The Tech Policy Greenhouse is an online symposium where experts tackle the most difficult policy challenges facing innovation and technology today. These are problems that don't have easy solutions, where every decision involves tradeoffs and unintended consequences, so we've gathered a wide variety of voices to help dissect existing policy proposals and better inform new ones.

Giving People Property Rights In Data Will Not Solve Privacy, But...

Privacy

from the property-rights-and-privacy dept

Mon, Jun 1st 2020 12:30pm — Jim Harper

Online privacy can’t be solved by giving people new property rights in personal data. That idea is based on a raft of conceptual errors. But consumers are already exercising property rights, using them to negotiate the trade-offs involved in using online commercial products.

People mean a lot of different things when they say “privacy.” Let’s stipulate that the subject here is control of personal information. There are equal or more salient interests and concerns sometimes lumped in with privacy. These include the fairness and accuracy of big institutions’ algorithmic decision-making, concerns with commodification or commercialization of online life, and personal and financial security.

Consumers’ use of online services will always have privacy costs and risks. That tension is a competitive dimension of consumer Internet services that should never be “solved.” Why should it be? Some consumers are entirely rational to recognize the commercial and social benefits they get from sharing information. Many others don’t want their information out there. The costs and risks are too great in their personal calculi. Services will change over time, of course, and consumers’ interests will, too. Long live the privacy tension.

Online privacy is not an all-or-nothing proposition. People adjust their use of social media and online services based on perceived risks. They select among options, use services pseudonymously, and curtail and shade what they share. So, to the extent online media and services appear unsafe or irresponsible, they lose business and thus revenue. There is no market failure, in the sense used in economics.

Of course, there are failures of the common sort all around. People say they care about privacy, but don’t do much to protect it. Network effects and other economies of scale make for fewer options in online services and social media, so there are fewer privacy options, much less bespoke privacy policies. And companies sometimes fail to understand or abide by their privacy policies.

Those privacy policies are contracts. They divide up property rights in personal information very subtly—so subtly, indeed, that it might be worth reviewing what property is: a bundle of rights to possess, use, subdivide, trade or sell, abandon, destroy, profit, and exclude others from the things in the world.

The typical privacy policy vests the right to possess data with the service provider—a bailment, in legal terminology. The service provider gets certain rights to use the data, the right to generate and use non-personal information from the data, and so on. But the consumer maintains most rights to exclude others from data about them, which is all-important privacy protection. That’s subject to certain exceptions, such as responding to emergencies, protecting the network or service, and complying with valid legal processes.

When companies violate their privacy promises, they’re at risk from public enforcement actions—from Attorneys General and the Federal Trade Commission in the United States, for example—and lawsuits, including class actions. Payouts to consumers aren’t typically great because individualized damages aren’t great. But there are economies of scale here, too. Paying a little bit to a lot of people is expensive.

A solution? Hardly. It’s more like an ongoing conversation, administered collectively and episodically through consumption trends, news reporting, public awareness, consumer advocacy, lawsuits, legislative pressure, and more. It’s not a satisfactory conversation, but it probably beats politics and elections for discovering what consumers really want in the multi-dimensional tug-of-war among privacy, convenience, low prices, social interaction, security, and more.

There is appeal in declaring privacy a human right and determining to give people more of it, but privacy itself fits poorly into a fundamental-rights framework. People protect privacy in the shelter of other rights—common law and constitutional rights in the United States. They routinely dispense with privacy in favor of other interests. Privacy is better thought of as an economic good. Some people want a lot of it. Some people want less. There are endless varieties and flavors.

In contrast to what’s already happening, most of the discussion about property rights in personal data assumes that such rights must come from legislative action—a property-rights system designed by legal and sociological experts. But experts, advocates, and energetic lawmakers lack the capacity to discern how things are supposed to come out, especially given ongoing changes in both technology and consumers’ information wants and needs.

An interesting objection to creating new property rights in personal data is that people might continue to trade personal data, as they do now, for other goods such as low- or no-cost services. That complaint—that consumers might get what they want—reveals that most proposals to bestow new property rights from above are really information regulations in disguise. Were any such proposal implemented, it would contend strongly in the metaphysical contest to be the most intrusive yet impotent regulatory regime yet devised. Just look at the planned property-rights system in intellectual property legislation. Highly arguable net benefits come with a congeries of dangers to many values the Internet holds dear.

