The Federal Trade Commission issued a report today calling on companies “to adopt best privacy practices.” In related news, most people support airline safety… The report also “recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.”

This is regulatory cheerleading of the same kind our government’s all-purpose trade regulator put out a dozen years ago. In May of 2000, the FTC issued a report finding “that legislation is necessary to ensure further implementation of fair information practices online” and recommending a framework for such legislation. Congress did not act on that, and things are humming along today without top-down regulation of information practices on the Internet.

By “humming along,” I don’t mean that all privacy problems have been solved. (And they certainly wouldn’t have been solved if Congress had passed a law saying they should be.) “Humming along” means that ongoing push-and-pull among companies and consumers is defining the information practices that best serve consumers in all their needs, including privacy.

Congress won’t be enacting legislation this year, and there doesn’t seem to be any groundswell for new regulation in the next Congress, though President Obama’s reelection would leave him unencumbered by future elections and so inclined to indulge the pro-regulatory fantasies of his supporters.

The folks who want regulation of the Internet in the name of privacy should explain how they will do better than Congress did with credit reporting. In forty years of regulating credit bureaus, Congress has not come up with a system that satisfies consumer advocates’ demands. I detail that government failure in my recent Cato Policy Analysis, “Reputation under Regulation: The Fair Credit Reporting Act at 40 and Lessons for the Internet Privacy Debate.”

I was astounded to see the misstatements and misapplication of math in a recent Atlantic blog post called “How Much Is Your Data Worth? Mmm, Somewhere Between Half a Cent and $1,200.”

For his back-of-envelope calculations about the value of personal data, Alexis Madrigal writes, “User profiles — slices of our digital selves — are sold in large chunks, i.e. at least 10,000 in a batch. On the high end, they go for $0.005 per profile, according to advertising-industry sources.”

The dollar value isn’t crazy—a CPM rate of about five cents is on the low end—but he has got the nature of the transaction precisely wrong. Advertisers place ads with content providers like Facebook, Google, and ad networks. The latter direct those ads to their visitors, trying to get ads to the people the advertiser wants to reach. They do not sell the information they use to guess at what interests consumers—consumers’ profiles, to whatever extent they exist.

If content providers sold data about their visitors to advertisers, this would undercut their own role in the advertising business. There wouldn’t be a second sale to make. And doing so would require a radical re-engineering of targeted advertising, which is largely cookie-based. The purchaser of the profile wouldn’t know how to find the subject of the profile in order to deliver an ad.

Madrigal repeats several times that “profiles” are “sold.” It’s a highly misleading characterization, creating the impression that dossiers of information about people are circulating the Internet on a strange black market. On the contrary, profiles are held—not sold—by content providers and advertising networks. There are privacy concerns enough with that business model. We don’t need it mis-described.

I probably would have let this pass. Madrigal isn’t the first to get the advertising business model wrong. (And he hasn’t repeated the error that I know of.) But then comes the bad math.

Writes Madrigal:

[L]et’s not forget the rest of the Internet advertising ecosystem either, which the Internet Advertising Bureau says supported $300 billion in economic activity last year. That’s more than $1,200 per Internet user and much of the online advertising industry’s success is predicated on the use of this kind of targeting data.

Personal information is one input into part of online advertising. It makes no sense to assign all the value from the entire ecosystem to that one input. The auto industry is about a $400 billion industry, and there are about 250 million car tires sold in the U.S. each year. This does not mean that tires are worth over $2,000 each.

The idea, evidently, is to make the case that consumers are losing a lot in the advertising ecosystem today. That may or may not be true. I’d like to see it shown in the success of a company like Personal or others in the Personal Data Ecosystem, which could re-jigger the personal-data > free-content bargain. But I don’t think that misstating how advertising works and exploding the value of personal data is a good way to make the case for change.

The Mercatus Center at George Mason University has just released my new white paper, “The Perils of Classifying Social Media Platforms as Public Utilities.” [PDF] I first presented a draft of this paper last November at a Michigan State University conference on “The Governance of Social Media.” [Video of my panel here.]

