthcoming law review article, I discussed the problem with such reasoning at length and note:

if Chairwoman Ramirez’s approach to a preemptive data use “commandment” were enshrined into a law that said, “Thou shall not collect and hold onto personal information unnecessary to an identified purpose.” Such a precautionary limitation would certainly satisfy her desire to avoid hypothetical worst-case outcomes because, as she noted, “information that is not collected in the first place can’t be misused,” but it is equally true that information that is never collected may never lead to serendipitous data discoveries or new products and services that could offer consumers concrete benefits. “The socially beneficial uses of data made possible by data analytics are often not immediately evident to data subjects at the time of data collection,” notes Ken Wasch, president of the Software & Information Industry Association. If academics and lawmakers succeed in imposing such precautionary rules on the development of IoT and wearable technologies, many important innovations may never see the light of day.

FTC Commissioner Josh Wright issued a dissenting statement to the report that lambasted the staff for not conducting more robust cost-benefit analysis of the new proposed restrictions, and specifically cited how problematic the agency’s approach to data minimization was. “[S]taff merely acknowledges it would potentially curtail innovative uses of data. . . [w]ithout providing any sense of the magnitude of the costs to consumers of foregoing this innovation or of the benefits to consumers of data minimization,” he says. Similarly, in her separate statement, FTC Commissioner Maureen K. Ohlhausen worried about the report’s overly precautionary approach on data minimization when noting that, “without examining costs or benefits, [the staff report] encourages companies to delete valuable data — primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive,” she concludes.

Regardless, the battle lines have been drawn by the FTC staff report as the agency has made it clear that it will be stepping up its efforts to get IoT innovators to significantly slow or scale back their data collection efforts. It will be very interesting to see how the agency enforces that vision going forward and how it impacts innovation in this space. All I know is that the agency has not conducted a serious evaluation here of the trade-offs associated with such restrictions. I penned another law review article last year offering “A Framework for Benefit-Cost Analysis in Digital Privacy Debates” that they could use to begin that process if they wanted to get serious about it.

The Problem with the “Regulation Builds Trust” Argument

One of the interesting things about this and previous FTC reports on privacy and security matters is how often the agency premises the case for expanded regulation on “building trust.” The argument goes something like this (as found on page 51 of the new IoT report): “Staff believes such legislation will help build trust in new technologies that rely on consumer data, such as the IoT. Consumers are more likely to buy connected devices if they feel that their information is adequately protected.”

This is one of those commonly-heard claims that sounds so straight-forward and intuitive that few dare question it. But there are problems with the logic of the “we-need-regulation-to-build-trust-and boost adoption” arguments we often hear in debates over digital privacy.

First, the agency bases its argument mostly on polling data. “Surveys also show that consumers are more likely to trust companies that provide them with transparency and choices,” the report says. Well, of course surveys say that! It’s only logical that consumers will say this, just as they will always say they value privacy and security more generally when asked. You might as well ask people if they love their mothers!

But what consumers claim to care about and what they actually do in the real-world are often two very different things. In the real-world, people balance privacy and security alongside many other values, including choice, convenience, cost, and more. This leads to the so-called “privacy paradox,” or the problem of many people saying one thing and doing quite another when it comes to privacy matters. Put simply, people take some risks — including some privacy and security risks — in order to reap other rewards or benefits. (See this essay for more on the problem with most privacy polls.)

Second, online activity and the Internet of Things are both growing like gangbusters despite the privacy and security concerns that the FTC raises. Virtually every metric I’ve looked at that track IoT activity show astonishing growth and product adoption, and projections by all the major consultancies that have studied this consistently predict the continued rapid growth of IoT activity. Now, how can this be the case if, as the FTC claims, we’ll only see the IoT really take off after we get more regulation aimed at bolstering consumer trust? Of course, the agency might argue that the IoT will grow at an even faster clip than it is right now, but there is no way to prove one way or the other. In any event, the agency cannot possible claim that the IoT isn’t already growing at a very healthy clip — indeed, a lot of the hand-wringing the staff engages in throughout the report is premised precisely on the fact that the IoT is exploding faster that our ability to keep up with it!! In reality, it seems far more likely that cost and complexity are the bigger impediments to faster IoT adoption, just as cost and complexity have always been the factors weighing most heavily on the adoption of other digital technologies.

Third, let’s say that the FTC is correct – and it is – when it says that a certain amount of trust is needed in terms of IoT privacy and security before consumers are willing to use more of these devices and services in their everyday lives. Does the agency imagine that IoT innovators don’t know that? Are markets and consumers completely irrational? The FTC says on page 44 of the report that, “If a company decides that a particular data use is beneficial and consumers disagree with that decision, this may erode consumer trust.” Well, if such a mismatch does exist, then the assumption should be that consumers can and will push back, or seek out new and better options. And other companies should be able to sense the market opportunity here to offer a more privacy-centric offering for those consumers who demand it in order to win their trust and business.

Finally, and perhaps most obviously, the problem with the argument that increased regulation will help IoT adoption is that it ignores how the regulations put in place to achieve greater “trust” might become so onerous or costly in practice that there won’t be as many innovations for us to adopt to begin with! Again, regulation — even very well-intentioned regulation — has costs and trade-offs.

In any event, if the agency is going to premise the case for expanded privacy regulation on this notion, they are going to have to do far more to make their case besides simply asserting it.

Once Again, No Appreciation of the Potential for Societal Adaptation

Let’s briefly shift to a subject that isn’t discussed in the FTC’s new IoT report at all.

Regular readers may get tired of me making this point, but I feel it is worth stressing again: Major reports and statements by public policymakers about rapidly-evolving emerging technologies are always initially prone to stress panic over patience. Rarely are public officials willing to step-back, take a deep breath, and consider how a resilient citizenry might adapt to new technologies as they gradually assimilate new tools into their lives.

