Federal Standards for Internet Privacy: A Skeptical Approach

Share

Mr. Chairman, my name is Solveig Singleton and I am a lawyer atthe Cato Institute. In keeping with the truth in testimony rules, Inote that the Cato Institute does not receive any money at all fromthe federal government, nor has it in the past.

Today I will raise some key questions about the push for morefederal standards on privacy, and propose some answers. In a sense,the most valuable thing I have to offer will be the questions--it'shard to do the answers justice in a short period of time. But Ihope we can all agree that the questions I raise are serious ones.The persistence and nature of these questions in itself should giveCongress pause before it regulates.

Essentially, I'll make these points:

  • Strange assumptions about business ethics and markets underliethe push for federal standards.
  • Huge holes remain in our understanding of the economics ofe-commerce and of the economic benefits of the free flow ofinformation.
  • The standards by which self-regulation has been judged haveoften been quite unreasonable.

Privacy Premises About Morality

One key assumption behind the privacy movement is that we knowthat customers ought to have notice and consent about howinformation about them arising from a transaction should be used,as a matter of right.

But does this really make sense? Ordinarily, we are free to makeall kinds of observations about other people without their consent(this is how journalists make their living). If two people interactin a transaction, why should one party have a right to exclude theother from using the information arising from it? If I buy alawnmower from Sears, there's two entities involved in thetransaction--me, and Sears. Why should I have a sole claim on theinformation relating to that event? In a country that takes thefree flow of information seriously, why should I have the right toveto Sear's decision if it's managers choose to tell anotherbusiness about that transaction--communicating information aboutreal people and real events?

In the context of e-commerce, especially with sensitiveinformation, some businesses will give notice or experiment withmore sophisticated privacy options to retain customer loyalty--justas it has been vital for doctors to respect their patients'confidentiality. But this is a complex matter of businessethics--the one-size-fits-all approach won't work. Privacy is apreference that will vary from person to person, place to place,and over time. In some contexts it will matter to consumers andbusiness. In others, it will not.

In this country, with its long tradition of respect for businessand for the free flow of information, the assumption that thesecondary use of information collected from web sites ought to besending us into a frenzy of moral outrage is very peculiar. Toillustrate this point, a story ran in the New York Times about VicePresident Al Gore's "Write to the Vice President" web site.Somebody noticed that this site collected the names, addresses,grades, schools, and ages of children without requiring parentalconsent. Since then, its been changed. My point is about Al Gore'sweb master. I'm sure when his web master was designing that webpage it did not even occur to him that asking for this informationwithout getting consent was anything other than a normal, naturalthing to do. This illustrates just how new this is, how odd thetone of moral outrage that marks the movement towards federalstandards on privacy. It is removed from centuries of normal humanexperience.

The debate about privacy is not just a debate of right versuseconomics. It is a debate about the free flow of information versuscontrols on that information. Furthermore, the default rules forhow human beings exchange information about one another favor thefreedom of information--with privacy being by special arrangement.Generally, human beings are free to make observations about otherhuman beings, and record and report these--so long as they do notviolate a confidentiality agreement, hack into someone's web site,or break into their house. Usually our privacy rights have beenbounded by property right and contract obligations, with a handfulof narrow privacy torts available at common law.

Privacy Premises About Markets

A key unarticulated assumption behind the push for federalprivacy standards is that is that marketing exploits consumers andis not useful to them--so we don't need to worry much if ourregulation strangles targeted marketing. This is the old-fashionedview. But empirical research has established that marketing play acrucial role in getting information into the hands of consumers.Some of the information conveyed through advertising is biased(that's the point, and everyone knows it), but biased informationfrom a variety of sources is far better than none. Advertisingplays a key role in heightening competition, lowering prices, andimproving choice and quality; more targeting simply means it canplay that role at a lower cost. Consumers do not need to beprotected from these things.

There's another peculiar assumption here, and that is the ideathat somehow broad privacy protections (as opposed to just goodsecurity practices) are vital to the growth of electronic commerce,but somehow e-commerce companies are so silly that they won't moveforward and give consumers what they want on their own. Now if youstart with that assumption and look at the world--yes, you see alot of movement towards privacy seal programs--but not everyone isthere yet. And a lot of people then think, oh, there must be somekind of market failure. But what if the initial assumption isn'ttrue? What if the data we have on what consumers want, which we getfrom prompting them in a survey, is not that reliable?

