privacy & the internet

Upload: adam-thierer

Post on 08-Apr-2018


  • 8/6/2019 Privacy & the Internet

    1/31

    Privacy & The Internet:

    An Overview of Key Issues

    Adam Thierer

    Senior Research Fellow

    Mercatus Center at George Mason University

    May 19, 2011


    Outline of Presentation

    1) What do we mean by privacy?

    2) Different approaches to defining / protecting it

    3) Trade-offs associated with privacy regulation

    4) The challenge of information control

    5) Specific regulatory proposals

    6) An alternative vision / the 3-E Solution


    What is Privacy?

    Privacy is a remarkably vague concept

    Means different things to different people

    Varies by cultures

    An ever-changing concept

    Reacts to evolving social norms & technological change

    If it is a right, we must determine how it plays alongside other, well-established rights (ex: freedom of speech & press freedoms)


    Privacy's Fuzzy Concepts

    Harm

    How do we define and measure harm?

    Is creepiness a harm?

    Should emotional harms (feelings) be actionable?

    Ownership

    Who owns shared data?

    What is personally identifying information?

    Informed Consent

    Are strict contracts possible?

    Sensitive Data

    Health, financial, what else?


    Alan Westin's 3 Visions / Paradigms

    1. Privacy Fundamentalists: Absolutists about privacy being a right & one that trumps most other values / considerations

    2. Privacy Pragmatists: Value privacy to some extent but also see benefits of information sharing

    3. Privacy Unconcerned: Have little concern about who knows what about them


    How to Enforce / Protect Privacy? (U.S. vs. E.U. Visions)

    United States

    Privacy not viewed as a fundamental right

    Issue-specific / Sectoral approach

    Bottom-up case law / torts

    States have role; often more stringent than fed law

    More focus on opt-out

    Big Brother generally = govt

    = a reactive regime

    European Union

    Privacy viewed as a fundamental dignity right

    Broad-based approach

    Top-down directives

    More focus on opt-in

    Big Brother = private sector as much as govt

    = a preemptive regime


    The U.S. Sectoral / Issue-Specific Approach to Privacy Law

    Privacy Act (1974) = govt data collection

    FERPA (1974) = fed-funded education institutions

    Cable Comm. Policy Act (1984) = cable data

    Video Privacy Prot. Act (1988) = video rental records

    Driver's Privacy Prot. Act (1994) = DMV records

    HIPAA (1996) = health records

    Gramm-Leach-Bliley (1999) = financial records

    COPPA (1998) = kids (under 13) online privacy

    CAN-SPAM Act (1993)

    Do Not Call registry (2003)


    The Battle over Online Privacy

    Policy battle has been raging since late 1990s

    FTC & Congress appeared poised to act around 2000, but...

    Industry self-regulation was given a chance

    9/11 preempted this debate to some extent

    Framework for past decade:

    Focus on Notice / Choice / Access / Security

    Rise of self-regulatory bodies & mechanisms

    Targeted FTC & state enforcement


    New Fault Lines in the Online Privacy Wars (and the legislative response)

    New activity driven by:

    Fears of targeting & tracking = creepy factor

    General unease with ubiquity of data access & availability

    Proposals:

    Baseline legislation / FIPPS (Kerry-McCain, Rush, Stearns)

    Do Not Track mechanism + regulation (Speier & Rockefeller bills)

    Do Not Track Kids / COPPA expansion (Markey-Barton)

    Internet Eraser Button (Markey-Barton)

    Geolocation restrictions (Markey-Barton)

    Data breach disclosure (Kerry-McCain)

    Data minimization requirements (Kerry-McCain, Rush)

    ECPA vs. Data retention laws


    Privacy Trade-Offs & Opportunity Costs

    Internet feels like the ultimate free lunch; most sites, services & content are free of charge.

    But, in reality, there is no free lunch.

    The implicit quid pro quo of online life: you gotta give a little to get a little (or a lot!). And most people like this deal.

    The Net is powered by advertising & data collection.

    Information is lifeblood of Digital Economy.

    Info may be collected to facilitate a better browsing experience or to help the site or service remain viable.

    In essence, information used in lieu of payment.

    Regulation could break this system & have other unintended consequences.


    The Problem of Information Control

    Even if we agree privacy is important and worth protecting, it will be very hard.

    "Information wants to be free" - Stewart Brand

    and that includes personal information

    "The Net interprets censorship as damage and routes around it." - John Gilmore

    and privacy regulation is, at root, a form of data flow censorship


    10 Factors That Complicate Information Control Efforts

    Drivers

    Digitization

    Intangibility

    Moore's Law

    Falling Storage Costs

    Ubiquitous High-Speed Networks

    Results

    Convergence

    Decentralized, Distributed Networking

    Scale & Scope

    Volume

    User-Generation of Content and Self-Revelation of Data


    Some Facts (or Why Putting Genies Back in Bottles is So Hard)

    Facebook: users submit @ 650,000 comments on the 100 million pieces of content served up every minute on its site.

    YouTube: over 35 hours of video uploaded every minute.

