Previous Politech messages: http://www.politechbot.com/2005/03/18/catos-jim-harper/ http://www.politechbot.com/2005/03/11/request-for-critique/ -------- Original Message -------- Subject: Privacy proposal. Date: Sun, 20 Mar 2005 16:48:05 -0500 From: Eric C. Grimm <eric.c.grimm@private> Reply-To: Eric C. Grimm <eric.c.grimm@private> To: jharper@private, declan@private, hoofnagle@private, dsolove@private, dave@private Declan, I think all three gentlemen make very good points. And it is pleasantly surprising to see Jim Harper take the view that some modest form of government intervention (through courts and the tort liability system, rather than by legislatures or regulatory agencies) can have a net welfare-beneficial effect, in the area of personal data protection. Indeed, there is good reason to be skeptical of legislative and regulatory intervention -- precisely because of the risk of "capture" by the very entities that are supposed to be regulated. Most of the bills introduced in Congress to regulate private information brokers, over the last several years, contain "pre-emption" clauses that essentially eliminate the ability of states (including the state courts in New Hampshire that Jim mentions favorably) to develop their own rules (either through legislation or through organic evolution of the common law). Based on occasional experience with the court system, however, I do not share Jim's optimism that we can rely on state courts to "evolve" fast enough to solve the problem. Rather, courts have been profoundly reluctant, in most cases, to empower ordinary individuals to police their own privacy. It has taken an extreme, horribly tragic case in New Hampshire, in order for the first glimmers of hope to be seen, from the standpoint of development of the common law. So, based on practical experience (and cognizant of the hundreds of cases that have not led to rapid developments in negligence law for entities like ChoicePoint), I think there is good reason to be skeptical as to whether the courts will really solve the problem. As you know, I'm a late-comer when it comes to opining about protecting individuals' privacy. Hoofnagle and Solove were way ahead of me, in seeing the big picture, so I have to give them credit for any modest insights I may have. When I first started bloviating (even occasionally on your list) on the topic, some years ago, it seemed obvious that a third-party insurance approach (liability insurance for the information brokers), would likely work better than an approach that attempted to address the problem like first-party health or disability insurance (that pays benefits to the victim after bad things happen). If consumers can sue for misuse of their personal information, and collect money damages, then Jim is right -- the brokers and collectors will sit up and take notice, and things will improve quite rapidly. Both people and businesses respond rationally, and quickly, to economic incentives. I'd just like to expand on Jim's point a little bit by pointing out how the rest of the process plays out. The next thing that happens, once ChoicePoint, Bank of America, and other entities, can be held liable in court by individuals, is that the insurance industry steps in. Liability lawsuits create demand for insurance and the insurance industry is always looking for new business opportunities to supply products and services. The insurance industry steps in with two related lines of products/services -- (1) risk management services (to reduce the risk of loss in the first place, by establishing robust levels of protection), and (2) liability insurance (to protect against the damages paid out when errors occur, and costs of suit). Yes, insurance costs money. But it makes a lot more sense to handle the risk through the mechanism of private insurance markets than just to leave customers with the loss (i.e., the people who are not in the best position to do much about data collection, and subsequent handling and dissemination of data, in the first place), and say "tough for you." It makes more sense because leaving the victims to suffer the loss (in classic economic "externality" speak) means that the information brokers essentially receive a subsidy, and do not internalize the full social costs of their activities. Does this mean that prices of information brokers' services may change? Perhaps. Of course, in a competitive marketplace, there will be natural constraints on how much prices can change. But they will have to adjust prices to reflect the cost of insurance (which, in turn, reflects in part the pay-out to victims, in the form of successfully-proven liability claims). But is that such a bad thing? Probably not -- and especially not if you are an incumbent information broker (already possessing a vast database). The more the law changes, the more that your inexpensively-gathered (relative to any new competitors' cost of replicating it) database asset, increases in market value. Incidentally, at about the time that Congress was bandying about a bunch of proposed legislation that contained federal "pre-emption" clauses, that would effectively shut down the very common-law evolution that Jim champions, CitiBank and Travelers (since merged), and (presumably) other credit card issuers, started