Tag: common law

Rights in the Balance

The right to swing my fist ends where the other man’s nose begins.

The saying, it turns out, has some of its pedigree in Prohibition, during which the right to serve drinks was said to interfere with the rights of the family. But misapplication to “group rights” aside, it’s a phrase that captures our system of rights well. You are (or should be) free to do whatever you wish, so long as you don’t injure others in their rights.

You can see society hammering out the dividing line between rights in a case that produced a jury verdict last Friday: Hulk Hogan vs. Gawker. The provocative website published a mid-2000 video of the former wrestler and TV personality having sex with a friend’s wife. Hogan sued and won a verdict of $115 million, which Gawker will appeal.

The argument on Hulk’s side is that public exposure of a person’s intimate moments and bodily functions violates a right to privacy. The free speech argument is that a person has a right to broadcast and discuss anything he or she pleases.

These are both important rights. The privacy right is a little younger, having developed since about 1890. The free speech right pre-existed its 1791 acknowledgement in the Bill of Rights, so speech has a stronger heritage. But the dividing line will never be decided once and for all. Common practices and common mores will set and reset the line between these rights through accretion and erosion, the way a winding river divides a plain. That way of producing rules is very special: common law courts deciding in real cases what serves justice best.

Hackers Remotely Kill a Jeep

This is a very interesting development—one that’s been coming for a long time: Your car is a computer, some cars can be hacked, and now we know they can be hacked in dangerous ways.

The correct public policy response is implicit in this very good Wired article describing the whole thing. “Automakers need to be held accountable for their vehicles’ digital security,” writer Andy Greenberg says, quoting auto hacker Charlie Miller thus: “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers.”

That’s two very important consumer protection systems in a couple of brief sentences: In one, carmakers suffer lost sales if their cars are hackable or perceived as such. The market feedback system—including the article itself—causes automakers to work to make their cars less hackable.

Magna Carta Day

The liberties we Americans enjoy were hard-won over the centuries. Today we mark a major event in that struggle, the day in 1215 when English barons presented King John with a written list of rights they demanded he recognize. Known ultimately as Magna Carta, the Great Charter, it was a compact between the barons and their king, a political effort by subjects to secure their liberty by placing their ruler under the rule of law, thus limiting arbitrary power.

The charter has gone through several iterations, but it drew in part from the common law rights, especially rights of property, that judges in the king’s courts had been finding from reason and custom as they decided controversies the king’s subjects brought before them. What Magna Carta did was bring those same rights against the king. Most important for us today was the promise found in clause 29:

No freeman shall be taken or imprisoned or deprived of his freehold or of his liberties or free customs, or outlawed, or exiled, or in any manner destroyed, nor shall we go upon him, nor shall we send upon him, except by a legal judgment of his peers or by the law of the land.

Note first the broad terms of clause 29: that enabled it to apply not just to the issues at hand but to varied future situations. Second, notice that only “freemen” were protected. The barons came to realize, however, that if their rights were to be maintained against the king, they would need the cooperation of all classes. Thus, the charter came in time to protect “common” liberties.

Each of those issues has informed the American experience. First, Magna Carta itself inspired our Founders to limit power through a written document, our Constitution. Second, clause 29 is captured in the Fifth Amendment, which provides that no person shall be deprived of life, liberty, or property, without due process of law. And third, Magna Carta’s capacity to grow is reflected by the post-Civil War inclusion of the Due Process Clause in the Fourteenth Amendment. That brought the Bill of Rights to bear not only against the federal government, its original limit, but against the states as well. We owe much to this English inheritance.

Cross-posted at the National Constitution Center’s Constitution Daily.

E-Verify and Common Sense

This weekend, New York Times op-ed columnist Ross Douthat wrote a piece full of common sense thinking about immigration control and the E-Verify federal background check system.

“Common sense”—or “what most people think”—is an interesting thing: When generations of direct experience accumulate, common sense becomes one of the soundest guides to action. Think of common law, its source deep in history, molded in tiny increments over hundreds of years. Common law rules against fraud, theft, and violence strike a brilliant balance between harm avoidance and freedom.