These are the questions we should be asking, especially when welook out at the world and see electronic commerce taking off.Especially when there seems to be no reason in principle, lookingat the economics of the matter, for entrepreneurs to perverselyignore any aspect of consumer demand. Given the benefits thatconsumers have gotten from high-tech businesses in the last decade,the vast diversification of markets in response to a millionvariations on customer tastes, the view that business would notrespond to privacy preferences is an extraordinarily bizarre view.If they are not responding across the board, maybe its becausedemand isn't strong across the board.

Privacy: Reviewing Empirical Evidence OnPrivacy

We ought to look more closely at the type of evidence beingcollected and considered in the privacy debate. Frankly, theempirical work done so far has been dazzlingly shallow.

A good bit of that information comes from self-reported data onsurveys, from asking consumers "do you care about privacy?" Now,who would say "no" in answer to this question? Is the respondentdistinguishing privacy from security issues? From spam? Even ifthey are, talk is cheap. Real preferences are revealed byconsumer's actions, when they must consider the time and cost ofactually obtaining what the survey offers them for free.Self-reporting is simply not that reliable--try wandering aroundamong some of the tourists assembled in the mall for the Fourth ofJuly and ask them if their kids are smarter or dumber than average.As Chet Thompson of Prodigy once noted, "Market surveys toldProdigy that people wanted to do their grocery shopping bycomputer. They didn't."

Here are some other studies that ought to be performed in orderto better judge the impact on consumers of federal privacystandards:

  • A study of whether businesses that have not posted privacypolicies have experienced similar rates of growth to those whohave.
  • A study of the impact on small business and startups oftop-down privacy regulation.
  • A study of how businesses, especially startups, use informationto enter new markets & to develop new products.
  • A study of the cost saving obtained by doing targeted ratherthan direct marketing.
  • A study, not of the number of sites that post privacy policiesin absolute terms--but of the number of sites that post suchpolices as compared to the number that posted such policies a yearago, a year and a half ago, 2 years ago. What is the rate ofincrease?

What all these studies have in common is that they all reflectactual behaviors and costs, not hypothetical preferences. (Onecaveat; in emphasizing these holes in our understanding I do notmean to imply that an empirical finding, for example, thatconsumers really do want privacy, would justify regulation--theconflict in principle between privacy and the free flow ofinformation is still inescapable, as is the need for evidence ofmarket failure).

Imagine if Congress to address the question of cable ratederegulation simply by directing the FCC to ask consumers if theywould prefer lower cable prices. Clearly, that would be disastrous.Yet we see some policymakers cheerfully considering privacyregulation for electronic commerce largely on the basis of surveydata, as if regulating the Internet is a casual thing, like tossingoff a Christmas mailing.

Judging Self-Regulation

I will leave it to other presenters to present figures about howthe use of privacy seal programs has grown, and to describe thoseprograms. I am going to talk about how to assess these programs.It's important to start with realistic expectations.

  • What should the goals of self-regulationbe?

    The goals of a system of self-regulation should be evolve overtime in the marketplace. One characteristic of demands made one-commerce merchants respecting privacy "self-regulation" has beenthat the goals of the regulation are assumed to be known.Regulators have insisted that a system of self-regulation mustensure that customers have notice of how their data is being used,that they have a choice about whether it is not be collected ornot, and so on.

    In the real world, however, no one really knows what state ofaffairs "ought" to obtain with respect to privacy. The question ofwhen human beings will need to reveal information to gain trust,will be willing to offer trust without information, and will needto respect confidentiality to gain trust is a bafflingly complexquestion.

    The goals of systems of self-regulation will evolve and changeover time, and will vary widely across the e-commerce marketplace.Entrepreneurs will make informed guesses about privacy policies toallay their customer's fears (if any) of doing business online.Some entrepreneurs will get it wrong, and lose ground; others willget it right, succeed, and be imitated by late-comers. Butentrepreneurs must be permitted to take their cues from the resultsof engaging in the marketplace, not from top-down commands.

  • How long should self-regulation take?

