Gabrielle Bauer, a Toronto-based medical writer, has just published one of the most concise explanations of what’s wrong with the precautionary principle that I have ever read. The precautionary principle, you will recall, generally refers to public policies that limit or even prohibit trial-and-error experimentation and risk-taking. Innovations are restricted until their creators can prove that they will not cause any harms or disruptions. In an essay for The New Atlantis entitled, “Danger: Caution Ahead,” Bauer uses the world’s recent experiences with COVID lockdowns as the backdrop for how society can sometimes take extreme caution too far, and create more serious dangers in the process. “The phrase ‘abundance of caution’ captures the precautionary principle in a more literary way,” Bauer notes. Indeed, another way to look at it is through the prism of the old saying, “better to be safe than sorry.” The problem, she correctly observes, is that, “extreme caution comes at a cost.” This is exactly right and it points to the profound trade-offs associated with precautionary principle thinking in practice.

In my own writing about the problems associated with the precautionary principle (see list of essays at bottom), I often like to paraphrase an ancient nugget of wisdom from St. Thomas Aquinas, who once noted in his Summa Theologica that, if the highest aim of a captain were merely to preserve their ship, then they would simply keep it in port forever. Of course, that is not the only goal of a captain has. The safety of the vessel and the crew is essential, of course, but captains brave the high seas because there are good reasons to take such risks. Most obviously, it might be how they make their living. But historically, captains have also taken to the seas as pioneering explorers, researchers, or even just thrill-seekers.

This was equally true when humans first decided to take to the air in balloons, blimps, airplanes, and rockets. A strict application of the precautionary principle would have instead told us we should keep our feet on the ground. Better to be safe than sorry! Thankfully, many brave souls ignored that advice and took the heavens in the spirit of exploration and adventure. As Wilbur Wright once famously said, “If you are looking for perfect safety, you would do well to sit on a fence and watch the birds.” Needless to say, humans would have never mastered the skies if the Wright brothers (and many others) had not gotten off the fence and taken the risks they did.

Opportunity Costs Matter

Here we get to the true danger of strict versions of the precautionary principle: It essentially becomes a crime to get off the fence and do anything risky at all. This sets up the potential for stasis and stagnation as societal learning is severely curtailed. Progress becomes harder because there can be no reward without some risk. — both individually or societally. “Caution makes sense except when it doesn’t,” Bauer notes. She continues on to note:

Used too liberally, the precautionary principle can keep us stuck in a state of extreme risk-aversion, leading to cumbersome policies that weigh down our lives. To get to the good parts of life, we need to accept some risk.

As I argued in a book on these issues, the root problem with precautionary principle thinking is that “living in constant fear of worst-case scenarios—and premising public policy on them—means that best-case scenarios will never come about.” If societal attitudes and public policy will not tolerate the idea of any error resulting from experimentation with new and better ways of doing things, then we will obviously not get many new and better things! Scientist Martin Rees refers to this truism about the precautionary principle as “the hidden cost of saying no.”

The opportunity cost of inaction or stasis can be hard to quantify but imagine if we organized our entire society around a rigid application of the precautionary principle. Bauer notes that this is basically what we did during COVID. And the results are in. “It’s far past time we ask ourselves when  abundance really means excess, when our precautionary measures against Covid have gone too far, when we have ignored the costs and lost all sense of proportionality.” Unfortunately, the precautionary mindset–which is always rooted in fear of the unknown–took control. As Bauer notes:

It should have been socially acceptable to debate the merits of these tradeoffs, with nuance and without censure. But that is not what happened. Early in the pandemic, an unspoken rule — thou shalt not question the costs — sprang up and stifled discourse.

“And here’s the worst of it: the costs of excess caution can persist long after the initial danger has passed,” she notes. “It’s no different with Covid: our knee-jerk caution may have downstream effects that persist after the virus has ceased to be a threat.” She cites many compelling examples of the negative effects associated with extreme precautionary thinking during COVID, noting how, “[t]he impact of travel and trade restrictions on food security and childhood vaccination in developing countries will likely reverberate for decades.” Moreover:

The Covid-19 pandemic has laid bare the risks of extreme protection: lost businesses, lost livelihoods, lost graduations, lost loves, lost goodbyes; the loss of personal agency over life’s most intimate and meaningful moments; the loss, quite possibly, of our cherished principles of liberal democracy. A recent report by International IDEA, a democracy advocacy organization, concluded that many countries had become more authoritarian as they took steps to contain the pandemic.

This list of lockdown trade-offs goes on and the aggregate costs will be staggering once economists and others get around to better estimating them. As noted, gauging those costs will be challenging because of the many variables and values that come into play. But it remains vital that society takes risk analysis and trade-offs more seriously so that we don’t make these mistakes again and again.

Proportionality is the Key

Toward that end, Bauer makes “a plea for proportionality.” She wants society to strike a more reasonable balance when it comes to policy measures that might block actions and research that could help us better understand how to deal with risk uncertainties. Accordingly, “we must understand when to apply the precautionary principle and when to move on from it.”

“The precautionary principle doesn’t come with such checks and balances. On the contrary, it tends to perpetuate itself and acquire a life of its own,” she notes. In other words, once set in place initially for a given issue or sector, precautionary principle thinking tends to grow like bad weeds until it has taken over everything in sight. (To see the consequences of that in fields like aviation, space, nanotech, and others, please check out J. Storrs Hall’s amazing new book, Where Is My Flying Car?)

Of course, proportionality cuts both ways, and as I noted in my last two books, there are some instances in which at least a light version of the precautionary principle should be preemptively applied, but they are limited to scenarios where the threat in question is tangible, immediate, irreversible, and catastrophic in nature. In such cases, I argue, society might be better suited thinking about when an “anti-catastrophe principle” is needed, which narrows the scope of the precautionary principle and focuses it more appropriately on the most unambiguously worst-case scenarios that meet those criteria. Generally speaking, however, this test is not satisfied in the vast majority of cases. “Innovation Allowed” should be our default principle. 

Conclusion

The single most important thing that we must always remember when debating precautionary principle-based policies is that, just because someone has good intentions and claims safety as their goal, that does not automatically make the world a safer place. To repeat: Excessive safety-related measure can result in less safety overall. Or again, as Bauer says, “extreme caution comes at a cost.”

No one ever summarized this truism more clearly than the great political scientist Aaron Wildavsky, who devoted much of his life’s work to proving how efforts to create a risk-free society would instead lead to an extremely unsafe society. In his 1988 book, Searching for Safety, Wildavsky warned of the dangers of “trial without error” reasoning, and contrasted it with the trial-and-error method of evaluating risk and seeking wise solutions to it. He argued that wisdom is born of experience and that we can learn how to be wealthier and healthier as individuals and a society only by first being willing to embrace uncertainty and even occasional failure. Here was the crucial takeaway:

The direct implication of trial without error is obvious: If you can do nothing without knowing first how it will turn out, you cannot do anything at all. An indirect implication of trial without error is that if trying new things is made more costly, there will be fewer departures from past practice; this very lack of change may itself be dangerous in forgoing chances to reduce existing hazards. . . . Existing hazards will continue to cause harm if we fail to reduce them by taking advantage of the opportunity to benefit from repeated trials.

Trial and error is the basis of all societal learning, and without it, humanity will be less safe and less prosperous over the long run. Gabrielle Bauer’s new essay captures that insight better than anything I’ve read since Wildavsky was writing about the dangers of the precautionary principle. I beg you to jump over to New Atlantis and read her entire article. It’s absolutely essential.

Additional reading from Adam Thierer on the precautionary principle

• Adam Thierer, “How Many Lives Are Lost Due to the Precautionary Principle?” The Bridge, October 31, 2019.
• Adam Thierer, “How to Get the Future We Were Promised,” Discourse, January 18, 2022.
• Adam Thierer, “Failing Better: What We Learn by Confronting Risk and Uncertainty,” in Sherzod Abdukadirov (ed.), Nudge Theory in Action: Behavioral Design in Policy and Markets (Palgrave Macmillan, 2016): 65-94.
• Adam Thierer, “Innovation and the Trouble with the Precautionary Principle,” AIER, April 20, 2020.
• Adam Thierer, “Are ‘Permissionless Innovation’ and ‘Responsible Innovation’ Compatible?” Technology Liberation Front, July 12, 2017.
• Adam Thierer, Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom, 2nd ed. (Arlington, VA: Mercatus Center at George Mason University, 2016).
• Adam Thierer, “Problems with Precautionary Principle-Minded Tech Regulation & a Federal Robotics Commission,” Medium, September 22, 2014.
• Adam Thierer, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” Minnesota Journal of Law, Science & Technology 14, no. 1 (2013): 312–50.

In preparation for a Federalist Society teleforum call that I participated in today about the compliance costs of the EU’s General Data Protection Regulation (GDPR), I gathered together some helpful recent articles on the topic and put together some talking points. I thought I would post them here and try to update this list in coming months as I find new material. (My thanks to Andrea O’Sullivan for a major assist on coming up with all this.)

Key Points :

• GDPR is no free lunch; compliance is very costly

• • • All regulation entails trade-offs, no matter how well-intentioned rules are
    • $7.8 billion estimated compliance cost for U.S. firms already
    • Punitive fees can range from €20 million to 4 percent of global firm revenue
    • Vagueness of language leads to considerable regulatory uncertainty — no one knows what “compliance” looks like
    • Even EU member states do not know what compliance looks like: 17 of 24 regulatory bodies polled by Reuters said they were unprepared for GDPR

• GDPR will hurt competition & innovation; favors big players over small

• • • Google, Facebook & others beefing up compliance departments. (“ EU official, Vera Jourova: “They have the money, an army of lawyers, an army of technicians and so on.”)
    • Smaller firms exiting or dumping data that could be used to provide better, more tailored services
    • PwC survey found that 88% of companies surveyed spent more than $1 million on GDPR preparations, and 40% more than $10 million.
    • Before GDPR, half of all EU ad spend went to Google. The first day after it took effect, an astounding 95 percent went to Google.
    • In essence, with the GDPR, the EU is surrendering on the idea of competition being possible going forward
    • The law will actually benefit the same big companies that the EU has been going after on antitrust grounds. Meanwhile, the smaller innovators and innovations will suffer.

• GDPR likely to raise costs to consumers, or diminish choice/quality

• • • Consumers care about privacy, but they also care about choice, convenience, and low-cost services
    • The modern data-driven economy has given consumers access to an unparalleled cornucopia of information and services and it is remarkable how much of that content and how many of those services are offered to the public at no charge to them. That’s a real benefit.  
    • But if you take all the data out of the Data Economy, you won’t have much of an economy left
    • “Many organizations will pass these costs on to consumers either by erecting paywalls or forcing users to view more ads.”
    • Websites blacked out post GDPR: Instapaper, Los Angeles Times , Chicago Tribune (all Tronc- and Lee Enterprises-owned media platforms), A&E Networks websites.
    • “EU-only” web experience: stripped down websites without illustration or images. NPR and USA Today .
    • Washington Post is charging for a more expensive GDPR compliant subscription.

• GDPR hurts global flow of information; worsens problem of data localization

• • Rules only allow data to move to jurisdictions that offer an adequate level of protection
  • Cloud computing? Cloud architects are building costly new infrastructure that can isolate and inspect EU data to ensure it is not “sent” to the wrong jurisdiction.
  • Another step toward a more “bordered” Internet
  • Likely to just create more walled gardens
  • Max Schrems: “Unfortunately data localization is probably the best solution right now. It’s not really a solution that appeals to me a lot, but I think we need data localization for other reasons anyways, like load times and so on.”
  • Roundabout way to impose tariffs? Data-based firms are largely external to EU.

• GDPR doesn’t solve bigger problem of government access to data

• • EU Data Retention Directive: third parties must keep data for law enforcement for two years (passed after terrorist attacks).
  • EU member states often have no FISA-like body overseeing government wiretap requests. France and the UK have no court apparatus governing surveillance — instead issued directly by administrative bodies. In Germany, their FBI equivalent can install a “Federal Trojan” virus directly into third party platforms without their knowledge.

• GDPR doesn’t really move the needle much in terms of real privacy protection

• • heavy-handed, top-down regulatory regimes don’t always accomplish their goals when it comes to privacy
  • what consumers need is new competitive options and privacy innovations
  • Unfortunately, the world won’t get the new choices we need if regulations like the GDPR essentially punish them with regulatory compliance costs that only the largest current incumbents can possibly absorb

Related Research & Articles :

• Oliver Smith, “The GDPR Racket: Who’s Making Money From This $9bn Business Shakedown,” Forbes , May 2, 2018, https://www.forbes.com/sites/oliversmith/2018/05/02/the-gdpr-racket-whos-making-money-from-this-9bn-business-shakedown/#44d6f57b34a2  
• John Battelle, “How GDPR Kills The Innovation Economy,” NewCoShift , May 25, 2018, https://shift.newco.co/amp/p/844570b70a7a .
• Daniel Lyons, “GDPR: Privacy as Europe’s tariff by other means?” AEIdeas , July 3, 2018, https://www.aei.org/publication/gdpr-privacy-as-europes-tariff-by-other-means/
• Will Rinehart, “The Law & Economics of ‘Owning Your Data,’” American Action Forum, Insight , April 10, 2018, https://www.americanactionforum.org/insight/law-economics-owning-data/#ixzz5Klci9G
• Adam Thierer, “How Well-Intentioned Privacy Regulation Could Boost Market Power of Facebook & Google,” Technology Liberation Front , April 25, 2018, https://techliberation.com/2018/04/25/how-well-intentioned-privacy-regulation-could-boost-market-power-of-facebook-google/
• Andrea O’ Sullivan, “The EU’s New Privacy Rules Are Already Causing International Headaches,” Reason, June 12, 2018, https://reason.com/archives/2018/06/12/the-eus-new-privacy-rules-are-already-ca
• Alice Calder & Anne Hobson, “Data Privacy at a Price,” Medium , May 25, 2018, https://readplaintext.com/data-privacy-at-a-price-398634622f8b
• Daisuke Wakabayashi and Adam Satariano, “ How Looming Privacy Regulations May Strengthen Facebook and Google ,” New York Times , April 23, 2018,
• Sam Schechner and Nick Kostov, “ Google and Facebook Likely to Benefit From Europe’s Privacy Crackdown ,” Wall Street Journal , April 23, 2018, https://www.wsj.com/articles/how-europes-new-privacy-rules-favor-google-and-facebook-1524536324
• Nick Kostov and Sam Schechner, “Google Emerges as Early Winner From Europe’s New Data Privacy Law,” Wall Street Journal , May 31, 2018, https://www.wsj.com/articles/eus-strict-new-privacy-law-is-sending-more-ad-money-to-google-1527759001   https://www.wsj.com/articles/eus-strict-new-privacy-law-is-sending-more-ad-money-to-google-1527759001  
• Daniel Castro & Michael McLaughlin, “Why the GDPR Will Make Your Online Experience Worse,” Fortune , May 23, 2018, http://fortune.com/2018/05/23/gdpr-compliant-privacy-facebook-google-analytics-policy-deadline/
• Brent Skorup & Jennifer Huddleston Skees, “It’s Not About Facebook; It’s about the Next Facebook,” Real Clear Policy , June 01, 2018, https://www.realclearpolicy.com/articles/2018/06/01/its_not_about_facebook_its_about_the_next_facebook_110654.html
• Jennifer Skees & Jordan Reimschisel, “GDPR and Me: how the EU data rules could impact genetic testing,” Medium , May 18, 2018, https://readplaintext.com/gdpr-and-me-how-the-eu-data-rules-could-impact-genetic-testing-851494e55dd3 

The National Academies of Sciences, Engineering, and Medicine has released an amazing new report focused on, “Assessing the Risks of Integrating Unmanned Aircraft Systems (UAS) into the National Airspace System.” In what the Wall Street Journal rightly refers to as an “unusually strongly worded report,” the group of experts assembled by the National Academies call for a sea change in regulatory attitudes and policies toward regulation of Unmanned Aircraft Systems (or “drones”) and the nation’s airspace more generally.