When most people lack first-hand knowledge of a topic, though, common sense can go quite wrong. Such is the case with ”common sense” in the immigration area, which is not a product of experience but collective surmise. Douthat, who has the unenviable task of leaping from issue to issue weekly, indulges such surmise and gets it wrong.

Take, for example, the premise that American workers lose when immigration rates are high: “Amnesty,” says Douthat, would “be folly (and a political nonstarter) in this economic climate, which has left Americans without high school diplomas (who tend to lose out from low-skilled immigration) facing a 15 percent unemployment rate.”

On the whole, American workers do not lose out in the face of immigration. To the extent some do, it is penny-wise and pound foolish to retard our economy (in which displaced workers participate) and overall well-being (which affects displaced workers, too) in the name of protecting status quo jobs for a small number of native-borns.

Full immigration reform that includes generous opportunities for new low-skill workers is not folly, whatever its political prospects may be.

But I want to focus on Douthat’s conclusion that E-Verify is the way forward for immigration control. He cites a study finding that Arizona’s adoption of an E-Verify mandate caused the non-citizen Hispanic population of Arizona to fall by roughly 92,000 persons, or 17 percent, over the 2008–2009 period, and concludes:

[M]aybe — just maybe — America’s immigration rate isn’t determined by forces beyond any lawmaker’s control. Maybe public policy can make a difference after all. Maybe we could have an immigration system that looked as if it were designed on purpose, not embraced in a fit of absence of mind.

Though tentative, his implication is that a national E-Verify mandate is the solution. Everything that came before was the product of fevered impulses.  Maybe E-Verify is the most practical solution. Douthat’s calm tone sounds like common sense.

Ah, but neither Douhtat or the authors of the study have thought that problem all the way through (and the study doesn’t claim to): The decline in Arizona was not produced simply by moving illegal immigrants from Arizona back to Mexico and Central America. They went to Washington state and other places in the United States that are less inhospitable to immigrants. A national E-Verify mandate would offer no similar refuge, and the move to underground (or “informal”) employment would occur in larger proportion than it did in Arizona.

The report also cautions that the honeymoon in Arizona may not hold:

[T]he initial effects of the legislation are unlikely to persist if actors in the labor market learn that there are no consequences from violating these laws. Hence, for long-term effectiveness, policymakers should also consider the role of employer sanctions, which have not played a large role in Arizona’s results so far. However, policymakers must weigh the sought-after drop in unauthorized employment against the costs associated with shifting workers into informal employment.

That’s antiseptic language for: investigations of employers, raids on workers, heavy penalties on both, and growth in black markets and a criminal underground. “Balmy” is a way of describing the temperature potatoes pass through in a pressure cooker.

It’s hard, on analysis, to see Arizona’s experience being replicated or improved upon by an E-Verify mandate that’s national in scale without a great deal of discomfort and cost. I surveyed the demerits of electronic employment eligibility verification in “Franz Kafka’s Solution to Illegal Immigration.”

There is more not to love in the Douthat piece. Take a look at this shrug-o’-the-shoulders to the deep flaws in the concept of “internal enforcement” and E-Verify:

Arizona business interests called it unfair and draconian. (An employer’s business license is suspended for the first offense and revoked for the second.) Civil liberties groups argued that the E-Verify database’s error rate is unacceptably high, and that the law creates a presumptive bias against hiring Hispanics. If these arguments sound familiar, it’s because similar critiques are always leveled against any attempt to actually enforce America’s immigration laws. From the border to the workplace, immigration enforcement is invariably depicted as terribly harsh, hopelessly expensive and probably racist into the bargain.

We should disregard these problems because they’re familiar? With regard to E-Verify, they’re familiar because they are the natural consequence of dragooning the productive sector into enforcing maladjusted laws against free movement of people from a particular ethnic category to where their labor is most productive.

Problem-solving is welcome, and columnists like Ross Douthat have to at least point to a solution with regularity. But this effort, sounding in common sense, does not rise to the challenge. The solution is not even more enforcement of laws inimical to human freedom. The solution is reforming immigration laws to comport with … common sense!