The better property rights system is the one we’ve got. Through it, real consumers are roughly and unsatisfactorily pursuing privacy as they will. They often—but not always—cede privacy in favor of other things they want more, learning the ideal mix of privacy and other goods through trial and error. In the end, the “privacy problem” will no more be solved than the “price problem,” the “quality problem,” or the “features problem.” Consumers will always want more and better stuff at a lower cost, whether costs are denominated in dollars, effort, time, or privacy.

Jim Harper is a visiting fellow at the American Enterprise Institute and a senior research fellow at the University of Arizona James E. Rogers College of Law.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: contracts, data, privacy, property rights

12 Comments

Greenhouse Panel Discussion

Is there a transparency forcing function?

by Mike Masnick, on 1 Jun 2020 @ 11:59pm

Jim, this is a great and useful post. I fear that way too many people rush in to say that a property rights regime for our data would solve many problems, though (as you allude to), I fear that would actually make the situation much worse.

However, I do want to raise a question concerning your overall thesis that the system we have now works, and that most people will willingly give up their privacy to obtain various services.

I think there's truth to that -- and we see that empirically. But my argument has long been that privacy is a series of conditional tradeoffs where the key is judging if the tradeoffs are worth it (e.g., me leaving my house to go shopping entails some "privacy" risk in that people could see me and what I buy, but the "risk" side is so low, I don't mind it and it doesn't feel like a violation). But there are cases where the risk is real -- and I wouldn't take that bargain (e.g., publicly sharing my account and password to my bank account).

Those are obviously two extremes, but in both cases, you can pretty easily judge the tradeoffs -- both the size of the benefits and the potential risk. But I think the problem many people have with "privacy" in the online environment today is that the risks are absolutely obscured (and sometimes the benefits are not entirely clear either). It's that part that makes people uncomfortable.

So, the question I keep coming back around to is whether or not there's a way to create more transparency so that people understand the tradeoffs, and recognize whether what benefit they get is worth whatever "risk" may be there in revealing some amount of information?
On Transparency Forcing

by Jim Harper, on 2 Jun 2020 @ 6:10am

Thanks, Mike, for the kind words. (Though I notice that you have yet to pan a Greenhouse post!) I should emphasize that I'm arguing against manufactured property rights and in favor of organic property rights.

It seems to me like your query would be well-placed with any product or marketplace. Consumers could always know more about the goods or services they buy. Alas, they're awfully insistent on knowing just enough. On aggregate, I think the average transaction makes people at least a little better off, so unhampered markets move clunkily forward on making people wealthier and happier.

In a new and changing marketplace, which the "information economy" certainly still is, the risks are less clear, and they may rapidly change. So it's harder to be certain that things are going the right direction. But I think the "right direction" should always be consumer-defined.

Experts like you or me are not in a position to know better than consumers what they want. And there isn't a method better than trial-and-error for learning what the full costs and benefits of products and services are. So privacy advocates should shout from the rooftops "beware," and reporters should continue to tout wrongs and harms. Two major conduits of transparency.

But I don't see "forcing" transparency here. Consumers are highly resistant to it, and I think it's unlikely to make them better off than informing them in organic ways.
Resistance?

by Mike Masnick, on 3 Jun 2020 @ 11:39am

I'm not sure what you mean when you say that consumers are "resistant" to transparency?

I get the fact that things are changing and it's likely that we'll settle in to certain norms over time (and one might argue that's already happened to some extent), but I'm not convinced this all works out so easily. Part of the issues is that the lack of transparency right now means that consumers don't fully recognize what risks they've taken on. I do think that the overall risks may be overblown, but that is not always the case -- and with the setup of the market today, it's unclear to me that there is a legitimate way to get people towards that increased level of transparency.

What I do think is true is that the transparency does need to come naturally in some form or another, and that a legislative forcing function is likely to backfire (badly). I mean, we're already seeing that with various "cookie" disclosure requirements. That "transparency" has just annoyed people into clicking through on useless popups.

Reader Comments

Subscribe: RSS

View by: Thread

Bruce C., 1 Jun 2020 @ 12:41pm

Property rights in data...
an interesting idea. But it seems as ripe for abuse to get "copyright" over data collections as notify and takedown in copyright law is abused as a tool of censorship. The law would have to be exceedingly narrow in scope, possibly to the point where it would be difficult to obtain ownership over data that is claimed to be "anonymized" but really isn't.
[ link to this | view in chronology ]
Anonymous Coward, 1 Jun 2020 @ 12:51pm

I don't see how the "valid legal process" can be carried out in the presence of the transnational entity.