The report uses the term “conservative” or “overly conservative” more than a dozen times to describe the Federal Aviation Administration’s (FAA) problematic current approach toward drones. They point out that the agency has “a culture with a near-zero tolerance for risk,” and that the agency needs to adjust that culture to take into account “the various ways in which this new technology may reduce risk and save lives.” (Ch. S, p.2) The report continues on to say that:

The committee concluded that “fear of making a mistake” drives a risk culture at the FAA that is too often overly conservative, particularly with regard to UAS technologies, which do not pose a direct threat to human life in the same way as technologies used in manned aircraft. An overly conservative attitude can take many forms. For example, FAA risk avoidance behavior is often rewarded, even when it is excessively risk averse, and rewarded behavior is repeated behavior. Balanced risk decisions can be discounted, and FAA staff may conclude that allowing new risk could endanger their careers even when that risk is so minimal that it does not exceed established safety standards.  The committee concluded that a better measure for the FAA to apply is to ask the question, “Can we make UAS as safe as other background risks that people experience daily?” As the committee notes, we do not ground airplanes because birds fly in the airspace, although we know birds can and do bring down aircraft. [. . . ] In many cases, the focus has been on “What might go wrong?” instead of a holistic risk picture: “What is the net risk/benefit?” Closely related to this is what the committee considers to be paralysis wherein ever more data are often requested to address every element of uncertainty in a new technology. Flight experience cannot be gained to generate these data due to overconservatism that limits approvals of these flights. Ultimately, the status quo is seen as safe. There is too little recognition that new technologies brought into the airspace by UAS could improve the safety of manned aircraft operations, or may mitigate, if not eliminate, some nonaviation risks. (p. S-2)

Importantly, the report makes it clear that the problem here is not just that “an overly conservative risk culture that overestimates the severity and the likelihood of UAS risk can be a significant barrier to introduction and development of these technologies,” but, more profoundly, the report highlights how,  “Avoiding risk entirely by setting the safety target too high creates imbalanced risk decisions and can degrade overall safety and quality of life.” (p. 3-6,7) In other words, we should want a more open and common sense-oriented approach to drones, not only to encourage more life-enriching innovation, but also because it could actually make us safer as a result.

No Reward without Some Risk

What the National Academies report is really saying here is that  there can be no reward without some risk.  This is something I have spent a great deal of time writing about in my last book, a recent book chapter, and various other essays and journal articles over the past 25 years.  As I noted in my last book, “living in constant fear of worst-case scenarios—and premising public policy on them—means that best-case scenarios will never come about.”  If we want a wealthier, healthier, and safer society, we must embrace change and risk-taking to get us there.

This is exactly what that National Academies report is getting at when they note that the FAA”s “overly conservative culture prevents safety beneficial operations from entering the airspace. The focus is on what might go wrong. More dialogue on potential benefits is needed to develop a holistic risk picture that addresses the question, What is the net risk/benefit?” (p. 3-10)

In other words, all safety regulation involves trade-offs, and if (to paraphrase a classic Hardin cartoon you’ll see to your right) we consider every potential risk except the risk of avoiding all risks, the result will be not only a decline in short-term innovation, but also a corresponding decline in safety and overall living standards over time.

Countless risk scholars have studied this process and come to the same conclusion. “We could virtually end all risk of failure by simply declaring a moratorium on innovation, change, and progress,” notes engineering historian Henry Petroski. But the costs to society of doing so would be catastrophic, of course. “The history of the human race would be dreary indeed if none of our forebears had ever been willing to accept risk in return for potential achievement,” observed H.L. Lewis, an expert on technological risk trade-offs.

The most important book ever written on this topic was Aaron Wildavsky’s 1988 masterpiece, Searching for Safety. Wildavsky warned of the dangers of “trial without error” reasoning and contrasted it with the trial-and-error method of evaluating risk and seeking wise solutions to it. Wildavsky argued that real wisdom is born of experience and that we can learn how to be wealthier and healthier as individuals and a society only by first being willing to embrace uncertainty and even occasional failure. As he put it:

The direct implication of trial without error is obvious: If you can do nothing without knowing first how it will turn out, you cannot do anything at all. An indirect implication of trial without error is that if trying new things is made more costly, there will be fewer departures from past practice; this very lack of change may itself be dangerous in forgoing chances to reduce existing hazards. . . . Existing hazards will continue to cause harm if we fail to reduce them by taking advantage of the opportunity to benefit from repeated trials.

When this logic takes the form of public policy prescriptions, it is referred to as the “precautionary principle,” which generally holds that, because new ideas or technologies could pose some theoretical danger or risk in the future, public policies should control or limit the development of such innovations until their creators can prove that they won’t cause any harms.

Again, if we adopt that attitude, human safety actually suffers because it holds back beneficial experiments aimed at improving the human condition. As the great economic historian Joel Mokyr argues, “technological progress requires above all tolerance toward the unfamiliar and the eccentric.” But the regulatory status quo all too often rejects “the unfamiliar and the eccentric” out of an abundance of caution. While usually well-intentioned, that sort of status quo thinking holds back new and better was of doing old things better, or doing all new things. The end result is that real health and safety advances are ignored or forgone.

How Status Quo Thinking at the FAA Results in Less Safety

This is equally true for air safety and FAA regulation of drones. “Ultimately, the status quo is seen as safe,” the National Acadamies report notes. “There is too little recognition that new technologies brought into the airspace by UAS could improve the safety of manned aircraft operations, or may mitigate, if not eliminate, some nonaviation risks.” The example of the life-saving potential of drones have already been well-documented.

Drones have already been used to monitor fires, help with search-and-rescue missions for missing people or animals, assist life guards by dropping life vests to drowning people, deliver medicines to remote areas, and help with disaster monitoring and recovery efforts. But that really just scratches the surface in terms of their potential.

Some people scoff at the idea of drones being used to deliver small packages to our offices or homes. But consider how many of those packages are delivered by human-operated vehicles that are far more likely to be involved in dangerous traffic accidents on our over-crowded roadways. If drones were used to make some of those deliveries, we might be able to save a lot of lives. Or how about an elderly person stuck at home during storm, only to realize they are out of some essential good or medicine that is a long drive away. Are we better off having them (or someone else) get behind the wheel to drive and get it, or might a drone be able to deliver it more safely?

The authors of the National Academies report understand this, as they made clear when they concluded that, “operation of UAS has many advantages and may improve the quality of life for people around the world. Avoiding risk entirely by setting the safety target too high creates imbalanced risk decisions and can degrade overall safety and quality of life.” (Ch. 3, p. 5-6)

Reform Ideas: Use the “Innovator’s Presumption” & “Sunsetting Imperative”

Given that reality, the National Academies report makes several sensible reform recommendations aimed at countering the FAA’s hyper-conservatism and bias for the broken regulatory status quo. I won’t go through them all, but I think they are an excellent set of reforms that deserve to be taken seriously.

I do, however, want to highly recommend everyone take a close look at this one outstanding recommendation in Chapter 3, which is aimed at keep things moving and making sure that status quo thinking doesn’t freeze beneficial new forms of airspace innovation. Specifically, the National Academies report recommends that:

The FAA should meet requests for certifications or operations approvals with an initial response of “How can we approve this?” Where the FAA employs internal boards of executives throughout the agency to provide input on decisions, final responsibility and authority and accountability for the decision should rest with the executive overseeing such boards. A time limit should be placed on responses from each member of the board, and any “No” vote should be accompanied with a clearly articulated rationale and suggestion for how that “No” vote could be made a “Yes.” (Ch. 3, p. 8)

I absolutely love this reform idea because it essentially combines elements of two general innovation policy reform ideas that I discussed in my recent essay, “Converting Permissionless Innovation into Public Policy: 3 Reforms.” In that piece, I proposed the idea of instituting an “Innovator’s Presumption” that would read: “Any person or party (including a regulatory authority) who opposes a new technology or service shall have the burden to demonstrate that such proposal is inconsistent with the public interest.” I also proposed a so-called “Sunsetting Imperative” that would read: “Any existing or newly imposed technology regulation should include a provision sunsetting the law or regulation within two years.”

The National Academies report recommendation above basically embodies the spirit of both the Innovator’s Presumption and the Sunsetting Imperative. It puts the burden of proof on opponents of change and then creates a sort of shot clock to keep things moving.

These are the kind of reforms we need to make sure status quo thinking at regulatory agencies doesn’t hold back life-enriching and life-saving innovations. It’s time for a change in the ways business is done at the FAA to make sure that regulations are timely, effective, and in line with common sense. Sadly, as the new National Academies report makes clear, today’s illogical policies governing airspace innovation are having counter-productive results that hurt society.

Two weeks ago, as Facebook CEO Mark Zuckerberg was getting grilled by Congress during a two-day media circus set of hearings, I wrote a counterintuitive essay about how it could end up being Facebook’s greatest moment. How could that be? As I argued in the piece, with an avalanche of new rules looming, “Facebook is potentially poised to score its greatest victory ever as it begins the transition to regulated monopoly status, solidifying its market power, and limiting threats from new rivals.”

With the exception of probably only Google, no firm other than Facebook likely has enough lawyers, lobbyists, and money to deal with layers of red tape and corresponding regulatory compliance headaches that lie ahead. That’s true both here and especially abroad in Europe, which continues to pile on new privacy and “data protection” regulations. While such rules come wrapped in the very best of intentions, there’s just no getting around the fact that  regulation has costs. In this case, the unintended consequence of well-intentioned data privacy rules is that the emerging regulatory regime will likely discourage (or potentially even destroy) the chances of getting the new types of innovation and competition that we so desperately need right now.

Others now appear to be coming around to this view. On April 23, both the  New York Times and The Wall Street Journal ran feature articles with remarkably similar titles and themes. The New York Times article by Daisuke Wakabayashi and Adam Satariano was titled, “How Looming Privacy Regulations May Strengthen Facebook and Google,” and The Wall Street Journal’s piece, “Google and Facebook Likely to Benefit From Europe’s Privacy Crackdown,” was penned by Sam Schechner and Nick Kostov. “In Europe and the United States, the conventional wisdom is that regulation is needed to force Silicon Valley’s digital giants to respect people’s online privacy. But new rules may instead serve to strengthen Facebook’s and Google’s hegemony and extend their lead on the internet,” note Wakabayashi and Satariano in the  NYT essay. They continue on to note how “past attempts at privacy regulation have done little to mitigate the power of tech firms.” This includes regulations like Europe’s “right to be forgotten” requirement, which has essentially put Google in a privileged position as the “chief arbiter of what information is kept online in Europe.” Meanwhile, the  WSJ article opens with this interesting story about the epiphany EU regulator Věra Jourová had upon visiting with the supposed victims of the EU’s new General Data Protection Regulation, or GDPR:

When the European Union’s justice commissioner traveled to California to meet with Google and Facebook last fall, she was expecting to get an earful from executives worried about the Continent’s sweeping new privacy law. Instead, she realized they already had the situation under control. “They were more relaxed, and I became more nervous,” said the EU official, Věra Jourová. “They have the money, an army of lawyers, an army of technicians and so on.”

Indeed they do. And that means that they are better positioned to absorb the significant costs of compliance that will be associated with the new GDPR rules, which are somewhat ambiguous and will require a great deal of ongoing interpretation and legal wrangling.  The Journal essay also cites an unnamed Brussels lobbyist for an media-measurement firm saying, “The politicians wanted to teach Google and Facebook a lesson. And yet they favor them.” Consider this paragraph from the WSJ essay about how the two firms worked diligently to come into compliance with the new GDPR regulations:

Once the law passed in spring 2016, Google and Facebook threw people at the problem. Google involved lawyers in the U.S., Ireland, Brussels and elsewhere to pore over contracts and procedures, said people close to the company. Facebook mobilized hundreds of people in what it describes as the largest interdepartmental team it has ever assembled. Facebook lawyers spent a year scrutinizing the law’s lengthy text. Designers and engineers then toiled over how to implement changes, according to Stephen Deadman, Facebook’s global deputy chief privacy officer. During the process, Facebook got frequent access to regulators across Europe. It met with Helen Dixon, the data protection commissioner in Ireland, where the company bases its European operations, and her staff to run through changes Facebook was planning. Ms. Dixon’s agency provided the firm with feedback on the wording of its consent requests, Facebook said.

Now ask yourself how many other smaller existing or new firms would be in a position to do the same thing. Answer: Not many. We’re already seeing the deleterious effects of the GDPR on market structure, the  Journal reports. “Some advertisers are planning to shift money away from smaller providers and toward Google and Facebook,” Schechner and Kostov note. And they end their essay with the telling thoughts of Bill Simmons, co-founder and chief technology officer of Dataxu, Boston-based company that helps buy targeted ads, who says, “It is paradoxical. The GDPR is actually consolidating the control of consumer data onto these tech giants.” The  NYT essay included a funny tidbit about how “Some privacy advocates also bristle at the idea that these new restrictions would help already powerful internet companies, noting that is a well-worn argument employed by tech giants to try to prevent future regulation.” That’s a highly unfortunate attitude. If privacy advocates really care about improving the situation on the ground, then the best way to do that is with more and better choices. Sadly, it seems that with each passing day the write off the idea of any new competition emerging to today’s tech giants. “Can Facebook be replaced?” asks Olivia Solon writing in The Guardian today. Some probably think not, but as Solon notes, “prominent Silicon Valley investor Jason Calacanis, who was an early investor in several high-profile tech companies including Uber certainly hopes so. He has launched a competition to find a ‘social network that is actually good for society,'” and his “Openbook Challenge will offer seven “purpose-driven teams” $100,000 in investment to build a billion-user social network that could replace the technology titan while protecting consumer privacy.” In a blog post announcing the Challenge, Calacanis wrote: “All community and social products on the internet have had their era, from AOL to MySpace, and typically they’re not shut down by the government — they’re slowly replaced by better products. So, let’s start the process of replacing Facebook.” I don’t have any idea whether this Openbook Challenge will succeed. It’s hard building big, scalable digital platforms that satisfy the diverse needs of a diverse world. But this is exactly the sort of innovation that we should be encouraging. Even the very threat of new competition will keep the big dogs on their toes. Alas, all the new regulations being consider will likely just leave us with fewer choices and regulations that probably won’t even do all that much to truly better protect our data or privacy. But hey, at least it was all well-intentioned!

Updates :

• Nick Kostov and Sam Schechner, “Google Emerges as Early Winner From Europe’s New Data Privacy Law,” Wall Street Journal, May 31, 2018, https://www.wsj.com/articles/eus-strict-new-privacy-law-is-sending-more-ad-money-to-google-1527759001

In theory, the Food & Drug Administration (FDA) exists to save lives and improve health outcomes. All too often, however, that goal is hindered by the agency’s highly bureaucratic, top-down, command-and-control orientation toward drug and medical device approval.