Krugman and Oil Spills, cont’d

Last week Paul Krugman seized on the Gulf oil spill as another occasion to bash libertarians in general and the great Milton Friedman in particular. On Friday David skewered the Times columnist over his odd rhetorical ploy of treating politicians’ failure to follow Friedman’s principles as a refutation of those principles. Now economist Alex Tabarrok at Marginal Revolution reports that Krugman also completely misunderstands the current set of laws governing oil spill liability:

The Oil Pollution Act of 1990 (OPA), which is the law that caps liability for economic damages at $75 million, does not override state law or common law remedies in tort (click on the link and search for common law or see here). Thus, Milton Friedman’s preferred remedy for corporate negligence, tort law, continues to operate and there is no doubt that BP’s potential liability under common law alone would be in the billions of dollars.

…The point of the OPA was not to limit tort law but to supplement it.

Tort law, as traditionally understood, could only be used to recover damages to people and property rather than force firms to pay cleanup costs per se. Thus, in the OPA as I read it – and take the details with a grain of salt since I’m not a lawyer–there is no limit on cleanup costs. Moreover, the OPA makes the offender strictly liable for cleanup costs which means that if these costs are proven the offender must pay them regardless (there are a few defenses, such as an act of war, but they are unlikely to apply). The offender is also strictly liable for up to $75 million in economic damages above and beyond cleanup costs. Thus the $75 million is simply a cap on the strictly liable damages, the damages that if proven BP has to pay regardless. But there is no limit, even under the OPA, on economic damages in the event that BP failed to follow regulations or is otherwise shown to be negligent (same as under common law).

The link Krugman supplies, and perhaps the source of his error, was this Talking Points Memo item baldly describing “the maximum liability for oil companies after a spill” as “a paltry $75 million.” Even the most passing acquaintance with the aftermath of real-world oil spills should have been enough for Krugman and TPM author Zachary Roth to realize that liability for assessments to this one federal rainy-day fund is but one component, perhaps but a minor one, of liability for overall spill damage. And even as regards this one specialized federal fund, Krugman and Roth got it wrong, as a glance at the May 1 edition of Krugman’s own paper would have revealed:

When a rich and well-insured company like BP is responsible for the spill, the government will seek reimbursement of what it spends on cleanup from the company and its insurers.

So Krugman’s post not only strained to take a cheap shot at libertarians, but also thoroughly botched a factual background that it would have been easy enough for him to have looked up. Other that that, it was fine.

On Notice

I’m delighted that Julian Sanchez has joined us at Cato. He’s as smart as they come. I’m equally pleased that I’ll have an intellectual sparring partner here on some of my issues from time to time. I encouraged Julian to share here some of what we had been discussing about privacy notices via email.

There are lots of dimensions to our conversation, but I’ll summarize it as follows: Can federal statutes protect Web surfers’ privacy? (We’re talking about privacy from other private actors, not privacy from government. Government self-control expressed in federal statutes could obviously improve privacy from government.)

Julian can see a couple of statutes helping: a requirement that third-party trackers provide a link explaining what they do, and a requirement that privacy policies be enforceable.

I think the former is a fine thing if people want it. I’m dubious about its benefits, though, and wouldn’t mandate it. The latter is the outcome I prefer—strongly!—but a federal statute is the wrong way to get there.

As you read Julian’s comment and mine, I think the divide you’ll see is a common one among libertarians. Some of us love efficiency and wealth creation, which is such a delightful product of free markets. And some of us love freedom for its own sake, not just for free markets, efficiency, and wealth creation. We’ll give up a little efficiency and wealth (in the short term) to protect liberty.

I’ll discuss the topic in the order I would as a legislative staffer (which I was), treating first the subject Julian left to last: whether the federal government has a constitutional role.

Is It Constitutional?

As we all know, the U.S. constitution gave the federal government limited powers, reserving the rest to the states and people. This was for a number of reasons, including contemporary experience with the imperiousness of a remote government.

Technology and communications might eventually change things, but so far nothing has overcome the proclivity of remote powers to misunderstand their subjects and act badly toward them, ignorant of their needs. (I’ll discuss how little the federal government—or anyone—knows about consumers’ privacy interests below.)

The constitution did give the federal government power to “regulate commerce with foreign nations, and among the several states, and with the Indian tribes.” Under the articles of confederation, the states had fallen into trade protectionism, and the purpose of this power was to suppress this form of parochialism.

