TESTIMONY of

Solveig Singleton
Director of Information Studies, Cato Institute

before the

U.S. House of Representatives Subcommittee on Telecommunications, Trade and Consumer Protection

Federal Standards for Internet Privacy: A Skeptical Approach

Electronic Commerce: The Current Status of Privacy Protections for Online Consumers, July 13, 1999

Mr. Chairman, my name is Solveig Singleton and I am a lawyer at the Cato Institute. In keeping with the truth in testimony rules, I note that the Cato Institute does not receive any money at all from the federal government, nor has it in the past.

Today I will raise some key questions about the push for more federal standards on privacy, and propose some answers. In a sense, the most valuable thing I have to offer will be the questions--it's hard to do the answers justice in a short period of time. But I hope we can all agree that the questions I raise are serious ones. The persistence and nature of these questions in itself should give Congress pause before it regulates.

Essentially, I'll make these points:

• Strange assumptions about business ethics and markets underlie the push for federal standards.
• Huge holes remain in our understanding of the economics of e-commerce and of the economic benefits of the free flow of information.
• The standards by which self-regulation has been judged have often been quite unreasonable.

Privacy Premises About Morality

One key assumption behind the privacy movement is that we know that customers ought to have notice and consent about how information about them arising from a transaction should be used, as a matter of right.

But does this really make sense? Ordinarily, we are free to make all kinds of observations about other people without their consent (this is how journalists make their living). If two people interact in a transaction, why should one party have a right to exclude the other from using the information arising from it? If I buy a lawnmower from Sears, there's two entities involved in the transaction--me, and Sears. Why should I have a sole claim on the information relating to that event? In a country that takes the free flow of information seriously, why should I have the right to veto Sear's decision if it's managers choose to tell another business about that transaction--communicating information about real people and real events?

In the context of e-commerce, especially with sensitive information, some businesses will give notice or experiment with more sophisticated privacy options to retain customer loyalty--just as it has been vital for doctors to respect their patients' confidentiality. But this is a complex matter of business ethics--the one-size-fits-all approach won't work. Privacy is a preference that will vary from person to person, place to place, and over time. In some contexts it will matter to consumers and business. In others, it will not.

In this country, with its long tradition of respect for business and for the free flow of information, the assumption that the secondary use of information collected from web sites ought to be sending us into a frenzy of moral outrage is very peculiar. To illustrate this point, a story ran in the New York Times about Vice President Al Gore's "Write to the Vice President" web site. Somebody noticed that this site collected the names, addresses, grades, schools, and ages of children without requiring parental consent. Since then, its been changed. My point is about Al Gore's web master. I'm sure when his web master was designing that web page it did not even occur to him that asking for this information without getting consent was anything other than a normal, natural thing to do. This illustrates just how new this is, how odd the tone of moral outrage that marks the movement towards federal standards on privacy. It is removed from centuries of normal human experience.

The debate about privacy is not just a debate of right versus economics. It is a debate about the free flow of information versus controls on that information. Furthermore, the default rules for how human beings exchange information about one another favor the freedom of information--with privacy being by special arrangement. Generally, human beings are free to make observations about other human beings, and record and report these--so long as they do not violate a confidentiality agreement, hack into someone's web site, or break into their house. Usually our privacy rights have been bounded by property right and contract obligations, with a handful of narrow privacy torts available at common law.

Privacy Premises About Markets

A key unarticulated assumption behind the push for federal privacy standards is that is that marketing exploits consumers and is not useful to them--so we don't need to worry much if our regulation strangles targeted marketing. This is the old-fashioned view. But empirical research has established that marketing play a crucial role in getting information into the hands of consumers. Some of the information conveyed through advertising is biased (that's the point, and everyone knows it), but biased information from a variety of sources is far better than none. Advertising plays a key role in heightening competition, lowering prices, and improving choice and quality; more targeting simply means it can play that role at a lower cost. Consumers do not need to be protected from these things.

There's another peculiar assumption here, and that is the idea that somehow broad privacy protections (as opposed to just good security practices) are vital to the growth of electronic commerce, but somehow e-commerce companies are so silly that they won't move forward and give consumers what they want on their own. Now if you start with that assumption and look at the world--yes, you see a lot of movement towards privacy seal programs--but not everyone is there yet. And a lot of people then think, oh, there must be some kind of market failure. But what if the initial assumption isn't true? What if the data we have on what consumers want, which we get from prompting them in a survey, is not that reliable?

