FC: Responses to cost of privacy study from Swire, Smith, Sholtz

From: Declan McCullagh (declanat_private)
Date: Wed May 09 2001 - 15:59:01 PDT

    The Hahn/ACT cost-of-privacy report:
    http://www.politechbot.com/p-01999.html
    
    News coverage:
    http://www.wired.com/news/privacy/0,1848,43654,00.html
    http://www.postgazette.com/businessnews/20010509privacy5.asp
    http://www.zdnet.com/zdnn/stories/news/0,4586,2716528,00.html
    http://www.newsbytes.com/news/01/165458.html7
    
    Three criticisms follow, from Peter Swire, Richard Smith, and Paul Sholtz.
    
    -Declan
    
    **********
    
    Date: Wed, 9 May 2001 08:51:53 -0700 (PDT)
    From: peter swire <peterswireat_private>
    Subject: Reply to study that estimated $30 billion for Internet privacy
    To: declanat_private
    
    Declan:
    
    Here is my response to the study you posted yesterday
    that estimated possible costs of over $30 billion to
    comply with Internet privacy legislation.  It may be a
    few days before this can be posted to my web site, so
    sending it out in full would allow your readers to
    assess the merits of the issue.
    
    Peter
    ===================
    
    For release May 9, 2001:
    
    New Study Substantially Overstates Costs of Internet
    Privacy Protections
    
                         Professor Peter P. Swire
    
          I am writing in response to a study by Robert W.
    Hahn, a Resident Scholar of the
    American Enterprise Institute, entitled "An Assessment
    of the Costs of Proposed Online Privacy
    Legislation."  This study was reported on May 8 in the
    New York Times and elsewhere as
    estimating costs of $30 billion or more to comply with
    possible Internet privacy legislation.  The
    study was sponsored by the Association for Competitive
    Technology.  Unfortunately, based on
    the study's own assumptions, there are serious
    analytic flaws in the conclusions.  The estimates
    are far too high, and should not be relied upon for
    decisionmaking by policymakers.
    
          I have reached this conclusion based on my own
    extensive efforts to estimate the costs and
    benefits of privacy rules.  In 1998, the Brookings
    Institution published a book by Robert Litan and
    myself entitled "None of Your Business: World Data
    Flows, Electronic Commerce, and the
    European Privacy Directive."  As explained in Chapter
    2 of the book, Dr. Litan and I concluded
    after substantial effort that we could not create a
    useful estimate of the likely costs of complying
    with the European Union Data Protection Directive.
    
          In 1999, I entered the U.S. Office of Management
    and Budget as the Administration's
    Chief Counselor for Privacy.  In that position, I
    participated in numerous issues that involved
    qualitative and quantitative assessments of the
    effects of privacy rules.  Notably, I worked closely
    with the Department of Health and Human Services in
    developing the "regulatory impact
    assessment," or cost/benefit study, for the proposed
    medical privacy rule that was issued in
    October, 1999 and published in the Federal Register.
    After extensive public comments on the
    cost/benefit analysis and other issues, the final
    medical privacy rule was issued in December, 2000
    and took effect last month.  One omission of the Hahn
    study is that it makes no mention of that
    only published government analysis of which I am aware
    that makes quantitative estimates of the
    costs and benefits of privacy rules.  For the health
    care industry, which is far larger than the
    current Internet industry, HHS estimated costs
    averaging $1.9 billion per year for a medical
    privacy rule that is more detailed than most observers
    expect for any possible Internet privacy
    legislation.  Some industry estimates are higher than
    the HHS estimate, but the Hahn study would
    project out to costs per covered entity that are far
    higher than any estimate I have seen for
    medical privacy compliance.
    
          My concerns with the Hahn study fall into two
    categories.  First, the study does not
    adequately address the key issue for any cost estimate
    -- what is the baseline against which the
    cost comparison is made?  In measuring the difference
    between a world with legislation and one
    without legislation, what behavior do we expect in the
    world without legislation?  Without a clear
    picture of the world without legislation, we cannot
    assess the extra cost of the world with
    legislation.
    