    Twitter: 300 million users produce 140 million Tweets / day, = a billion Tweets every 8 days. (@ 1,600 per second)

    Apple: more than three billion apps have been downloaded from its App Store by customers in over 77 countries.

    "Humankind shared 65 exabytes of information in 2007, the equivalent of every person in the world sending out the contents of six newspapers every day." - Hilbert and Lopez


    The Privacy Paradox

    "People value their privacy, but then go out of their way to give it up." - Larry Downes, Laws of Disruption

    "We give away information about ourselves - voluntarily leave visible footprints of our daily lives - because we judge, perhaps without thinking about it very much, that the benefits outweigh the costs. To be sure, the benefits are many." - Abelson, Ledeen & Lewis, Blown to Bits


    What We Must Learn to Accept

    "Once information is out there, it is very hard to keep track of who has it and what he has done with it." -- David Friedman, Future Imperfect

    Privacy is not dead as some have claimed, but it is different than it was in past

    New realities of info dissemination, accessibility, searchability

    Rushed, heavy-handed solutions will be costly and perhaps not effective anyway


    Policy Responses

    (and their problems)


    Do Not Track - The Theory

    Could be voluntary, but might be mandated.

    Would demand that websites honor a machine-readable header indicating that the user did not want to be tracked.

    In theory, this will allow privacy-sensitive web surfers to signal to websites they would like to opt-out of any targeted advertising, or not have any information about them collected when visiting sites.


    Do Not Track - Potential Downsides

    Costs: If law breaks the quid pro quo something must give

    Paywalls and higher prices?

    Less relevant or more intrusive advertising?

    Fewer services? Less media content?

    Int'l Competitiveness: Goldfarb & Tucker - "after the [EU's] Privacy Directive was passed [in 2002], advertising effectiveness decreased on average by around 65% in Europe. Because regulation decreases ad effectiveness, this may change the number and types of businesses sustained by the advertising-supporting Internet."

    Practical? Does DNT scale? Apply internationally? To other devices?

    Regulatory creep: Will it serve as a template for other forms of Net regulation?


    COPPA Expansion - Background

    Special concerns about youth & online marketing

    COPPA ('98) was first attempt to deal with it

    Requires verifiable parental consent for sites directed at children that collect info

    FTC defines rules (safe harbors) and enforces

    Never constitutionally challenged


    COPPA Expansion - Potential Problems

    What works for under 13 not likely to work for teens

    Would basically require mandatory age verification of all web surfers

    COPPA becomes COPA? = unconstitutional

    Serious free speech issues

    Irony = in name of protecting privacy, more info about users would need to be collected!


    Internet Eraser Button - Concept

    Goal: Make it easier for people (esp. kids) to delete posted comments or content they later regret

    Practical Problem: Where is this button? Who controls it? What if info is shared content? Backdoor to fraud / abuse?

    Principled Problem: Conflicts mightily with freedom of speech & press freedoms


    A Different Vision for Privacy Protection


    The Conflict of Visions: Anticipatory Regulation vs. Resiliency

    Long-standing conflict of visions about how to best manage risks:

    1. Anticipation

    Prevention is prime value

    Focus on the Precautionary Principle

    2. Resiliency

    Experimentation is prime value

    Focus on Learning / Coping


    Anticipatory vs. Resiliency-Based Solutions

    Anticipatory Reg Approach

    Mandatory Do Not Track

    Mandatory Opt-In for all data collection

    Bans on apps / functionality

    Restrictions on sharing / all defaults to private

    Eraser Button mandates / demands for data deletion

    Resiliency Approach

    Voluntary Do Not Track

    Offer opt-outs (encourages experimentation & innovation)

    No preemptive bans on tech

    No restrictions on sharing, but education about downsides

    Voluntary data purges & data hygiene


    Constructive Alternatives to Regulation

    1. Be careful @ how harm & market failure defined. (ex: Creepiness not a likely harm; data breach likely a harm)

    2. Focus on a 3-E Solution to problems: Education, Empowerment, & (Targeted) Enforcement

    3. Encourage corporate and personal responsibility

    4. Think of privacy as an evolving set of norms, interactions & experiments

    5. Don't Panic! We can learn to cope with technological change.


    The 3-E Solution


    #1: Educational Solutions

    Education at all levels

    Awareness campaigns from privacy advocates, govt, industry, educators, etc.

    Encouraging better online netiquette and data hygiene

    Push for better transparency across the board

    Better notice & labeling

    Need more watch-dogging of privacy promises made by companies


    #2: Empowerment Solutions

    = Helping users help themselves

    User self-help tools are multiplying

    AdBlockPlus, NoScript, other browser tools

    Industry self-regulation

    More cross-industry collaboration on privacy programs

    More education efforts (better notice)

    Best practices & better defaults

    More and better tools to respond to new developments and needs


    #3: Enforcement Solutions

    Holding companies to the promises they make

    stepped-up FTC Sec. 5 enforcement

    Demand better notice & transparency

    Mandatory disclosure of data breaches

    Targeted regulation of sensitive data, but with flexibility
