The Hahn/ACT cost-of-privacy report:
http://www.politechbot.com/p-01999.html

News coverage:
http://www.wired.com/news/privacy/0,1848,43654,00.html
http://www.postgazette.com/businessnews/20010509privacy5.asp
http://www.zdnet.com/zdnn/stories/news/0,4586,2716528,00.html
http://www.newsbytes.com/news/01/165458.html7

Three criticisms follow, from Peter Swire, Richard Smith, and Paul Sholtz.

-Declan

**********

Date: Wed, 9 May 2001 08:51:53 -0700 (PDT)
From: peter swire <peterswireat_private>
Subject: Reply to study that estimated $30 billion for Internet privacy
To: declanat_private

Declan:

Here is my response to the study you posted yesterday that estimated possible costs of over $30 billion to comply with Internet privacy legislation. It may be a few days before this can be posted to my web site, so sending it out in full would allow your readers to assess the merits of the issue.

Peter

===================

For release May 9, 2001:

New Study Substantially Overstates Costs of Internet Privacy Protections

Professor Peter P. Swire

I am writing in response to a study by Robert W. Hahn, a Resident Scholar of the American Enterprise Institute, entitled "An Assessment of the Costs of Proposed Online Privacy Legislation." This study was reported on May 8 in the New York Times and elsewhere as estimating costs of $30 billion or more to comply with possible Internet privacy legislation. The study was sponsored by the Association for Competitive Technology.

Unfortunately, based on the study's own assumptions, there are serious analytic flaws in the conclusions. The estimates are far too high, and should not be relied upon for decisionmaking by policymakers.

I have reached this conclusion based on my own extensive efforts to estimate the costs and benefits of privacy rules. In 1998, the Brookings Institution published a book by Robert Litan and myself entitled "None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive."
As explained in Chapter 2 of the book, Dr. Litan and I concluded after substantial effort that we could not create a useful estimate of the likely costs of complying with the European Union Data Protection Directive.

In 1999, I entered the U.S. Office of Management and Budget as the Administration's Chief Counselor for Privacy. In that position, I participated in numerous issues that involved qualitative and quantitative assessments of the effects of privacy rules. Notably, I worked closely with the Department of Health and Human Services in developing the "regulatory impact assessment," or cost/benefit study, for the proposed medical privacy rule that was issued in October, 1999 and published in the Federal Register. After extensive public comments on the cost/benefit analysis and other issues, the final medical privacy rule was issued in December, 2000 and took effect last month.

One omission of the Hahn study is that it makes no mention of that only published government analysis of which I am aware that makes quantitative estimates of the costs and benefits of privacy rules. For the health care industry, which is far larger than the current Internet industry, HHS estimated costs averaging $1.9 billion per year for a medical privacy rule that is more detailed than most observers expect for any possible Internet privacy legislation. Some industry estimates are higher than the HHS estimate, but the Hahn study would project out to costs per covered entity that are far higher than any estimate I have seen for medical privacy compliance.

My concerns with the Hahn study fall into two categories. First, the study does not adequately address the key issue for any cost estimate -- what is the baseline against which the cost comparison is made? In measuring the difference between a world with legislation and one without legislation, what behavior do we expect in the world without legislation?
Without a clear picture of the world without legislation, we cannot assess the extra cost of the world with legislation.

Second, the assumptions in the study drive toward substantially overstated costs. The study assumes that small sites would spend as much as large sites to comply. It assumes too many sites. Each site would have to achieve unrealistically demanding standards. And each site is assumed to spend the large premium needed for a customized first-of-a-kind system, with no packaged software and no learning from experience.

A more complete analysis would address additional points. For instance, the Hahn study quantifies only the costs of privacy protection, with no estimate of the benefits. Yet it would be irrational to reach a conclusion on whether privacy should be protected without examining these benefits, as is done for example in the HHS regulatory impact analysis for the medical rule.

1. The importance of defining the baseline.

The cost of privacy legislation is the difference between what industry would do in the absence of a law and what it would do if the law were enacted. As the Hahn study points out, Internet companies have made significant efforts in the privacy area. For instance, almost all significant Internet companies today have a stated privacy policy, and violations of the stated policy can lead to enforcement actions at the state and federal level. The cost of legislation is thus the extra, or incremental, cost of the new legislation.