That is really sad, when you think about it, since humans have again and again proven capable of responding to technological change in creative ways by adopting new personal and social norms. I won’t belabor the point because I’ve already written volumes on this issue elsewhere. I tried to condense all my work into a single essay entitled, “Muddling Through: How We Learn to Cope with Technological Change.” Here’s the key takeaway:

humans have exhibited the uncanny ability to adapt to changes in their environment, bounce back from adversity, and learn to be resilient over time. A great deal of wisdom is born of experience, including experiences that involve risk and the possibility of occasional mistakes and failures while both developing new technologies and learning how to live with them. I believe it wise to continue to be open to new forms of innovation and technological change, not only because it provides breathing space for future entrepreneurialism and invention, but also because it provides an opportunity to see how societal attitudes toward new technologies evolve — and to learn from it. More often than not, I argue, citizens have found ways to adapt to technological change by employing a variety of coping mechanisms, new norms, or other creative fixes.

Again, you almost never hear regulators or lawmakers discuss this process of individual and social adaptation even though they must know there is something to it. One explanation is that every generation has their own techno-boogeymen and lose faith in the ability of humanity to adapt to it.

To believe that we humans are resilient, adaptable creatures should not be read as being indifferent to the significant privacy and security challenges associated with any of the new technologies in our lives today, including IoT technologies. Overly-exuberant techno-optimists are often too quick to adopt a “Just-Get-Over-It!” attitude in response to the privacy and security concerns raised by others. But it is equally unforgivable for those who are worried about those same concerns to utterly ignore the reality of human adaptation to new technologies realities.

Why are Educational Approaches Merely an Afterthought?

One final thing that troubled me about the FTC report was the way consumer and business education is mostly an afterthought. This is one of the most important roles that the FTC can and should play in terms of explaining potential privacy and security vulnerabilities to the general public and product developers alike.

Alas, the agency devotes so much ink to the more legalistic questions about how to address these issues, that all we end up with in the report is this one paragraph on consumer and business education:

Consumers should understand how to get more information about the privacy of their IoT devices, how to secure their home networks that connect to IoT devices, and how to use any available privacy settings. Businesses, and in particular small businesses, would benefit from additional information about how to reasonably secure IoT devices. The Commission staff will develop new consumer and business education materials in this area.

I applaud that language, and I very much hope that the agency is serious about plowing more effort and resources into developing new consumer and business education materials in this area. But I’m a bit shocked that the FTC report didn’t even bother mentioning the excellent material already available on the “On Guard Online” website it helped created with a dozen other federal agencies. Worse yet, the agency failed to highlight the many other privacy education and “digital citizenship” efforts that are underway today to help on this front. I discuss those efforts in more detail in the closing section of my recent law review article.

I hope that the agency spends a little more time working on the development of new consumer and business education materials in this area instead of trying to figure out how to craft a quasi-regulatory regime for the Internet of Things. As I noted last year in this Maine Law Review article, that would be a far more productive use of the agency’s expertise and resources. I argued there that “policymakers can draw important lessons from the debate over how best to protect children from objectionable online content” and apply them to debates about digital privacy. Specifically, after a decade of searching for legalistic solutions to online safety concerns — and convening a half-dozen blue ribbon task forces to study the issue — we finally saw a rough consensus emerge that no single “silver-bullet” technological solutions or legal quick-fixes would work and that, ultimately, education and empowerment represented the better use of our time and resources. What was true for child safety is equally true for privacy and security for the Internet of Things.

It’s a shame the FTC staff squandered the opportunity it had with this new report to highlight all the good that could be done by getting more serious about focusing first on those alternative, bottom-up, less costly, and less controversial solutions to these challenging problems. One day we’ll all wake up and realize that we spent a lost decade debating legalistic solutions that were either technically unworkable or politically impossible. Just imagine if all the smart people who were spending all their time and energy on those approaches right now were instead busy devising and pushing educational and empowerment-based solutions instead!

One day we’ll get there. Sadly, if the FTC report is any indication, that day is still a ways off.

I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)

This is the second of two complimentary law review articles I am releasing this year dealing with privacy policy. The first, “The Pursuit of Privacy in a World Where Information Control is Failing,” was published in Vol. 36 of the Harvard Journal of Law & Public Policy this Spring. (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals.

However, precisely because those benefits and costs remain so remarkably subjective and contentious, I argue that we should look to employ less-restrictive solutions — education and awareness efforts, empowerment tools, alternative enforcement mechanisms, etc. — before resorting to potentially costly and cumbersome legal and regulatory regimes that could disrupt the digital economy and the efficient provision of services that consumers desire. This model has worked fairly effectively in the online safety context and can be applied to digital privacy concerns as well.

The article is organized as follows. Part I examines the use of BCA by federal agencies to assess the utility of government regulations. Part II considers how BCA can be applied to online privacy regulation and the challenges federal officials face when determining the potential benefits of regulation. Part III then elaborates on the cost considerations and other trade-offs that regulators face when evaluating the impact of privacy-related regulations. Part IV discusses alternative measures that can be taken by government regulators when attempting to address online safety and privacy concerns. This article concludes that policymakers must consider BCA when proposing new rules but also recognize the utility of alternative remedies such as education and awareness campaigns, to address consumer concerns about online safety and privacy.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and my Mercatus author page.

A Framework for Benefit-Cost Analysis in Digital Privacy Debates by Adam Thierer

I’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complimentary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

The new Harvard Journal article is divided into three major sections. Part I focuses on some of normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.

If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. A so-called “3-E” solution that combines consumer education, user empowerment, and selective enforcement of existing targeted laws and other legal standards (torts, anti-fraud laws, contract law, and so on), has helped society achieve a reasonable balance in terms of addressing online safety while also safeguarding other important values, especially freedom of expression.  That does not mean perfect online safety exists, not only because the term means very different things to different people, but because it would be impossible to achieve in the first instance as a result of information control complications. But the “3-E” approach has the advantage of enhancing online safety without sweeping regulations being imposed that could undermine the many benefits information networks and online services offer individuals and society.  This same framework can guide online privacy decisions—both at the individual household level and the public policy level.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and it should be available on the HJLPP website shortly. [Update 4/16: It is now live on the site.] In coming weeks, I hope to do some blogging that builds on the themes and arguments I develop in this article.