It’s a straightforward inference from the grant of like authority over international, interstate, and tribal commerce that this was not a general grant to regulate all things we today call “commercial.” It was authority to make regular the buying and selling of things across jurisdictional lines. The Supreme Court allowed the limits on the commerce power to be breached in the New Deal era.

Has the constitutional design of our government been rendered quaint by the emergence of national markets for goods and services? By that international marketplace for goods, services, and ideas that we call the Internet?

No. Because the constitution and the commerce clause were not a commercial charter. They were the design of what we would today call a “political economy.” The framers designed in competition for power among branches of the federal government and between the states and federal government. Government powers contesting against each other would leave the people more free. I won’t recite how federalism works in every detail, but I encourage people to familiarize themselves with its genius.

National markets and the Internet do weaken federalism in some respects. They make it harder for businesses to exit states that make themselves unfriendly through high taxes, poor services, and inefficient regulation. Thus it is harder to hold state officials accountable. But this is no argument for removing their power to a more remote level of government, from which consumers and businesses have no power of exit save leaving the country! Establishing federal commercial rules would cut tendons in the political economy that the constitution created.

And with the whole country under the same rule, there would be almost no way to learn whether a better rule is preferable. A national rule established in ignorance of what the future holds (and they all are) stands a decent chance of being inefficient, unjust, or ill-adapted to new developments in technology, consumer demand, or business models. But there’s no corrective mechanism. Short-term efficiency gained by stabilizing expectations comes at the cost of long-term sclerosis.

There are ways consistent with the constitution to harmonize state laws while leaving states free to innovate in response to change, I hasten to point out.

The “national markets” argument for federal preemption is supported by many efficiency-oriented libertarians. But as markets globalize, the argument will support global regulation equally well. This is something that many of those same libertarians oppose. Perhaps they believe that American politicians can be trusted but not foreign ones—I don’t know, and I don’t see much difference between them. There are many good reasons for preferring local or personal regulation to national or global.

Does Notice Work?

But let’s assume the federal government is going to act in this area, and that we have been assigned to write a statute that promotes the privacy of Web-surfers. Does requiring third-party trackers to provide notice do that? I don’t think so.

First, let’s be more precise about the problem we’re trying to fix. Julian says that there exists a set of consumer expectations that are not being met. “Empirically,” he says, most people don’t expect to be monitored all the time unless they’ve been explicitly warned otherwise. I take Julian’s point to be that this lack of notice is depriving them of information they need to exercise privacy-protective self-help. The result is less privacy than consumers would have with notice and lower consumer welfare.

I haven’t seen the research on which Julian bases his statement about consumer expectations, and I don’t know of any public opinion research that has overcome the deficits Solveig Singleton and I identified in our 2001 paper on privacy polling.

If people have these expectations, they’re counterfactual. I’m willing to be corrected if it’s no longer true, but I believe that most servers record and store the IP addresses from which they have received requests for data, monitoring and archiving records of all visitors in at least an elemental sense.

I don’t think consumers’ expectations are terribly clear. Expectations are still being set, and my recent post about the White House’s cookie policy was a volley in the battle to set them.

My preference is for consumers to be empowered and required to protect themselves from cookie-based tracking that they don’t want. I believe consumers are responsible for their choices in computers, software, Internet connection, and security. No computer is ever “coaxed” into releasing information if it hasn’t been set up to allow it.

Protection against unwanted data release isn’t easy in a changing technology environment, but Internet users have a great deal of help in making their choices, and they will get better at it if their well-being requires it. The alternative is nannying and regulation of the type most libertarians object to.

In his post, Julian appears to agree that people shouldn’t expect privacy in messages posted to public fora but then switches the subject slightly. Drawing an analogy between Web surfing and a changing room at a clothing store, he suggests that much online behavior is like undressing in a cordoned-off area on someone else’s premises. Decency (and, Julian says, law) requires notice when people might be observed in that setting.

I fear that Julian has lumped a lot of very different kinds of interaction together, making the online world legible for the purpose of writing a uniform rule about how it should work. Planners must do away with complexity, of course, but that is why planning fails so badly compared to the self-organizing done in markets and reflected in common law rules.