At least not with regards to data privacy...
[ link to this | view in chronology ]
Ryan Nicholl, 1 Jun 2020 @ 7:49pm

The problem with "privacy"
The problem with privacy is that it is as a concept somewhat incompatible with free speech. You cannot both have a right to prevent someone from talking about you and them also have a right to speak about you. Privacy and free speech are opposing rights, you have to pick one. Our constitution picked free speech. There is some limited room for privacy in a free speech world when it comes to our own devices. For example, we can make it illegal to distribute apps that secretly spy on you. But if consent is involved and information freely shared thereafter, any "privacy right" becomes a speech restriction. Should that stand? I think not. GDPR is used to remove court cases from the internet. I think we shouldn't have such things able to be buried by "privacy" if we want to keep citizens well informed. The right to privacy is the antithesis to an informed society.
[ link to this | view in chronology ]
- Ryan Nicholl, 1 Jun 2020 @ 7:51pm
  
  Re: The problem with "privacy"
  Not saying you can't have privacy in your own devices/papers. Just that the essence of privacy is the protection of your own devices and documents. Handing information over to a third party and claiming the right to prevent them from talking about it is the antithesis of free speech.
  [ link to this | view in chronology ]
- Jim Harper (profile), 2 Jun 2020 @ 6:25am
  
  Re: The problem with "privacy"
  I think your comment is well suited to governmental regulation aimed at privacy: "You (corporation) may not use or share this true information." But privacy is as much a product of people withholding information from others or sharing it subject to restrictions. When people conceal information about themselves, the First Amendment and free speech are not implicated. And when they share information subject to promises that restrict further sharing and use, that is also perfectly consistent with free speech law. People and companies can contract away their free speech rights, and they regularly do. I, too, find it bizarre that there are laws requiring true information to be "disappeared" from public view. I think that can't happen here in the U.S., but I've been wrong in my predictions about legal developments before.
  [ link to this | view in chronology ]
tz1 (profile), 1 Jun 2020 @ 8:06pm

A simpler solution
REQUIRE an option where they don't track, monitize, distribute, etc. your data or even use it to "provide a better experience" tier which is paid. Right now there is only the "free except you agree to give your soul to the devil when you die" contract. You can't pay Apple, Google, Amazon, F**kbook to not privacy rape you, that is not an option. Reminds me of the old Bertrand Russel joke: BR: Would you go to bed with me for $1Million? woman: well,... yes I would. BR: Would you do it for $5? (early 20th century) woman: What do you think I am? BR: Madame, we have established what you are, we only disagree about the price. I can fly, if I let the TSA grope my "junk" and be porn scanned. Completely voluntary. Or charter a private Jet (why can't they crash into Trump Tower?).
[ link to this | view in chronology ]
bobob, 1 Jun 2020 @ 9:39pm

If a company can sell my data, why am I not entitled to the money they made on it? Also, if my data are not a property right, then I ought to at least be able to forbid the aggregation of it by companies who then use it to sell an assessment of me, e.g. equifax and so on.
[ link to this | view in chronology ]
- Mike Masnick (profile), 2 Jun 2020 @ 12:03am
  
  Re:
  If a company can sell my data, why am I not entitled to the money they made on it?
  
  I think the question itself tells you the answer. You're making a big assumption -- that the data is "yours". You're assuming that there's a property right there. But does that always make sense? Is the data truly "yours"? If I run an online shop and I track what you've bought, whose "data" is that? Under a property rights regime, you could argue that it's yours because you made the purchase, but I might argue that it's mine, since I set up the store, sourced the product, and handled the transaction.
  
  It gets tricky quite quickly.
  
  Also, if my data are not a property right, then I ought to at least be able to forbid the aggregation of it by companies who then use it to sell an assessment of me, e.g. equifax and so on.
  
  But that formulation is only possible if property rights are involved. Again, in the view of Equifax, for better or for worse, it's not "your" data. It's data they have collected on you. See the difference? That doesn't make equifax good, but it certainly means we need to think through things way beyond "they can't do that." Because if you just say that you don't want me to collect any data about you.. well, then I can't let you comment here any more, because the nature of commenting means you're providing some data.
  
  There are middle grounds, but property rights and controlling data raises a lot more questions than it answers and you probably won't be thrilled with the end result.
  [ link to this | view in chronology ]
  - bobob, 2 Jun 2020 @ 1:59pm
    
    Re: Re:
    I would agree that data taken in public setting where I have no privacy interest would not be my property. But data axquired from private financial transactions, internet service and other things where I do have a privacy interest ought to be my personal property. What I purchase, what I read and what I view is personal, In addition, if there is a property interest that makes it possible to sell my data, then there IS a property interest and it's only a matter of who is entitled to it.
    [ link to this | view in chronology ]