The Pursuit of Privacy in a World Where Information Control is Failing

by Adam Thierer & Berin Szoka, Progress Snaphot 6.1

Stephanie Clifford of the  New York Times posted a very interesting article this week summarizing a recent “on-the-record chat” the Times staff had with Federal Trade Commission (FTC) chairman Jon Leibowitz and FTC Bureau of Consumer Protection chief David Vladeck.  The interview [discussed by Braden here] is profoundly important in that it reveals an alarming disconnect regarding the relationship between “privacy” regulation and the future of media, which were the subjects of their discussion with Times staff.  Namely, Leibowitz and Vladeck apparently fail to appreciate how the delicate balance between commercial advertising and journalism is at risk precisely because of the sort of regulations they apparently are ready to adopt.  Because the value of online advertising depends on data about its effectiveness and consumers’ likely interests, and because advertising is indispensable to funding media, what’s ultimately at stake here is nothing short of the future of press freedom.

The “Day of Reckoning” Is Upon Us

Leibowitz and Vladeck spend the first half of The Times interview wringing their hands about “privacy policies,” the declarations made by websites and advertising networks about their data collection and use practices (for which the FTC can and must hold them accountable).  But the two feel that privacy policies don’t adequately inform consumers.  Chairman Leibowitz claims that online companies “haven’t given consumers effective notice, so they can make effective choices.”  And Mr. Vladeck states that advise-and-consent models “depended on the fiction that people were meaningfully giving consent.” But he and the FTC seem ready to abandon the notice and choice model because the “literature is clear” that few people read privacy policies, Vladeck told the Times.  He and Leibowitz continue:

“Philosophically, we wonder if we’re moving to a post-disclosure era and what that would look like,” Mr. Vladeck said. “What’s the substitute for it?” He said the commission was still looking into the issue, but it hoped to have an answer by June or July, when it plans to publish a report on the subject. Mr. Leibowitz gave a hint as to what might be included: “I have a sense, and it’s still amorphous, that we might head toward opt-in,” Mr. Leibowitz said.

This clearly foreshadows the regulatory endgame we have long suspected was coming.  When the FTC released its “Self-Regulatory Principles for Online Behavioral Advertising” eleven months ago, we asked: “What’s the Harm & Where Are We Heading?”  Their answers to both questions have become clearer with each new calculated comment—all apparently intended to slowly “turn up the heat” on the advertising industry so that the proverbial frog will stay in the pot until the water finally boils.  Leibowitz’s FTC has simply dodged the “harm” question with a four-part strategy:

1. Cobble together a “record” full of sympathy-evoking anecdotes submitted by advocates of regulation in comments and the FTC’s ongoing “Exploring Privacy” Roundtables;
2. Let the most extreme Chicken Littles fulminate about the grand conspiracy of “neuromarketing manipulation” and the like (and sometimes even shout down FTC staff in panel discussions) in order to redefine the “reasonable center” of the debate;
3. Define-down “harm” as purely a matter of “consumer expectations” or consumers’ “dignity interests” (whatever that vague and infinitely elastic term means); and
4. Attack the effectiveness of “consent” itself by suggesting that consumers cannot be trusted to understand privacy policies or be expected to make any effort to protect their own privacy.

Conveniently, this strategy leads right back to the “day of reckoning” Chairman Leibowitz threatened was coming last February: We are heading precisely where he told us we would be—to full-on, opt-in regulation.  The writing on the wall becomes more apparent every day: Leibowitz set out to bring online advertising to heel even before becoming Chairman, and his Commission is reprising almost precisely the same approach that led to the passage of the Children’s Online Privacy Protection Act (COPPA) of 1998: building a case for new authority, dismissing industry self-regulation as ineffective, and finally presenting a report to Congress intended to produce a rapid legislative response.  After the FTC presented its report on the need for regulation in congressional testimony in June 1998, it took Congress just four months to pass COPPA—and much of that time was consumed by the summer recess.  In short, Leibowitz is mounting a carefully choreographed campaign for increased regulation.

The only real question is whether Leibowitz will somehow try to use the FTC’s existing authority over “unfair or deceptive” trade practices or wait for expanded authority from Congress.  While most observers typically assume that such expanded authority would come in the form of a privacy-specific bill—be it a broad “baseline” privacy bill or one specifically focused on online data collection for advertising purposes—the authority Leibowitz yearns for could just as easily come in the form of increased rulemaking authority as part of a broader bill that allows the FTC to preemptively regulate practices that are not deceptive but merely deemed “unfair.”

This would take the agency “ Back to the Future”—to the late 1970s, when the agency reached the height of its efforts to regulate purely on “unfairness” grounds by trying to ban advertising to children.  The agency’s behavior earned it the moniker “National Nanny” from the Washington Post, hardly a bastion of regulatory skepticism.[1] That outpouring of popular resentment caused a heavily Democratic Congress to cut-off the Democratic-led agency’s regular funding and prohibit it from regulating advertising merely on the grounds of “unfairness.”  In essence, they told the agency to “go back to its knitting” and focus on protecting consumers from demonstrated harms.^[2] Duly chastened (and actually shut down for several days), the FTC formulated a meaningful legal standard for “unfairness,” which Congress codified in 1994: for a practice to be unfair, the injury it causes must be (1) substantial, (2) without offsetting benefits, and (3) one that consumers cannot reasonably avoid.