peddling first-party "identity theft" insurance. They started collecting premiums from consumers, in exchange for a promise to pay to help straighten out the consequences of identity theft, when it occurred. I leave it to your readers to ask whether that approach is the best way to stop identity theft and other harms from happening in the first place. IMHO, that approach is fundamentally inferior to an approach based on tort liability and empowerring individuals to police their own privacy. -- Eric C. Grimm Calligaro & Meyering, P.C. 20600 Eureka Road, Ste 900 Taylor, MI 48180 734.283.2727 -------- Original Message -------- Subject: RE: Privacy proposal. Date: Mon, 21 Mar 2005 15:59:13 -0500 From: Jim Harper <jharper@private> To: Eric C. Grimm <eric.c.grimm@private>, <declan@private>, <hoofnagle@private>, <dsolove@private>, <dave@private> Thanks for the note, Eric. I often find myself debating people who are debating the cartoon version of The Cato Institute or libertarianism. In the cartoon version, there's no role for government at all and libertarians are wild-eyed fanatics. In the real version, the role of government is to prevent people from harming each other, leaving them otherwise free to act as they wish. (Perhaps still wild-eyed, but with a darn good point.) The common law meets (or at least should meet) every harm with a remedy. That follows the libertarian vision because it allows the maximum freedom of action while addressing harmful behavior. Regulation at its best proscribes a set of actions in order to prevent harm. This means that regulation often proscribes non-harmful (even beneficial and productive) actions to get at the harmful subset of the proscribed actions. When it's not at its best, regulation is not even premised on a theory of harm. Rather, whatever interest has captured the legislative and regulatory processes just uses them to tell the rest of the society how it can behave - or it installs regulation that allows harmful behavior. You've referred to "hundreds" of cases where the common law has not "empowered ordinary individuals to police their own privacy." That loose phraseology obscures the most important question: Were people harmed? I know of few cases where people have been harmed in legally cognizable ways by data practices. I mean really harmed, not mildly inconvenienced, disconcerted, or nonplussed. I'm talking about monetary loss, property loss, or mental distress that causes physical symptoms, loss of work, or destruction of family and professional relationships. This might reflect my ignorance or it might reflect the fact that people are rarely actually harmed by mainstream information practices. Perhaps, though, we should adopt new theories of harm. (If Declan posts, I make this suggestion specifically to anyone aching to flame about the last paragraph. Get out of your own head and speak in general terms about what data practices injure people and how they do that - not just what pisses you off.) Solove and Hoofnagle would do wonders if they articulated and defended a general theory of privacy - to underlie either common law development or regulation. Most folks propose a suite of rules, insist that they represent what is "fair," and call for their adoption based on that assertion. These are appealing in a free-lunch sort of way - "You can live in the Information Age and have low prices, easy credit, low mortgage interest rates, cheap insurance, free online content, and good customer service, without sharing 'your' personal information." I wouldn't want a new theory of harm to be adopted quickly, by the way. It should be adopted slowly so that we can be sure it really works and really nests with our society's values and functioning. Because it develops by accreting case after real-world case, common law is much better than regulation for discovering rules that actually work, on every level. You're exactly right that a liability regime is taken into account by market actors, including insurance companies which require their clients to undertake protective measures. This accounts for the objection that tort liability is retrospective. It's not really about the right to sue, but the protections installed in light of the right to sue. These protections are at least equal to the protections required by regulation because regulations consistently miss the new threats while over-responding to the old ones. (See ChoicePoint and the response thereto, now playing out before us.) Again, thanks Eric. Jim Jim Harper Director of Information Policy Studies The Cato Institute and Editor Privacilla.org -------- Original Message -------- Subject: A Taxonomy of Privacy Date: Mon, 21 Mar 2005 17:05:25 -0500 From: Daniel Solove <dsolove@private> To: 'Jim Harper' <jharper@private>, 'Eric C. Grimm' <eric.c.grimm@private>, <declan@private>, <hoofnagle@private>, <dave@private> Jim, Thanks for your continued commentary about our proposal. Thank you Eric as well. Jim writes: "Solove and Hoofnagle would do wonders if they articulated and defended a general theory of privacy -- to underlie either common law development or regulation." I recently attempted such a project, posting a paper on SSRN called "A Taxonomy of Privacy." In that paper, I develop a taxonomy of different activities that present privacy harms or problems and articulate why. The paper, A Taxonomy of Privacy, is available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=667622 ABSTRACT: Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from "an embarrassment of meanings." Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of "privacy" do not fare well when pitted against more concretely-stated countervailing interests. In 1960, the famous torts scholar William Prosser attempted to make sense of the landscape of privacy law by identifying four different interests. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes. Moreover, Prosser wrote over 40 years ago, and new technologies have given rise to a panoply of new privacy harms. A new taxonomy to understand privacy violations is thus sorely needed. This article develops a taxonomy to identify privacy problems in a comprehensive and concrete manner. It endeavors to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law I hope that this paper at least in part answers the challenge you posed above. Regards, Dan Daniel J. Solove Associate Professor of Law George Washington University Law School 2000 H Street, NW Washington, DC 20052 (202) 994-9514 Website: http://www.law.gwu.edu/facweb/dsolove/ -------- Original Message -------- Subject: RE: A Taxonomy of Privacy Date: Mon, 21 Mar 2005 17:57:12 -0500 From: Jim Harper <jharper@private> To: Daniel Solove <dsolove@private>, Eric C. Grimm <eric.c.grimm@private>, <declan@private>, <hoofnagle@private>, <dave@private> I read your paper. It's good - and spot-on for what it does, which is to describe the different (and conflicting, in my opinion) strains of "privacy." What's needed is your normative / prescriptive view of privacy. That is what *should* privacy be as a concept. The best job I've done with mine is in the first section of my Cato paper from last fall, Understanding Privacy -- and the Real Threats to It. http://www.cato.org/pub_display.php?pub_id=1652 "Privacy is the subjective condition that people experience when they have power to control information about themselves and when they exercise that power consistent with their interests and values." That isn't simple because privacy's not simple, but the pages that follow this definition parse it. People are using the word privacy to reach a number of different interests, which is a mistake. The word privacy should be used to describe one specific concept (described in my paper), while "fairness"; "anonymity"; "security"; "crime control"; "freedom from marketing" and so on should be used each in the circumstances relevant to those different concepts. All in my "normative" opinion. (The only thing keeping me from taking poison for my academic, obtuse language is that I didn't use the word "heuristic" or "deconstruction" just now. If I'd a had more time, I'd a written a shorter letter.) Jim -------- Original Message -------- Subject: RE: A Taxonomy of Privacy Date: Mon, 21 Mar 2005 21:01:17 -0500 From: Daniel J. Solove <dsolove@private> To: Jim Harper <jharper@private>, Eric C. Grimm <eric.c.grimm@private>, <declan@private>, <hoofnagle@private>, <dave@private> Jim, I look forward to reading your paper with interest, but I doubt I'll agree with you. I've written about why I believe attempts to conceptualize privacy as a unitary concept fail in my paper, Conceptualizing Privacy: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=313103 I believe that my taxonomy piece is discussing my view of what privacy should be as a concept. I don't see why one has to choose between different dimensions of privacy (unless there's an irreconcilable conflict, which in many cases there need not be). I also don't believe that privacy is a purely subjective individualistic condition. My paper explains this in much greater detail; I won't attempt to engage in a longer discussion because I haven't read your paper (you might just convince me) and because it took me 60 pages in the other paper to explain why I disagree with the kind of conception that you propose (as well as the method of conceptualizing you are using) -- and I doubt I could make a convincing case in a short email. I look forward to your thoughts; it's always fun to engage in a philosophical discussion! Dan Daniel J. Solove Associate Professor of Law George Washington University Law School 2000 H Street, NW Washington, DC 20052 (202) 994-9514 Website: http://www.law.gwu.edu/facweb/dsolove/ -------- Original Message -------- Subject: [Politech] Cato's Jim Harper replies to Solove-Hoofnagle privacy regulation proposal [priv] Date: Fri, 18 Mar 2005 10:47:03 -0800 From: Hancock, John, ISD To: <declan@private> Declan, Jim Harper's thoughtful piece misses two important points. 