          Second, the assumptions in the study drive toward
    substantially overstated costs.  The
    study assumes that small sites would spend as much as
    large sites to comply.  It assumes too many
    sites.  Each site would have to achieve
    unrealistically demanding standards.  And each site is
    assumed to spend the large premium needed for a
    customized first-of-a-kind system, with no
    packaged software and no learning from experience.
    
          A more complete analysis would address additional
    points.  For instance, the Hahn study
    quantifies only the costs of privacy protection, with
    no estimate of the benefits.  Yet it would be
    irrational to reach a conclusion on whether privacy
    should be protected without examining these
    benefits, as is done for example in the HHS regulatory
    impact analysis for the medical rule.
    
          1.  The importance of defining the baseline.  The
    cost of privacy legislation is the
    difference between what industry would do in the
    absence of a law and what it would do if the
    law were enacted.  As the Hahn study points out,
    Internet companies have made significant efforts
    in the privacy area.  For instance, almost all
    significant Internet companies today have a stated
    privacy policy, and violations of the stated policy
    can lead to enforcement actions at the state and
    federal level.  The cost of legislation is thus the
    extra, or incremental, cost of the new legislation.
    
          There are many reasons that Internet companies
    address privacy in the absence of federal
    legislation.  For instance, they do so to promote
    consumer confidence in Internet transactions, or
    to comply with legal standards for customers outside
    of the U.S.  Importantly, companies take
    many measures that are simply good business practice.
    For instance, any responsible company has
    a firewall for its web site.  If a law were passed
    requiring a firewall (and I am not advocating such
    a law in making this point), then the cost of the
    legislation might be almost zero -- most
    companies would already be taking that action.
    
          The entire estimate of cost thus depends
    crucially on the baseline against which cost is
    measured.  If companies are taking a level of
    appropriate action under self-regulation, as Hahn
    seems at some points to suggest, then a law setting
    that same standard would have low or no
    compliance costs.  On the other hand, if companies are
    failing to follow basic good business
    practice, such as failing to have firewalls, then it
    is wrong to blame the law for the cost of the
    firewalls.  The firewalls should be seen as part of
    the cost of doing business, and not some
    extraordinary burden imposed by legislation.
    
          As discussed in my 1998 book, it is a difficult
    challenge to define a baseline clearly enough
    to permit quantitative estimates of the costs and
    benefits of privacy legislation.  After much effort,
    my co-author and I decided we could not provide a
    quantitative estimate in that instance.  In the
    medical privacy rule, there is extensive discussion of
    this issue of baselines, and the eventual
    quantitative estimates are made after explicit
    discussion of the issue.
    
          Unfortunately, in the Hahn study, the baseline is
    not defined clearly enough, with the result
    I believe of overstating the likely costs of
    legislation.  The study at some points seems to support
    the view that the Internet industry has already taken
    substantial and effective steps to provide
    privacy protection.  Yet the expenses already incurred
    are never netted against the gross estimates
    of cost.  It is as if one reports the cost of building
    a house without subtracting out the cost of a
    foundation and a couple of walls that are already in
    place.
    
          2.  The Study's assumptions lead to substantially
    overstated cost estimates.  The principal
    assumptions that lead to an overstated cost estimate
    are the failure to distinguish between large
    and small sites, an excessive number of sites, the use
    of unrealistically demanding and expensive
    standards for each site, and the assumption that all
    compliance will be customized rather than
    having any reduction in cost after the first company
    has complied.
    
          (a) Large and small sites are different. The
    study surveys consultants about how much it
    would cost for a large site to comply, for a site with
    at least 100,000 current customers and the
    capability to scale to millions of customers.  The
    survey finds an average cost per site of $100,000
    (more on that figure below).  But that cost is based
    entirely on the estimated cost for building a
    complex large site.  As the study itself discusses, it
    is unreasonable to expect that a small Internet
    site will spend $100,000 for privacy compliance.
    Furthermore, as Response 2 to the survey
    illustrates, the cost would be much lower for a small
    site even though the survey failed to ask for
    the difference in cost.
    