Under this statutory standard, as FTC Commissioner Thomas Rosch has argued, the commission must carefully consider:

[the] legitimate pro-consumer and pro-competitive benefits that result from [targeted advertising]. Absent hard data weighing these benefits against the limited “invasion of privacy interests” involved, it would seem difficult to conclude that treating that practice as an actionable violation of the “unfairness” prong of Section 5 will pass muster.[3]

So Leibowitz and Vladeck either need to get serious about weighing the costs and benefits of targeted advertising—or, in the absence of such actually measuring these trade-offs, get Congress to give them the authority to regulate.  But one thing is clear from their past statements: they are in a hurry to do  something. As Vladeck told The Times last August, “There is a sense of urgency around here… Consumers, I don’t think are sufficiently protected under the current regime.”  Apparently, the case is closed in their minds.

“Left Hand, Meet Right Hand”

The second half of the  Times interview concerns the future of news. Chairman Leibowitz is not optimistic:

“There are some areas where you clearly see positive creative destruction,” Mr. Leibowitz said, giving the example of travel agents who were replaced by Orbitz and other online-booking systems. The news, he said, was not one of those. “When you’re dealing with something as critical as news is to a democracy, you need to ensure, certainly, that it’s independent, but also that it’s vibrant going forward,” he said. Areas like investigative reporting, foreign and domestic bureaus, and state-house reporting, he said, would likely falter under blog operations because of “economies of scale.”

He said he wasn’t sure what the solution was, but threw out a few ideas discussed at the conference: maybe special tax treatment for newspapers, a Corporation for Public Broadcasting-like fund, or for the newspaper industry to charge fees for the re-use of its content, similar to the model that the American Society of Composers, Authors and Publishers uses. [emphasis added]

Mr. Chairman, with all due respect, haven’t you forgotten about the solution that has powered private media for a few centuries in this country?  You know— advertising!  Indeed, what’s stunning about these comments is the complete disconnect with what Leibowitz and Vladeck said earlier in the interview.  It certainly may be the case that they said more on the subject than what The Times has reported, but given their escalating rhetoric, it seems likely that significantly increased FTC regulation is on the horizon.  And, yet, as Chairman Leibowitz marches us into this brave new world of regulating Internet media through their key funding source, he and Mr. Vladeck seem to have little appreciation of the vital role played by advertising in sustaining a truly free and vibrant press.

An Attack on Advertising Is an Attack on Media Itself

Let’s step back and revisit Media Economics 101.  Almost every serious scholar in the field acknowledges this truism: Advertising cross-subsidizes media platforms and the creation of valuable information—especially news.  “Advertising is the mother’s milk of all the mass media,”  Wall Street Journal technology columnist Walt Mossberg has noted.  Similarly, Harold L. Vogel, author of Entertainment Industry Economics, the leading text in the field, has noted, “Advertising is the key common ingredient in the tactics and strategies of all entertainment and media company business models.  Indeed, it might further be said that advertising has substantively subsidized the production and delivery of news and entertainment throughout the last century.”[4] Mossberg agrees and notes, “Without ads, most editorial products and other programming would be either unavailable or prohibitively expensive.”

The reason for the indispensability of advertising is simple: Information (including news and other forms of “content”) has “public good” characteristics that make it is very difficult (and occasionally impossible) for information-publishers to recoup their investments.  Simply put, they quite literally lack pricing power: Whatever they charge, someone else will charge less for a close substitute, inevitably leading to “free” distribution of the content, even though the content is anything but free to produce.  Advertising is the one business model that has traditionally saved the day by rewarding publishers for attracting the attention of an audience.

Which raises another under-appreciated point: Private advertising promotes press independence.  “Newspapers, magazines, radio, television, and many websites all receive their primary income from advertising,” notes William F. Arens, author of  Contemporary Advertising, another leading textbook in the field. “This facilitates freedom of the press and promotes more complete information” he concludes.[5] Why?  Because, contrary to what some critics claim, advertising and marketing help keep private media providers independent of the need for taxpayer subsidies or private patrons.  This begs an even more profound question: If not advertising, then what else?

A “Public Option” for the Press?

What’s most troubling about Chairman Leibowitz’s comments to the Times is that he has apparently found his alternative to advertising: a “public option” for the press! He mentions special tax treatment for newspapers or a new CPB-like fund (don’t we already have one?) as two possibilities.  That certainly will be music to the ears of radical, pro-regulatory activist groups like the ironically-named “Free Press,” which wants to see a massive “public works” program for the media sector.

Free Press recently filed comments with the FTC in the agency’s recent workshop, “Can Journalism Survive the Internet Age?” and proposed a far-reaching industrial policy for “saving the news.”  They call for over $50 billion in subsidies for the Corporation for Public Broadcasting and other bureaucracies, a “journalism jobs program” for that would be part of AmeriCorps, a variety of new tax incentives for struggling media operations or individuals who support favored institutions, and an assortment of government incentives to encourage local ownership and media divestiture (by handing over control to smaller operators or minority-owned groups).  Ironically, “Free Press” has also floated the concept of “a small tax on advertising” as one way to pay for a press bailout.

The organization’s founder Robert W. McChesney, the prolific neo-Marxist media scholar, penned an essay with John Nichols of The Nation last year, claiming that saving journalism essentially requires that media become an appendage of the State.  Although advertising has supported journalism as a “public good” for centuries, the only way they can conceive to provide a public good is to socialize its means of production.  Thus, journalism, like education and national defense, requires constant government oversight and support: “A moment has arrived at which we must recognize the need to invest tax dollars to create and maintain news gathering, reporting and writing with the purpose of informing all our citizens.”  They ask us to consider the $60 billion in government spending they propose as a “free press ‘infrastructure project,’” which would “keep the press system alive.”

Some in Congress seem willing to listen.  The Senate has already held hearings about the future of journalism.  And Senator Benjamin L. Cardin (D-MD) recently introduced what he has called the “Newspaper Revitalization Act,” which would allow newspapers to become nonprofit organizations in an effort to help them stay afloat.  Importantly, however, the bill would also disallow political endorsements on newspaper editorial pages—which, like campaign finance restrictions, would be a boon for incumbent politicians.  That bill should serve as fair warning to journalists about the sort of strings lawmakers will attach to press-welfare efforts going forward.  What other “golden shackles” might come with media subsidies?