There are many reasons that Internet companies address privacy in the absence of federal legislation. For instance, they do so to promote consumer confidence in Internet transactions, or to comply with legal standards for customers outside of the U.S. Importantly, companies take many measures that are simply good business practice. For instance, any responsible company has a firewall for its web site.
If a law were passed requiring a firewall (and I am not advocating such a law in making this point), then the cost of the legislation might be almost zero -- most companies would already be taking that action.

The entire estimate of cost thus depends crucially on the baseline against which cost is measured. If companies are taking a level of appropriate action under self-regulation, as Hahn seems at some points to suggest, then a law setting that same standard would have low or no compliance costs. On the other hand, if companies are failing to follow basic good business practice, such as failing to have firewalls, then it is wrong to blame the law for the cost of the firewalls. The firewalls should be seen as part of the cost of doing business, and not some extraordinary burden imposed by legislation.

As discussed in my 1998 book, it is a difficult challenge to define a baseline clearly enough to permit quantitative estimates of the costs and benefits of privacy legislation. After much effort, my co-author and I decided we could not provide a quantitative estimate in that instance. In the medical privacy rule, there is extensive discussion of this issue of baselines, and the eventual quantitative estimates are made after explicit discussion of the issue.

Unfortunately, in the Hahn study, the baseline is not defined clearly enough, with the result I believe of overstating the likely costs of legislation. The study at some points seems to support the view that the Internet industry has already taken substantial and effective steps to provide privacy protection. Yet the expenses already incurred are never netted against the gross estimates of cost. It is as if one reports the cost of building a house without subtracting out the cost of a foundation and a couple of walls that are already in place.

2. The Study's assumptions lead to substantially overstated cost estimates.
The principal assumptions that lead to an overstated cost estimate are the failure to distinguish between large and small sites, an excessive number of sites, the use of unrealistically demanding and expensive standards for each site, and the assumption that all compliance will be customized rather than having any reduction in cost after the first company has complied.

(a) Large and small sites are different. The study surveys consultants about how much it would cost for a large site to comply, for a site with at least 100,000 current customers and the capability to scale to millions of customers. The survey finds an average cost per site of $100,000 (more on that figure below). But that cost is based entirely on the estimated cost for building a complex large site. As the study itself discusses, it is unreasonable to expect that a small Internet site will spend $100,000 for privacy compliance. Furthermore, as Response 2 to the survey illustrates, the cost would be much lower for a small site even though the survey failed to ask for the difference in cost.

(b) Too many sites. The press release announcing the ACT/Hahn study says that "Analysis of Internet Privacy Regulation Says Costs Could Exceed $30 Billion." http://www.actonline.org/press_room/releases/050801.asp. Press accounts have reported the study as showing "costs of over $30 billion."

Yet the $30 billion estimate, called "conservative" in the study, cannot be defended on the basis of the study itself. That estimate assumes that 360,000 sites do the expensive $100,000 compliance solution. But the study itself also says that there is a grand total of only 94,000 "medium to large" commercial Internet sites. The extra 246,000 sites are "small" sites, and the estimate for a site serving millions of customers simply does not apply. Each of these "small" sites, however, was counted at the $100,000 per site compliance rate.

The study's lowest cost figure is $9 billion.
That figure assumes that every single large and medium site spends the full $100,000 per site for compliance. (The study defines size based on the company size, with "large" having over 500 employees, "medium" 100 to 500 employees, and "small" fewer than 100 employees. Some "large" companies may not have consumer sites scalable to millions of customers, so they may not have "large" sites. Some "small" companies, but proportionately likely not many, may have large sites that are designed to serve millions of customers.)

This $9 billion estimate thus assumes too many sites for at least two reasons. First, it assumes that medium-sized sites will have to pay the same as large sites. Second, it assumes that the medium and large sites do not already have significant self-regulatory programs in place to provide privacy protections. Yet many of these larger sites have already instituted significant privacy programs. The cost of compliance should thus be reduced to take account of the measures already in place, and this was not done in the study.