          (b) Too many sites.  The press release announcing
    the ACT/Hahn study says that
    "Analysis of Internet Privacy Regulation Says Costs
    Could Exceed $30 Billion."
    http://www.actonline.org/press_room/releases/050801.asp.
    Press accounts have reported the
    study as showing "costs of over $30 billion."  Yet the
    $30 billion estimate, called "conservative"
    in the study, cannot be defended on the basis of the
    study itself.  That estimate assumes that
    360,000 sites do the expensive $100,000 compliance
    solution.  But the study itself also says that
    there is a grand total of only 94,000 "medium to
    large" commercial Internet sites.  The extra
    246,000 sites are "small" sites, and the estimate for
    a site serving millions of customers simply
    does not apply.  Each of these "small" sites, however,
    was counted at the $100,000 per site
    compliance rate.
    
          The study's lowest cost figure is $9 billion.
    That figure assumes that every single large
    and medium site spends the full $100,000 per site for
    compliance.  (The study defines size based
    on the company size, with "large" having over 500
    employees, "medium" 100 to 500 employees,
    and "small" fewer than 100 employees.  Some "large"
    companies may not have consumer sites
    scalable to millions of customers, so they may not
    have "large" sites.  Some "small" companies,
    but proportionately likely not many, may have large
    sites that are designed to serve millions of
    customers.)  This $9 billion estimate thus assumes too
    many sites for at least two reasons.  First, it
    assumes that medium-sized sites will have to pay the
    same as large sites.  Second, it assumes that
    the medium and large sites do not already have
    significant self-regulatory programs in place to
    provide privacy protections.  Yet many of these larger
    sites have already instituted significant
    privacy programs.  The cost of compliance should thus
    be reduced to take account of the
    measures already in place, and this was not done in
    the study.
    
          (c) Unrealistically strict criteria.  The study
    asks consultants to estimate what it would cost
    to build a new system that complies with a set of
    criteria.  Defining those criteria is crucial.  If the
    criteria are easy, then costs will be low.  For
    instance, it would cost little if the law says: "Mention
    the word privacy on your web page."  If the criteria
    are strict, then costs will be high.  For
    instance, it would cost a great deal if the law says:
    "Design a state-of-the-art system that handles
    personal information in complex new ways that have
    never been done before."
    
          The problem is that the study assumes criteria
    that resemble the latter.  Two examples
    from a longer list give the flavor.  First, the study
    assumes that every time personally identifiable
    information (PII) is sent to any third party  the web
    site must have a complete tracking of all of its
    PII about that customer.  If the web site sends out
    PII about that customer to someone the next
    day, it must keep a complete file of the changed PII
    that exists on that second day.  This sort of
    time-and-date stamping of every item of information
    about every customer is either rare or
    unknown in the industry.  It is highly unlikely to
    become law.  Yet that is the system that the study
    assumes every web site will have to build.  A second
    example is that the study assumes that the
    customer access rules will be significantly stricter
    than I believe anyone has seriously proposed
    legislating.  In defining the access requirements so
    strictly, for instance, the study assumes not
    only that individuals will get online access to a
    complete log of every time their PII has gone to a
    third party.  Customers will also gain access to the
    complete content of what is transferred to the
    third party.  Again, this sort of time-and-date
    stamping of the content that is transferred is either
    rare or unknown in the industry.
    
          It is thus no surprise that the consultants
    estimated that it would be expensive for each
    web site to comply.  The criteria included features
    that have not been implemented in the industry
    and not seriously contemplated in legislation.  As the
    consultants imagined what it would cost to
    build these new types of systems for the first time,
    they correctly stated that it would be very
    expensive.  But the $100,000 average estimated cost is
    a reflection of an unrealistically strict set
    of criteria, rather than of the likely cost of actual
    compliance with legislation.
    