1. Jim proposes the simple and attractive rule that companies owe a duty to those whose data they collect and use, and should be liable in damages when they mess up and injure the (as the Europeans say) data subjects. This assumes perfect knowledge, perfect efficiency and zero transaction costs. Remsburg was a great case, but it is probably atypical. Proving causation in an identity theft case may be all but impossible. Suppose I am normally quite careful in privacy matters. If ChoicePoint loses my data, and one month later all sorts of bogus charges and accounts in my name start to show up, most of us would have little doubt that ChoicePoint's carelessness caused all the loss, irritation and aggravation I will now go through. But convincing a jury of a cause-effect relationship -- not to mention the cost of convincing that jury, with the expense of lawyers and evidence and witnesses and investigations -- may be rather tricky. Especially now that Bush has made class actions more difficult to maintain, using the courts to address losses of a few hundred to a few thousand dollars per person by hundreds or thousands of people is grossly inefficient and ineffective. Leaving "ChoicePoint" type injuries to the courts is, in effect, denying anyone a remedy. A statutory regime is much more effective, overlaid of course on private liability actions where a given individual has significant enough losses or fortitude to pursue his own claim in court. 2. Jim points out that people choose other things over privacy all the time -- convenience, even a T-shirt -- and says government should not intervene to disallow people's choices. This is the same view that would allow people to arrange for their own retirement by privatizing social security. Again, this assumes perfect knowledge, which few people I know -- even really smart ones -- have. Companies routinely violate their privacy policies. To make an enlightened and appropriate choice over whether to give a company my information, I need perfect knowledge of the company's history and culture (do they do what they say?), its future (will new management take over and decide to sell my data for a quick profit?) and the implications of all this for me (do I really know what it will be like to deal with the identity theft I'm all but inviting? Have I even heard of identity theft?). This kind of exhaustive research before each of the dozens or hundreds of transactions we do each day is -- well, it would be idiotic to assume that anyone can or will do this, even a privacy nut. In short, Jim assumes markets and people who participate in them are perfect, knowledge is total and transactions are free. In my experience, that is false. These errors are consistent with the Cato Institute's general bias, but they lead to conclusions that are simply wrong. John Hancock (please omit email address if you post this.) -------- Original Message -------- Subject: RE: [Fwd: [Politech] Cato's Jim Harper replies to Solove-Hoofnagle privacy regulation proposal [priv]] Date: Fri, 18 Mar 2005 20:09:36 -0500 From: Jim Harper <jharper@private> To: JHancock CC: <declan@private> Thanks for your thoughts, JH - and I appreciate your role in the founding of the nation - but I don't think the "perfect knowledge" critique is viable. A company subject to liability for a data breach could gamble that it's responsibility would never be discovered and compound its liability in doing so. Or it could come forward early and aggressively to fix what it's done. I'm sure some companies might choose the former (just as some companies might hide breaches from regulators), but not mature companies with an eye on building and preserving shareholder value. Liability incentivizes disclosure and - more important - prevention of harm to consumers through responses that are precisely proportionate to the nature of breaches. Rather than nakedly assert that a statutory regime is "much more effective," try to describe why. You'll find that you run right up against your own "perfect knowledge" argument. To protect the public through regulation, don't bureaucrats and politicians need that same "perfect knowledge" you've thrown up against liability? Hold regulation to the same standard you've just held liability to and you'll find the answer is Yes. (And overlaying regulation with liability isn't consistent - you just tried to debunk liability.) It's true that I believe in freedom and responsibility with respect to privacy, retirement savings, and everything else, but I don't see how "perfect knowledge" is required to make real-world privacy choices, to save and invest for retirement, or to do anything else. We do take risks (of privacy loss, of poor investments, and so on) but usually choose well and succeed in living fruitful lives. Lack of "perfect knowledge" doesn't keep us from doing that. I think your assertion of my bias and Cato's reveals your own. And I think you've fixated on "perfect knowledge" because you're thinking about these problems as if you were working on a machine rather than a social system. Jim -------- Original Message -------- Subject: RE: [Fwd: [Politech] Cato's Jim Harper replies to Solove-Hoofnagle privacy regulation proposal [priv]] Date: Mon, 21 Mar 2005 16:21:23 -0800 From: Hancock, John, ISD <JHancock360@private> To: Jim Harper <jharper@private> CC: <declan@private> Jim, Actually I'm pleased to have heard back from you directly. Let's deal with your points separately. 