Again, given the thousands of different contexts of online communication, I don’t think people’s expectations are settled or static. People’s expectations when clicking from site to site sweep across a much wider, newer landscape than when they are buying a toaster, in which expectations truly are relatively settled.

But assuming that people do have the expectations Julian says, will notice that their expectations are not being met make them aware of it? Will it empower them to protect their privacy? Our experience with first-party tracking suggests otherwise.

In the late 1990s, the U.S. commercial Internet adopted a strong custom of posting privacy policies. It’s worth noting that this was adopted without government coercion (though there was the threat of coercion—in our business, we never get controlled experiments). Well-intended though this was, it has not spawned a culture of privacy.

What evidence there is suggests that people don’t read privacy policies. When people choose online service providers, they don’t compare the written policies of different providers. Their sources of information instead include news stories, friends, blogs—a marketplace of information much more robust than these privacy policies.

Consumers do adjust the online products and providers they use, mostly by shunning what they find scary. Firms adjust their privacy practices in light of their own and other firms’ flubs. I think much or all of this would happen regardless of whether there was a privacy notice on every homepage. (Again, we lack controlled experiments.)

The few privacy advocates who read notices—and even many privacy advocates don’t bother—routinely complain about how permissive they are. Many notices say, essentially, “We care about your privacy a lot! And we do whatever we please with the information you give us!”

Consumers do not seem willing to punish them for having such information policies. One possibility is that consumers don’t care about privacy in many circumstances. That’s not crazy. Another is that notices don’t inform. There’s a good chance that consumers take the existence of notice as an indication that they are being accorded privacy, regardless of what’s in the policy. Privacy notices may fool consumers into thinking they’re protected when they’re not.

In the main I can’t say our online culture is necessarily shaping up wrongly, but the presence of notice about first-party tracking has not made consumers much better off in terms of privacy. It may have given information to advocacy groups and watchdogs that they otherwise wouldn’t have gotten so easily, but links on every homepage are just ritual. The privacy conversation happens elsewhere. I don’t think this ritual should be extended and deepened with more notice about more things.

Julian is not alone in thinking it should, of course. There are many who would impose comprehensive notice regimes or refine the ones we’ve got. Many of these people confuse privacy notices with privacy, and privacy laws with privacy. I don’t think mandating privacy notices bears up as an effective consumer protection.

Easier Said Than Done

I also think there are a lot of practical problems and costs to mandating privacy notices.

As so many have before him, Julian asks for an “ordinary-language explanation” of what is going on. But we don’t yet have a reliable and well-understood language for describing all the things that happen with data. Much less do we know what features of data use are salient to consumers. Many blame corporate obfuscation for long, confusing privacy policies, but just try describing what happens to information about you when you walk down the street and the difficulty with writing privacy policies become clear.

Then there’s avoidance. A lot of tracking is fungible, and new innovations in tracking are sure to come, both on the technical side and the business side. If a notice regime were to stir consumer opposition to third-party tracking, the tracking could well shift back to first parties who could then serve up the products of tracking as third parties do now. What will the rule have done, then, but distort and raise costs in information markets without improving privacy?

The answer when notice fails to protect privacy, of course, is to ban tracking altogether, a goal that I think some privacy advocates maintain sub rosa. This would undercut the free-content Internet, which is supported by advertising, and which uses tracking for targeting. Mandating notice is a step toward giving people privacy they may not want while taking away content they do.

Julian would propose an elegant rule, of course, but would it survive the trip through a legislature? We have experience there, too, with California’s privacy policy mandate. Does it look simple to you? As statutes go, it actually is. (California Business and Professions Code Section 22575-22579, you’ve just been damned with faint praise…!)

There are plenty of seams in it, though. Take what it means to “conspicuously post” a privacy notice—a defined term in the legislation. Last year, a brouhaha broke out over the meaning of “conspicuously post” with regard to Google’s privacy policies. It would have been funny if it weren’t so stupid. By the reckoning of many, Google was failing to “conspicuously post” its privacy policy by failing to put a link to it on its homepage.

Google, of course, is a search engine. It helped bring about the end of the portal era, during which we went to sites with great masses of links. Google works hard to maintain a clean, crisp, “anti-portal” homepage, and its privacy policy was and is easily found via search. But it could not withstand the pressure to post a privacy link on its home page. Today, more people probably click on that link by mistake than on purpose.