          (d) All compliance is customized and there is no
    learning from experience.  The survey
    asked consultants to estimate how much it would cost
    to build this complex, strict system for the
    first time.  Their estimate of $100,000 per site for
    building a new system was then used as the
    average cost of compliance per site.  The over $30
    billion estimated total cost assumed that
    360,000 sites (large and small) would each build a new
    system from scratch for that $100,000 per
    site.
    
          But that is not the way that software works
    today.  According to the study's figures, most
    of those 360,000 sites are small or medium sites.
    These sites will not ask expensive consultants to
    write entirely new one-of-a-kind software.  Instead,
    small, medium, and many larger sites will buy
    software packages.  Implementation may include a
    moderate amount of tailoring for a particular
    company.  But the cost of that tailoring is much less
    expensive, often by an order of magnitude,
    than writing software from scratch.  The incremental
    cost of compliance will further be reduced
    because privacy compliance will likely be undertaken
    as part of a broader upgrading of a site, of
    the sort that is often done in the rapidly changing
    Internet environment, rather than as a
    stand-alone cost item.
    
          Put another way, the first system of a new type
    costs far more to build than the 360,000th.
    Experience gained in early systems makes it far less
    expensive to build later systems.  Even if
    Congress surprises everyone by requiring every one of
    the unrealistically strict criteria that the
    study assumed, later systems will cost much less than
    the $100,000 that the study uses.  And,
    Congress will not impose those criteria, so the cost
    of actual legislation will be even less.
    
          Conclusion.
    
          I have written this detailed analysis of the
    study because of my belief that it will be
    irresistibly tempting for critics of privacy
    legislation to quote the $30 billion, or even the $9
    billion, estimate as though these are realistic
    figures.  For the reasons stated here, those estimates
    are far too high given the study's own assumptions.
    It is unrealistic to treat small web sites as
    though they will pay the same compliance fees as large
    web sites.  It is unrealistic to estimate
    360,000 sites paying the large-site cost when the
    study states that there are only 94,000 medium
    and large sites combined.  It is unrealistic to use
    criteria for system performance that do not
    reflect industry practice or realistic Congressional
    outcomes.  And it is unrealistic to believe that
    the 360,000th site will cost the same as a pioneer
    site that builds features that have never before
    been implemented.  The combined effect of these
    unrealistic features could easily be to reduce the
    cost of compliance by an order of magnitude or even
    more.  The actual costs of compliance
    should likely further be reduced to account for the
    actions industry would take and has already
    taken in the absence of legislation.  And any ultimate
    decision about the desirability of legislation
    should consider the benefits of privacy protection,
    which this study does not do in a systematic
    way.
    
          With all that said, the study does make the
    correct point that badly drafted legislation, in
    privacy as in other areas, can impose substantial and
    undesirable costs. If Internet privacy
    legislation is enacted, then it should be based on
    careful attention to how principles such as notice,
    choice, access, security, and enforcement would work
    in practice.  My own goal, as a private
    citizen and while in the Clinton Administration, is to
    promote sharing of information where that is
    beneficial and to keep information confidential in
    appropriate situations, such as where the
    information is especially sensitive or is gathered or
    used contrary to the wishes of the individual.
    In seeking to discern useful information flows from
    invasions of privacy, policymakers need to
    rely on more realistic estimates of the effects of
    legislation than I am afraid this study provides.
    
          There have been other studies released in recent
    months, sponsored by other groups, that
    have estimated the costs and benefits of privacy
    legislation.  These other studies also deserve
    
    =======
    
    Peter P. Swire is Professor of Law at the Ohio State
    University.  In the 2001-2002 academic year,
    he will be a Visiting Professor of Law at George
    Washington University.  From 1999 until early
    2001, Professor Swire served as the first Chief
    Counselor for Privacy in the U.S. Office of
    Management and Budget.  With Lawrence Lessig, he is
    Editor of the Cyberspace Law Abstracts
    of the Social Science Research Network.  Many of his
    writings appear at
    www.osu.edu/units/law/swire.htm. E-mail at
    swire.1at_private  Phone: (301) 213-9587.  Privacy
    documents from the Clinton Administration are
    available at the Presidential Privacy Archives of
    the Technology Policy Group, at www.privacy2000.org.
    