Today’s case in point involves families of children with diabetes, many of whom are increasingly frustrated with the FDA’s foot-dragging when it comes to approval of medical devices that could help their kids. Writing today in The Wall Street Journal, Kate Linebaugh discusses how “Tech-Savvy Families Use Home-Built Diabetes Device” to help their kids when FDA regulations limit the availability of commercial options. She documents how families of diabetic children are taking matters into their own hands and creating their own home-crafted insulin pumps, which can automatically dose the proper amount of proper amount of the hormone in response to their child’s blood-sugar levels. Families are building, calibrating, and troubleshooting these devices on their own. And the movement is growing. Linebaugh reports that:

More than 50 people have soldered, tinkered and written software to make such devices for themselves or their children. The systems—known in the industry as artificial pancreases or closed loop systems—have been studied for decades, but improvements to sensor technology for real-time glucose monitoring have made them possible. The Food and Drug Administration has made approving such devices a priority and several companies are working on them. But the yearslong process of commercial development and regulatory approval is longer than many patients want, and some are technologically savvy enough to do it on their own.

Linebaugh notes that this particular home-built medical project (known as OpenAPS), was created by Dana Lewis, a 27-year-old with Type 1 diabetes in Seattle. Linebaugh says that:

Ms. Lewis began using the system in December 2014 as a sort of self-experiment. After months of tweeting about it, she attracted others who wanted what she had. The only restriction of the project is users have to put the system together on their own. Ms. Lewis and other users offer advice, but it is each one’s responsibility to know how to troubleshoot. A Bay Area cardiologist is teaching himself software programming to build one for his 1-year-old daughter who was diagnosed in March.

In essence, these individuals and families are engaging in a variant of the sort of decentralized “biohacking” that is becoming increasingly prevalent in society today. As I discussed in a recent law review article, biohacking refers to the efforts of average citizens (often working together in a decentralized fashion) to enhance various human capabilities. This can include implanting things inside one’s body or using external devices to supplement one’s abilities or to address health-related issues.

I documented other examples of this trend in my essays on average citizens making 3D-printed prosthetics (The Right to Try, 3D Printing, the Costs of Technological Control & the Future of the FDA) as well as retainers (“In a World Where Kids Can 3D-Print Their Own Retainers, What Should Regulators Do?”) As “software eats the world” and allows for this sort of democratized medical self-experimentation, more and more citizens are likely going to be engaging in biohacking. In the process, they will often be doing an end-around the FDA and its complex maze of regulatory restrictions on health innovation.

Stated more provocatively, thanks to new technological capabilities and networking platforms, the public may increasingly enjoy a de facto “right to try” for many new medical devices and treatments. Technological innovation will decentralize and democratize medical decisions even when the legal status of such actions is unclear or even flatly illegal.

But is a world of increasingly decentralized, democratized, and such highly personalized medicine actually safe? Well, all risk is relative and as I discussed extensively in my recent book and other work on innovation policy, sometimes the greatest risk of all is the refusal to take any risk to begin with. If you disallow or limit efforts to engage in certain risky endeavours, ultimately, you could end up doing more harm because there can be no reward without a corresponding amount of risk-taking. It is only through constant trial and error experimentation that we find new and better ways of doing things. That is particularly true as it pertains to life-enriching or even life-saving medical treatments. While the FDA likes to think that its hyper-cautious approach to medical drug and device approval ultimately saves lives, in the aggregate, we have no idea how many lives are actually being lost (or how much pain and suffering is occurring) due to FDA prohibitions on our freedom to experiment with new products and services.

One of the parents Linebaugh interviewed for her story made the following remark: “Diabetes is dangerous anyway. Insulin is dangerous. I think what we are doing is actually improving that and lowering the risk.” That is exactly right. This father understands the reality of risk trade-offs. There are certainly risks associated with what these families are doing for their children. But these families also have a very palpable sense of the opposite problem: There is a profound and immediate risk of doing nothing and waiting for the FDA to finally get around to approving the devices that their children need  right now.

All this raises another interesting policy question: Why is it legal for these parents to engage in this sort of medical self-experimentation–experimentation on their children, no less!–while it remains flatly illegal for any commercial operator to offer similar products that could help these families? Many modern regulatory regimes accord differential treatment to commercial activities. Non-commercial versions of some activities are left alone, but as soon as commercial opportunities arise, policymakers seek to apply regulation.

Does this sort of commercial vs. non-commercial regulatory asymmetry make any sense? As far as I can tell, this regulatory distinction is mostly rooted in the fact that deep-pocked commercial operators make easier targets for regulators to go after when compared to harassing average citizens.  Going after average citizens would be bad PR and a serious legal hassle as well because issues pertaining to personal autonomy or parental rights would likely be raised both in the court of public opinion and courts of law.

Regardless, let’s not kid ourselves into thinking that this regulatory distinction is rooted in safety considerations. After all, it is almost certainly the case that those commercial medical innovators are likely building safer products, made by medical professionals with years of experience. Moreover, commercial operators are more likely to carry insurance to address any problems that may develop, and they possess strong reputational incentives to be good market actors. Commercial operators have to maintain brand loyalty to earn new or repeat business, or perhaps just to avoid stiff legal liability that non-commercial operators might not face. 

In any event, one thing should be abundantly clear: If the FDA doesn’t change its ways, we can expect an increasing number of citizens to begin pursuing medical treatments outside the boundaries of the law (and potentially outside the realm of common sense). Many people want a right to try new devices and therapies, and in our modern networked world, they are increasingly going to get it whether regulators like it or not.

Lawmakers in Congress need to exercise better oversight of rogue agencies like the FDA, which face no serious penalties for the sort of endless regulatory foot-dragging that threatens public welfare. If the agency was required by Congress to improve its drug and device approval process, then perhaps fewer Americans would be forced to take matters into their own hands to begin with. Down below, I’ve included a few reports suggesting how we might get this much-needed reform process started.

Additional reading from Mercatus Center scholars:

• white paper: “US Medical Devices: Choices and Consequences,” by Richard Williams, Robert Graboyes & Adam Thierer
• white paper: “The Proper Role of the FDA for the 21st Century,” by Joseph V. Gulfo, Jason Briggeman, Ethan Roberts
• white paper: “How Productive Is the FDA’s Devices Program?” by Richard Williams, Jason Briggeman, Ethan Roberts
• special report: “From Fortress to Frontier: How Innovation Can Save Health Care,” by Robert Graboyes
• blog post: “The Right to Try, 3D Printing, the Costs of Technological Control & the Future of the FDA,” by Adam Thierer
• blog post: “In a World Where Kids Can 3D-Print Their Own Retainers, What Should Regulators Do?” by Adam Thierer

Wallach’s latest book is entitled, A Dangerous Master: How to Keep Technology from Slipping beyond Our Control. And, as I’ve noted here recently, the greatly expanded second edition of my latest book, Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom, has just been released.

Of all the books of technological criticism or skepticism that I’ve read in recent years—and I have read stacks of them!— A Dangerous Master is by far the most thoughtful and interesting. I have grown accustomed to major works of technological criticism being caustic, angry affairs. Most of them are just dripping with dystopian dread and a sense of utter exasperation and outright disgust at the pace of modern technological change.

Although he is certainly concerned about a wide variety of modern technologies—drones, robotics, nanotech, and more—Wallach isn’t a purveyor of the politics of panic. There are some moments in the book when he resorts to some hyperbolic rhetoric, such as when he frets about an impending “techstorm” and the potential, as the book’s title suggests, for technology to become a “dangerous master” of humanity. For the most part, however, his approach is deeper and more dispassionate than what is found in the leading tracts of other modern techno-critics.

Many Questions, Few Clear Answers

Wallach does a particularly good job framing the major questions about emerging technologies and their effect on society. “Navigating the future of technological possibilities is a hazardous venture,” he observes. “It begins with learning to ask the right questions—questions that reveal the pitfalls of inaction, and more importantly, the passageways available for plotting a course to a safe harbor.” (p. 7) Wallach then embarks on a 260+ page inquiry that bombards the reader with an astonishing litany of questions about the wisdom of various forms of technological innovation—both large and small. While I wasn’t about to start an exact count, I would say that the number of questions Wallach poses in the book runs well into the hundreds. In fact, many paragraphs of the book are nothing but an endless string of questions.

Thus, if there is a primary weakness with A Dangerous Master, it’s that Wallach spends so much time formulating such a long list of smart and nuanced questions that some readers may come away disappointed when they do not find equally satisfying answers. On the other hand, the lack of clear answers is also completely understandable because, as Wallach notes, there really are no simple answers to most of these questions.

Just Slow Down!

Moving on to substance, let me make clear where Wallach and I generally see eye-to-eye and where we part ways.

Generally speaking, we agree about the need to come up with better “soft governance” systems for emerging technologies, which might include multistakeholder process, developer codes of conduct, sectoral self-regulation, sensible liability rules, and so on. (More on those strategies in a moment.)

But while we both believe it is wise to consider how we might “bake-in” better ethics and norms into the process of technological development, Wallach seems much more inclined than me to expect that we will be able to pre-ordain (or potentially require?) all this happens before much of this experimentation and innovation actually moves forward. Wallach opens by asking:

Determining when to bow to the judgment of experts and whether to intervene in the deployment of a new technology is certainly not easy. How can government leaders or informed citizens effectively discern which fields of research are truly promising and which pose serious risks? Do we have the intelligence and means to mitigate the serious risks that can be anticipated? How should we prepare for unanticipated risks? (p. 6)

Again, many good questions here! But this really gets to the primary difference between Wallach’s preferred approach and my own: I tend to believe that many of these things can only be worked out through ongoing trial and error, the constant reformulation of the various norms that govern the process of innovation, and the development of sensible ex post solutions to some of the most difficult problems posed by turbulent technological change.

By contrast, Wallach’s generally attitude toward technological evolution is probably best summarized by the phrases: “Slow down!” and, “Let’s have a conversation about it first!” As he puts it in his own words: “Slowing down the accelerating adoption of technology should be done as a responsible means to ensure basic human safety and to support broadly shared values.” (p. 13)

But I tend to believe that it’s not always possible to preemptively determine which innovations to slow down, or even how to determine what those “shared values” are that will help us make this determination. More importantly, I worry that there are very serious potential risks and unintended consequences associated with slowing down many forms of technological innovation, which could improve human welfare in important ways. There can be no prosperity, after all, without a certain degree of risk-taking and disruption.

Getting Out Ahead of the Pacing Problem

Yet, what concerns Wallach most is the much-discussed issue from the field of the philosophy of technology, the so-called “pacing problem.” Wallach concisely defines the pacing problem as “the gap between the introduction of a new technology and the establishment of laws, regulations, and oversight mechanisms for shaping its safe development.” (p. 251) “There has always been a pacing problem,” he notes, but he is concerned that technological innovation—especially highly disruptive and potentially uncontrollable forms of innovation—is now accelerating at an absolutely unprecedented pace.

(Just as an aside for all the philosophy nerds out there…  Such a rigid belief in the “pacing problem” represents a techno-deterministic viewpoint that is, ironically, sometimes shared by technological skeptics like Wallach as well as technological optimists like Larry Downes and even many in the middle of this debate, like Vivek Wadhwa. See, for example, The Laws of Disruption by Downes and “Laws and Ethics Can’t Keep Pace with Technology” by Wadhwa. Although these scholars approach technology ethics and politics quite differently, they all seem to believe that the pace of modern technological change is so relentless as to almost be an unstoppable force of nature. I guess the moral of the story is that, to some extent, we’re all technological determinists now!)

Despite his repeated assertions that modern technologies are accelerating at such a potentially uncontrollable pace, Wallach nonetheless hopes we can achieve some semblance of control over emerging technologies before they reach a critical “inflection point.” In the study of history and science, an inflection point generally represents a moment when a situation and trend suddenly changes in a significant way and things begin moving rapidly in a new direction. These inflections points can sometimes develop quite abruptly, ushering in major changes by creating new social, economic, or political paradigms. As it relates to technology in particular, inflection points can refer to the moment with a particular technology achieves critical mass in terms of adoption or, more generally, to the time when that technology begins to profoundly transform the way individuals and institutions act.

Another related concept that Wallach discusses is the so-called “Collingridge dilemma,” which refers to the notion that it is difficult to put the genie back in the bottle once a given technology has reached a critical mass of public adoption or acceptance. The concept is named after David Collingridge, who wrote about this in his 1980 book, The Social Control of Technology. “The social consequences of a technology cannot be predicated early in the life of the technology,” Collingridge argued. “By the time undesirable consequences are discovered, however, the technology is often so much part of the whole economics and social fabric that its control is extremely difficult.”

On “Having a Discussion” & Coming Up with “a Broad Plan”

These related concepts of inflection points and the Collingridge dilemma constitute the operational baseline of Wallach’s worldview. “In weighing speedy development against long-term risks, speedy development wins,” he worries. “This is particularly true when the risks are uncertain and the perceived benefits great.” (p. 85)

Consequently, throughout his book, Wallach pleads with us to take what I will call Technological Time Outs. He says we need to pause at times so that we can have “a full public discussion” (p. 13) and make sure there is a “broad plan in place to manage our deployment of new technologies” (p. 19) to make sure that innovation happens only at “a humanly manageable pace” (p. 261) “to fortify the safety of people affected by unpredictable disruptions.” (p. 262) Wallach’s call for Technological Time Outs is rooted in his belief that “the accelerating pace [of modern technological innovation] undermines the quality of each of our lives.” (p. 263)

That is Wallach’s weakest assertion in the book and he doesn’t really offer much evidence to prove that the velocity of modern technological is hurting us rather than helping us, as many of us believe. Rather, he treats it as a widely accepted truism that necessitates some sort of collective effort to slow things down if the proverbial genie is about to exit the bottle, or to make sure those genies don’t get out of their bottles without a lot of preemptive planning regarding how they are to be released into the world. In the following passage on pg. 72, Wallach very succinctly summarizes his approach recommended throughout A Dangerous Master:

this book will champion the need for more upstream governance: more control over the way that potentially harmful technologies are developed or introduced into the larger society. Upstream management is certainly better than introducing regulations downstream, after a technology is deeply entrenched or something major has already gone wrong. Yet, even when we can access risks, there remain difficulties in recognizing when or determining how much control should be introduced. When does being precautionary make sense, and when is precaution an over-reaction to the risks? (p. 72)

Those who have read my Permissionless Innovation book will recall that I open by framing innovation policy debates in almost exactly the same way as Wallach suggests in that last line above. I argue in the first lines of my book that:

The central fault line in innovation policy debates today can be thought of as ‘the permission question.’  The permission question asks: Must the creators of new technologies seek the blessing of public officials before they develop and deploy their innovations? How that question is answered depends on the disposition one adopts toward new inventions and risk-taking, more generally.  Two conflicting attitudes are evident. One disposition is known as the ‘precautionary principle.’ Generally speaking, it refers to the belief that new innovations should be curtailed or disallowed until their developers can prove that they will not cause any harm to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions. The other vision can be labeled ‘permissionless innovation.’ It refers to the notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if any develop, can be addressed later.

So, by contrasting these passages, you can see what I am setting up here is a clash of visions between what appears to be Wallach’s precautionary principle-based approach versus my own permissionless innovation-focused worldview.

How Much Formal Precaution?

But that would be a tad bit too simplistic because just a few paragraphs after Wallach makes the statement just above about “upstream management” being superior to ex post solutions formulated “after a technology is deeply entrenched,” Wallach begins slowly backing away from an overly-rigid approach to precautionary principle-based governance of technological processes and systems.

He admits, for example, that “precautionary measures in the form of regulations and governmental oversight can slow the development of research whose overall society impact will be beneficial,” (p. 26) and that can “be costly” and “slow innovation.” For countries, Wallach admits, this can have real consequences because “Countries with more stringent precautionary policies are at a competitive disadvantage to being the first to introduce a new tool or process.” (p. 74)

So, he’s willing to admit that what we might call a hard precautionary principle usually won’t be sensible or effective in practice, but he is far more open to soft precaution. But this is where real problems begin to develop with Wallach’s approach, and it presents us with a chance to turn the tables on him a bit and begin posing some serious questions about his vision for governing technology.