To be clear, Chairman Leibowitz hasn’t called for a complete press takeover along the lines of the Free Press plan.  Yet, he hasn’t answered a key question in this debate: Who pays for news?  He appears ready to endorse a bold new regulatory scheme for the Internet and online media that, in the name of “protecting privacy” would put at risk the one traditionally successful method of supporting private media operations—advertising.  As the Pew Research Center’s Project for Excellence in Journalism noted in its latest State of the News Media report, “The problem facing American journalism is not fundamentally an audience problem or a credibility problem.  It is a revenue problem—the decoupling… of advertising from news.”  There’s probably no way policymakers can stop this process, nor should they try.  But they shouldn’t be creating new obstacles to the survival of traditional media creators, either.

Unfortunately, that’s exactly what Chairman Leibowitz’s new regulatory scheme would do.  The revenue “delta” between “smart” advertising (tailored to consumers’ likely interests and measured for effectiveness in producing clicks, purchases, etc.) and “dumb advertising” (based purely on surrounding keywords or demographics of users presumed to visit the site) is difficult to measure but potentially enormous—even 10 times as great for some sites.[6] The difference between opt-in and opt-out could be nearly as dramatic, because it’s difficult to get consumers to opt-in for anything, especially for small players—which means that opt-in regulation could, perversely, force consolidation in the online advertising and content markets.  If the FTC cares about its statutory responsibility to safeguard competition, they should take this dynamic seriously and be hyper-cautious about heavy-handed mandates that could derail smarter advertising.

Finally, to be fair, in his interview, the Chairman also suggests the newspaper industry might want to find new way “to charge fees for the re-use of its content.”  We’re certainly not opposed to the notion and think that, if it could somehow be made to work (especially by removing antitrust obstacles), it could part of a diverse revenue mix for digital journalism.  But, there’s the rub.  Micropayments inevitably face the problem of “mental transaction costs”  that likely swamp the perceived value of most content and, like pay-walls, have generally worked only in media environments characterized by a scarcity of providers and a uniqueness of a sufficiently valuable product.  These cold, hard economic realities are why advertising remains indispensable.

The Principled Alternative to Regulation

Convinced that privacy policies simply don’t work, Leibowitz and Vladeck are asking what a “post-disclosure era” would look like.  We appreciate the continued sensitivities expressed by certain groups and individuals about online privacy and data use more generally.  But there is another way forward.  We have proposed the following “5-E” layered approach to concerns about online privacy, focusing on restraining government access to data as a clear harm, rather than crippling the private sector uses of data that directly benefit consumers:

1. Erect a higher “Wall of Separation between Web and State” by increasing Americans’ protection from government access to their personal data—thus bringing the Fourth Amendment into the Digital Age.
2. Educate users about privacy risks and data management in general as well as specific practices and policies for safer computing.
3. Empower users to implement their privacy preferences in specific contexts as easily as possible.
4. Enhance self-regulation by industry sectors and companies to integrate with user education and empowerment.
5. Enforce existing laws against unfair and deceptive trade practices as well as state privacy tort laws.

Such a layered approach would not only be a “less restrictive” alternative to top-down, one-size-fits-all government regulation, but also potentially more effective in key respects than government data use/collection mandates.  In an ideal world, adults would be fully empowered to tailor privacy decisions, like speech decisions, to their own values and preferences (“household standards”).  Consumers would have (1) the information necessary to make informed decisions and (2) the tools and methods necessary to act upon that information. Importantly, those tools and methods would give them the ability to block the things they don’t like—annoying ads or the collection of data about them, as well as objectionable content—while also helping them find the information and content they desire.

But of course, the devil’s in the details.  Leibowitz and Vladeck would set the bar so high as to what constitutes “effective” consumer choice that current privacy policies necessarily fail their test—if only because most users don’t care enough to make the “right” privacy choices.  Privacy policies, even if read by relatively few consumers, nonetheless allow privacy advocates, journalists and watchdog-bloggers to scrutinize what companies say they’re doing—promises to which the FTC should hold companies stringently.  That’s clearly not good enough for Leibowitz and Vladeck, who want to give up on “notice and choice” and move on to “opt-in” mandates.  But why not first try to make “notice” more effective?  The advertising industry is currently developing standardized interfaces that could communicate key information about privacy practices in a single icon, label or other easily-digested “consumer touch point.”

More radically, why focus on tinkering with consumer interfaces, when standardized data disclosure formats like the Protocol for Privacy Preferences (P3P) could distill legalistic privacy policies into “machine-readable” code?  Such disclosures could provide a powerful form of “notice” that the ordinary consumer could “use”: simply setting their own privacy preferences in a browser tool that automatically implements those preferences by blocking tracking that users object to.  Such a privacy disclosure format could also allow the FTC to automate enforcement of its existing authority to punish unfair or deceptive trade practices.

Conclusion

And so we return to the question the FTC asked in its recent workshop, “Can Journalism Survive the Internet Age?”  Answer: Not if the FTC kills the golden goose that lays the golden eggs through onerous advertising regulations and data controls in the name of “privacy.”  Chairman Leibowitz and Bureau Chief Vladeck shouldn’t foreclose the possibility that advertising can play a central role in the future of a free press in the Digital Age—just as it has done historically in the United States.  Indeed, they would be wise to remember that advertising has always been with us.  As the Supreme Court noted in its 1996 decision, 44 Liquormart, Inc. v. Rhode Island.