(c) Unrealistically strict criteria. The study asks consultants to estimate what it would cost to build a new system that complies with a set of criteria. Defining those criteria is crucial. If the criteria are easy, then costs will be low. For instance, it would cost little if the law says: "Mention the word privacy on your web page." If the criteria are strict, then costs will be high. For instance, it would cost a great deal if the law says: "Design a state-of-the-art system that handles personal information in complex new ways that have never been done before."

The problem is that the study assumes criteria that resemble the latter. Two examples from a longer list give the flavor. First, the study assumes that every time personally identifiable information (PII) is sent to any third party the web site must have a complete tracking of all of its PII about that customer.
If the web site sends out PII about that customer to someone the next day, it must keep a complete file of the changed PII that exists on that second day. This sort of time-and-date stamping of every item of information about every customer is either rare or unknown in the industry. It is highly unlikely to become law. Yet that is the system that the study assumes every web site will have to build.

A second example is that the study assumes that the customer access rules will be significantly stricter than I believe anyone has seriously proposed legislating. In defining the access requirements so strictly, for instance, the study assumes not only that individuals will get online access to a complete log of every time their PII has gone to a third party. Customers will also gain access to the complete content of what is transferred to the third party. Again, this sort of time-and-date stamping of the content that is transferred is either rare or unknown in the industry.

It is thus no surprise that the consultants estimated that it would be expensive for each web site to comply. The criteria included features that have not been implemented in the industry and not seriously contemplated in legislation. As the consultants imagined what it would cost to build these new types of systems for the first time, they correctly stated that it would be very expensive. But the $100,000 average estimated cost is a reflection of an unrealistically strict set of criteria, rather than of the likely cost of actual compliance with legislation.

(d) All compliance is customized and there is no learning from experience. The survey asked consultants to estimate how much it would cost to build this complex, strict system for the first time. Their estimate of $100,000 per site for building a new system was then used as the average cost of compliance per site.
The over $30 billion estimated total cost assumed that 360,000 sites (large and small) would each build a new system from scratch for that $100,000 per site.

But that is not the way that software works today. According to the study's figures, most of those 360,000 sites are small or medium sites. These sites will not ask expensive consultants to write entirely new one-of-a-kind software. Instead, small, medium, and many larger sites will buy software packages. Implementation may include a moderate amount of tailoring for a particular company. But the cost of that tailoring is much less expensive, often by an order of magnitude, than writing software from scratch. The incremental cost of compliance will further be reduced because privacy compliance will likely be undertaken as part of a broader upgrading of a site, of the sort that is often done in the rapidly changing Internet environment, rather than as a stand-alone cost item.

Put another way, the first system of a new type costs far more to build than the 360,000th. Experience gained in early systems makes it far less expensive to build later systems. Even if Congress surprises everyone by requiring every one of the unrealistically strict criteria that the study assumed, later systems will cost much less than the $100,000 that the study uses. And, Congress will not impose those criteria, so the cost of actual legislation will be even less.

Conclusion.

I have written this detailed analysis of the study because of my belief that it will be irresistibly tempting for critics of privacy legislation to quote the $30 billion, or even the $9 billion, estimate as though these are realistic figures. For the reasons stated here, those estimates are far too high given the study's own assumptions. It is unrealistic to treat small web sites as though they will pay the same compliance fees as large web sites.
It is unrealistic to estimate 360,000 sites paying the large-site cost when the study states that there are only 94,000 medium and large sites combined. It is unrealistic to use criteria for system performance that do not reflect industry practice or realistic Congressional outcomes. And it is unrealistic to believe that the 360,000th site will cost the same as a pioneer site that builds features that have never before been implemented.

The combined effect of these unrealistic features could easily be to reduce the cost of compliance by an order of magnitude or even more. The actual costs of compliance should likely further be reduced to account for the actions industry would take and has already taken in the absence of legislation. And any ultimate decision about the desirability of legislation should consider the benefits of privacy protection, which this study does not do in a systematic way.