In this paper, I note that to the extent public utility-style regulation has been debated within the Internet policy arena over the past decade, the focus has been almost entirely on the physical layer of the Internet. The question has been whether Internet service providers should be considered “essential facilities” or “natural monopolies” and regulated as public utilities. The debate over “net neutrality” regulation has been animated by such concerns.

While that debate still rages, the rhetoric of public utilities and essential facilities is increasingly creeping into policy discussions about other layers of the Internet, such as the search layer. More recently, there have been rumblings within academic and public policy circles regarding whether social media platforms, especially social networking sites, might also possess public utility characteristics. Presumably, such a classification would entail greater regulation of those sites’ structures and business practices.

Proponents of treating social media platforms as public utilities offer a variety of justifications for regulation. Amorphous “fairness” concerns animate many of these calls, but privacy and reputational concerns are also frequently mentioned as rationales for regulation. Proponents of regulation also sometimes invoke “social utility” or “social commons” arguments in defense of increased government oversight, even though these notions lack clear definition.

Social media platforms do not resemble traditional public utilities, however, and there are good reasons why policymakers should avoid a rush to regulate them as such.

After the NSA’s aggressive pursuit of a greater role in civilian cybersecurity, and last week’s statement by Sen. John McCain criticizing the Lieberman-Collins bill for not including a role for the agency, some feared that the new G.O.P. cybersecurity bill would allow the military agency to gather information about U.S. citizens on U.S. soil. So, it’s refreshing to see that the bill introduced today–the SECURE IT Act of 2012–does not include NSA monitoring of Internet traffic, which would have been very troubling from a civil liberties perspective.

In fact, this new alternative goes further on privacy than the Lieberman-Collins bill. It limits the type of information ISPs and other critical infrastructure providers can share with law enforcement. Without such limits, “information sharing” could become a back door for government surveillance. With these limits in place, information sharing is certainly preferable to the more regulatory route taken by the Lieberman-Collins bill.

It seems to me that despite Sen. McCain’s stated preference for an NSA role, the G.O.P. alternative is looking to address the over-breadth of the Lieberman-Collins bill without introducing any new complications. The SECURE IT bill is also more in line with the approach taken by the House, so it would make reaching consensus easier.

I’ll be posting more here as I learn about the bill.

UPDATE 12:06 PM: A copy of the bill is now available. Find it after the break.

UPDATE 2:55 PM: Having now had an opportunity to take a look at the bill and not just the summary, it does appear it includes a hole through which the NSA may be able to drive a freight train. While NSA monitoring of civilian networks is not mandated, information that is shared by private entities with federal cybersecurity centers “may be disclosed to and used by”

any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code …

That last bit limits law enforcement’s use of shared cyber threat information to serious crimes, but the highlighted bit potentially allows sharing with the NSA or any other agency, civilian or military, for any “national security” reasons. That is troublingly broad and a blemish on this otherwise non-regulatory bill.

Information sharing with the NSA might be fine as long as it is not mandatory and the shared information is used only for cyber security purposes.

Cross posted from JerryBrito.com

[UPDATE: 2/14/2013: As noted here, this paper was published by the Minnesota Journal of Law, Science & Technology in their Winter 2013 edition. Please refer to that post for more details and cite this final version of the paper going forward.]

I’m pleased to report that the Mercatus Center at George Mason University has just released my huge new white paper, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle.” I’ve been working on this paper for a long time and look forward to finding it a home in a law journal some time soon.  Here’s the summary of this 80-page paper:

Fear is an extremely powerful motivating force, especially in public policy debates where it is used in an attempt to sway opinion or bolster the case for action. Often, this action involves preemptive regulation based on false assumptions and evidence. Such fears are frequently on display in the Internet policy arena and take the form of full-blown “technopanic,” or real-world manifestations of this illogical fear. While it’s true that cyberspace has its fair share of troublemakers, there is no evidence that the Internet is leading to greater problems for society. This paper considers the structure of fear appeal arguments in technology policy debates and then outlines how those arguments can be deconstructed and refuted in both cultural and economic contexts. Several examples of fear appeal arguments are offered with a particular focus on online child safety, digital privacy, and cybersecurity. The various factors contributing to “fear cycles” in these policy areas are documented. To the extent that these concerns are valid, they are best addressed by ongoing societal learning, experimentation, resiliency, and coping strategies rather than by regulation. If steps must be taken to address these concerns, education and empowerment-based solutions represent superior approaches to dealing with them compared to a precautionary principle approach, which would limit beneficial learning opportunities and retard technological progress.

