When legislation or regulation is what you rely on for privacy protection, your privacy protection relies on political consensus staying the same. When political consensus changes, your privacy can go away.
Witness the Department of Education’s proposed change to FERPA regulations—the Family Education Rights and Privacy Act—to make more data about students available to more people. The privacy protections that have applied until now are unlikely to withstand the Education Department’s belief that using data about students is more important.
To anyone who relied on FERPA for privacy protection: Oops!
Reputation oils the gears of many markets. People’s expressions of opinion about goods and services help establish the reputations of sellers and service providers. Knowing that they are the subject of reputation systems that they do not control, service providers do a better job on average than they otherwise would. Slacking off even once can sully a reputation and produce well-placed economic sanctions: people won’t do business. Withdrawing reputation information from the public sphere will generally slow the process of winnowing bad actors out of any market and rewarding most highly the good ones. Commercial opinion is a little engine of positive externalities.
Federal privacy regulations under the Health Insurance Portability and Accountability Act shaped the information terms in health care services in ways people are right to disagree with. So it might be tempting to trade away one’s right to criticize a doctor for greater privacy protection. But a new site called DoctoredReviews.com argues against that bargain—indeed, it argues the bargain is illusory—and it criticizes the use of copyright law to enforce the deal.
Apparently, a group called Medical Justice is offering doctors a form contract to give to patients that holds out greater privacy protection for the patient if the patient will refrain from criticizing the doctor. That’s a deal people should be free to make, though—again—it’s probably a bad one. One way that the deal is enforced is by giving the doctor a copyright in the expressions of opinion that patients may issue. This gives the doctor a right to issue “take-down” notices to web sites where content critical of them is found.
This peculiar use of copyright takes the virtuous cycle where a patient talking about an experience with a doctor benefits others, and doesn’t just nip it—bringing it back to zero. It places enforcement costs on third parties. The enforcement of copyrights in commentary pushes negative externalities onto web site operators as it deprives markets of useful information.
The DoctoredOpinions site has a good, concise explanation of the law as it relates to website owners. I think copyright has some explaining to do—its distinction from rights in physical property is in high relief—if its enforcement can draw disinterested and uninvolved third parties into an administrative/litigation vortex.
Every lover of liberty and the Constitution should be offended by the moniker “Privacy Bill of Rights” appended to regulatory legislation Senators John Kerry (D-MA) and John McCain (R-AZ) introduced yesterday. As C|Net’s Declan McCullagh points out, the legislation exempts the federal government and law enforcement:
[T]he measure applies only to companies and some nonprofit groups, not to the federal, state, and local police agencies that have adopted high-tech surveillance technologies including cell phone tracking, GPS bugs, and requests to Internet companies for users’ personal information–in many cases without obtaining a search warrant from a judge.
The real “Privacy Bill of Rights” is in the Bill of Rights. It’s the Fourth Amendment.
It takes a lot of gall to put the moniker “Privacy Bill of Rights” on legislation that reduces liberty in the information economy while the Fourth Amendment remains tattered and threadbare. Nevermind “reasonable expectations”: the people’s right to be secure against unreasonable searches and seizures is worn down to the nub.
Senators Kerry and McCain should look into the privacy consequences of the Internal Revenue Code. How is privacy going to fare under Obamacare? How is the Department of Homeland Security doing with its privacy efforts? What is an “administrative search”?
McCullagh was good enough to quote yours truly on the new effort from Sens. Kerry and McCain: “If they want to lead on the privacy issue, they’ll lead by getting the federal government’s house in order.”
San Francisco’s Entertainment Commission will soon be considering a jaw-dropping attack on privacy and free assembly. Here are some of the rules the Commission may adopt for any gathering of people expected to reach 100 or more:
3. All occupants of the premises shall be ID Scanned (including patrons, promoters, and performers, etc.). ID scanning data shall be maintained on a data storage system for no less than 15 days and shall be made available to local law enforcement upon request.
4. High visibility cameras shall be located at each entrance and exit point of the premises. Said cameras shall maintain a recorded data base for no less than fifteen (15 days) and made available to local law enforcement upon request.
Would you recognize a police state if you lived in one? How about a police city? The First Amendment right to peaceably assemble takes a big step back when your identity data and appearance are captured for law enforcement to use at whim simply because you showed up. (ht: PrivacyActivism.org)
I’m currently plugging away at a big working paper with the running title, “Argumentum in Cyber-Terrorem: A Framework for Evaluating Fear Appeals in Internet Policy Debates.” It’s an attempt to bring together a number of issues I’ve discussed here in my past work on “techno-panics” and devise a framework to evaluate and address such panics using tools from various disciplines. I begin with some basic principles of critical argumentation and outline various types of “fear appeals” that usually represent logical fallacies, including: argumentum in terrorem,
argumentum ad metum, and argumentum ad baculum. But I’ll post more about that portion of the paper some other day. For now, I wanted to post a section of that paper entitled “The Problem with the Precautionary Principle.” I’m posting what I’ve got done so far in the hopes of getting feedback and suggestions for how to improve it and build it out a bit. Here’s how it begins…
________________
The Problem with the Precautionary Principle
“Isn’t it better to be safe than sorry?” That is the traditional response of those perpetuating techno-panics when their fear appeal arguments are challenged. This response is commonly known as “the precautionary principle.” Although this principle is most often discussed in the field of environment law, it is increasingly on display in Internet policy debates.