Much of what follows below are my miscellaneous ramblings about the current state of the intellectual dialogue about tech ethics and technological control efforts. I have discussed these issues at greater length in my new book as well as a series of essays here in past years, most notably: “On the Line between Technology Ethics vs. Technology Policy; “What Does It Mean to “Have a Conversation” about a New Technology?”; and, “Making Sure the “Trolley Problem” Doesn’t Derail Life-Saving Innovation.”

As I’ve argued in those and other essays, my biggest problem with modern technological criticism is that specifics are in scandalously short supply in this field! Indeed, I often find the lack of details in this arena to be utterly exasperating. Most modern technological criticism follows a simple formula:

TECHNOLOGY –>> POTENTIAL PROBLEMS –>> DO SOMETHING!

But almost all the details come in the discussion about the nature of the technology in question and the apparent many problems associated with it. Far, far less thought goes into the “DO SOMETHING!” part of the critics’ work. One reason for that is probably self-evident: There are no easy solutions. Wallach admits as much at many junctures throughout the book. But that doesn’t excuse the need for the critics to give us a more concrete blueprint for identifying and then potentially rectifying the supposed problems.

Of course, the other reason that many critics are short of specifics is because what they really mean when they quip how much we need to “have a conversation” about a new disruptive technology is that we need to have a conversation about stopping that technology.

Where Shall We Draw the Line between Hard and Soft Law?

But this is what I found most peculiar about Wallach’s book: He never really gives us a good standard by which to determine when we should look to hard governance (traditional top-down regulation) versus soft governance (more informal, bottom-up and non-regulatory approaches).

On one hand, he very much wants society to exercise greatly restraint and precaution when it comes to many of the technologies he and others worry about today. Again, he’s particularly concerned about the potential runaway development and use of drones, genetic editing, nanotech, robotics, and artificial intelligence. For at least one class of robotics—autonomous military robots—Wallach does call for immediate policy action in the form of an Executive Order to ban “killer” autonomous systems. (Incidentally, there’s also a major effort underway called the “Campaign to Stop Killer Robots” that aims to make such a ban part of international law through a multinational treaty.)

But Wallach also acknowledges the many trade-offs associated with efforts to preemptively controls on robotics and other technology. Perhaps for that reason, Wallach doesn’t develop a clear test for when the Precautionary Principle should be applied to new forms of innovation.

Clearly there are times when it is appropriate, although I believe it is only in an extremely narrow subset of cases. In the 2 ^nd Edition of my Permissionless Innovation book, I tried to offer a rough framework for when formal precautionary regulation (i.e., highly-restrictive policy defaults are necessary, such as operational restrictions, licensing requirements, research limitations, or even formal bans) might be necessary. I do not want to interrupt the flow of this review of Wallach’s book too much, so I have decided to just cut-and-paste that portion of Chapter 3 of my book (“When Does Precaution Make Sense?”) down below as an appendix to this essay.

The key takeaway of that passage from my book is that all of us who study innovation policy and the philosophy of technology—Wallach, myself, the whole darn movement—have done a remarkably poor job being specific about precisely when formal policy precaution is warranted. What is the test? All too often, we get lazy and apply what we might call an “I-Know-It-When-I-See-It” standard. Consider the possession of bazookas, tanks, and uranium. Almost all of us would agree that citizens should not be allowed to possess or use such things. Why? Well, it seems obvious, right? They just shouldn’t! But what is the exact standard we use to make that determination.

In coming years, I plan on spending a lot more time articulating a better test by which Precautionary Principle-based policies could be reasonably applied. Those who know me may be taken aback by what I just said. After all, I’ve spend many years explaining why Precautionary Principle-based thinking threatens human prosperity and should be rejected in the vast majority of cases. But that doesn’t excuse the lack of a serious and detailed exploration of the exact standard by which we determine when we should impose some limits on technological innovation.

Generally speaking, while I strongly believe that “permissionless innovation” should remain the policy default for most technologies, there certainly exists some scenarios where the threat of harm associated with a new innovation might be highly probable, tangible, immediate, irreversible, and catastrophic in nature. If so, that could qualify it for at least a light version of the Precautionary Principle. In a future paper or book chapter I’m just now starting to research, I hope to fuller develop those qualifiers and formulate a more robust test around them.

I would have very much liked to see Wallach articulate and defend a test of his own for when formal precaution would make sense. And, by extension, when should we default to soft precaution, or soft law and informal governance mechanisms for emerging technologies.

We turn to that issue next.

Toward Soft Governance & the Engineering of Better Technological Ethics

Even though Wallach doesn’t provide us with a test for determining when precaution makes sense or when we should instead default to soft governance, he does a much better job explaining the various models of soft law or informal governance that might help us deal with the potential negative ramifications of highly disruptive forms of technological change.

What Wallach proposes, in essence, is that we bake a dose of precautionary directly into the innovation process through a wide variety of informal governance/oversight mechanisms. “By embedding shared values in the very design of new tools and techniques, engineers improve the prospect of a positive outcome,” he claims. “The upstream embedding of shared values during the design process can ease the need for major course adjustments when it’s often too late.” (p. 261)

Wallach’s favored instrument of soft governance is what he refers to as “Governance Coordinating Committees” (GCCs). These Committees would coordinate “the separate initiatives by the various government agencies, advocacy groups, and representatives of industry” who would serve as “issue managers for the comprehensive oversight of each field of research.” (p. 250) He elaborates and details the function of GCCs as follows:

These committees, led by accomplished elders who have already achieved wide respect, are meant to work together with all the interested stakeholders to monitor technological development and formulate solutions to perceived problems. Rather than overlap with or function as a regulatory body, the committee would work together with existing institutions. (p. 250-51)

Wallach discussed the GCC idea in much greater detail in a 2013 book chapter he penned with Gary E. Marchant for a collected volume of essays on Innovative Governance Models for Emerging Technologies. (I highly recommend you pick up that book if you can afford it! Many terrific essays in that book on these issues.) In their chapter, Marchant and Wallach specify some of the soft law mechanisms we might use to instill a bit of precaution preemptively. These mechanisms include: “codes of conduct, statements of principles, partnership programs, voluntary programs and standards, certification programs and private industry initiatives.”

If done properly, GCCs could provide exactly the sort of wise counsel and smart recommendations that Wallach desires. In my book and many law review articles on various disruptive technologies, I have endorsed many of the ideas and strategies Wallach identifies. I’ve also stressed the importance of many other mechanisms, such as education and empowerment-based strategies that could help the public learn to cope with new innovations or use them appropriately. In addition, I’ve highlighted the many flexible, adaptive ex post remedies that can help when things go wrong. Those mechanisms include common law remedies such as product defects law, various torts, contract law, property law, and even class action lawsuits. Finally, I have written extensively about the very active role played by the Federal Trade Commission (FTC) and other consumer protection agencies, which have broad discretion to police “unfair and deceptive practices” by innovators.

Moreover, we already have a quasi-GCC model developing today with the so-called “multistakeholder governance” model that is often used in both informal and formal ways to handle many emerging technology policy issues.  The Department of Commerce (the National Telecommunications and Information Administration in particular) and the FTC have already developed many industry codes of conduct and best practices for technologies such as biometrics, big data, the Internet of Things, online advertising, and much more. Those agencies and others (such as the FDA and FAA) are continuing to investigate other codes or guidelines for things like advanced medical devices and drones, respectively. Meanwhile, I’ve heard other policymakers and academics float the idea of “digital ombudsmen,” “data ethicists,” and “private IRBs” (institutional review boards) as other potential soft law solutions that technology companies might consider. Perhaps going forward, many tech firms will have Chief Ethical Officers just as many of them today have Chief Privacy Officers or Chief Security Officers.

In other words, there’s already a lot of “soft law” activities going on in this space. And I haven’t even begun an inventory of the many other bodies or groups that already exist in each sector today that has set forth their own industry self-regulatory codes, but they exist in almost every field that Wallach worries about.

So, I’m not sure how much his GCC idea will add to this existing mix, but I would not be opposed to them playing the sort of coordinating “issue manager” role he describes. But I still have many questions about GCC’s, including:

• How many of them are needed and how we will know which one is the definitive GCC for each sector or technology?
• If they are overly formal in character and dominated by the most vociferous opponents of any particular technology, a real danger exists that a GCC could end up granting a small cabal a “heckler’s veto” over particular forms of innovation.
• Alternatively, the possibility of “regulatory capture” could be a problem for some GCCs if incumbent companies come to dominate their membership.
• Even if everything went fairly smoothly and the GCCs produced balanced reports and recommendations, future developers might wonder if and why they are to be bound by older guidelines.
• And if those future developers choose not to play by the same set of guidelines, what’s the penalty for non-compliance?
• And how are such guidelines enforced in a world where what I’ve called “global innovation arbitrage” is an increasing reality?

Challenging Questions for Both Hard and Soft Law

To summarize, whether we are speaking of “hard” or “soft” law approaches to technological governance, I am just not nearly as optimistic as Wallach seems to be that we will be able to find consensus on these three things:

(1) what constitutes “harm” in many of these circumstances;

(2) which “shared values” should prevail when “society” debates the shaping of ethics or guiding norms for emerging technologies but has highly contradictory opinions about those values (consider online privacy as a good example, where many people enjoy hyper-sharing while other demand hyper-privacy); and,

(3) that we can create a legitimate “governing body” (or bodies) that will be responsible for formulating these guidelines in a fair way without completely derailing the benefits of innovation in new fields and also remaining relevant for very long.

Nonetheless, as he and others have suggested, the benefit of adopting a soft law/informal governance approach to these issues is that it at least seeks to address these questions in more flexible and adaptive fashion. As I noted in my book, traditional regulatory systems “tend to be overly rigid, bureaucratic, inflexible, and slow to adapt to new realities. They focus on preemptive remedies that aim to predict the future, and future hypothetical problems that may not ever come about. Worse yet, administrative regulation generally preempts or prohibits the beneficial experiments that yield new and better ways of doing things.” ( Permissionless Innovation, p. 120)

So, despite the questions I have raised here, I welcome the more flexible soft law approach that Wallach sets forth in his book. I think it represents a far more constructive way forward when compared to the opposite “top-down” or “command-and-control” regulatory systems of the past. But I very much want to make sure that even these new and more flexible soft law approaches leave plenty of breathing room for ongoing trial-and-error experimentation with new technologies and systems.

Conclusion

In closing, I want to reiterate that not only did I appreciate the excellent questions raised by Wendell Wallach in A Dangerous Master, but I take them very seriously. When I sat down to revise and expand my Permissionless Innovation book last year, I decided to include this warning from Wallach in my revised preface: “The promoters of new technologies need to speak directly to the disquiet over the trajectory of emerging fields of research. They should not ignore, avoid, or superficially dampen criticism to protect scientific research.” (p. 28–9)

As I noted, in response to Wallach: “I take this charge seriously, as should others who herald the benefits of permissionless innovation as the optimal default for technology policy. We must be willing to take on the hard questions raised by critics and then also offer constructive strategies for dealing with a world of turbulent technological change.”

Serious questions deserve serious answers. Of course, sometimes those posing those questions fail to provide many answers of their own! Perhaps it is because they believe the questions answer themselves. Other times, it’s because they are willing to admit that easy answers to these questions typically prove quite elusive. In Wallach’s case, I believe it’s more the latter.

To wrap up, I’ll just reiterated that both Wallach and I share a common desire to find solutions to the hard questions about technological innovation. But the crucial question that probably separates his worldview and my own is this: Whether we are talking about hard or soft governance, how much faith should we place in preemptive planning vs. ongoing trial and error experimentation to solve technological challenges? Wallach is more inclined to believe we can divine these things with the sagacious foresight of “accomplished elders” and technocratic “issue managers,” who will help us slow things down until we figure out how to properly ease a new technology into society (if at all). But I believe that the only way we will find many of the answers we are searching for is by allowing still more experimentation with the very technologies that he and others seek to control the development of. We humans are outstanding problem-solvers and have the uncanny ability among all mammals to adapt to changing circumstances. We roll with the punches, learn from them, and become more resilient in the process. As I noted in my 2014 essay, “Muddling Through: How We Learn to Cope with Technological Change”:

we modern pragmatic optimists must continuously point to the unappreciated but unambiguous benefits of technological innovation and dynamic change. But we should also continue to remind the skeptics of the amazing adaptability of the human species in the face of adversity. [. . .] Humans have consistently responded to technological change in creative, and sometimes completely unexpected ways. There’s no reason to think we can’t get through modern technological disruptions using similar coping and adaptation strategies.

Will the technologies that Wallach fears bring about a “techstorm” that overwhelms our culture, our economy, and even our very humanity? It’s certainly possible, and we should continue to seriously discuss the issues that he and other skeptics raise about our expanding technological capabilities and the potential for many of them to do great harm. Because some of them truly could.

But it is equally plausible—in fact, some of us would say, highly probable—that instead of overwhelming us, we learn how to bend these new technological capabilities to our will and make them work for our collective benefit. Instead of technology becoming “a dangerous master,” we will instead make it our helpful servant, just as we have so many times before.

APPENDIX: When Does Precaution Make Sense?

[excerpt from chapter 3 of Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom. Footnotes omitted. See book for all references.]

But aren’t there times when a certain degree of precautionary policymaking makes good sense? Indeed, there are, and it is important to not dismiss every argument in favor of precautionary principle–based policymaking, even though it should not be the default policy rule in debates over technological innovation.

The challenge of determining when precautionary policies make sense comes down to weighing the (often limited) evidence about any given technology and its impact and then deciding whether the potential downsides of unrestricted use are so potentially catastrophic that trial-and-error experimentation simply cannot be allowed to continue. There certainly are some circumstances when such a precautionary rule might make sense. Governments restrict the possession of uranium and bazookas, to name just two obvious examples.

Generally speaking, permissionless innovation should remain the norm in the vast majority of cases, but there will be some scenarios where the threat of tangible, immediate, irreversible, catastrophic harm associated with new innovations could require at least a light version of the precautionary principle to be applied.  In these cases, we might be better suited to think about when an “anti-catastrophe principle” is needed, which narrows the scope of the precautionary principle and focuses it more appropriately on the most unambiguously worst-case scenarios that meet those criteria.

But most cases don’t fall into this category. Instead, we generally allow innovators and consumers to freely experiment with technologies, and even engage in risky behaviors, unless a compelling case can be made that precautionary regulation is absolutely necessary.  How is the determination made regarding when precaution makes sense? This is where the role of benefit-cost analysis (BCA) and regulatory impact analysis is essential to getting policy right.  BCA represents an effort to formally identify the tradeoffs associated with regulatory proposals and, to the maximum extent feasible, quantify those benefits and costs.  BCA generally cautions against preemptive, precautionary regulation unless all other options have been exhausted—thus allowing trial-and-error experimentation and “learning by doing” to continue. (The mechanics of BCA are discussed in more detail in section VII.)

This is not the end of the evaluation, however. Policymakers also need to consider the complexities associated with traditional regulatory remedies in a world where technological control is increasingly challenging and quite costly. It is not feasible to throw unlimited resources at every problem, because society’s resources are finite.  We must balance risk probabilities and carefully weigh the likelihood that any given intervention has a chance of creating positive change in a cost-effective fashion.  And it is also essential to take into account the potential unintended consequences and long-term costs of any given solution because, as Harvard law professor Cass Sunstein notes, “it makes no sense to take steps to avert catastrophe if those very steps would create catastrophic risks of their own.”  “The precautionary principle rests upon an illusion that actions have no consequences beyond their intended ends,” observes Frank B. Cross of the University of Texas. But “there is no such thing as a risk-free lunch. Efforts to eliminate any given risk will create some new risks,” he says.