    **********
    
    From: Richard M. Smith [mailto:rmsat_private]
    Sent: Tuesday, May 08, 2001 9:05 AM
    To: rhahnat_private
    Cc: vsampsonat_private; jzuckat_private; Richard M. Smith
    Subject: Where are the B-to-C Web sites?
    
    Hi Robert,
    
    I have a question about today's report that was
    released by ACT:
    
        "An Assessment of the Costs of Proposed Online Privacy Legislation"
        http://www.actonline.org/pubs/HahnStudy.pdf
    
    In the beginning of the report the following statement is made:
    
        "A fundamental issue in the privacy debate relates
        to the ownership of information. Does a company have
        the right to take and use personally identifiable
        information (PII) from a consumer and use that
        information for profit?"
    
    My question is how come no business-to-consumer Web sites
    took part in the survey?  Looking over the list of
    companies from the survey, it appears to me that
    most of them are either software tool companies or consultants
    to other businesses.  If privacy is a consumer issue,
    why were B-to-B companies interviewed exclusively
    for the survey?  Does not compute.
    
    Attached is a list of companies from the report.
    
    Thanks,
    Richard M. Smith
    CTO, Privacy Foundation
    
    ==========================================================================
    
    Active Designs
    Aegis Consulting
    Clarity Consulting
    Compuware
    Crosstier
    DevX
    i3 Solutions
    Information Strategies
    IXL
    Mariner
    MetroSharp
    Online Consulting
    Progressive Systems Consulting, Inc
    Proxicom
    Rocketworks, Inc.
    Rubicon Technologies
    WebBranch
    
    **********
    
    From: Paul Sholtz
    Sent: Wednesday, May 09, 2001 12:21 AM
    To: 'rhahnat_private '
    Subject: cost of privacy article
    
    Dear Mr. Hahn,
    
    I just read through your recent report (published on May 8) concerning the
    costs of privacy. It is an interesting report, but I disagree with you on
    several points.
    
    You point out in your paper that privacy is a problem in data ownership.
    Define who owns what data, and you've solved the privacy problem. I agree
    with that. In fact, I think you've solved lots of other problems as well,
    such as all the IP issues surrounding Napster, etc.
    
    However, problems in ownership and property rights can often be modeled and
    resolved using the Coase Theorem. You reference some academic work that has
    been done in property rights, but none of it references the Coase Theorem,
    which outlines correlations between property rights and transaction costs.
    
    I have made a number of economic arguments in favor of consumer property
    rights over personal information, based largely on the Coase Theorem (it is
    now cheaper for a company to tag permissions w/ data throughout the
    enterprise than it is to risk a privacy breach).
    
    You can find some of my papers at:
    
    http://www.firstmonday.org/issues/current_issue/sholtz/index.html (<--
    transaction costs + Coase Theorem)
    http://www.firstmonday.org/issues/issue5_9/sholtz/index.html (<-- more
    general economics)
    
    I think from a 50,000-ft view, these papers outline reasons why consumer
    privacy saves money over the long term.. (instead of costing tens of
    billions like you say).
    
    In terms of the rest of your article, I have the following points:
    
    (*) you indicate (on p.3) that the loss in revenue in PII-related
    advertising would be significant. In fact, ALL advertising is based on PII
    ultimately (in some way or another), and frankly, in today's economy w/ the
    Internet, ALL advertising is economically inefficient (although I won't get
    into the details of why here)
    
    The purpose of technology is to replace old, inefficient ways of doing
    business with newer, more efficient models. To say that we cannot have
    privacy b/c it decreases PII-related ad revenue is like telling Henry Ford
    he can't build cars b/c they negatively impact the business of building
    horse-carriages.
    