The “precautionary principle” basically holds that since every technology and technological advance poses
some theoretical danger or risk, public policy should be crafted in such a way that no possible harm will come from a particular innovation before further progress is permitted. In other words, law should mandate “just play it safe” as the default policy toward technological progress. Continue reading →
PaidContent.org has posted a chart showing “Who’s Getting Buzz Settlement Money.” This refers to the $9.5 million payout following the Federal Trade Commission settlement with Google a class action suit over its “Buzz” social networking service. Last week, the Federal Trade Commission entered into a consent decree with Google over its botched rollout of Buzz saying the search giant violated its own privacy policy. Google will also pay out to various advocacy groups according to the distribution seen in the chart as part of a separate class action. Payouts to advocates like this are not uncommon, although they are more often the result of a class action settlement than a regulatory agency consent decree. [Update/Correction 5:13 pm: I should have made it clear that this payout was the result of a class action lawsuit against Google and not the direct result of the FTC settlement. Apologies for that mistake, but still interested in the questions raised below.]
But that got me wondering whether this might make for good fodder for a case study by a public choice economist or political scientist. There are some really interesting questions raised by settlements like this that would be worth studying.
Continue reading →
I’ve posted a long article on Forbes.com this morning on the Global Network Initiative. A non-profit group aimed at improving human rights though the agency of information technology companies, GNI has never really gotten off the ground.
Since its formal launch in 2008, following two years of negotiations among tech companies, human rights groups and academics, not a single company has agreed to join beyond the original members–Google, Yahoo and Microsoft.
This despite considerable pressure from supporters of GNI, including Senator Richard Durbin (D-IL), Chair of the Senate Judiciary’s Subcommittee on Human Rights. Indeed, in the wake of uprisings in Tunisia, Egypt, Libya and elsewhere and the seminal role played by social media and other IT, a full-court press has been launched against Facebook and Twitter in particular for failing to sign up. Continue reading →
Here’s an interesting SmartPlanet interview with Paul Ohm, associate professor of law at the University of Colorado Law School, in which he discusses his concerns about “reidentification” as it relates to privacy issues. “Reidentification” and “de-anonymization” fears have been set forth by Ohm and other computer scientists and privacy theorists, who suggest that because the slim possibility exists of some individuals in certain data sets being re-identified even after their data is anonymized, that fear should trump all other considerations and public policy should be adjusted accordingly (specifically, in the direction of stricter privacy regulation / tighter information controls).
I won’t spend any time here on that particular issue since I am still waiting for Ohm and other “reidentification” theorists to address the cogent critique offered up by Jane Yakowitz in an important new study that I discussed here last week. Once they do, I might have more to say on that point. Instead, I just wanted to make some brief comments on one particular passage from the Ohm interview in which he outlines a bold new standard for privacy regulation:
We have 100 years of regulating privacy by focusing on the information a particular person has. But real privacy harm will come not from the information they have but the inferences they can draw from the data they have. No law I have ever seen regulates inferences. So maybe in the future we may regulate inferences in a really different way; it seems strange to say you can have all this data but you can’t take this next step. But I think that’s what the law has to do.
This is a rather astonishing new legal standard and there are two simple reasons why, as Ohm suggests, “no law… regulates inferences” and why, in my opinion, no law should. Continue reading →
Last night, Declan McCullagh of CNet posted two tweets related to the concerns already percolating in the privacy community about a new Apple and Android app called “Color,” which allows those who use it to take photos and videos and instantaneously share them with other people within a 150-ft radius to create group photo/video albums. In other words, this new app marries photography, social networking, and geo-location. 
And because the app’s default setting is to share every photo and video you snap openly with the world, Declan wonders “How long will it take for the #privacy fundamentalists to object to Color.com’s iOS/Android apps?” After all, he says facetiously, “Remember: market choices can’t be trusted!” He then reminds us that there’s really nothing new under the privacy policy sun and that we’ve seen this debate unfold before, such as when Google released its GMail service to the world back in 2004.
Indeed, for me, this debate has a “Groundhog Day” sort of feel to it. I feel like I’ve been fighting the same fight with many privacy fundamentalists for the past decade. The cycle goes something like this: Continue reading →
I guess the search for market failure in the privacy area is interesting to me. I wrote about it the other week too. It’s nice that those who prefer regulation feel obligated to justify that preference. It’s acknowledgment of the fact, increasingly well-accepted worldwide, that functioning free markets do a better job of discovering and satisfying consumers’ interests than any other method for organizing societies’ resources.
A recent market failure blog post called “Privacy and the Market for Lemons, or How Websites Are Like Used Cars,” seems to have piqued Adam’s interest. (See the comments.) In it, privacy and anonymity researcher Arvind Narayanan makes the case for privacy market failure. (Evidently, it’s an argument that others have made before.)
“In the realm of online privacy and data collection,” he says, “information asymmetry results from a serious lack of transparency around privacy policies. The website or service provider knows what happens to data that’s collected, but the user generally doesn’t.” Several economic, architectural, cognitive and regulatory limitations/flaws “have led to a well-documented market failure—there’s an arms race to use all means possible to entice users to give up more information, as well as to collect it passively through ever-more intrusive means.”
Alas, there’s no link at “well-documented.” I would like to see that documentation. But more importantly, what Narayanan appears to be speaking of as market failure—an arms race to get more information from Web users—is not one. That’s market action that Narayanan doesn’t like.
So where’s the market failure? Continue reading →
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.