The complete paper can be found on the Mercatus site here, on SSRN, or on Scribd. I’ve also embedded it below in a Scribd reader.

Over at Forbes I have posted some thoughts on the new privacy framework (Consumer Data Privacy in a Networked World) that the Obama Administration released today. In my essay, “The Problem with Obama’s “Let’s Be More Like Europe” Privacy Plan,” I hammer home the same point I’ve made here before many times: Regulation is not a costless exercise. No matter how well-intentioned regulatory proposals may be, they can often have unforeseen, unintended consequences. This is equally true for privacy controls. I discuss how a new privacy regulatory regime could drive up prices for services that currently are free or inexpensive, limit new digital services and innovations, create barriers to entry for new entrants and entrepreneurs, negatively impact the competitiveness of existing U.S. Internet operators, and, more generally, increase the horizons of government power over the Internet.

For a more detailed analysis of these issues, I encourage you to check out my big Mercatus Center filing to the FTC last year on privacy and Do Not Track regulation. Also, here are a few TLF essays that summarize my skepticism about expanded privacy controls:

Ceci c’est un meme.

On Forbes today, I look at the phenomenon of memes in the legal and economic context, using my now notorious “Best Buy” post as an example. Along the way, I talk antitrust, copyright, trademark, network effects, Robert Metcalfe and Ronald Coase.

It’s now been a month and a half since I wrote that electronics retailer Best Buy was going out of business…gradually.  The post, a preview of an article and future book that I’ve been researching on-and-off for the last year, continues to have a life of its own.

Commentary about the post has appeared in online and offline publications, including The Financial Times, The Wall Street Journal, The New York Times, TechCrunch, Slashdot, MetaFilter, Reddit, The Huffington Post, The Motley Fool, and CNN. Some of these articles generated hundreds of user comments, in addition to those that appeared here at Forbes.

Given the importance of privacy self-help—that is, setting your browser to control what it reveals about you when you surf the Web—I was concerned to hear that Google, among others, had circumvented third-party cookie blocking that is a default setting of Apple’s Safari browser. Jonathan Mayer of Stanford’s Center for Internet and Society published a thorough and highly technical explanation of the problem on Thursday.

The story starts with a flaw in Safari’s cookie blocking. Mayer notes Safari’s treatment of third-party cookies:

Reading Cookies: Safari allows third-party domains to read cookies.
Modifying Cookies: If an HTTP request to a third-party domain includes a cookie, Safari allows the response to write cookies.
Form Submission: If an HTTP request to a third-party domain is caused by the submission of an HTML form, Safari allows the response to write cookies. This component of the policy was removed from WebKit, the open source browser behind Safari, seven months ago by Google engineers. Their rationale is not public; the bug is marked as a security problem. The change has not yet landed in Safari.

Mayer says Google was exploiting this yet-to-be-closed loophole to install third-party cookies, the domain of which Safari would then allow to write cookies. After describing “(relatively) straightforward” cookie synching, Mayer says:

But we noticed a special response at the last step for Safari browsers. … Instead of responding with the “_drt_” cookie, the server sends back a page that includes a form and JavaScript to submit the form (using POST) to its own URL.

Third-party cookie blocking evaded, and users’ preferences frustrated.

Ars Technica has published Google’s response, which doesn’t seem to have gone up on any of its blogs, in full. Google says they created this functionality to deliver better services to their users, but doing so inadvertently allowed Google advertising cookies to be set on the browser.