    What is a market? A market is a device for processinginformation. The economist Bastiat once commented that it is amiracle that Paris got fed every morning. For that to happen,Parisians' diverse tastes in breakfast foods must somehow becomeknown to myriad bakers, café's, butchers, and grocers.Parisian consumers must obtain the knowledge that bread isavailable at the bakery, not at the tailors. The local needs ofbakers and grocers must somehow become known to farmers andmiddlemen scattered around the countryside. Through the pricesystem and other mechanisms, markets harness local knowledge andsubjective tastes, setting in motion a process that results in thepopulace of Paris' being fed--all without any central planning ordirection. This is extraordinary. Indeed, as we learn from ourexperience with communist economies (as economists Ludwig Von Misesand F.A. Hayek predicted decades ago), central planning cannotbegin to coordinate the distribution of resources as effectively asthe chaotic, decentralized market.

    Understanding that a market is a bottom-up learning processhelps us to expect that establishing systems of self-regulationwill longer than a year, two years, or three years. The embryonicprivacy seals programs we see now will ultimately be supplementedby gated "safe" communities online (such as AOL and E-bay), andintelligent "bots" and infomediaries to guide consumers through,and other technological and business innovations. The process willnever really end.

  • What if not everyone participates?

    FTC Commissioner Orson Swindle pointed out recently that thegoalposts for privacy regulation are moving. A year ago, theconcern was we would not have thriving e-commerce if we don't solvethe privacy problem. Well, electronic commerce took off, andthere's a lot of progress with the privacy problem. So the wordinghas changed. Now, we can hear that e-commerce will never rise toit's full potential, because the market hasn't moved fast enough.Maybe the idea is that if the trained seal balances the ball on hisnose the first time, we'll just keep adding balls and sooner orlater they'll fall off and then we'll call that a marketfailure.

    Given the vast numbers of start-ups, wild experiments, and smallbusinesses that will be the next generation of pioneers ine-commerce, it would be unlikely that all of them willautomatically concede the importance of having a privacy seal ontheir sites, unless and until they see significant indication ofcustomer demand for it. Perhaps some sites that participate willhave some sinister purpose in mind, but most of them will simply beordinary businesses who simply don't share the vision of a privacyimperative. A lot of them will be noncommercial, amateur sites, orsites that are borderline commercial or noncommercial.

    It would be a grave mistake to assume that because a businessdoesn't have a seal or post a notice, it ought to become a targetof regulation. Lacking a privacy policy simply isn't even close tobeing evidence that that site poses a danger to consumers, in anyreal sense. Treating these sites as legitimate enforcement targetswould be wrong, and deeply insulting to hundreds of honestentrepreneurs. And it creates some serious practical problems, too.Enforcement efforts will be far, far more effective if they can betargeted against actual perpetrators of identity theft, fraud, andso on. Requiring enforcers to disperse their focus to hundreds ofsites simply because those sites don't have a seal would be anincredible waste of time.

    What about bad actors? Sites that actually do perpetrate fraudor scams of some sort? There are many laws already against fraudand deceptive practices.

    Self-regulation that arises as a natural outgrowth of consumerdemand is truly voluntary and decentralized. Kosher food labels area good example, offering consumers a choice of many differentstandards--or none at all. But for many quality and customerservice issues, no third party standards or oversight at all arenecessary for "self-regulation." That is, true market-basedself-regulation blurs into no regulation at all, with each company"regulating" itself according to internal standards of customer orclient service and no third party oversight. Bad service is checkedby competition.

    Ultimately, we might see nearly as many different privacypolicies as there are e-commerce companies. A system of privacy"self-regulation" imposed uniformly on the market might well tendto collapse over time (rather as the Comics Code has) in any sectorwhere there is little consumer demand for confidentiality. In somecases, no third-party rating systems would be able to capture theextraordinary variety of patterns of customer preferences thatemerge.

Conclusion: What is Minimal Regulation?

Given the flurry of concern about privacy, even legislators andbusinesses worried about the impact on electronic commerce arealmost ready to concede the need for "minimal regulation"--justrequiring sites to post their policies, that's all. But from mystandpoint that's too radical a step, both unnecessary and not wellinformed. What kind of enforcement mechanism would we create? Do wereally want to penalize the honest owner of a 50 year-old hardwarestore in Peoria because he put up his web site without a privacynotice? Why should enforcement resources be devoted to this? Foronce, the Cato Institute's position isn't the radical one. Thingsare working fine as they are; leave the Internet alone.

Solveig Singleton

Subcommittee on Telecommunications, Trade and Consumer Protection
United States House of Representatives