A market for privacy?

-- By MislavMataija - 06 Mar 2009

Can the collection of surfing habits, preferences, typed words and other datastreams left online, be compensated for on a market basis? Some people have suggested models in which that might work. Consumers, or perhaps "infomediaries" negotiating in their favor, would come to terms with online service providers wishing to acquire data about them. Sure, you lose some of your privacy, but you get something of value in return – money, goods, services, access.

The implication of having a workable model of this sort is that there is little need for government regulation. Instead of supposedly inefficient prohibitions and regulations on the use of personal data, the market could not only decide what happens to the data, but also police violations of the consumer-provider contract.

There are, of course, assumptions in these theories. First, privacy interests have to be stated in terms of economic value. Second, both parties have equal access to information and there are no significant transaction costs standing in the way. Third, the parties will abide by the terms of the bargain. Fourth, the buyer does not pass the data on – this would clearly be a distortion of the system in which every privacy concession is compensated by the buyer.

Incentives and the status quo

Unfortunately, none of these assumptions is realistic. More importantly, what is the incentive for sites that live on marketing their users' information to negotiate away their most valued asset? Everyday experience tells us, instead, that they make even the simplest steps such as unsubscribing from mailing lists, terminating your account as difficult as possible – not to mention keeping their privacy policies convoluted, lengthy and ever-changing. Since the ease of access to personal data is a central part of their business model, they are not likely to make concessions. The bargain, if one can speak of such a thing, is likely to be built into the system. For the customer it will probably remain a "take it or leave it" scenario. Since the risks are dispersed and require foresight, and the gains are immediate and clear, most people will take the offer. If there was any additional negotiation to be had at any point, someone would probably have come up with it by now.

BT's rollout of Phorm, a "service" which tracks users' surfing habits and serves them with targetted ads, is a case in point. No one seemed to have tried negotiating any sort of compensation for users. If the rollout happens, it will simply be a part of the broadband package offered by BT (perhaps it could be worked around or turned off, if the user is so inclined and sufficiently tech-savvy). To add insult to injury, it will probably be billed as a benefit – instead of just random advertising, you get context-specific product information tailored to your own interests. Everyone wins.

Who gets the data?

The problem, of course, is not only what the original provider – or contractor – uses the data for. It is also whether, and how much, he shares it with others. What Facebook knows is perhaps not as much a reason to worry as what the providers of all the third-party Facebook applications know, and where your data goes from there. The weakest link controls the spread, and even if you trust the honesty of Facebook there is simply no way of guaranteeing your data is protected once it is divulged to a third party.

In addition to social networking apps such as Facebook, the amount of data we now hold online for different reasons is another cause of concern. The files I have on my own computer easily come within 4th amendment protection, but what about all the Google Docs spreadsheets and other materials stored online, somewhere? Can I guarantee that all that data remains private? Once again, even if I know who I can negotiate with, and even if I trust their particular promises, all kinds of third parties can be involved. A company I am contracting with might tomorrow be contracting to store my data with someone else. The cloud is perhaps a fitting description for the place your data ends up going to.

Legal solutions

If the problem is really impossible to negotiate away, what are the alternatives? More robust regulation could be a step in the right direction. EU-like regulation of data protection, which limits the collection and use of data, at least provides a minimum standard and some sort of predictability for the person whose data is used, unlike the US system of piecemeal or "self"-regulation. It is still, however, questionable to what extent data protection rules are implemented and enforced, and how much they actually constrain anyone. In the US context, making constitutional guarantees less dependent on personal space, and therefore extending the right to privacy in your data even if it is located on a remote server, could also be a step in the right direction.

Legal guarantess, in other words, are helpful. Still, they do not get you very far. The first problem is enforcement. But a bigger problem is the fact that users do in fact "negotiate" their privacy away – even if they do so with no real consideration, in a context of asymmetric information and high transaction costs. To stop that from happening, something will have to change in the way people value their privacy. But the forces working in the other direction seem overwhelming. The business models of most of the popular social networking sites are centered around collecting personal data for marketing purposes, and every willing participant has a measurable market value from their perspective. For users with a high level of privacy awareness, that value will always be low. Consequently, anyone who cares enough to want to negotiate is probably not worth negotiating with anyway. As a benefit to users, privacy negotiation sounds like a thoroughly unrealistic idea.

Word count: 982

# * Set ALLOWTOPICVIEW = TWikiAdminGroup, MislavMataija