Oftentimes, after working through all these considerations about whether to regulate new technologies or technological processes, the best solution will be to do nothing because, as noted throughout this book, we should never underestimate the amazing ingenuity and resiliency of humans to find creative solutions to the problems posed by technological change.  (Section V discusses the importance of individual and social adaptation and resiliency in greater detail.) Other times we might find that, while some solutions are needed to address the potential risks associated with new technologies, nonregulatory alternatives are also available and should be given a chance before top-down precautionary regulations are imposed. (Section VII considers those alternative solutions in more detail.)

Finally, it is again essential to reiterate that we are talking here about the dangers of precautionary thinking as a public policy prerogative—that is, precautionary regulations that are mandated and enforced by government officials. By contrast, precautionary steps may be far more wise when undertaken in a more decentralized manner by individuals, families, businesses, groups, and other organizations. In other words, as I have noted elsewhere in much longer articles on the topic, “there is a different choice architecture at work when risk is managed in a localized manner as opposed to a society-wide fashion,” and risk-mitigation strategies that might make a great deal of sense for individuals, households, or organizations, might not be nearly as effective if imposed on the entire population as a legal or regulatory directive.

Finally, at times, more morally significant issues may exist that demand an even more exhaustive exploration of the impact of technological change on humanity. Perhaps the most notable examples arise in the field of advance medical treatments and biotechnology. Genetic experimentation and human cloning, for example, raise profound questions about altering human nature or abilities as well as the relationship between generations.

The case for policy prudence in these matters is easier to make because we are quite literally talking about the future of what it means to be human.  Controversies have raged for decades over the question of when life begins and how it should end. But these debates will be greatly magnified and extended in coming years to include equally thorny philosophical questions.  Should parents be allowed to use advanced genetic technologies to select the specific attributes they desire in their children? Or should parents at least be able to take advantage of genetic screening and genome modification technologies that ensure their children won’t suffer from specific diseases or ailments once born?

Outside the realm of technologically enhanced procreation, profound questions are already being raised about the sort of technological enhancements adults might make to their own bodies. How much of the human body can be replaced with robotic or bionic technologies before we cease to be human and become cyborgs?  As another example, “biohacking”—efforts by average citizens working together to enhance various human capabilities, typically by experimenting on their own bodies —could become more prevalent in coming years.  Collaborative forums, such as Biohack.Me, already exist where individuals can share information and collaborate on various projects of this sort.  Advocates of such amateur biohacking sometimes refer to themselves as “grinders,” which Ben Popper of the Verge defines as “homebrew biohackers [who are] obsessed with the idea of human enhancement [and] who are looking for new ways to put machines into their bodies.”

These technologies and capabilities will raise thorny ethical and legal issues as they advance. Ethically, they will raise questions of what it means to be human and the limits of what people should be allowed to do to their own bodies. In the field of law, they will challenge existing health and safety regulations imposed by the FDA and other government bodies.

Again, most innovation policy debates—including most of the technologies discussed throughout this book—do not involve such morally weighty questions. In the abstract, of course, philosophers might argue that every debate about technological innovation has an impact on the future of humanity and “what it means to be human.” But few have much of a direct influence on that question, and even fewer involve the sort of potentially immediate, irreversible, or catastrophic outcomes that should concern policymakers.

In most cases, therefore, we should let trial-and-error experimentation continue because “experimentation is part and parcel of innovation” and the key to social learning and economic prosperity.  If we froze all forms of technological innovation in place while we sorted through every possible outcome, no progress would ever occur. “Experimentation matters,” notes Harvard Business School professor Stefan H. Thomke, “because it fuels the discovery and creation of knowledge and thereby leads to the development and improvement of products, processes, systems, and organizations.”

Of course, ongoing experimentation with new technologies always entails certain risks and potential downsides, but the central argument of this book is that (a) the upsides of technological innovation almost always outweigh those downsides and that (b) humans have proven remarkably resilient in the face of uncertain, ever-changing futures.

In sum, when it comes to managing or coping with the risks associated with technological change, flexibility and patience is essential. One size most certainly does not fit all. And one-size-fits-all approaches to regulating technological risk are particularly misguided when the benefits associated with technological change are so profound. Indeed, “[t]echnology is widely considered the main source of economic progress”; therefore, nothing could be more important for raising long-term living standards than creating a policy environment conducive to ongoing technological change and the freedom to innovate.

One of my favorite themes, and not just in the field of tech policy, is the “Unintended Consequences of Well-Intentioned Regulations.” I believe that all laws and regulations have dynamic effects and that to fully appreciate the true impact of any particular public policy, you must always closely investigate the potential opportunity costs and unintended consequences associated with those policies. Because all too often laws and regulations are hastily put on the books with the very best of intentions in mind, only to later be shown to produce the opposite of what was intended.

Today’s case in point comes from a Wall Street Journal article by Rachel Bachman and it involves how the growing wave of cycling helmet laws are having a net negative impact on public health because they discourage ridership in the aggregate. Thus, those potential riders are then either (a) just less active overall or (b) driving their cars to get where they need to go. And both of those results are, ultimately, riskier than cycling without a helmet. For that reason, Bachman reports, cycling advocates “are pushing back against mandatory bike-helmet laws in the U.S. and elsewhere. They say mandatory helmet laws, particularly for adults, make cycling less convenient and seem less safe, thus hindering the larger public-health gains of more people riding bikes.” Supporting evidence comes from this 2012 paper in the journal Risk Analysis by Piet de Jong, a professor in the department of applied finance and actuarial studies at Sydney’s Macquarie University. His paper included an empirical model that showed how mandatory bike-helmet laws “have a net negative health impact.”

This strikes me as one of the very best examples of how to do dynamic benefit-cost analysis and show the full range of societal impacts associated with well-intentioned regulations. And it reminds me of the playground example I use in several of my papers: Laws and liability threats discouraged tall playground climbing structures in the ’80s and ’90s. As a result of those policies, kids have been shown to not only be less active on playgrounds over the past two decades, but even more interesting is the fact that some studies suggest this led to phobias and anxieties about heights later in life when those children became adults. Again, dynamic effects matter! In this case, social learning and resiliency was stunted when children lacked the ability to explore and push boundaries. In essence, it’s the “Boy in the Bubble” problem. [Read this 2012 law review article of mine for all the details on this particular case study.]

Of course, those of you who have read your Frédéric Bastiat have already identified these case studies as excellent examples of what the nineteenth-century French economic philosopher was talking about when he famously explained the importance of considering the many unforeseen, second-order effects of economic change and policy. Many pundits and policy analysts pay attention to only the first-order effects—what Bastiat called “the seen”—and ignore the subsequent and often “unseen” effects. In both these cases, policymakers were myopically obsessed with the short-term “seen” benefit of bike helmet laws or playground safety restrictions. At first blush, it probably seemed like their was no downside to such rules. Of course, a fuller exploration of the potential dynamic effects associated with those policies revealed the opposite effect: They discouraged public health in the aggregate.

Again, every action—especially political and regulatory action—has dynamic consequences. Paternalistic public policies may sound sensible on the surface, but as Milton Friedman taught us long ago, “One of the great mistakes is to judge policies and programs by their intentions rather than their results. We all know a famous road that is paved with good intentions.”

[ Note: If you are interested in more examples like this, I encourage you to read, “The Unintended Consequences of Safety Regulation” by my Mercatus Center colleague Sherzod Abdukadirov.]

I want to highlight an important new blog post (“Slow Down That Runaway Ethical Trolley“) on the ethical trade-offs at work with autonomous vehicle systems by Bryant Walker Smith, a leading expert on these issues. Writing over at Stanford University’s Center for Internet and Society blog, Smith notes that, while serious ethical dilemmas will always be present with such technologies, “we should not allow the perfect to be the enemy of the good.” He notes that many ethical philosophers, legal theorists, and media pundits have recently been actively debating variations of the classic “Trolley Problem,” and its ramifications for the development of autonomous or semi-autonomous systems. (Here’s some quick background on the Trolley Problem, a thought experiment involving the choices made during various no-win accident scenarios.) Commenting on the increased prevalence of the Trolley Problem in these debates, Smith observes that:

Unfortunately, the reality that automated vehicles will eventually kill people has morphed into the illusion that a paramount challenge for or to these vehicles is deciding who precisely to kill in any given crash. This was probably not the intent of the thoughtful proponents of this thought experiment, but it seems to be the result. Late last year, I was asked the “who to kill” question more than any other — by journalists, regulators, and academics. An influential working group to which I belong even (briefly) identified the trolley problem as one of the most significant barriers to fully automated motor vehicles. Although dilemma situations are relevant to the field, they have been overhyped in comparison to other issues implicated by vehicle automation. The fundamental ethical question, in my opinion, is this: In the United States alone, tens of thousands of people die in motor vehicle crashes every year, and many more are injured. Automated vehicles have great potential to one day reduce this toll, but the path to this point will involve mistakes and crashes and fatalities. Given this stark choice, what is the proper balance between caution and urgency in bringing these systems to the market? How safe is safe enough?

That’s a great question and one that Ryan Hagemann and put some thought into as part of our recent Mercatus Center working paper, “Removing Roadblocks to Intelligent Vehicles and Driverless Cars.” That paper, which has been accepted for publication in a forthcoming edition of the Wake Forest Journal of Law & Policy, outlines the many benefits of autonomous or semi-autonomous systems and discusses the potential cost of delaying their widespread adoption. When it comes to “Trolley Problem”-like ethical questions, Hagemann and I argue that, “these ethical considerations need to be evaluated against the backdrop of the current state of affairs, in which tens of thousands of people die each year in auto-related accidents due to human error.” We continue on later in the paper:

Autonomous vehicles are unlikely to create 100 percent safe, crash-free roadways, but if they significantly decrease the number of people killed or injured as a result of human error, then we can comfortably suggest that the implications of the technology, as a whole, are a boon to society. The ethical underpinnings of what makes for good software design and computer-generated responses are a difficult and philosophically robust space for discussion. Given the abstract nature of the intersection of ethics and robotics, a more detailed consideration and analysis of this space must be left for future research. Important work is currently being done on this subject. But those ethical considerations must not derail ongoing experimentation with intelligent-vehicle technology, which could save many lives and have many other benefits, as already noted. Only through ongoing experimentation and feedback mechanisms can we expect to see constant improvement in how autonomous vehicles respond in these situations to further minimize the potential for accidents and harms. (p. 42-3)

None of this should be read to suggest that the ethical issues being raised by some philosophers or other pundits are unimportant. To the contrary, they are raising legitimate concerns about how ethics are “baked-in” to the algorithms that control autonomous or semi-autonomous systems. It is vital we continue to debate the wisdom of the choices made by the companies and programmers behind those technologies and consider better ways to inform and improve their judgments about how to ‘optimize the sub-optimal,’ so to speak. After all, when you are making decisions about how to minimize the potential for harm — including the loss of life — there are many thorny issues that must be considered and all of them will have downsides. Smith considers a few when he notes:

Automation does not mean an end to uncertainty. How is an automated vehicle (or its designers or users) to immediately know what another driver will do? How is it to precisely ascertain the number or condition of passengers in adjacent vehicles? How is it to accurately predict the harm that will follow from a particular course of action? Even if specific ethical choices are made prospectively, this continuing uncertainty could frustrate their implementation.

Again, these are all valid questions deserving serious exploration, but we’re not having this discussion in a vacuum. Ivory Tower debates cannot be divorced from real-world realities. Although road safety has been improving for many years, people are still dying at a staggering rate due to vehicle-related accidents. Specifically, in 2012, there were 33,561 total traffic fatalities (92 per day) and 2,362,000 people injured (6,454 per day) in over 5,615,000 reported crashes. And, to reiterate, the bulk of those accidents were due to human error.

That is a staggering toll and anything we can do to reduce it significantly is something we need to be pursuing with great vigor, even while we continue to sort through some of those challenging ethical issues associated with automated systems and algorithms. Smith argues, correctly in my opinion, that “a more practical approach in emergency situations may be to weight general rules of behavior: decelerate, avoid humans, avoid obstacles as they arise, stay in the lane, and so forth. … [T]his simplified approach would accept some failures in order to expedite and entrench what could be automation’s larger successes. As Voltaire reminds us, we should not allow the perfect to be the enemy of the good.”

Quite right. Indeed, the next time someone poses an an ethical thought experiment along the lines of the Trolley Problem, do what I do and reverse the equation. Ask them about the ethics of slowing down the introduction of a technology into our society that would result in a (potentially significant) lowering of the nearly 100 deaths and over 6,000 injuries that occur because of vehicle-related fatalities each day in the United States. Because that’s no hypothetical thought experiment; that’s the world we live in right now.

(P.S. The late, great political scientist Aaron Wildavsky crafted a framework for considering these complex issues in his brilliant 1988 book, Searching for Safety. No book has had a more significant influence on my thinking about these and other “risk trade-off” issues since I first read it 25 years ago. I cannot recommend it highly enough. I discussed Wildavsky’s framework and vision in my recent little book on “Permissionless Innovation.” Readers might also be interested in my August 2013 essay, “On the Line between Technology Ethics vs. Technology Policy,” which featured an exchange with ethical philosopher Patrick Lin, co-editor of an excellent collection of essays on Robot Ethics: The Ethical and Social Implications of Robotics. You should add that book to your shelf if you are interested in these issues.

Freelance journalist Laurence Cruz was kind enough to call me recently looking for comment on whether broadband should be considered a human right. Well, actually, he probably didn’t have many options. If you do a quick search on the topic, you’ll find an endless stream of essays in favor of the proposition.  Then, somewhere in the mix, you’ll find a few dissenting rants I’ve penned here in the past. So I’m getting used to playing the baddie in this drama.

Cruz’s essay is now up over at “The Network,” which is Cisco’s technology news site. Here’s what I had to say in opposition to the proposition:

Not everyone is so ready to jump aboard this particular broadband bandwagon. “I don’t think there is any such thing as a human right to free, unlimited broadband service,” says Adam Thierer, a senior research fellow at the Mercatus Center, a market-oriented academic research institution at George Mason University in Arlington, Va. “The entitlement or rights mentality in America today is completely out of control.”

Thierer says he’s a firm believer in such fundamental human rights as freedom of speech, expression, movement and association—so-called “negative rights” that don’t require any assertion of government authority or demand payment from anybody. But he says any proposed right to broadband access is a different animal altogether—one likely to come at taxpayers’ expense and to have all manner of unintended consequences, from squelching competition to providing a poor level of service.

Thierer says the universal telephone service provided in America in the early 20th century by the original AT&T should serve as a cautionary tale against governments stepping in to provide universal broadband. He says the government-sanctioned Bell System monopoly provided mediocre telephone service to 93 percent of the U.S. population at best—whereas TV and radio hit 98 percent and 99 percent respectively, even though neither was subsidized or regulated. And what of the Bell System’s cheap prices? “We have no idea if it could have been much cheaper because competition was not allowed to develop,” Thierer says.

To clarify that last point… I’m certainly aware that broadcast TV and radio were regulated in various ways. In fact, I’ve spent a lifetime writing about it. But policymakers did not regulate broadcasting as aggressively as telephony in an attempt to achieve universal service. Indeed, “universal service” was the driving force behind communications monopolization in this country, but it had horrific consequences for consumers as I noted in my 1994 history of how communications competition was destroyed in the U.S. (See:  “Unnatural Monopoly: Critical Moments in the Development of the Bell System Monopoly.”)