1. Perfect knowledge, perfect efficiency and zero transaction costs. Knowledge isn't free. There is a cost to developing information about what a company (or person or governmental unit) does, what it plans, what it has done in the past and indeed any factual, technical or other information at all. In a given case where a person's loss may be modest -- say, one or two thousand dollars -- the cost of developing that knowledge may, and often does, deny any fair resolution of that loss. It is this problem that underlies the efficacy of class actions: the costs of developing information can be amortized over many modest losses, so that the information cost becomes tractable. Unfortunately, court processes necessarily ignore many externalities and may effectively become a vehicle for enriching the attorneys rather than compensating losses. (Of course, as long as the wrongdoer is out the cash, even enriching the attorneys may act to deter future wrongful acts.) Moreover, through arbitration clauses, various waivers including class action waivers, forum and venue selection clauses and the like, businesses have learned to gut many of the court processes which have traditionally redressed wrongs in the U.S.. Obviously, we could spend many days discussing the comparative merits of arbitration and litigation, the notion that consumers "agree" to the the teeny-tiny light-gray print on the back of documents they sign, and the like, but perhaps we should forego that for the moment. So, accepting your invitation to identify the advantage of regulatory/statutory approaches, those are the key advantages. Factfinding costs can be amortized, externalities can be assessed, technical expertise can be more efficiently tapped, parties not directly affected can provide additional information, and in general social values can be more effectively applied to the situation. Joe Blow is in no position to negotiate with Blue Cross over the use of his personal information, nor is it efficient to expect that. Government has both the power and the reach to determine an approach that reasonably approximates social norms. The time and money used to determine that approach are spread across all transactions, and become manageable. Regrettably, nothing is perfect. Politicians grandstand, regulators are captured by the industries they regulate. Moreover, people have different choices (see below) and the common social approach will be too much for some, too little for others. But government can get closer, at a reasonable per-transaction cost, than take-it-or-leave-it offerings from large organizations. Which supports a continuing role for liability and a private right of action. Additionally, the litigation process which you say I've debunked is just dandy for addressing the problem of A damaging B big time, so that it's worth B's time and money to recover directly from A. Liability is great for addressing sizeable losses. In short: In the real world, with limited time, knowledge and resources, governmental efforts are more effective in certain areas than case-by-case efforts. 2. Freedom and choices. Freedom and choices are certainly what we would like to see in all matters. However, we rarely have the time or ability to evaluate all factors of our transactions, and certainly not to separately negotiate each aspect of everyday transactions. If I buy a car, I may evaluate price, performance, color, "luxury", handling, fuel economy, and a host of other factors. Information sources are available on these matters, and the car's price is so high that I can readily invest the time and money to choose wisely. Or maybe I just think a Trans Am is a hot car, and buy it. It is certainly true that government should minimize interfering with these choices and these approaches. However, there are many factors (for example, what the auto company will do with my personal information) which just aren't on the radar. There are other more important considerations. That doesn't mean that car companies (or hospitals in medical situations, or banks in financial situations) should just do whatever they please with my information. The most efficient way to honor social norms for these factors is simply to impose them, governmentally, at least on a "lowest common denominator" basis. Toyota will not negotiate over this with me. Or Sears, or Citibank. Or, for that matter, ChoicePoint, with which I had no opportunity at all to negotiate. Sure, there are solid companies that take the long view and try to do the right thing. There's also Enron, Tyco, Arthur Andersen and Adelphia. Investors trying to make informed, free choices were hurt badly by those companies. Californians trying to keep their houses warm in winter lost singificantly to energy companies in the deregulated "free" market. Choice simply does not always work for everything, because markets are highly imperfect, transaction costs are significant, knowledge is limited and some market participants are bad guys. For secondary factors, and privacy often is one, choice is rarely germane. In short: In the real world, with limited time and knowledge, governmental action to establish a "floor" of social norms is sometimes more efficient and effective than choice, especially for secondary factors in transactions. _________ Jim, I suspect you haven't had an epiphany and decided to adopt my views. Nevertheless, I've enjoyed the exchange. If you're inclined to respond, please do so. By the way, of course I have biases, we all do. It's a shorthand way of capturing learning, right? John Hancock _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Mon Mar 21 2005 - 20:36:29 PST