These are the questions we should be asking, especially when we look out at the world and see electronic commerce taking off. Especially when there seems to be no reason in principle, looking at the economics of the matter, for entrepreneurs to perversely ignore any aspect of consumer demand. Given the benefits that consumers have gotten from high-tech businesses in the last decade, the vast diversification of markets in response to a million variations on customer tastes, the view that business would not respond to privacy preferences is an extraordinarily bizarre view. If they are not responding across the board, maybe its because demand isn't strong across the board.

Privacy: Reviewing Empirical Evidence On Privacy

We ought to look more closely at the type of evidence being collected and considered in the privacy debate. Frankly, the empirical work done so far has been dazzlingly shallow.

A good bit of that information comes from self-reported data on surveys, from asking consumers "do you care about privacy?" Now, who would say "no" in answer to this question? Is the respondent distinguishing privacy from security issues? From spam? Even if they are, talk is cheap. Real preferences are revealed by consumer's actions, when they must consider the time and cost of actually obtaining what the survey offers them for free. Self-reporting is simply not that reliable--try wandering around among some of the tourists assembled in the mall for the Fourth of July and ask them if their kids are smarter or dumber than average. As Chet Thompson of Prodigy once noted, "Market surveys told Prodigy that people wanted to do their grocery shopping by computer. They didn't."

Here are some other studies that ought to be performed in order to better judge the impact on consumers of federal privacy standards:

• A study of whether businesses that have not posted privacy policies have experienced similar rates of growth to those who have.
  
  
• A study of the impact on small business and startups of top-down privacy regulation.
  
  
• A study of how businesses, especially startups, use information to enter new markets & to develop new products.
  
  
• A study of the cost saving obtained by doing targeted rather than direct marketing.
  
  
• A study, not of the number of sites that post privacy policies in absolute terms--but of the number of sites that post such polices as compared to the number that posted such policies a year ago, a year and a half ago, 2 years ago. What is the rate of increase?

What all these studies have in common is that they all reflect actual behaviors and costs, not hypothetical preferences. (One caveat; in emphasizing these holes in our understanding I do not mean to imply that an empirical finding, for example, that consumers really do want privacy, would justify regulation--the conflict in principle between privacy and the free flow of information is still inescapable, as is the need for evidence of market failure).

Imagine if Congress to address the question of cable rate deregulation simply by directing the FCC to ask consumers if they would prefer lower cable prices. Clearly, that would be disastrous. Yet we see some policymakers cheerfully considering privacy regulation for electronic commerce largely on the basis of survey data, as if regulating the Internet is a casual thing, like tossing off a Christmas mailing.

Judging Self-Regulation

I will leave it to other presenters to present figures about how the use of privacy seal programs has grown, and to describe those programs. I am going to talk about how to assess these programs. It's important to start with realistic expectations.

• What should the goals of self-regulation be?

  The goals of a system of self-regulation should be evolve over time in the marketplace. One characteristic of demands made on e-commerce merchants respecting privacy "self-regulation" has been that the goals of the regulation are assumed to be known. Regulators have insisted that a system of self-regulation must ensure that customers have notice of how their data is being used, that they have a choice about whether it is not be collected or not, and so on.

  In the real world, however, no one really knows what state of affairs "ought" to obtain with respect to privacy. The question of when human beings will need to reveal information to gain trust, will be willing to offer trust without information, and will need to respect confidentiality to gain trust is a bafflingly complex question.

  The goals of systems of self-regulation will evolve and change over time, and will vary widely across the e-commerce marketplace. Entrepreneurs will make informed guesses about privacy policies to allay their customer's fears (if any) of doing business online. Some entrepreneurs will get it wrong, and lose ground; others will get it right, succeed, and be imitated by late-comers. But entrepreneurs must be permitted to take their cues from the results of engaging in the marketplace, not from top-down commands.
  
  

• How long should self-regulation take?

