Paper prepared for Cato Roundtable "Privacy vs, Innovation"
Self-regulation of the Internet has emerged in a number of contexts, including privacy. Internet filtering technology is also a species of "self-regulation." And then there is self-regulation of kind less trumpeted by pundits, but important and interesting none-the-less, such as the blacklisting of Internet Service Providers suspected of being spammer havens.
In "real" space, self-regulation of a number of different types has grown up. These include:
Some of these systems of self-regulation arrived in response to varying degrees of government pressure, including the MPAA ratings and proposals for self-regulation on privacy. The blacklisting of spammer Internet Service Providers by anti-spam groups like the Open Relay Blocking System and the MAPS Realtime Blackhole list, is a good example of purely private, market driven conduct.
From the standpoint of legislators or regulators, self-regulation is less costly than traditional command and control regulation. First, it is less costly to the economy. Command and control rules are for obvious reasons unsuited to the rapid changes of technology in the innovation age.
Second, self-regulation is less costly to the government, because authorities need not drastically expand their enforcement mechanisms. Sometimes, a push for self-regulation lets regulators avoid some of the cumbersome process of proposing particular rules, submitting them to public comment, and considering their costs and benefits.
From the standpoint of participants in markets, either industry or consumers, self-regulation might arise as a natural outgrowth of consumer demand. This "bottom-up" process is truly voluntary and likely to be highly decentralized. Kosher food labels are a good example, offering consumers a choice of many different standards. In response to the incredible diversity in consumer demand, the market offers many competing forms of self-regulation, not just a single standard. In the health and safety context, self-regulation might be more likely to look to a single standard, as with the Underwriters Laboratories--but even UL has a number of smaller competitors.
But in most cases no third party standards or oversight at all are necessary for "self-regulation." That is, true market-based self-regulation blurs into no regulation at all, with each company "regulating" itself according to internal standards of customer or client service and no third party oversight. Bad service is checked by competition.
Especially in the privacy context, "self-regulation" in response to government pressure is viewed as an alternative to top-down regulation. But such a system of self-regulation could easily share the drawbacks of top-down regulation.
One characteristic of demands made on e-commerce merchants respecting privacy "self-regulation" has been that the goals of the regulation are assumed to be known. Regulators have insisted that a system of self-regulation must ensure that customers have notice of how their data is being used, that they have a choice about whether it is not be collected or not, and so on. From time to time, regulators have worked themselves into a state of great concern over the question of whether or not these goals are being met.
In the real world, however, no one really knows what state of affairs "ought" to obtain with respect to privacy. There is some hand waving about privacy being important to human dignity and autonomy. But the question of when human beings will need to reveal information to gain trust, will be willing to offer trust without information, and will need to respect confidentiality to gain trust is a bafflingly complex question. It depends largely on individual preferences and needs. It may be resolved differently in different contexts from year to year--or even from minute to minute.
Furthermore, the default rules for how human beings exchange information about one another favor the freedom of information--with privacy being by special arrangement. Generally, human beings are free to make observations about other human beings, and record and report these--so long as they do not violate an express confidentiality agreement, hack into someone's web site, or break into their house. Usually our privacy rights have been bounded by property right and contract obligations, with a handful of very narrow privacy torts available at common law.
When regulators insist that a system of "self-regulation" must conform to certain fixed, top-down goals, they are clearly not talking about self-regulation that arises from market forces. In a market, goals are evolving, varied, and diverse. In the world of business ethics and customer relations, preferences about privacy and trust are evolving, varied and diverse. If advocates of self-regulation expect the system to produce an outcome that guarantees certain fixed goals, they are doomed to disappointment--and thence to top-down regulation. True self-regulation means choice, variety, and experimentation.
Self-regulation may seem to participants in the marketplace like a fairly good alternative to command and control regulation. Note, however, that self-regulation with a heavy element of government involvement in goal-setting and enforcement may have many of the same drawbacks as command-and-control--without the checks on lawmaking power that are provided by the Administrative Procedures Act, formal rulemaking processes, or public accountability more generally.
In particular, self-regulation in the privacy context threatens to evolve into a system where government makes vague rhetorical demands with no clear content or deadlines. Official involvement looms at every stage, and may be wildly unpredictable. We lose the benefits of a bottom-up learning process that occurs through the market, but also lose the benefits of certainty and accountability that come with formal rulemaking procedures.
One key element missing from the equation when government prematurely forces markets towards "self-regulation" is cost-benefit analysis. Even in formal rulemaking proceedings, agencies are notoriously oblivious to the need to perform such studies. The problem is exacerbated a thousand-fold when agencies pressure the market to regulate itself. In the privacy debate, for example, little or no attention has been paid to
Cost-benefit analysis in the privacy context seems to be confined to repeated assertions on the part of the FTC that consumers will not develop trust in electronic commerce without privacy regulation. There is something odd about this picture, for electronic commerce is clearly exploding. Might it be that answers to consumer surveys are misleading in some way? (I take this question up again further below).
Self-regulation with substantial government involvement is substantially different from a market process.
