Four Unintended Consequences of Misapplied Privacy Regulation

Today Reason has published my policy paper addressing privacy concerns created by search, social networking and Web-based e-commerce in general.

These web sites have been in regulatory crosshairs for some time, although Congress and the Federal Trade Commission have been hesitant to push forward with restrictive legislation such as “Do Not Track” and mandatory opt-in or top-down mandates such as the White House drafted “Privacy Bill of Rights.” An the U.S. seems unwilling to go to the lengths Europe is, contemplating such unworkable rules like demanding an “Internet eraser button”—a sort of online memory hole that would scrub any information about you that is accessible on the Web, even if it is part of the public record.

In my paper, It’s Not Personal: The Dangers of Misapplied Policies to Search, Social Media and Other Web Content, I discuss the difficulty of regulating personal disclosure because different people have different thresholds for privacy. We all know people who refuse to go on Facebook because they are wary of allowing too much information about themselves to circulate. Where it gets dicey is when authority figures take a paternalistic attitude and start deciding what information I will not be allowed to share, for what they claim is my own good.

Top down mandates really don’t work, mainly because popular attitudes are always in flux. Offer me 50 percent off on a hotel room, and I may be willing to tell you where I’m vacationing. Find me interesting books and movies, and I may be happy to let you know my favorite titles.

Instead, ground-up guidelines that arise as users become more comfortable with the medium, and sites work to establish trust, work better. True, Google and Facebook often push the envelope in trying to determine where user boundaries are, but pull back when run into user protest. And when the FTC took up Google’s and Facebook’s practices, while the agency shook a metaphorical finger at both companies’ aggressiveness, it assessed no fines or penalties, essentially finding that no consumer harm was done.

This course has been wise. The willingness of users to exchange information about themselves in return for value is an important element of e-commerce. It is worth considering some likely consequences if the government pushes too hard to prevent sites from gathering information about users.

Free Services Go Away

Hundreds of thousands, if not millions, of sites support themselves through targeted advertising. If the federal government began to clamp down on websites’ ability to use consumer information to target ads, an immediate consequence would be a decline in the amount of free content, information and services available on the Web. A University of Toronto study of Web sites in Europe, where targeted advertising is heavily regulated, found that advertising effectiveness decreased 65 percent relative to counterparts in the rest of the world, and predicts that of European sites will see a declining share of the $8 billion in global online ad revenues decrease over time because they can’t effectively deliver an audience of interested customers.

This may explain why there are no European search of social media sites that rival Google and Facebook, and why Hyves, a Netherlands-based social networking sites, charges a fee for users access most of the benefits Facebook, LinkedIn, Google+ and Pinterest users get for free.

‘Mother, May I?’ trumps experimentation

Regulation forces companies to evaluate compliance issues before pursuing a potentially innovative product or service direction. As a result, innovation is slowed, or does not happen at all, not because of market considerations, but on the advice of legal counsel. This is a major risk of any regulation or legislation in technology, an area that is constantly changing and evolving, and where success and survival often hinge on out-of-the-box thinking. It is another reason why guidelines are preferable to law.

Regulations against information-sharing undermine the community-building benefit of the medium

One of the reasons people go online is to meet and interact others who share interests and passions. Individuals with unique interests—from birdwatching to Axis & Allies gaming—can connect with far more like-minded individuals than they might in their own geographic community. These communities in turn build knowledge bases that the general population of users can turn to from time to time. For example, someone planning a vacation in New York City can use Google to find a bevy of bulletin boards and forums, some quite granular, that provide information about shows, restaurants and attractions, all from people who have shared their experience. These boards thrive because search engines like Google and social networks like Facebook drive traffic to them—all based on preferences. Regulate this technology away and the Web loses its unique community-building character.

Privacy regulation won’t address information security issues

Politicians often conflate privacy and security. The two are related, but are not the same thing.

Security pertains to the protection of critical user information that, if disclosed, can result in theft or fraud. Neither Do Not Track nor the on-line privacy “bill of rights” truly addresses security issues related to on-line information.

Wire fraud laws already make it illegal to steal user information. Identity theft and identity fraud are crimes. Companies that fail to adequately protect confidential and sensitive information, such as social security numbers, banking information or specific health-related data, that in the wrong hands could be used for malicious purposes. By contrast, the information websites collect, collate and process for targeted marketing is not highly personal and confidential, but has to do with individual habits and preferences that could otherwise be easily observed—does the person prefer beer or wine? The Cubs or the White Sox? Mystery novels or biographies? For the most part, it is anonymized. True, Facebook and other sites allow users to post pictures and disclose more intimate personal details such as religion or sexual orientation, but again, users can decide whether to disclose these facts and, if they do, decide who may see them. Opt-in, Do Not Track and privacy bills of rights are all about substituting government mandates for individual discretion. They do not strengthen or expand on any current laws against online fraud or theft, which by themselves are quite strong.

Make no mistake, personal choice must be respected, and the right to confidentiality should be protected. Yet specific harms must be understood, delineated and targeted in any legislation or regulation before it goes forward. The information economy is called so for a reason. Nothing would be more counterproductive to it than clumsy government policies designed to generally inhibit the voluntary exchange and use of information. Right now, search, social media and informational websites are the most visible users of consumer information, but in the background, many of the automated, intelligent services we expect the Web to support will need to trade in user information. These include such basic applications as Web-enabled home appliances, such as refrigerators that sense when you’re low on milk to more critical services such as health care management. This is why it’s best to derive privacy policies from a strong and constantly evolving knowledge base of best practices, rather than to codify them into laws that, in their failure to foresee innovation, will discourage it.