But here’s the critical point: We live in a world of trade-offs and there is no free lunch. One doesn’t just mandate broadband for all and then expect there won’t be any costs — both direct and indirect. The direct cost is the cost to taxpayers or ratepayers in form of higher taxes or bills. The indirect costs usually arrive in the form of diminished competition, limited innovation, lackluster options, and the various problems associated with the regulatory capture that will ensue.

We must never forget that the best universal service policy is market competition. When we get the basic framework right — low taxes, property rights, contractual enforcement, anti-fraud standards, etc. — competition takes care of the rest.

For example, last week we learned that the number of wireless phone subscribers in the U.S. is now greater than the nation’s population: 327.6 million wireless subscriptions compared to a total population of 315.5 million people. That’s a penetration rate of nearly 104%. Of course, some of this is due to multiple subscription households. Even so, this is a rather astonishing development, and no one doubts that more Americans of every demographic group today have available to them an unprecedented array of wireless phones and plans. Prepaid plans are currently the hottest growth segment, in fact.

This amazing “universal service” story didn’t happen because of regulation or subsidies. It was vigorous competition and incessant innovation that spurred the spread of better, faster, and cheaper phones and service. We should remember that lesson next time anyone starts calling broadband–or other technological services–an inalienable human right.

Yesterday, the Federal Trade Commission (FTC) released its long-awaited proposed revisions to the Children’s Online Privacy Protection rule (the “COPPA Rule”). Below I offer a few brief thoughts on the draft document. My remarks assume a basic level of knowledge about COPPA so that I don’t have to spend pages explaining the intricacies of this complex law and regulatory regime. If you need background on the COPPA law and rule, please check out this paper by Berin Szoka and me: “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech.”

Dodging the COPA / Mandatory Age Verification Bullet

The most important takeaway from yesterday’s proposal involves something the FTC chose not to do: They agency very wisely decided to ignore some requests to extend the coverage of COPPA’s regulatory provisions from children under 13 all the way up to teens up to 18.  An effort to expand COPPA’s “verifiable parental consent” requirements to all teens would have raised thorny First Amendment issues as well as a host of practical enforcement concerns.  In essence, it would have required Internet-wide age verification of children and adults in order to ensure that everyone was exactly who they claimed to be online. We already had an epic decade-long legal battle over that issue when the constitutionality of the Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA, was tested many times over and always found to be in violation of the First Amendment.

Regardless, the FTC didn’t go there yesterday, so this concern is off the table for now. The agency deserves credit for avoiding this constitutional thicket.

Why Eliminate “Email Plus” Verification?

The FTC proposes the elimination of the current “e-mail plus” method of obtaining veritable parental consent. Under the COPPA rule’s so-called sliding scale approach, sites:

may obtain verifiable parental consent through an email from the parent, so long as the email is coupled with an additional step.  Such additional steps have included: obtaining a postal address or telephone number from the parent and confirming the parent’s consent by letter or telephone call, or sending a delayed confirmatory email to the parent after receiving consent.  The purpose of the additional step is to provide greater assurance that the person providing consent is, in fact, the parent.  This consent method is often called “email plus.”

The FTC says that “email plus has outlived its usefulness and should no longer be a recognized approach to parental consent.” That’s crazy. A great number of sites and service that live under COPPA use this method to stay in compliance with the law. This pulls the rug out from under them and creates major short-term marketplace uncertainty.

So, why has the agency done this? It’s not really because email plus has “has outlived its usefulness,” rather, it’s because the agency believes that “continued reliance on email plus has inhibited the development of more reliable methods of obtaining verifiable parental consent.  In fact, the Commission notes that few, if any, new methods for obtaining parental consent have emerged since the sliding scale was last extended in 2006.” [p. 68]

That’s a very interesting observation. But while I agree that few new parental consent methods have been introduced over the past five years, the FTC has not offered any conclusive evidence here that the existence of “email plus” is to blame. The fact of the matter is that online verification is hard, even the parental consent variety. In a different context, banks are still just having people pump in 4-digit PINs at ATMs after a few decades of debit cards being on the market. That doesn’t necessarily mean that the PIN# approach has stifled other forms of authentication, rather, it’s still just the most simple and efficient way of doing things. The same is true of “email plus” in the COPPA context. Yet, the FTC is upending the process in the name of kickstarting innovation in the authentication space. It’s an interesting gamble, but has the agency thought through the consequences of failure?

Importantly, sites and services that cater to children have also been focusing on putting other safety procedures and practices into place during this period. It’s not like parental notification is the end of the online safety story. As I have always noted in all my work on COPPA, it is not what happens before getting in the door that counts. It is what happens after kids get inside that really counts. The FTC ignores that distinction here and just keeps insisting that we can find better ways to perfect “verifiable parental consent” mechanisms.

All this begs the question: Just what is it that the FTC is looking for that would be superior to “email plus”? For the reasons noted above, they obviously cannot force full-blown online age verification on the Internet. But does the agency want a more rigid, second-best verification system perhaps with a possible government role in the formal authentication process? They might. Read on..

So, What’s This about Bringing Government IDs Into the Process?

The FTC makes another interesting proposal on the bottom of pg. 63 when it is discussing other mechanisms for obtaining verifiable parental consent. After rejecting SMS text messages and electronic “sign and send” methods for various reasons, the agency continues on to propose the following:

The Commission also proposes allowing operators to collect a form of government issued identification – such as a driver’s license, or a segment of the parent’s social security number – from the parent, and to verify the parent’s identity by checking this identification against databases of such information, provided that the parent’s identification is deleted by the operator from its records promptly after such verification is complete.

In one sense, this isn’t at all surprising. Our government already engages in some official credentialing activities, so why not use the ones that we’ve already required to get to help out with COPPA enforcement?  How one answers that question depends on your disposition toward large government databases and the purposes to which they might be put. If you are inherently distrustful of government aggregating and cross-referencing massive amounts of data about the citizenry, the idea of using driver’s licenses and Social Security numbers for yet another thing in this world will make you a bit nervous. It certainly makes me a bit paranoid, but mostly because of what I think might come next. If the FTC gets people accustomed to the idea of using “official” forms of identification to authorize online activities, that could be a slippery slope to something far more troubling. It may just start with just driver’s licenses and the last four digits of your Social Security numbers, but that might not be where it ends. Why not throw some biometric identifiers in the mix? Let’s have kids get retinal scans as the schoolhouse door at the beginning of each school year and then make mom and dad get one too so that we can match the whole gang up next time junior wants to visit Club Penguin! [By the way, who in government collects all this info and gets to use it?]

Moreover, if the FTC is now getting rid of the “email plus” verification process and dismissing text messages and electronic “sign and send” methods as alternative, then one could argue that–at least indirectly, if not intentionally–the FTC is starting to tip the market in favor of government solutions to online credentialing.

Perhaps I’m being a bit paranoid here. But when I was serving on the Harvard Berkman Center online child safety task force a few years ago, I saw all sorts of online verification schemes pitched to us, some of which would have government requiring biometric identifiers or other types of digital tokens be utilized in an effort satisfy some amorphous online authentication requirements. I’m not saying that’s where this particular FTC is taking us, but they’re at least opening the door to more “official” government credentialing efforts in the future with this proposal.

Video Conferencing as a Verification Method? Really?

Just as an aside, I must say that I find one of the few new verification methods the FTC endorses–“having a parent connect to trained personnel via video-conference”–to be a bit surprising. (Seriously, did the lobbyists at Skype sneak this proposal in there?!)  The agency states:

The Commission agrees that now commonly-available technologies such as electronic scans and video conferencing are functionally equivalent to the written and oral methods of parental consent originally recognized by the Commission in 1999.  Therefore, the Commission proposes to recognize these two methods in the proposed Rule.

A couple of people on Twitter yesterday pointed out how unlikely it is that video conferencing could be a scalable, workable solution to obtaining verifiable parental consent. Of course, to be fair, this is not the only consent mechanism the agency is suggesting, so I suppose FTC officials would say it’s just an additional verification method from which sites can choose.

But what I have a hard time imagining is that any parent would want to sit down in front of a webcam, fire up Skype (or whatever other video conferencing service they prefer), and start a video chat with some random bloke who works for an online site or service. A lot of parents will find that annoying; potentially even a bit creepy!

More practically, smaller sites probably just don’t have the manpower or resources to make this solution work. Making people available at all hours to get on a video chat with a parent so that their kid can get on the site is just not going to be a workable verification solution for anyone except the largest online sites and services.

Do Data Deletion Requirements Foreshadow a Push for “Eraser Button” / “Right to be Forgotten”?

On pg. 78, the FTC proposes adding a new data retention and deletion provision to the COPPA regulatory regime:

The proposed provision states that operators shall retain children’s personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.  In addition, it states that an operator must delete such information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.

In one sense this is commendable. It really would be wise for more online sites and services–especially those who handle kids info–to consider purging unneeded data more frequently. It helps minimize the potential for data security breaches and other problems.

That being said, I have to wonder how this proposal plays into the emerging debate over mandatory online “eraser buttons” and what the Europeans call “the right to be forgotten.” I recently released a Mercatus Center working paper (“Kids, Privacy, Free Speech & the Internet: Finding The Right Balance”), which examined these notions in greater detail. Simply put, an Internet “eraser button” is challenged by practical realities and principled concerns. It’s unclear how to even enforce such a notion. Moreover, if it could be enforced, it would raise profound free speech issues since it is tantamount to digital censorship and specifically threatens press freedoms. And the economic costs of such a mandate — especially on smaller operators — could be quite significant. See my recent Forbes essay for a discussion of those problems.

Again, the FTC is not proposing a formal “eraser button” in its latest COPPA revision. But by pushing for additional steps to be taken on the data deletion front, the agency might encourage more congressional interest in this topic. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have already included an eraser button proposal in their “Do Not Track Kids Act of 2011.” It will be interesting to see what happens next on this front.  Free speech and privacy rights are on a major collision course here if steps to encourage data deletion become formalized as law or regulatory proposals.

Conclusion

There’s much, much more in the FTC draft to consider that I’m going to hold judgment on for now. For example, plenty has already been said by others regarding the FTC’s proposal to update the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising.  That’s going to lead to all sorts of heartburn for a wide variety of online sites and service providers. It’s also going to complicate the wireless world as geolocation services expand and become a more ubiquitous part of our mobile digital experiences. But, again, I’m going to hold off on saying more on that for now.

In closing, the broader, more important questions that need to be asked are:

• Will these new proposed amendments and expanded regulatory requirements really do anything to make kids safer or their information more secure?
• Has the FTC even attempted to conduct a rough cost-benefit analysis of these new regulations?
• Have the specific burdens these new rules might impose on smaller operators even been considered?
• Correspondingly, will expanded COPPA regulations discourage new innovations that could offer kids and parents more rewarding online experiences?
• And, finally, will the new rules have an impact on the online cost equation by forcing various sites and services to charge higher prices–or charge prices for services that were previously free?

The Commission gives some lip service to these concerns toward the end of the document when it notes on page 94:

While the Rule’s compliance obligations apply equally to all entities subject to the Rule, it is unclear whether the economic burden on small entities will be the same as or greater than the burden on other entities.  That determination would depend upon a particular entity’s compliance costs, some of which may be largely fixed for all entities (e.g., website programming) and others variable (e.g., Safe Harbor participation), and the entity’s income or profit from operation of the website itself (e.g., membership fees) or related sources (e.g., revenue from marketing to children through the site).  As explained in the Paperwork Reduction Act section, in order to comply with the rule’s requirements, website operators will require the professional skills of legal (lawyers or similar professionals) and technical (e.g., computer programmers) personnel.  As explained earlier, the Commission staff estimates that there are approximately 2,000 website or online services that would qualify as operators under the proposed Rule, and that approximately 80% of such operators would qualify as small entities under the SBA’s Small Business Size standards.  The Commission invites comment and information on these issues.

It’ll be interesting to see what sort of feedback the FTC gets on that point. What I hope the agency and others understand is that questions like these are not just about the future of online business interests. Rather, these questions cut to the core of whether the public– including children–will be served with more and better digital innovations in the future. As we’ve noted countless times before here, there is no free lunch. Regulation–even well-intentioned regulation like COPPA–is not a costless exercise. There are profound trade-offs for online content and culture that must always be considered.

Additional Resources / Reading:

• FTC press release announcing new COPPA revisions
• the new proposed amendments [122 pages]
• summary of revisions by IT Law Group
• summary of revisions by Information Law Group
• Fulbright & Jaworski- “Think the FTC’s Proposed Changes to the Children’s Online Privacy Rule Don’t Affect Your Company? Think Again!”
• analysis from Emma Llanso of CDT
• comments on proposed changes from COPPA expert Izzy Neis
• “COPPA: What happens when a generation ignores a law?” – by Robert Niles
• “How will the FTC’s new digital privacy rules impact developers?” by Jason Ankeny
• “Proposed COPPA Rules: A Mobile Perspective” – by Cooley LLP
• my recent paper on potential dangers of COPPA expansion & mandatory “eraser button”
• my paper with Berin Szoka, “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech“

Today I filed roughly 30 pages worth of comments with the Federal Trade Commission (FTC) in its proceeding on “Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policy Makers.” [Other comments filed in the proceeding can be found here.] Down below, I’ve attached the Table of Contents from my filing so you can see the major themes I’ve addressed, and I’ve also attached the entire document in a Scribd reader. In coming days and weeks, I’ll be expanding upon some of these themes in follow-up essays.

In my filing, I argue that while it remains impossible to predict with precision the impact a new privacy regulatory regime will have the Internet economy and digital consumers, regulation will have consequences; of that much we can be certain.  As the FTC  and other policy makers move forward with proposals to expand regulation in this regard, it is vital that the surreal “something-for-nothing” quality of current privacy debate cease. Those who criticize data collection or online advertising and call for expanded regulation should be required to provide a strict cost-benefit analysis of the restrictions they would impose upon America’s vibrant digital marketplace.

In particular, it should be clear that the debate over Do Not Track and online advertising regulation is fundamentally tied up with the future of online content, culture, and services. Thus, regulatory advocates must explain how the content and services supported currently by advertising and marketing will be sustained if current online data collection and ad targeting techniques are restricted.

The possibility of regulation also retarding vigorous marketplace competition—especially new innovations and entry—is also very real. Consequently, the Commission bears the heavy burden of explaining how such results would be consistent with its long-standing mission to protect consumer welfare and promote competition. Importantly, the “harm” that critics claim online advertising or data collection efforts gives rise to must be shown to be concrete, not merely conjectural. Too much is at stake to allow otherwise.

Finally, as it pertains to solutions for those who remain sensitive about their privacy online, education and empowerment should trump regulation. Regulation would potentially destroy innovation in this space by substituting a government-approved, “one-size-fits-all” standard for the “let-a-thousand-flowers-bloom” approach, which offers diverse tools for a diverse citizenry. Consumers can and will adapt to changing privacy norms and expectations, but the Commission should not seek to plan that evolutionary process from above.

Download my comments here or just scroll down and read them below.