Advertising has been a part of our culture throughout our history. Even in colonial days, the public relied on “commercial speech” for vital information about the market. Early newspapers displayed advertisements for goods and services on their front pages, and town criers called out prices in public squares. Indeed, commercial messages played such a central role in public life prior to the founding that Benjamin Franklin authored his early defense of a free press in support of his decision to print, of all things, an advertisement for voyages to Barbados.[7]

Of course, for advertising to continue to play the role as sustainer of the press, it must be allowed to evolve.  Media operators—large and small alike—must be allowed to craft new strategies, some of which may require data collection and marketing practices that will make some privacy-sensitive users uncomfortable, but will also ensure that the goose keeps on laying golden eggs for them and everyone else.

While Chairman Leibowitz may decry the creative destruction at work in the news sector and information industries today, that shakeup will continue and, no doubt, be painful for incumbent players.  Advertising alone may not “save the day” for media as it has in the past, but it will likely remain essential to sustaining private media platforms and providers going forward— if federal policymakers allow it.  The alternative—massive government intervention into the news and media sectors—is too horrifying to think about.

[1] Washington Post, March 1, 1978.

[2] Congress terminated the FTC’s efforts to prohibit advertising to children, and barred the agency from issuing any advertising regulation predicated solely on unfairness for three years.  FTC Improvements Act, Pub. L. No. 96-252, § 11 (May 1980).  See generally J. Howard Beales, Director of the Bureau of Consumer Protection, Federal Trade Commission, The FTC’s Use of Unfairness Authority: Its Rise, Fall, and Resurrection, www.ftc.gov/speeches/beales/unfair0603.shtm.

[3] Thomas Rosch, Some Reflections on the Future of the Internet: Net Neutrality, Online Behavioral Advertising, and Health Information Technology, Remarks at U.S. Chamber of Commerce Telecommunications & E-Commerce Committee Fall Meeting, October 26, 2009, 13, www.ftc.gov/speeches/rosch/091026chamber.pdf.

[4] Harold L. Vogel, Entertainment Industry Economics (Cambridge, MA: Cambridge University Press, 7th Edition, 2007), at 46.

[5] William F. Arens, Contemporary Advertising (McGraw-Hill Irwin, 10^th Ed., 2006) at 50.

[6] See Berin Szoka & Mark Adams, The Benefits of Online Advertising & Costs of Privacy Regulation, PFF Working Paper, Nov. 8, 2009, www.scribd.com/doc/22445754/Benefits-of-Online-Advertising-Paper.

[7] 517 U.S. 484, 495 (1996), http://www.law.cornell.edu/supct/html/94-1140.ZO.html

______________________________

Related PFF Publications

• Privacy Trade-Offs: How Further Regulation Could Diminish Consumer Choice, Raise Prices, Quash Digital Innovation & Curtail Free Speech, Berin Szoka, Comments to the Federal Trade Commission “Exploring Privacy” Roundtable, November 10, 2009.
• Online Advertising & User Privacy: Principles to Guide the Debate, Berin Szoka & Adam Thierer, Progress Snapshot 4.19, Sept. 2008.
• Targeted Online Advertising: What’s the Harm & Where Are We Heading?, Berin Szoka & Adam Thierer, Progress on Point 16.2, April 2009.
• Privacy Polls v. Real-World Trade-Offs, Berin Szoka, Progress Snapshot 5.10, Oct. 2009.
• The Benefits of Online Advertising & Costs of Privacy Regulation, Berin Szoka & Mark Adams, PFF Working Paper, Nov. 8, 2009.
• Benefits of Online Advertising, Berin Szoka, Mark Adams, Howard Beales, Thomas Lenard & Jules Polonetsky, PFF Capitol Briefing, July 2009.
• Public Option for Press Should Get the Red Pen, Adam Thierer, The Daily Caller, Jan. 12, 2010.

I have ranted once or twice before about the regulatory requirement that Google—a search engine—post a link to a privacy notice on its home page.

Not all computers all places may see it, but Google appears to be experimenting with a bit of javascript that leaves the page blank but for the Google image and the search field until you roll your cursor over it. But they’re leaving the privacy notice (and a copyright notice) there, probably for fear that privacy advocates will yelp about a modern-day paperwork violation.

This provides an opportunity to see the difference between a world with privacy notice regulation and one without. One is cluttered and overlawyered. The other is pure and clean and fresh.

Take a look for yourself. Which do you prefer?

This?

Or this?

I think the answer is obvious. The only difference, mind you, is aesthetic. If Google were permitted to have a truly good looking Web site, users’ privacy would be no worse off for it because they don’t read privacy notices.

As I mentioned in a post last month, dozens of comments were filed with the Federal Communications Commission (FCC) as part of the agency’s “Child Safe Viewing Act” Notice of Inquiry.  Again, this proceeding was required under the “Child Safe Viewing Act of 2007,” which Congress passed last year and President Bush signed last December. The goal of the bill and the FCC’s proceeding (MB 09-26) is to study “advanced blocking technologies” that “may be appropriate across a wide variety of distribution platforms, including wired, wireless, and Internet platforms.”  I filed 150+ pages worth of comments in this matter, and here’s my analysis of why this bill and the FCC’s proceeding are worth monitoring closely.

Anyway, this week saw many of the same groups that filed before (and some new ones) file reply comments about those earlier submissions.  To make things simple, I have collected most of the notable reply comments down below in case anyone is interested.

• Association of National Advertisers
• American Legislative Exchange Council
• Children’s Media Policy Coalition
• Coalition for Independent Ratings
• Comcast
• Consumer Electronic Association
• Digimarc
• Electronic Frontier Foundation
• Entertainment Software Association
• Funai Electric Co.
• ION Media Networks
• Microsoft
• Motorola
• NAB, NCTA, & MPAA
• Nintendo
• Parents Television Council
• Smart Television Alliance
• TiVo
• T-Mobile
• TV Guardian

Google’s new “Interest Based Advertising” (IBA) program represents the company’s first foray into what is generally called “Online Behavioral Advertising” (OBA):  In order to deliver more relevant advertising, Google will begin tailoring ads delivered through AdSense on the Google Content Network (GCN) and YouTube.com (but not Google.com).  This tailoring will be based on a profile of each user’s interests created by tracking their browsing activity across sites that use AdSense-but not search queries or other user information.  Until now, (i) AdSense has delivered essentially “contextual” advertising by choosing which ad to display on a page based on an algorithmic analysis of keywords on that page; and (ii) Google has tracked users’ browsing only for analytics purposes-to limit the number of times a user sees a particular ad (to prevent overexposure) and to allow sequencing of ads in campaigns where one ad must follow another. 