With all that said, the study does make the correct point that badly drafted legislation, in privacy as in other areas, can impose substantial and undesirable costs. If Internet privacy legislation is enacted, then it should be based on careful attention to how principles such as notice, choice, access, security, and enforcement would work in practice. My own goal, as a private citizen and while in the Clinton Administration, is to promote sharing of information where that is beneficial and to keep information confidential in appropriate situations, such as where the information is especially sensitive or is gathered or used contrary to the wishes of the individual. In seeking to discern useful information flows from invasions of privacy, policymakers need to rely on more realistic estimates of the effects of legislation than I am afraid this study provides.

There have been other studies released in recent months, sponsored by other groups, that have estimated the costs and benefits of privacy legislation. These other studies also deserve

=======

Peter P.
Swire is Professor of Law at the Ohio State University. In the 2001-2002 academic year, he will be a Visiting Professor of Law at George Washington University. From 1999 until early 2001, Professor Swire served as the first Chief Counselor for Privacy in the U.S. Office of Management and Budget. With Lawrence Lessig, he is Editor of the Cyberspace Law Abstracts of the Social Science Research Network. Many of his writings appear at www.osu.edu/units/law/swire.htm. E-mail at swire.1at_private Phone: (301) 213-9587. Privacy documents from the Clinton Administration are available at the Presidential Privacy Archives of the Technology Policy Group, at www.privacy2000.org.

**********

From: Richard M. Smith [mailto:rmsat_private]
Sent: Tuesday, May 08, 2001 9:05 AM
To: rhahnat_private
Cc: vsampsonat_private; jzuckat_private; Richard M. Smith
Subject: Where are the B-to-C Web sites?

Hi Robert,

I have a question about today's report that was released by ACT:

"An Assessment of the Costs of Proposed Online Privacy Legislation"
http://www.actonline.org/pubs/HahnStudy.pdf

In the beginning of the report the following statement is made:

"A fundamental issue in the privacy debate relates to the ownership of information. Does a company have the right to take and use personally identifiable information (PII) from a consumer and use that information for profit?"

My question is how come no business-to-consumer Web sites took part in the survey? Looking over the list of companies from the survey, it appears to me that most of them are either software tool companies or consultants to other businesses. If privacy is a consumer issue, why were B-to-B companies interviewed exclusively for the survey? Does not compute.

Attached is a list of companies from the report.

Thanks,
Richard M.
Smith
CTO, Privacy Foundation

==========================================================================

Active Designs Aegis Consulting Clarity Consulting Compuware Crosstier DevX i3 Solutions Information Strategies IXL Mariner MetroSharp Online Consulting Progressive Systems Consulting, Inc Proxicom Rocketworks, Inc. Rubicon Technologies WebBranch

**********

From: Paul Sholtz
Sent: Wednesday, May 09, 2001 12:21 AM
To: 'rhahnat_private '
Subject: cost of privacy article

Dear Mr. Hahn,

I just read through your recent report (published on May 8) concerning the costs of privacy. It is an interesting report, but I disagree with you on several points.

You point out in your paper that privacy is a problem in data ownership. Define who owns what data, and you've solved the privacy problem. I agree with that. In fact, I think you've solved lots of other problems as well, such as all the IP issues surrounding Napster, etc.

However, problems in ownership and property rights can often be modeled and resolved using the Coase Theorem. You reference some academic work that has been done in property rights, but none of it references the Coase Theorem, which outlines correlations between property rights and transaction costs.

I have made a number of economic arguments in favor of consumer property rights over personal information, based largely on the Coase Theorem (it is now cheaper for a company to tag permissions w/ data throughout the enterprise than it is to risk a privacy breach). You can find some of my papers at:

http://www.firstmonday.org/issues/current_issue/sholtz/index.html (<-- transaction costs + Coase Theorem)
http://www.firstmonday.org/issues/issue5_9/sholtz/index.html (<-- more general economics)

I think from a 50,000-ft view, these papers outline reasons why consumer privacy saves money over the long term.. (instead of costing tens of billions like you say).
In terms of the rest of your article, I have the following points:

(*) you indicate (on p.3) that the loss in revenue in PII-related advertising would be significant. In fact, ALL advertising is based on PII ultimately (in some way or another), and frankly, in today's economy w/ the Internet, ALL advertising is economically inefficient (although I won't get into the details of why here) The purpose of technology is to replace old, inefficient ways of doing business with newer, more efficient models. To say that we cannot have privacy b/c it decreases PII-related ad revenue is like telling Henry Ford he can't build cars b/c they negatively impact the business of building horse-carriages.