I don’t know that I’m technically sophisticated enough to register a firm judgement, but it looks to me like Google was faced with an interesting dilemma: They had visitors who were signed in to their service and who had opted to see personalized ads and other content, such as ‘+1’s, but those same visitors had set their browsers contrary to those desires. Google chose the route better for Google, defeating the browser-set preferences. That, I think, was a mistake.

I wonder if there isn’t some Occam’s Razor that a Google engineer might have applied at some point in this process, thinking, “Golly, we are really going to great lengths to get around a browser setting. Are we sure we should be doing this?” Maybe it would have been more straightforward to highlight to Safari users that their settings were reducing their enjoyment of Google’s services and ads, and to invite those users to change their settings. This, and urging Apple to fix the browser, would have been more consistent with the company’s credo of non-evil.

Now, to the ideological stuff, of which I can think of two items:

1) There is a battle for control of earth out there—well, a battle over whether third-party cookie blocking is good or bad. Have your way, advocates. I think the consuming public—that is, the market—should decide.

2) There is a battle to make a federal case out of every privacy transgression. An advocacy group called Consumer Watchdog (which has been prone to privacy buffoonery in the past) hustled out a complaint to the Federal Trade Commission. I think the injured parties should be compensated in full for their loss and suffering, of which there wasn’t any. De minimis non curat lex, so this is actually just a learning opportunity for Google, for browser authors, and for the public.

Kudos and thanks are due to Jonathan Mayer, as well as ★★★★★ and Ashkan Soltani, for exposing this issue.

Today the Federal Trade Commission released a new report entitled, “Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing,” which concludes that “confusing and hard-to-find disclosures do not give parents the control that they need in this area.” The FTC argues that “parents need consistent, easily accessible, and recognizable disclosures regarding in-app purchase capabilities so that they can make informed decisions about whether to allow their children to use apps with such capabilities.”

It’s hard to be against the FTC’s “the more disclosure, the better” policy recommendation and I’m not about to come out against it here. But the question is: how much disclosure is enough? Reading through the report and seeing how hard the FTC hammers this point home makes me think the agency wants our app store checkout process to be littered with the pages of fine print disclosure policies that now accompany our credit card statements and home mortgage payments! Seriously, would that make us better off?

As a parent of two kids who both download countless apps on my Android phone, my wife’s iPhone, and our family’s Android tablet, I appreciate a certain amount of disclosure about what sort of information apps are collecting and how they are using it. I think Google’s Android marketplace strikes a nice balance here, providing us with the most crucial facts about what the application will access or share. Apple could do more on disclosure but the company also prides itself (to the dismay of some!) on its rigorous pre-screening process to make sure the apps in the App Store are safe and don’t violate certain privacy and security policies. Yet, as the FTC correctly points out, “the details of this screening process are not clear.” Of course, most Apple users simply don’t give a damn. They’re all too happy to let Apple just take care of it for them even if they’re not really sure what’s happening to their data behind the scenes. The more privacy-sensitive crowd wants greater disclosure and control, of course, and I’m sympathetic to that plea.  But again, how much disclosure is enough? Are you going to wade through pages of disclosure policies and privacy opt-ins before downloading that latest iteration of “Angry Birds” or “Cut the Rope”? Yeah, I didn’t think so.

Anyway, I don’t want to dwell on that. The more interesting findings in the survey relate to price and market dynamics and I am hoping people don’t ignore them.

My seen-it-all cool was shaken yesterday when I examined how a Senate cybersecurity bill would scythe down legal protections for privacy. Anyone participating in government “cybersecurity exchanges” would have nearly total immunity from liability under any law. No Privacy Act, no ECPA, no E-Government Act, no contract law, no privacy torts. The scuttlebutt is that Senator Reid (D-NV) may push this especially hard as payback to the Internet for the SOPA/PIPA debacle.

In the push for cybersecurity legislation, Congress is driven far more by its desire to act (and D.C. lobbyists’ desire to have Congress act) than by any plausible contribution it can make to the difficult problem of securing computers, networks, and data. That’s why this cybersecurity bill, and all others I have seen, have greater costs than benefits.

Read about the devastation for privacy and the rule of law on offer in a current draft in “The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy.”