Last Thursday, the Federal Trade Commission (FTC) hosted its first PrivacyCon (0). FTC Chair Edith Ramirez said (1) the event was an effort to “bridge the gap between the academic, tech, and policy worlds” and noted that some of the research presented “will lend support for current privacy and data security policies” while others “may lead us to rethink our assumptions.” The event’s call for proposals brought 90 abstracts (2), of which the FTC selected 19. Ten authors of rejected submissions were asked to be discussants. The day’s events revealed a lot about the FTC’s thinking regarding the policymaking process on online consumer privacy.
The FTC deserves commendation for its first attempt to hold a conference on the topic and for its open invitation for papers. That this regulator engaged in collecting information fulfills the classic notion of good regulation. It would seem that reviewing the research on the topic would be a necessary first step in defining a problem and determining whether regulatory intervention is needed.
Two ways of thinking about online privacy
All regulation is founded on underlying assumptions (3). This is also true of consumer privacy, which can be viewed through two competing paradigms. One model is that of rational choice, in which an individual weighs the costs and benefits of privacy and makes a decision accordingly. The other view, often referred to as the “behavioral research” approach, paints the user as being at the mercy of external factors that determine whether she reveals or conceals herself. The former tends to support solutions and technologies that empower consumers to make their own choices and suggests that firms, valuing their customers, will take proactive steps to steward their experience. The latter holds that privacy tools are inevitably unreliable and that firms take predatory advantage of users. According to this view, regulation is needed to keep firms in check and to protect consumers.
Focusing its first privacy conference on an examination of these two paradigms would seem a natural place for the FTC to start. Indeed, one submitted (but unfortunately rejected) paper (4) reviews three experiments that test the two paradigms against each other. Instead, the FTC set the stage with a preconceived behavioralist view. The first three sessions, while bearing objective-sounding titles such as “The state of online privacy” and “Consumers’ privacy expectations,” featured 11 papers that all posited the user in a perilous situation needing FTC rescue. Thus, by featuring “academic papers,” the FTC created the appearance of a balanced, evidence-based approach. In reality, however, the agency carefully selected papers that support its enforcement policy and rejected the ones that do not.
The submissions the FTC chose to ignore
Here are some of the rejected submissions that would have helped the FTC “rethink its assumptions”:
1. “Privacy concern, trust, and desire for content personalization (5)” concludes that further study of the benefits, not just the costs, of personalization could be helpful for policy research (Stevenson and Pasek).
2. “Information privacy and information glut (6)” discusses the limitations of regulation to promote privacy (Harley and Zwienenberg).
3. “Towards a modern approach to privacy-aware government data releases (7)” explores the privacy challenges associated with government information (Gasser).
4. “Tor: Privacy enhancing technology in real life (8)” by GitHub’s Jim Rennie and “How changes to privacy policies impact consumers: An empirical study of PayPal and its customer relationship (9)” by Karl Muth and Vanessa Burrows of PayPal feature real-world stories of how companies resolve privacy dilemmas.
5. “Markets for privacy and data security: An economic and legal analysis for the Internet of Things (10)” suggests a limiting principle of applying unfair and deceptive standards to machine-to-machine communications (Manne and Sperry). Separately, Gus Hurwitz has also described the judicial censure of the FTC’s overzealous interpretation of Section 5 of the FTC Act as it relates to data security (11).
The FTC faces pushback
The FTC also faced pushback from some of the discussants. Notable was Omer Tene of the International Association of Privacy Professionals (IAPP), who observed that IAPP’s membership has doubled in the last three years and now stands at 25,000. This fact demonstrates that firms of their own accord are making an investment in privacy expertise. The IAPP’s annual Privacy Governance report (12), which was rejected by the FTC, noted that companies in less regulated industries (for example, Internet companies, marketing firms, and retail firms) tend to invest more in privacy than do companies in heavily regulated industries (for example, health care, finance, and telecommunications), which must comply with privacy regulations. IAPP also found that, despite Europe’s strict privacy regulations, privacy maturity is actually greater among American firms.
The “Economics of privacy and security” session paid some attention to the rational user paradigm, and the session on “Security and usability” highlighted promising technical solutions. Discussant Siona Listokin had perhaps the most important conclusion of the entire day: namely, that the FTC lacks a valid metric for the empirical study of data privacy and security. (Surprise — her paper (13) was rejected too.) Discussant James Cooper, whose paper on pooling equilibrium (14) was also rejected, deftly observed that the selected papers failed not only to quantify consumer harm but also to even prove the presence of harm.
Given the lip service the FTC paid to the concept of privacy by design, one of the more glaring omissions was a paper coauthored (15) by a Microsoft employee on that very topic. It describes the practical reasons privacy by design has not taken hold, which include convoluted regulation, poor definitions, regulatory focus on compliance rather than innovation as a means to address social concerns, preference for ad hoc legal responses rather than fundamental reinvention, and challenges within the industrial design process.
Challenges to the FTC’s paradigm also came from outside the conference. On the same day as the conference, Pew released a report that belied the characterization of consumers as resigned, mystified, and deceived on privacy issues. The Pew report suggests a more nuanced picture of consumers’ expectations and concludes that consumers generally think “free is a good price.” (The FTC also rejected the ITIF paper “The privacy panic cycle, (16)” which describes a similar nuance.)
A missed opportunity
PrivacyCon was a missed opportunity for the FTC to provide a more accurate picture of the state of consumer privacy in America. While we can applaud the FTC for holding the event, the agency purposely selected research that supports its enforcement agenda while omitting that which would have challenged its assumptions.