    (*) You also say the PII-related ad market is small (p.3). In fact,
    conservative estimates place the value of the American direct marketing
    industry at roughly $600 billion annually. The DMA would like to think it's
    over $1 trillion annually.. I'm not sure what he's talking about in saying
    that PII-related advertising is a small business - it's about 1/7 of the US
    GDP..
    
    When you're talking about a market that is worth $1 trillion, then $30
    billion (<--that's roughly your cost of privacy estimate, isn't it?) of
    upgrades in that market to make it more efficient is a TINY drop in the
    bucket. It's less than 1/10th of 1%..
    
    (*) On page 9, I'd like to indicate that the REAL distinction between online
    and offline privacy are the transaction costs involved in how the
    information is collected. You don't address this, and instead only focus on
    the type and use of the information collected. These points are obviously
    important, but the change in transaction costs is what necessitates the
    change in property rights (under the Coase Theorem).
    
    (*) On page 13, you point out that Yahoo! depends almost exclusively on
    banner ad revenue and that privacy legislation would destroy companies like
    that. In fact, Yahoo and banner advertising is an extremely inefficient
    business. Yahoo is the ONLY company in world history that ever turned a
    profit from banner advertising, and now even Yahoo can't do it anymore (b/c
    businesses are realizing that banner ads are not an efficient use of their
    resources). If only ONE company in the world can profit from a business
    model (and when it's a business model that bazillions of companies are
    TRYING to profit from), common sense would suggest there is something
    EXTREMELY WRONG w/ that business model..
    
    (*) on Page 14, When a user first opts-in, and then opts-out, you suggest
    that all the organizations with which info was shared in the intervening
    period would have to be notified.
    
    Well - yes and no. Today that is still frankly a technicality. The consumer
    has still created value for herself by opting out, even though some info was
    released beforehand.
    
    More importantly, if you REALLY own personal data, you should be able to
    publish changes in the data or terms of use in one place and have all
    "subscribers" to that data notified simultaneously.
    
    For instance, whenever you move you have to change your magazine
    subscriptions. It's a real pain to fill out change-of-address forms for each
    magazine you are subscribed to .. it would be easier to fill out the change
    once and have it propagate through to all relevant magazines.
    
    This technology/business paradigm does not exist today, although it should.
    It is possible to do, and much cheaper than the current system. This is (in
    part) what a property rights system over personal data would look like. The
    fact that such technology/business paradigms do not exist is what you are
    referring to in your opt-in/opt-out dilemma.. In fact, this economic
    paradigm is FAR MORE efficient than banner ads at Yahoo! (in terms of being
    a model that "monetizes" personal data, as people from Yahoo like to say)
    
    (*) The focus of this article is on why it is hard and expensive for
    businesses to upgrade IT to meet privacy demands. You cite (on p. 17) that
    the biggest cost is in integration and in having businesses offer the
    "services" they need in order to make privacy happen.
    
    In fact, there is a trend currently underway in IT called "Web services"
    that allows businesses to quickly and easily segment their IT according to
    discrete "Services" they offer to their customers. Businesses are already
    adopting Web services (willingly) and Web services allow businesses to
    quickly and easily add privacy services in the process of upgrading IT (<--
    I am currently writing an article on this topic for an IT magazine - I'll
    let you know when it's done)
    
    (*) on p. 24, yes I agree that the market is reacting to address privacy,
    but the market needs the (slight) nudge of law to help it along. Property
    rights IS the market-based answer to privacy, but you can't have property
    rights unless you have a government that defines a right to property. The
    whole concept of Coase is that the government can create a market for scarce
    goods where none would otherwise exist.
    
    Once you have this system of property rights in place, then yes, market
    based alternatives work (that said, of course it will still cost businesses
    SOME money to implement them, but the business will save lots of money over
    the long run).
    
    Best Regards,
    
    Paul Sholtz
    PrivacyRight, Inc. - www.privacyright.com
    Chief Technology Officer
    
    **********
    
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if it remains intact.
    To subscribe, visit http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Wed May 09 2001 - 16:59:36 PDT