(*) You also say the PII-related ad market is small (p.3). In fact, conservative estimates place the value of the American direct marketing industry at roughly $600 billion annually. The DMA would like to think it's over $1 trillion annually.. I'm not sure what he's talking about in saying that PII-related advertising is a small business - it's about 1/7 of the US GDP.. When you're talking about a market that is worth $1 trillion, then $30 billion (<--that's roughly your cost of privacy estimate, isn't it?) of upgrades in that market to make it more efficient is a TINY drop in the bucket. It's less than 1/10th of 1%..

(*) On page 9, I'd like to indicate that the REAL distinction between online and offline privacy are the transaction costs involved in how the information is collected. You don't address this, and instead only focus on the type and use of the information collected. These points are obviously important, but the change in transaction costs is what necessitates the change in property rights (under the Coase Theorem).

(*) On page 13, you point out that Yahoo! depends almost exclusively on banner ad revenue and that privacy legislation would destroy companies like that. In fact, Yahoo and banner advertising is an extremely inefficient business.
Yahoo is the ONLY company in world history that ever turned a profit from banner advertising, and now even Yahoo can't do it anymore (b/c businesses are realizing that banner ads are not an efficient use of their resources). If only ONE company in the world can profit from a business model (and when it's a business model that bazillions of companies are TRYING to profit from), common sense would suggest there is something EXTREMELY WRONG w/ that business model..

(*) on Page 14, When a user first opts-in, and then opts-out, you suggest that all the organizations with which info was shared in the intervening period would have to be notified. Well - yes and no. Today that is still frankly a technicality. The consumer has still created value for herself by opting out, even though some info was released beforehand. More importantly, if you REALLY own personal data, you should be able to publish changes in the data or terms of use in one place and have all "subscribers" to that data notified simultaneously. For instance, whenever you move you have to change your magazine subscriptions. It's a real pain to fill out change-of-address forms for each magazine you are subscribed to .. it would be easier to fill out the change once and have it propagate through to all relevant magazines. This technology/business paradigm does not exist today, although it should. It is possible to do, and much cheaper than the current system. This is (in part) what a property rights system over personal data would look like. The fact that such technology/business paradigms do not exist is what you are referring to in your opt-in/opt-out dilemma.. In fact, this economic paradigm is FAR MORE efficient than banner ads at Yahoo! (in terms of being a model that "monetizes" personal data, as people from Yahoo like to say)

(*) The focus of this article is on why it is hard and expensive for businesses to upgrade IT to meet privacy demands. You cite (on p.
17) that the biggest cost is in integration and in having businesses offer the "services" they need in order to make privacy happen. In fact, there is a trend currently underway in IT called "Web services" that allows businesses to quickly and easily segment their IT according to discrete "Services" they offer to their customers. Businesses are already adopting Web services (willingly) and Web services allow businesses to quickly and easily add privacy services in the process of upgrading IT (<-- I am currently writing an article on this topic for an IT magazine - I'll let you know when it's done)

(*) on p. 24, yes I agree that the market is reacting to address privacy, but the market needs the (slight) nudge of law to help it along. Property rights IS the market-based answer to privacy, but you can't have property rights unless you have a government that defines a right to property. The whole concept of Coase is that the government can create a market for scarce goods where none would otherwise exist. Once you have this system of property rights in place, then yes, market based alternatives work (that said, of course it will still cost businesses SOME money to implement them, but the business will save lots of money over the long run).

Best Regards,
Paul Sholtz
PrivacyRight, Inc. - www.privacyright.com
Chief Technology Officer

**********

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed May 09 2001 - 16:59:36 PDT