Contents

I.       Introduction

II.      No Showing of Harm or Market Failure Has Been Made

1. How Do We Conduct Cost-Benefit Analysis When “Creepiness” Is the Alleged Harm?
2. Privacy Regulation & the Precautionary Principle.
3. On “Informed Consent” & Information as Currency
4. On “Commonly Accepted Practices”
5. The Mythical Harm of Consumer “Walk Aways”

III.    Privacy Regulation Is an Information Control Regime That Faces Formidable Enforcement Challenges

1. Media & Technological Convergence
2. Decentralized, Distributed Networking
3. Unprecedented Scale of Networked Communications
4. Explosion of the Overall Volume of Information
5. Unprecedented Individual Information Sharing Through User-Generation of Content and Self-Revelation of Data

IV.    The Commission’s Proposed “Do Not Track” Regime Creates Potential Risks to Consumers, Culture, Competition, and Global Competitiveness

1. Potential Direct Cost to Consumers
2. Potential Indirect Costs / Impact on Content & Culture
3. Competition & Market Structure
4. International Competitiveness
5. “Silver-Bullet” Solutions Rarely Adapt or Scale Well
6. Implications of This New Regime in Other Contexts

V.     Privacy Regulation Raises Serious Free Speech & Press Freedom Issues

VI.    Better, Less-Restrictive Solutions Exist to Privacy-Related Concerns

1. Education, Empowerment & Self-Regulation
2. Simplified” Privacy Policies, Enhanced Notice & “Privacy by Design”
3. Increased Sec. 5 Enforcement, Targeted Statutes & the Common Law

VII.  Conclusion

Comment in FTC Do Not Track Proceeding (Adam Thierer – Mercatus Center) http://d1.scribdassets.com/ScribdViewer.swf

This is a response to Nick Carr’s recent piece, “The Attack on Do Not Track,” in which he goes after me for some comments I made in this essay about the trade-offs at work in the privacy and online advertising debates.  In his critique of my essay, he argues:

What the FTC is suggesting is that the unwritten quid pro quo be written, and that the general agreement be made specific. Does Thierer really believe that invisible tradeoffs are somehow better than visible ones? Shouldn’t people know the cost of “free” services, and then be allowed to make decisions based on their own cost-benefit analysis? Isn’t that the essence of the free market that Thierer so eloquently celebrates?

My response to Nick follows.

Nick…  Did I anywhere suggest that “invisible tradeoffs are somehow better than visible ones?” I can’t remember saying that anywhere, so perhaps you can point to where I did.  I don’t think you’ll find anything when you conduct your search since I know for a fact that I have never suggested such a thing.

That being said, strict contracting and consent models are not always possible in a free market economy, even if they are ideal.  In essence, much of the history of advertising and marketing is built on the sort of “unwritten quid pro quos” you deride in your essay.  Are you against radio or television advertising on similar grounds? Print ads? Direct mail?  Billboards?  There are steps you can take to avoid advertising and marketing in those contexts, but few of us would expect any sort of formal contact and consent form to be delivered to our attention beforehand.  And opt-ing out of them entirely is very difficult.  So, while I agree that, generally speaking, “people [should] know the cost of ‘free’ services, and then be allowed to make decisions based on their own cost-benefit analysis,” let’s understand that such ideal textbook models of perfect information and informed consent aren’t always possible.

I will admit, however, that the difference with online advertising is that personal information may be collected about the consumer of the advertising in question.  That did not always occur as part of those previous advertising “quid pro quos.”  Understandably, this raises the blood pressure of those who want to “property-tize” personal information and, in essence, apply a copyright-like permissions-based regime to any collection or reproduction of such information.  Such an information control regime will be challenging to enforce, especially in light of the significant amounts of personal information that we voluntarily place online about ourselves.  [See my earlier essay, “Privacy as an Information Control Regime: The Challenges Ahead” for further discussion.]

Nonetheless, an ideal world would be one in which trade-offs were more visible and consent / contracting was easier, whether we are talking about privacy, copyrighted material, or anything else.  For example, in the context of online child safety and potentially objectionable media content, I have long argued that:

The ideal state of affairs, therefore, would be a nation of fully empowered parents who have the ability to perfectly tailor their family’s media consumption habits to their specific values and preferences. Specifically, parents or guardians would have (1) the information necessary to make informed decisions and (2) the tools and methods necessary to act upon that information. Importantly, those tools and methods would give them the ability to not only block objectionable materials, but also to more easily find content they feel is appropriate for their families.

My former colleague Berin Szoka has applied this same ‘ideal world’ model to privacy in this filing to the Federal Trade Commission:

In an ideal world, adults would be fully empowered to tailor privacy decisions, like speech decisions, to their own values and preferences (“household standards”).  Specifically, in an ideal world, adults (and parents) would have (1) the information necessary to make informed decisions and (2) the tools and methods necessary to act upon that information.  Importantly, those tools and methods would give them the ability to block the things they don’t like—annoying ads or the collection of data about them, as well as objectionable content.

Again, this would move us close to an explicit contracting / consent regime for the media content in question in both cases.  Is it desirable? You bet.  Is it possible?  Likely not.  Can we strive to get closer to the ideal state?  Yes, but not without costs. And that’s the key point I was trying to get across in my earlier essay on Do Not Track.  The trade-offs here are real and could be quite profound for online content and culture.   If we move toward a more rigorous information control regime to restrict personal information flows in the name of protecting privacy, we should not be surprised when that trade-off becomes more explicit–and expensive.

One final point.  You argue that “the suggestion that people shouldn’t be allowed to make informed choices about their privacy because some businesses may suffer as a result of those choices is ludicrous and even offensive.”  Again, I’ve already said that we can strive for more and better informed consent models, but you are pretending here it’s far simpler than it is in reality.  And I’ve already noted that the important point here is not protecting businesses, per se, but rather understanding that online content and culture is currently primarily subsidized by advertising business models that will be forcibly broken by regulation, and that we should consider the trade-offs that entails.  Finally, is there any role for personal responsibility in your view?  After all, there are steps that websurfers can take to address unwanted advertising and data collection techniques. Here’s a short list of privacy solutions that my former PFF colleagues put together.  If we expect consumers to exercise some personal responsibility to avoid unwanted content or communications in the free speech / online child safety context, why not here in the privacy context as well?

In his essay today, “Go On, Opt Out. Just Don’t Come Cryin’ To Me …,” John Battelle has some very sensible thinking on the “Do Not Track” idea and privacy regulation more generally:

Look, if you want to, you can put yourself on a “do not track” list in the Real World. As you walk around in our Real World, where small shopkeepers and Starbucks alike attempt to lure you into their stores, you can simply decide to ignore their come ons. You can refuse to get a grocery card, and forego the discounts they offer. You can forego the countless coupons, come ons, and catalogs that come through your newspaper, browser, or your community mailer, and if you work at it, you can even opt out through some specialized services (with more coming soon, if the FTC gets its way). And you can turn off your television (cause lord knows even the shows are trying to influence you now), and you can ignore your friends when they talk about the latest, coolest promotion that Verizon or ATT has pushed them through their cell phones. If folks insist on talking about stuff that might smack of someone selling you something, heck, you can start to dress like the Unabomber and withdraw entirely from our obviously commercial culture. You might look weird, but at least folks will leave you alone. And if you do, your world will either be better, or it will suck more. Your call. But don’t come crying to me when you realize that in opting out of our marketing-driven world, you’ve also opted out of, well, a pretty important part of our ongoing cultural conversation, one that, to my mind, is getting more authentic and transparent thanks to digital platforms. And, to my mind, you’ve also opted out of being a thinking person capable of filtering this stuff on your own, using that big ol’ bean which God, or whoever you believe in, gave you in the first place.   Life is a conversation, and part of it is commercial. We need to buy stuff, folks. And we need to sell stuff too.

Amen, brother.  This is a point Berin Szoka and I have made repeatedly here in the past: The debate over privacy regulation is fundamentally tied up with the future of online content and culture. The idea of a cost-free opt-out model for the all online data collection / advertising may sound seductive to some, but we must take into account the opportunity costs of regulation.  The real world is full of trade-offs and, despite what the Federal Trade Commission seems to think, there is no such thing as a free lunch.

A report in the U.K. Telegraph notes that the European Union is seeking to create a so-called “right to be forgotten” online, and has “drafted potential legislation that would include new, unprecedented privacy rights for citizens sharing personal data.” Details are sparse at this point, but according to this new 20-page European Commission document, “A Comprehensive Approach on Personal Data Protection in the European Union,” the EU will be:

clarifying the so-called ‘right to be forgotten’, i.e. the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes. This is the case, for example, when processing is based on the person’s consent and when he or she withdraws consent or when the storage period has expired. (p.8)

Two brief comments on this.  First, it should be apparent that any “right to be forgotten” conflicts mightily with free speech rights and press freedom. As I discussed at greater length in this review of Solove’s Understanding Privacy as well as my essay on “Two Paradoxes of Privacy Regulation,” the problem with enshrining expansive privacy “rights” into law is that it means there will need to be stricter limits placed on speech and press freedoms.  As Eugene Volokh noted in his 2000 law review article entitled, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking About You“:

The difficulty is that the right to information privacy — the right to control other people’s communication of personally identifiable information about you — is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.

Of course, there’s no First Amendment in the E.U.  But while there’s not as strong of a tradition of freedom of speech / press in Europe as in the U.S., it would still be shocking to see the E.U. go down this path.  Consider what it means for the press, in particular.  When I was in journalism school back in the late 1980s, one of my favorite professors once told my class that a good journalist was really nothing more than a nosy person who knew how to write.  But being “nosy” — digging for stories, gathering facts, reporting on the world around us — is fundamentally at odds with “privacy,” strictly defined.  For example, could someone claim “a right to be forgotten” when a journalist pens an article about them beating their wife or committing corporate fraud?  Believe it or not, Germany already has a law like this for convicted criminals who have served their time.  They can have old facts about their crimes repressed after they’ve served their sentences.  [Note: If someone could forward me additional details about that German law, I would appreciate it. Specifically, I would like a better understanding of how enforcement works.]

Second, there are economic trade-offs that must always be considered here.  Enshrining “a right to be forgotten” into law would necessitate a fairly significant expansion in the rules and regulations governing information sectors and actors.  Enforcement would certainly be challenging. As always, there is no free lunch; something has to give.  If online sites and service providers are faced with onerous new regs that limit their ability to collect data or serve up online advertising, those sites and services will need to find new methods of financing ongoing operations.  The impact on innovation could be substantial.  Indeed, one could argue that one of the reasons America’s high-tech sector and digital companies are the global leaders in so many of their fields is precisely because they have not been strapped with top-down privacy regimes and data directives that would have constrained their ability to innovate using information collection.

Information — yes, including personal information — is the fuel of the Digital Economy.  Restricting the flow of that information, or its use for advertising and marketing purposes, will have an undeniably negative impact on online content and culture.  Ask yourself this: Would you be willing to pay $19.95/month to use a social networking site, or to be charged a fee for each query you enter into a search engine?  Those subscription-based or pay-per-use business models certainly shouldn’t be prohibited, but it would seem most Netizens are comfortable with the current arrangement: Free access/use in exchange for information collection and ads.

Of course, this “right to be forgotten” regulatory regime is currently only being considered in Europe.  Some here in the U.S., therefore, might be tempted to cheer on their expansive reading of privacy “rights” in light of the hobbling effect it has on their information and high-tech sectors!   But those rules will hurt U.S. players, too, since many of them offer services across Europe.  Moreover, this regulatory paradigm could become a model for privacy advocates in the U.S. and set the stage for a major push for new legislation / regulation here.  Let’s hope that’s not the case.

By Adam Thierer & Berin Szoka

Last Friday, Common Sense Media (CSM) held an event  (video) at the National Press Club featuring the chairmen of the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC). The regulatory activist group released a new poll on children and privacy (Exec Summary & Full Survey). Unfortunately, like almost every other privacy-related poll, theirs is more geared towards fueling a privacy panic than on exploring the real-world trade-offs between legislating “greater privacy” (a hopelessly abstract concept in most conversations) and losing the consumer benefits of data sharing: innovation in online services and the quality and quantity of services and content supported by data-driven advertising.

What better way to drum up Congressional support for paternalistic privacy legislation (restrictions on online data use) than by asserting that this is what the electorate already wants? The poll asks whether “Congress should update laws that relate to online privacy and security for children and teens.”  Three-fifths (61% of parents, 62% of adults) said yes. But earlier in the survey, only 16% knew that the Children Online Privacy Protection Act of 1998 already prohibits “online companies… from collecting or using personal information from children under the age of thirteen without a parent’s permission.” (53% weren’t sure.) If parents don’t know what Congress has already done, how meaningful is it for them to say they think Congress needs to do more? (There’s a reason we don’t have direct democracy.)

Indeed, how useful are such polls, anyway? Ultimately, what such polls really tell us is that, if you ask parents—or adults in general—whether they’re concerned about protecting kids, of course most will say yes, because nobody wants to think of themselves as the kind of person who doesn’t care about kids.

This bias becomes even more problematic when the choice at issue involves such stark trade-offs—especially when we’re talking about throwing a wrench (restrictions on data use and collection) in the economic engine that has again and again provided funding for media and services that users just won’t pay for. As we’ve noted here before, privacy polls and surveys reveal only what the public will tell pollsters in response to the particular questions asked. On privacy, those questions are almost invariably designed to solicit responses suggesting an urgent need for more laws and government action. Even the fairest of these surveys is no substitute for real-world experiments in which people make real choices, in real time, often with real money, and face many real trade-offs.

What this debate comes down to is the unarticulated trade-off between the benefits of receiving tailored (relevant!) ads and the costs of that tailoring. Yet, too often, policymakers and even the public seem oblivious to that trade-off.  There’s too much “assume-a-platform” thinking going on out there: CSM and their ilk imagine all these free online sites and services we and our children enjoy today just fall like manna from heaven—and will keep working no matter how they’re hamstrung.  Worse yet, discussions about “harms” take place at such a level of abstraction as to be almost meaningless.

For example, during Friday’s press conference announcing the poll results, Common Sense Media founder and CEO Jim Steyer pushed hard for aggressive Internet regulation to “protect privacy”—yet for all his adamance, he couldn’t identify a single clear harm demanding further government intervention. (He barely mentioned existing regulation, like the FTC’s enforcement of corporate promises or the Fair Credit Reporting Act, which restricts the use of personal data for credit decisions, where a real harm could occur to users.)

Steyer actually asserted—repeatedly—that regulation will not burden online operators, and blithely suggested that, in essence, if dot-com entrepreneurs are smart enough to build all these cool sites and services, they can also figure out how to craft or live with new rules for how the Internet economy should work.  Ah, yes… everything will be just fine and dandy once the regulatory wrecking ball comes and requires every online site that currently uses advertising—powered by data collection—to completely change the way they do business and find new business models that involve getting someone other than advertisers to pay for all that free stuff.  More on that Beltwayland fantasy in a minute!

First, however, CSM deserves some credit for at least asking respondents two survey questions that gets to the heart of our concern about trade-offs. Specifically, survey question #14 asked, ” Some social networks and search engines that offer online services for free say they can only do so by selling advertising tailored to user habits and interests. Do you believe this is true?”  Of course, that statement is obviously true: There’s no such thing as a free lunch.  Something has to pay for all theses services; that something is advertising and marketing techniques that are powered by data aggregation about users’ apparent interests. Regardless, CSM left the question open-ended, either becuase they don’t buy that notion or they wanted to suggest to respondents that it’s actually an open question (as if site operators are just lying about having to pay their bills somehow!)  Responses split almost perfectly:

Importantly, however, in the next question, CSM asked: ” Would you prefer to pay for services currently provided for free on search engines and social networking sites in lieu of having information about you sold to advertisers?”  Nearly half (45%) of all adults and, surprisingly, an even higher (51%) proportion of parents, said they would not prefer to pay for services but instead continue to allow data collection / advertising to fund online content and services.

Interestingly, CSM never mentions these important findings in their press release or online summary of the poll.  Instead, they play up survey results suggesting that plenty of people, especially parents, have general concerns about privacy. Well, of course they do!  That’s like asking if you have general concerns about the flu or (if you live in Florida) hurricanes. But, again, there has to be some context and some acknowledgment of the fact that the world is full of trade-offs and that regulation has consequences. Regrettably, but perhaps unsurprisingly, CSM downplays the questions in their survey that speak to this. It’s one of the rare instances of trade-offs even being mentioned in a privacy poll, probably because those who generally conduct privacy polls had political motivations:  They want federal privacy regulation and, therefore, they selectively ask only leading questions about generic privacy concerns that are always going to produce lop-sided results.