  What is a market? A market is a device for processing information. The economist Bastiat once commented that it is a miracle that Paris got fed every morning. For that to happen, Parisians' diverse tastes in breakfast foods must somehow become known to myriad bakers, café's, butchers, and grocers. Parisian consumers must obtain the knowledge that bread is available at the bakery, not at the tailors. The local needs of bakers and grocers must somehow become known to farmers and middlemen scattered around the countryside. Through the price system and other mechanisms, markets harness local knowledge and subjective tastes, setting in motion a process that results in the populace of Paris' being fed--all without any central planning or direction. This is extraordinary. Indeed, as we learn from our experience with communist economies (as economists Ludwig Von Mises and F.A. Hayek predicted decades ago), central planning cannot begin to coordinate the distribution of resources as effectively as the chaotic, decentralized market.

  Understanding that a market is a bottom-up learning process helps us to expect that establishing systems of self-regulation will longer than a year, two years, or three years. The embryonic privacy seals programs we see now will ultimately be supplemented by gated "safe" communities online (such as AOL and E-bay), and intelligent "bots" and infomediaries to guide consumers through, and other technological and business innovations. The process will never really end.
  
  

• What if not everyone participates?

  FTC Commissioner Orson Swindle pointed out recently that the goalposts for privacy regulation are moving. A year ago, the concern was we would not have thriving e-commerce if we don't solve the privacy problem. Well, electronic commerce took off, and there's a lot of progress with the privacy problem. So the wording has changed. Now, we can hear that e-commerce will never rise to it's full potential, because the market hasn't moved fast enough. Maybe the idea is that if the trained seal balances the ball on his nose the first time, we'll just keep adding balls and sooner or later they'll fall off and then we'll call that a market failure.

  Given the vast numbers of start-ups, wild experiments, and small businesses that will be the next generation of pioneers in e-commerce, it would be unlikely that all of them will automatically concede the importance of having a privacy seal on their sites, unless and until they see significant indication of customer demand for it. Perhaps some sites that participate will have some sinister purpose in mind, but most of them will simply be ordinary businesses who simply don't share the vision of a privacy imperative. A lot of them will be noncommercial, amateur sites, or sites that are borderline commercial or noncommercial.

  It would be a grave mistake to assume that because a business doesn't have a seal or post a notice, it ought to become a target of regulation. Lacking a privacy policy simply isn't even close to being evidence that that site poses a danger to consumers, in any real sense. Treating these sites as legitimate enforcement targets would be wrong, and deeply insulting to hundreds of honest entrepreneurs. And it creates some serious practical problems, too. Enforcement efforts will be far, far more effective if they can be targeted against actual perpetrators of identity theft, fraud, and so on. Requiring enforcers to disperse their focus to hundreds of sites simply because those sites don't have a seal would be an incredible waste of time.

  What about bad actors? Sites that actually do perpetrate fraud or scams of some sort? There are many laws already against fraud and deceptive practices.

  Self-regulation that arises as a natural outgrowth of consumer demand is truly voluntary and decentralized. Kosher food labels are a good example, offering consumers a choice of many different standards--or none at all. But for many quality and customer service issues, no third party standards or oversight at all are necessary for "self-regulation." That is, true market-based self-regulation blurs into no regulation at all, with each company "regulating" itself according to internal standards of customer or client service and no third party oversight. Bad service is checked by competition.

  Ultimately, we might see nearly as many different privacy policies as there are e-commerce companies. A system of privacy "self-regulation" imposed uniformly on the market might well tend to collapse over time (rather as the Comics Code has) in any sector where there is little consumer demand for confidentiality. In some cases, no third-party rating systems would be able to capture the extraordinary variety of patterns of customer preferences that emerge.

Conclusion: What is Minimal Regulation?

Given the flurry of concern about privacy, even legislators and businesses worried about the impact on electronic commerce are almost ready to concede the need for "minimal regulation"--just requiring sites to post their policies, that's all. But from my standpoint that's too radical a step, both unnecessary and not well informed. What kind of enforcement mechanism would we create? Do we really want to penalize the honest owner of a 50 year-old hardware store in Peoria because he put up his web site without a privacy notice? Why should enforcement resources be devoted to this? For once, the Cato Institute's position isn't the radical one. Things are working fine as they are; leave the Internet alone.