Google is sure to be attacked for crossing a “line in the sand” drawn by some privacy advocates between contextual and behavioral advertising-even though Google’s closest competitor, Yahoo!, already offers a similar program, and the concept in general is hardly new.  Google’s position as the leading search engine and third party ad-delivery network will no doubt cause paroxysms of privacy hysteria among those who consider targeted advertising inherently invasive, unfair or manipulative.

But those whose first priority is advancing consumer privacy, not advancing a political or regulatory agenda, should applaud Google for excluding sensitive categories and for putting the new Ad Preference Manager at the core of the company’s new IBA program.  The Ad Preference Manager sets a new “gold standard” for implementing the principles of Notice and Choice, which have formed the core of both OBA industry self-regulation and the various regulatory proposals made in recent years.  Indeed, Google has done precisely what Adam Thierer and I have called for:  giving consumers more granular control over their own privacy preferences by developing better tools.

How Google’s Ad Preference Manager Works

For years, debates about how OBA should be regulated (whether by industry or by government) have revolved around two key questions: 

• Notice: How should consumers best be informed about the data that’s being collected about them, how it’s being used, by whom, and so on?
• Choice: How should consumers be given the ability to opt-out of tracking for OBA purposes?

While there are significant philosophical disagreements about some aspects of these debates-such as whether the default should be opt-in or opt-out-much of the debate has come down to questions of implementation that may seem trivial or easily-solved to lay people:  Where should notice be provided?  If notice is provided in ads themselves, what should the link say and how big should it be?  By what technological means should users be able to opt-out of tracking?  Google has provided an elegantly simple solution to these questions. 

Google provides “notice” to users in two ways:

• In the ads.  In the bottom left corner of each AdSense ad on sites in the GCN, users will see the URL for the advertiser’s website.  This is already the case for all text ads, but not for display ads.  In the bottom right corner of both display and text ads, users will see an “Ads by Google” link.  Thus, the ad itself provides the user notice of (i) who’s paying for the ad and (ii) who’s serving it. 
• In the Ad Preference Manager.  If the user clicks the “Ads by Google” link, they will see which of the ~20 categories and ~600 subcategories have been associated with the tracking cookie in their browser.  Thus, Google provides notice to the user of what’s in their so-called “digital dossier.”

Google provides “choice” to the user in two ways:

• Editing categories.  The Ad Preference manager not only shows the profile that has been algorithmically assembled of their likely interests, but it lets them decide for themselves which categories they’re really interested in.  If a user finds that they have been placed in the “Automotive > Motorcycles” category but actually owns a SUV, they could select “Automotive > Trucks & SUVs”-or no Automotive category at all.  
• A persistent opt-out.  Users can decide to opt-out completely from having their data collected for IBA purposes.  That choice will be respected in the future, and will therefore be “persistent.”

The Persistent Opt-Out Plug-in

For roughly a decade, the OBA industry has operated under a self-regulatory scheme developed by the Network Advertising Initiative (NAI).  NAI lets users opt-out of receiving ads based on OBA targeting.  But privacy advocates have objected on three grounds:

First, privacy advocates argue that it’s currently too hard for users to find the NAI opt-out tool since users don’t know which ad network is serving which ads and there’s no obvious way to get from an ad to the opt-out option.  Google moots this argument by making its opt-out easily accessible to anyone who clicks on the “Ads by Google” link that appears beneath every IBA-targeted ad.

Second and most importantly, privacy advocates decry NAI’s opt-out because it isn’t “persistent”- i.e., it requires the placement of a special “opt-out cookie” on the user’s computer, which may be inadvertently deleted when users delete all their cookies.  Indeed, many users do precisely that on a regular basis through either their browser or antivirus software-thus erasing their own opt-out choice.  Google moots this argument too:  While Google’s opt-out also relies on a special opt-out cookie, Google has created an easily installed plug-in for the two most common Web browsers, Internet Explorer and Firefox, that ensures that the opt-out cookie is automatically recreated even if a user deletes their cookies.  For the Chrome and Safari Web browsers (which do not support plug-ins), Google has outlined a simple procedure whereby users can achieve the same result.

Third, many critics worry that any cookie-based opt-out mechanism still involves sending data to ad networks that the ad networks could use to track users-despite promises in their privacy policies not to do so.  Even though the FTC can enforce such policies, it may be difficult for users to determine what the ad networks are doing with the data they receive from users that have opted out of tracking.  Although Google’s system seems to be no different in this regard from how other NAI member companies handle opt outs, truly privacy-sensitive users could easily address this concern by configuring their Web browser to not send any data to these networks and/or not allow any persistent cookies, as we’ve discussed in our Privacy Solutions Series.   

A Superior Solution to a “Do-Not-Track” Registry

The privacy advocates who lambaste the inadequacies of the NAI opt-out system have demanded the creation of a government-run “Do-Not-Track” registry loosely modeled on-but very different in practice from-the FTC’s Do-Not-Call registry, by which over 170 million Americans have opted out of receiving telemarketing calls.  Google’s Ad Preference Manager provides a better system.