We applaud CSM for breaking with that unfortunate tradition—the polling equivalent of “stuffing the ballot box”—and at least asking people if they understand there’s a trade-off here and whether they’d be willing to pick up the full freight of what the online services and content they consume actually cost.  Of course, once CSM heard that, when faced with that stark choice, the majority of people would not want to pay, the organization decided to essentially bury that result and instead highlight the other “Do you love your mother?” sort of questions that produce predictable results precisely because they are consequence-free. (Perhaps they only included these questions because they know we’ve been so relentless in our criticism of previous polls for failing to ask any questions even approximating trade-offs?)

What’s even more concerning about the way CSM chose to play these poll result is the shameless scare tactics Jim Steyer used during the press conference. At one point, he compared these privacy concerns to “tainted meat” and unregulated meatpackers!  You know, because people are dying left and right from “consuming” unregulated web content. This analogy is nothing less than insulting to web entrepreneurs, those who use them, and the policymakers Steyer is grandstanding for.

The fantasy-land mentality continued when Steyer said CSM wants someone in the Internet industry to develop some sort of “eraser button” to wipe out portions of our online pasts. “We can’t tell you how to do that,” Steyer said, but the onus is on industry to do it—and he expects them to get on it immediately. Right… perhaps the Internet’s Director of Operations can issue all companies and consumers one of those Staples “EASY” buttons for their desks, except this one would just say “ERASE” and magically clean up our online pasts!  Again, this is consequence-free thinking at work and it is dangerous—especially to smaller website operators who just can’t absorb endless regulatory mandates without suffering profound consequences.

Speaking of scare tactics, it’s quite revealing that CSM chose to phrase Question #2 as follows: ” Of the following, which do you feel is the main reason you are concerned about children revealing personal information online?” And then they listed a few possible responses with the first being  “sexual predators.” Nothing like fanning the flames of moral panic by asking about child predation! CSM has certainly studied the literature closely enough to know how completely out of proportion this concern has been blown. Read the final report of the Harvard Berkman Center “Enhancing Child Safety” blue ribbon task force to get the definitive word on that.

But it’s equally interesting that, despite all the hand-wringing at Friday’s press conference about targeted marketing, only 4% of respondents to this poll felt product marketing was the primary concern relating to collection of information about children online.  Nonetheless, CSM is still demanding more regulation in the name of protecting kids from some amorphous corporate bogeyman. Complicating matters is the fact that, during the press conference, Jim Steyer said that for CSM, a “kid” is anyone under 18. This was consistent with comments that CSM submitted to the FTC in July as part of the agency’s review of the Children’s Online Privacy Protection Act (COPPA), CSM advocated not just expanded educational efforts, which we applaud, but also expanding COPPA’s age scope to cover all kids under 18 as well as opt-in mandates for the collection and use of any “personal information” or “behavioral marketing.”

Incidentally, during Friday’s press conference, a sharp audience member asked how, exactly, government or websites would go about differentiating kids from adults for purposes of expanded “kids’ privacy” regulation. Good question!—and one that Steyer promptly ignored. He went silent at that point, perhaps recognizing that CSM was wading into the unconstitutional waters of COPA-like age verification mandates for the Internet without the slightest clue of the real-world implementation of their proposals. FTC Chairman Jon Leibowitz  jumped in to suggest that it could be done because marketers already know how to track kids and have sophisticated techniques to figure out who is who and what age they are.  But that’s simply not true.

The reality, as we have noted here before many times [see 1, 2, 3, 4, 5, 6, 7] is that there is no easy way to verify the ages of kids online becuase they lack the sort of credentialing records (driver’s licenses, credit cards, tax records, home mortgages, work or military records, etc) that adults possess. Thus, if you say you want to verify kids’ ages online, what you are really saying is that you want to verify adults online.  Again, this gets us right back into the thorny COPA world which has already been litigated to the hilt and found unconstitutional many times over because of the free speech and privacy issues it raises to create the equivalent of an online “show-us-your-papers” regulatory regime.

We object to other CSM proposals, including their call for new laws and regulations that deny any ability to serve up targeted ads and opt-in mandates for geo-location and changes of personal information, and their call for “independent privacy ratings,” which seems to echo their old call for “universal ratings” for all media content.  But we haven’t seen all the details on those, so we’ll have to address them later.

What is clear, though, is that Common Sense Media is back on the regulatory warpath, again advocating comprehensive regulation of the Internet in the name of “protecting the children.”  We can certainly join hands with CSM in their call for more education on all these issues, and we can also live with the FTC holding companies to the promises or claims they make when it comes to the personal information they collect and what they do with it.  But what Common Sense Media is asking here is for the Internet to be re-engineered through a sweeping regulatory regime that could decimate the “free” and open Internet as we know it.  That’s what this battle is all about.

Additional Reading

• Joint CDT-PFF-EFF Comments on FTC’s COPPA Review & the Dangers of COPPA Expansion
• “Privacy Polls v. Real-World Trade-Offs” – by Berin Szoka
• “Comments at FTC Workshop Panel on Privacy Polls & Surveys” – by Adam Thierer
• “Troubling COPPA Filing by Common Sense Media” – by Adam Thierer
• “COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech” – by Berin Szoka & Adam Thierer
• “Privacy Trade-Offs: How Further Regulation Could Diminish Consumer Choice, Raise Prices, Quash Digital Innovation & Curtail Free Speech” – by Berin Szoka, (Comments to the Federal Trade Commission at the Privacy Roundtables, Nov. 10, 2009)

I was reading this Sun Magazine interview with the always-interesting Nick Carr and I liked what he had to say here about the public’s inconsistent views on privacy:

If you ask people whether they’re concerned about the ability of the government or corporations to gather information about them online, they’ll say yes. But if you look at how they behave online, they don’t display much fear of exposing themselves. What that says about people — and it’s true for most of us — is that we will readily forgo our privacy in exchange for convenient and useful services, particularly if they’re free. That’s a trade-off you make all the time on the Internet. Even if people were more conscious of how this information might be exploited, I doubt most would change their behavior.

This reminds me of the classic “hamburgers for DNA” quip from security expert Bruce Schneier who once famously noted that:

If McDonalds in the United States would give away a free hamburger for an DNA sample they would be handing out free lunches around the clock. So people care about their privacy, but they don’t care to pay for it. In the United States we have frequent shopper cards, which will track down people’s purchases for a 5 cents discount on a can of tuna fish. I don’t think you can convince the public to care about it.

The key point here, as Berin Szoka and I noted in our recent paper on targeted online advertising, consumers vary widely in their attitudes towards the inherently nebulous concept of privacy. As our TLF colleague Jim Harper has demonstrated:

Privacy is a state of affairs or condition having to do with the amount of personal information about individuals that is known to others. People maintain privacy by controlling who receives information about them and on what terms. Privacy is the subjective condition that people experience when they have power to control information about themselves and when they exercise that power consistent with their interests and values. […] An important conclusion flows from the observation that privacy is a subjective condition: government regulation in the name of privacy is based only on politicians’ and bureaucrats’ guesses about what ‘privacy’ should look like.

In a nutshell, ask anyone if they care about their privacy and almost 100% of them will say, yes, absolutely. But then ask them about what they do both online and offline on a daily basis and most of them will reveal a very different set of preferences or values when it comes to what “protecting privacy” would mean in practice. That’s because privacy is, as Harper notes, a highly subjective condition, and that’s true even in a micro sense. We’re constantly making privacy trade-offs on the fly. Every time we enter a contest, sign up for a shopper discount card, enter absurd amounts of personal info on social networking sites, and so on, we are making privacy trade-offs. Sometimes we think them through carefully; other times we don’t. But most of the time people will trade away their supposed “privacy rights” in for even the most trivial things. A Big Mac, 5 cents off a can of tuna fish, or whatever else.

With the publication of Understanding Privacy (Harvard University Press 2008), George Washington University Law School professor Daniel J. Solove has firmly established himself as one of America’s leading intellectuals in the field of information policy and cyberlaw.  Solove had already made himself a force to be reckoned with in this field with the publication of important books like The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale University Press 2007), The Digital Person: Technology and Privacy in the Information Age (NYU Press 2004) and his treatise on Information Privacy Law with Paul M. Schwartz of the Berkeley School of Law (Aspen Publishing, 2d ed. 2006).  But with Understanding Privacy, Solove has now elevated himself to that rarefied air of “people worth watching” in the cyberlaw field; an intellectual — like Lawrence Lessig or Jonathan Zittrain — whose every publication becomes something of an event in the field to which all eyes turn upon release.

Like those other intellectuals, however, my respect for their stature should not be confused with agreement with their positions.  In fact, my disagreements with Lessig and Zittrain are frequently on display here and, we have been critical of Solove here in the past as well. [Here’s Jim Harper’s review of Solove’s last book, with which I am in wholehearted agreement.]  In a similar vein, although I greatly appreciate what Prof. Solove attempts to accomplish in Understanding Privacy — and I am sure it will change the way we conceptualize and debate privacy policy in the future — I found his approach and conclusions highly problematic.

Let me begin by summarizing Solove’s bold objective in Understanding Privacy. In the book, he attempts “to set forth a theory of privacy that will guide our understanding of privacy issues and the crafting of effective laws and policies to address them.” (p. 2) Solove’s “pragmatic” proposal to rethink privacy requires us to abandon the ways we have traditional thought about it. He begins by rightly noting that privacy has long been a “conceptual jungle” (p. 196) and a “concept in disarray.” (p. 1) “[T]he attempt to locate the ‘essential’ or ‘core’ characteristics of privacy has led to failure,” he says. (pg. 8 )

Consequently — and this is what make’s his approach so unique and important — Solove’s proposal to rethink privacy begins with a call to abandon the entire philosophical exercise of trying to tie privacy rights to some “common denominator” (pg. 8 ) since “Nobody can articulate what it means.” (p. 1) Actually, what he really means to say is that plenty of theorists can articulate what it means, it’s just that there is rarely any strong consensus about what justifies a particular theory of privacy. Indeed, in Chapter 2, he walks the reader through a half-dozen “conceptions of privacy” and illustrates how each has intellectual weaknesses and suffers from over- and under-breadth problems in terms of what it types of privacy it protects.

More importantly, according to Solove, not only has the effort “to locate the ‘essence’ of privacy” failed, but there is never any hope of it succeeding. Instead of continuing the futile search for such a grand, unified theory of privacy, Solove says we should tackle privacy issues from the “bottom up” by looking to “solve certain problems” (p. 75) The key to making it all work, he says, is “balancing”:

Because privacy conflicts with other fundamental values, such as free speech, security, curiosity, and transparency, we should engage in a candid and direct analysis of why privacy interests are important and how they ought to be reconciled with other interests. We cannot ascribe a value to privacy in the abstract. The value of privacy is not uniform across all contexts. We determine the value of privacy when we seek to reconcile privacy with opposing interests in the particular situations. (p. 87)

It is tempting to applaud Solove’s attempt to unhinge privacy from any “common denominator” and instead get more concrete about how to work through the details of practical privacy problems. After all, it is easy to get frustrated with some modern theories of privacy that have been tied up with amorphous, warm-and-fuzzy terms like “personhood” and “intimacy.” The inherent subjectivity of some of those terms makes it challenging to derive bright-line principles and tests to help craft law or resolve privacy disputes when they come before the courts.

But I believe there are serious problems with any attempt to completely divorce privacy policy from a theory of rights or justice. In my opinion, you can’t just dynamite all conceptual frameworks to the ground; value judgments will persist and references to rights theory will always be required. Even Solove’s pragmatic, bottom-up approach is value-laden; he just doesn’t acknowledge it. The majority of privacy controversies he attempts to work through in Chapter 5’s ambitious 16-part “Taxonomy of Privacy” mostly end up coming down in favor of taking stronger steps (i.e., rules, regulations, lawsuits, etc) to enhance privacy rights. He clearly has a bias in favor of enhancing and extending privacy rights relative to many other rights, but he doesn’t bother grounding it in any substantive theory of rights or justice.

Simply stated, even though Solove claims he can construct a new paradigm based strictly on a “pragmatic,” utilitarian, “problem-solving” approach, there is just no getting around the fact that, at some point, you are going to have to provide a more robust theory of rights or justice to explain why one right trumps another.

For example, let’s consider the frequent clash between privacy and free speech rights. As any casual reader of this blog knows, I feel quite passionately about the First Amendment and free speech rights. And, in all but the most extreme cases or circumstances, I will argue that speech rights should trump privacy rights. When would speech rights not trump privacy rights? For me, that would only occur when a clear, quantifiable harm resulted from the speech. But what is “clear, quantifiable harm”?  Reputation, for example, is not something one can easily quantify the loss of. When a company or a government agency loses or sells your personal health records without permission, however, that privacy violation gets a little more quantifiable. And in the case of someone stealing your personal information to engage in identity theft, the harm becomes still more quantifiable. But those cases often involve monetary damages, whereas something like defamation is much more difficult to quantify. However, when considering privacy-vs.-free speech trade-offs, I would first look to identify and quantify to concrete harm to an individual before allowing the state to curtain freedom of speech.

Solove acknowledges these privacy-speech trade-offs and cites the work of scholars like Eugene Volokh, Fred Cate, Virginia Postrel, and Solveig Singleton, who have all discussed these problems in their work. Volokh, for example, wrote an incredibly important 2000 law review article entitled, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking About You.” As he pointed out in that piece:

The difficulty is that the right to information privacy — the right to control other people’s communication of personally identifiable information about you — is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.

Without reference to some higher set of first principles or theory of rights / justice, I believe it is very difficult to sort through thorny problems like these. We need to know how and when one right trumps another. A theory of rights that focuses on avoiding direct, tangible harm to others — but largely leaves individuals otherwise free to do what they wish — would generally place speech rights above many privacy “rights” (some of which perhaps should not quality be rights at all). Of course, this more libertarian construction of rights remains quite controversial in our modern society, and there are other theories of rights and justice that would minimize the importance of speech rights relative to privacy.

Importantly, there also needs to be some recognition of the qualitative difference between government threats to privacy versus private threats. The harm that can come from government violations of privacy are generally far more troubling (surveillance, taxation, fines, imprisonment, etc) than potential private harms. I don’t think Solove’s framework appreciates that distinction.

Regardless of which approach one adopts — reasoning from first principles, or working from the “bottom up” (a la Solove) — there will always be fair degree of “balancing” undertaken by legislatures and the courts when crafting privacy policies. Indeed, in many ways, I see Solove’s more “pragmatic” approach often getting us to the same point we would find ourselves in if we took a more philosophical, first principles-based approach. It’s just that under his approach, he would often give the nod to privacy concerns over other rights whereas others (like me) would first look to enhance other values, especially free speech.

In sum, I believe that if one attempts to divorce the exercise of “understanding privacy” from any theory of rights, inevitably, you end right back in the same “conceptual jungle” you were in before. In that sense, I regret to say that Solove’s approach in Understanding Privacy ultimately fails. There’s just no escaping a fight over first principles.

But make no doubt about it, Daniel Solove’s book — and his approach to classifying and dealing with privacy problems — will have a profound impact on all future privacy debates. In that sense, it is a vital text; a must read for all who follow, or engage in, privacy debates.

P.S. Prof. Solove contributed an article to this month’s big Scientific American special issue on “The Future of Privacy.” Many articles in that issue worth reading.