We should, therefore, avoid "self-regulation" tightly controlled from the top down; it has many of the drawbacks of command and control regulation, without accountability. But on the privacy front, we seem to be moving inexorably towards the command and control model, on the theory that self-regulation is not enough or is not working.
But this is not because there is any real problem with true self-regulation! The problem is that some expectations of what self-regulation is supposed to accomplish have become divorced from reality. When something makes us unhappy, it's worth asking, were our expectations reasonable? When we describe imperfections in a market, what ideal process are we comparing it too? Some people seem to be unhappy with the market if it reveals any imperfections at all--but delighted with government if it works even some of the time. Forestalling disappointment with respect to privacy issues means, not moving towards command and control, but understanding how self-regulation is likely to work. I sketch this out below.
What is a market? A market is a device for processing information. The economist Bastiat once commented that it is a miracle that Paris got fed every morning. For that to happen, Parisians' diverse tastes in breakfast foods must somehow become known to myriad bakers, café's, butchers, and grocers. Parisian consumers must obtain the knowledge that bread is available at the bakery, not at the tailors. The local needs of bakers and grocers must somehow become known to farmers and middlemen scattered around the countryside. Through the price system and other mechanisms, markets harness local knowledge and subjective tastes, setting in motion a process that results in the populace of Paris' being fed--all without any central planning or direction. This is extraordinary. Indeed, as we learn from our experience with communist economies (as economists Ludwig Von Mises and F.A. Hayek predicted decades ago), central planning cannot begin to coordinate the distribution of resources as effectively as the chaotic, decentralized market. Understanding that a market is a bottom-up learning process helps us to accept as inescapable realities several features of self-regulation.
First, establishing a system of self-regulation will take time. We should not forget that electronic commerce is still in its infancy.
Second, the goals of a system of self-regulation will evolve and change over time, and will vary widely across the e-commerce marketplace. Entrepreneurs will make informed guesses about privacy policies to allay their customer's fears (if any) of doing business online. Some entrepreneurs will get it wrong, and lose ground; others will get it right, succeed, and be imitated by late-comers. But entrepreneurs must be permitted to take their cues from the results of engaging in the marketplace, not from top-down commands.
One grave mistake made in the privacy arena is to dictate regulatory goals in response to surveys of consumer's views on privacy. Economists are extremely suspicious of using surveys to determine customer preferences, because no money is at stake. In markets, what counts are actions, not words. True preferences are revealed by actions. For example:
Talk is cheap. Surveys do not reveal customers' real attitudes nearly as well as actions. If concerns about privacy emerge in an ephemeral manner in response to a prompting from a survey, and are never acted upon, they are not worth transforming into regulatory goals. If, by contrast, concerns about privacy do affect consumer behavior, then they will emerge in the market with no need for regulation.
A second error in the debate about the state of privacy policies on the Internet has been the focus on absolute numbers of companies that have privacy policies--as opposed to the rate at which this number is increasing.
For example, the FTC's June 1998 survey of how many web sites posted privacy policies showed that 14% of a comprehensive sample posted privacy policies (around 70 percent of the 100 most popular sites did have such policies).
But the important question is not whether 4 web sites have privacy policies, or 40, or 400. Assuming for a moment that most sites ought to have privacy policies--the key question is how many web sites had such policies a year before? At what rate is the number of sites with such policies increasing? If the rate of increase is substantial, there is clearly no need for regulation, even if today the absolute numbers of sites remains relatively low.
Note that even if the rate of increase is low, or negative, does not make the case for regulation either; other key questions remain.
True systems of self-regulation are not enforced in a top-down manner. To state the blindingly obvious, these systems are voluntary. Companies opt to abide by the standards--or they do not. Some food companies might choose to qualify for a kosher food stamp shaped like the state of Texas, others will not. But generally, those who expect self-regulation to produce uniform enforcement across the electronic marketplace are not talking about self-regulation at all--they are talking about thinly masked government action.
This leads us to confront the possibility that comprehensive self-regulation on privacy will not take the marketplace entirely by storm, just as web site rating has not taken the Web by storm. Unlike UL ratings, questions about the content of speech--whether it is offensive or not respectful of privacy--are not life-or-death safety questions that invoke in all insurers a similar eagerness to avoid liability. Rather, questions about how much one cares about confidentiality or offensiveness are complex ethical preferences. Thus a market-based system of "self-regulation" is unlikely to look much like the UL system, where one standard is dominant. This suggests that both in the privacy context and the free speech context there will be many competing standards set by different third parties.
Indeed, in many sectors of the market, one might ask whether there is any reason for third-party supervised "self-regulation" to emerge at all. For example, take consumers of tropical fish equipment. Expert and "newbie" fish fanciers eagerly share information about web site sales and good products online. The hobby is expensive, and many are likely to welcome direct mailings offering discounts or other new information. Unlike medical devices, consumption of tropical fish supplies is unlikely to raise grave concerns about confidentiality. Ultimately, we might see nearly as many different privacy policies as there are e-commerce companies. A system of privacy "self-regulation" imposed uniformly on the market might well tend to collapse over time (rather as the Comics Code has) in any sector where there is little consumer demand for confidentiality. In some cases, no third-party rating systems would be able to capture the extraordinary variety of patterns of customer preferences that emerge.