Is html the last protocol? How do you implement a link to a privacy notice on services of the future that don’t necessarily use the Web? How much money and time should a revolutionary new Internet device or service using a new protocol spend arguing to the Federal Trade Commission that it should be allowed to proceed?

Of course, every new regulation is wafer-thin. I don’t oppose them because each and every one of them lack any merit—only because the entirety of them do more harm than alternatives would. So let’s now turn to my preferred alternative: common law.

Common Law Rules Rule

Julian analogizes his third-party notice rule to the common law contract doctrine of implied warranty, of which I approve because it has shown over generations to be a fair and efficient rule. Things sold as toasters are supposed to toast bread. If you’re selling a toaster that doesn’t do that, and if you don’t make that clear, you violate a term implied by common law into sales contracts. But rules that haven’t been tested and proven over time like this don’t deserve to be laws.

Until recently (in historical terms), all law was common law. People made up the laws that suited their needs and passed them from generation to generation. Julian’s description of common law as “parasitic” on social practice is inapt. Social practice and common law are on a continuum. When a custom is so deeply ingrained and wrapped up with the rights we accord people, we treat that custom as law and penalize or punish deviations through coercive means. (I don’t think there should be a lot of law, of course.)

With our habit for personality cults, we like to think that Hammurabi, Justinian, and Napoleon were “law-givers,” but what they did was write down law that already existed in the practices of the people. (In an age of mass illiteracy, it’s doubtful that writing something down did much to affect people’s behavior.)

When civil law countries started writing summaries of their law, they took one road: expert lawmakers would decide the rules that govern society.  Common law countries went down another path, in which courts formalized the law discovery process but did not seek to supplant it.

Legislatures in both systems today are typically bodies of non-experts—neither legal experts nor subject matter experts—who deign to script how society should work rather than letting society decide for itself. As we see daily in Washington, D.C., the result is not a system that gravitates toward fairness or efficiency, but a series of compromises dividing goodies (money and rules) among the best-represented interests in society, the rest of the population be damned.

No legislature today, and for all his smarts not Julian, has the knowledge needed to write an appropriate rule about what (if anything) people should be told when they go to a Web site or click on a link. With users having the ability to discern what a link does, and having knowledge that the Internet is a big copying machine, I think that the most efficient, fair, and protective rule will probably be caveat clickor. But I am willing to wait and see if that is best.

If consumers want to know something before they click, they are well equipped to let Web sites know their preferences. Let social customs evolve to meet the needs of consumers in light of ongoing multi-layered change in the Internet and its use.

“But doesn’t an ever-changing Internet make the case for some modest regulation? The Internet is so new! We really must have baseline rules or we’ll have costly disorder! We pay the price every day for our failure to regulate because people aren’t going online like they would if they were confident of their privacy!”

These are arguments regulators and social engineers make to sound “market friendly.” The problem is that they rest on the same unsupported assertions that Julian has made about privacy expectations, notice, human wants, and the interactions among these things.

There is plenty of surmise but little good evidence that people are staying offline because of privacy concerns. There is little understanding of how to get people to protect their privacy. Notice is at best an unproven technique, more probably a waste of time.

You can regulate in haste, but you won’t necessarily achieve anything. And it’s not the job of legislators—certainly not Congress—to make the privately owned and operated Internet more user-friendly.

Julian has it backward to suggest that statutes should move in to stabilize expectations when technology is fast-changing. That’s precisely the wrong time to congeal the rules.

When existing law doesn’t serve new conditions, custom followed by common law slowly discover adaptations to satisfy them. It takes some time—and it’s time that should be taken. The alternative, statutory law, has no corrective function to undo regulations that fail to suit later circumstances.

The notice rule Julian proposes is planning of the type we deplore when it comes to industrial production, the layout of towns and cities, transportation, energy, educational curricula, and so on. Why support it when it comes to online rules of engagement?

In my withering, fun attack on Julian’s notice rule, I’ve left out whether privacy notices should be enforceable. They should. As contract terms. I look forward to that rule being adopted at common law. I regret it each time the Federal Trade Commission disrupts the conditions that would establish that rule. And I’m eager to learn how society will solve the problem of damages.