First, it proves that the “persistency” problem can be solved.  In fact, since Google’s plug-in is open source, these privacy advocates may be able to use it to create a browser plug-in that works for opt-out cookies from other NAI member companies.  Indeed, given how simple Google’s plug-in is, one wonders why they didn’t do this when NAI’s Opt-Out Tool was first made available.  Perhaps the technologists at these organizations have spent a little too much time developing elaborate regulatory solutions and too little time focusing on empowering users.  Or perhaps these organizations simply decided that creating such a tool would undercut their argument that only government intervention could protect users’ privacy.  Ironically, some of the organizations pushing Do-Not-Track have joined us in emphasizing the effectiveness of user empowerment tools in other contexts-such as online child protection, where parental control software offers a more effective alternative to government regulation of Internet content that also does less to restrict constitutionally protected speech.  Even more ironically, their Do-Not-Track proposal specifically calls for the development of browser-based tools to implement the government-maintained Do-Not-Track database.  In an era when anyone can write a browser plug-in that can achieve wild popularity (such as the roughly 43 million downloads of the Firefox plug-ins AdBlock Plus and NoScript), these advocacy organizations have little excuse for not practicing what they preach. 

Second, Google has set a new standard in both Notice-by including a link to the opt-out in every ad-and Choice-by respecting user’s opt-out preferences.  Other ad networks now face intense pressure to catch up with, or outpace, Google by implementing the same kind of Notice and Choice.  Indeed, NAI will now be expected to improve its own opt-out system with a browser plug-in capable of preserving opt-out preferences for all of its members’ ad networks.  To the extent that this plug-in might work better with cooperation from the ad networks, that cooperation should now be more forthcoming than ever. 

Third, if these privacy advocates’ real objection to any cookie-based opt-out system-whether the NAI opt-out tool or Google’s plug-in-is uncertainty as to whether opt-out preferences would really be respected by ad networks that continue to collect tracking data (as discussed above), who better than Google to lead the market in setting higher standards for privacy protection?  Ultimately, these standards will be, and should be, enforced by the FTC under its existing authority to punish unfair and deceptive trade practices.

What This Episode Says About Google

Some privacy advocates will argue that Google is just too big-and therefore too “scary”-to be allowed to engage in OBA, and may try to paint Google’s entry in the OBA marketplace as a net loss to privacy, notwithstanding the extremely pro-privacy way in which Google has implemented its “IBA” service.  But if this incident demonstrates anything about Google, it’s the following:

First, it’s no accident that Google is now leading the pack of third party ad networks by developing innovative solutions that respect consumer privacy.  Unlike most third party ad networks, Google is directly focused on the demands of consumers:  In addition to the ad network they acquired from DoubleClick, of course, Google offers consumers a wide array of other online services (search, email, maps, etc.).  Because these services (and their competitors) are all free, Google has to compete in what economists call “non-price terms”-such as privacy.  So, Google has a lot to lose by alienating its users and a lot to gain by being seen as a leader in privacy protection.  Would an independent DoubleClick have taken so much care to address privacy concerns?  As the developer of a competing search engine once said about the Internet search industry, ”you earn your right to be in business every day, page view after page view, click after click.”  

Second, it’s no accident that Google was a late-comer to the OBA market, lagging behind Yahoo! in particular.  The most likely reason Google has taken its time in rolling out an OBA product is that Google is subject to a unique level of scrutiny by privacy advocates by virtue of its size.  Being the “big kid on the block,” Google has to be especially careful not to appear to be “Big Brother.”  This reputational check on Google should allay some concerns about Google’s size.

Third, this episode also demonstrates the advantages of having a player like Google large enough to be able to singlehandedly set a new paradigm in privacy protection.  Google risks alienating some advertisers and publishers with its bold empowerment of users, but was willing to take those risks because of its incentives as a consumer-facing company and able to do so because of its leadership in the marketplace.  Uncomfortable as this reality may be for those who fret about antitrust issues and indeed for Google itself, the simple reality is that sometimes it takes “big dogs” to make self-regulatory systems truly effective.  For example, the video game industry’s highly effective content rating system has worked because the titans in that field were big enough to push through a tough system and keep it working.  Similarly, Microsoft has led the way for years in empowering users by offering in Internet Explorer the most sophisticated cookie management tools available in any browser, as we’ve discussed.  In a nutshell, privacy leadership requires scale. 

Conclusion

Google’s Ad Preference Manager, with its persistent opt-out plug-in, offers precisely the kind of robust opt-out that privacy advocates have always demanded.  Google deserves a rousing “Amen!” from privacy advocates.  But those who respond to this program by insisting that “more needs to be done on how to educate people and tell them how to opt out,” are right in two senses.  First, Google has shown other ad networks how to do more to empower users.  I am confident that they will rise to that challenge by continuing to refine self-regulation through technological innovation.  Second, this is by no means the last word in privacy protection from Google, which operates in the midst of continually-evolving privacy standards.  I expect Google and competing ad networks will continue to innovate in developing technologies that empower users to manage their own privacy-and that this competitive “race to the top” will improve online privacy protection in a broader sense beyond just advertising by putting pressure on other online service providers to improve their privacy practices and policies.

But I fear that too many privacy advocates will instead see this as just another reason for the government to intervene-perhaps because of fear of Google engaging in OBA or  because they think the government, not Google, should be developing privacy solutions.  Or perhaps they think Google’s system shows that a system of government-mandated solutions really could work.  To the contrary, Google’s approach is precisely the kind of innovation that would be discouraged by pre-emptive government regulation.  Worse, those who would freeze privacy protection in place would also freeze in place much of the Internet itself, precluding development of new business models that would compete with Google, allaying concerns about competition and benefiting consumers.  Why preclude broadband providers, for example, from figuring out how to deploy ad-targeting technologies in a manner that does as much to empower users with better privacy controls as Google has-especially when this could create a new source of funding for “free” content and services and even discounts on broadband? 

I hope instead that the effectiveness of Google’s approach will shift the policy debate about protecting user privacy back to an emphasis on the layered approach Adam Thierer and I have outlined, supplementing consumer education, industry self-regulation, existing state privacy tort laws, and  FTC enforcement of corporate privacy policies with increasingly powerful technological “self-help” tools that allow privacy-wary consumers to take privacy into their own hands.