George Mason University Antonin Scalia Law School

PEP 2018 Year in Review

This dispatch of the PEP report takes a fly-over view of the year that just came to a close. Here are a few of the most important developments in policy and research related to privacy, data security, and data stewardship.

Story of the Year

Cambridge Analytica

News that Cambridge Analytica collected data on millions of Facebook users and exploited it to perform political consulting services has caused a seismic shift in privacy debates. For many observers, the scandal moved our attention to the particulars of data ownership over to more fundamental questions about the nature of data-related harm. Most of the observations from civil society describe that harm in terms of manipulation and deceit. For example, a report by the New America Foundation summarizes the Cambridge Analytica events and other related scandals this way:

The central theme in these scandals is the power of the major digital media platforms to track, target, and segment people into audiences that are highly susceptible to manipulation. These companies have all profited enormously from this market structure, and they have done little to mitigate potential harms.”

Continue reading “PEP 2018 Year in Review”

Are Firms and Consumers Investing Enough in Data Security?

In his new white paper, Are Firms and Consumers Investing Enough in Data Security?, Program on Economics & Privacy affiliated scholar, Sasha Romanosky surveys the cybersecurity terrain and shows the gaps in the tool set used to assess cyber risks and resulting harms in order to answer the question of whether firms and consumers take enough care to protect personal information.

Many consumer advocates and security and privacy professionals have concluded that companies are not spending enough on IT security. Their assessments are buttressed by the numerous reported cyber incidents and data spills over the past decade. Clearly, these security breaches, privacy intrusions, and software vulnerabilities show that companies are not spending enough to protect consumers’ data and produce safe applications. But there are two problems with this conventional wisdom. First, it ignores the consumer in the model of optimal data security. And second, it wrongly assumes that the right level of security investment would eliminate data breaches altogether.

This white paper helps correct the discussion on both counts.

Read the full report here.

The PEP Report – November 2018

The Federal Trade Commission is hosting a series of hearings on Big Data to air and understand our current evidence base. Last week, the hearings on “Competition and Consumer Protection in the 21st Century” were held at American University Washington College of Law. (You can watch the speakers here.) This post will provide a summary of the first panel of the hearings, which I thought was one of the highlights of the event.

Continue reading “The PEP Report – November 2018”

The PEP Report – October 2018

by Jane Bambauer

Welcome to the inaugural PEP Report, an occasional (roughly monthly) roundup of news, research, and events related to privacy and economics.

A lot is happening this year, including upcoming public hearings at the FTC on big data and consumer protection and the recent passage of California’s Consumer Privacy Protection Act. Future PEP Reports will focus on those developments. For now, I would like to highlight research presented at the 46th TPRC Conference on Communications, Information, and Internet Policy.

TPRC recently took place at American University Washington College of Law. (NB: It’s called TPRC because it used to stand for the Telecommunications Policy Research Conference, but the scope has since expanded to include the Internet, of course.) As usual, TPRC brought together a great lineup of papers from multiple disciplines tackling current and future problems in communications policy. Below are my thoughts on some of my favorite papers.

One note about the conference over all: TPRC has had a Privacy/Security track for several years now, but some of my favorite papers were in other tracks, and had only brief discussions of privacy law. This is telling. Too often, the authors of privacy papers are not forced to be in conversation with researchers who are trying to optimize the utility of information and communications technologies, and vice versa. In the future, I would love to see authors and audiences of privacy and data use papers in the same room so that tensions can be aired, acknowledged, and accounted for.

Click below to read about some of my favorite privacy-related papers from TPRC

Continue reading “The PEP Report – October 2018”

Scalia Law Students: An Opportunity to Attend the TPRC Research Conference on Communications, Information, and Internet Policy for Free

American University College of Law will host the TPRC Research Conference on Communications, Information, and Internet Policy on September 21-22. This is a terrific, multidisciplinary conference. If you are writing a student note or other research paper about Internet policy and would like to attend, please send me an email at jyakowit@gmu.edu. As an academic sponsor, PEP can send one student to the whole conference for free.

For more information and the program agenda, visit the TPRC website here:

http://www.tprcweb.com/

Greetings from Jane Yakowitz Bambauer, the New Director of PEP

I am honored and excited to carry on the unique work of the Program on Economics & Privacy. PEP is a great match for me because my interest in privacy law grew out of my experience running an economics research program.

The research had nothing to do with privacy, but it used quantitative methods and was very dependent on access to data. I started to notice that the things I found most exciting about the Big Data revolution as an engine for rapidly expanding human knowledge and problem-solving was on a collision course with public distrust and consumer protection regulations. My comfort with, and appreciation for, quantitative methods give me an atypical perspective in the privacy policy community. I have openly questioned whether the most popular privacy proposals have defined the anticipated social problems with enough clarity, and whether there is a sufficient basis for alarm based on the available evidence.

PEP promotes and facilitates both types of academic work– research that defines a personal data problem with precision, and research that measures and analyzes the effects of modern data practices. This is invaluable work because we are entering a critical period for the digital economy and its regulation.

Outside of PEP, many of the policy discussions adopt the standard model for privacy protection, based on some variation of the Fair Information Practices. Those practices are built on outdated assumptions about how information can be collected and used, whereby the anticipated benefits and problems of digitized information are no different from a large warehouse of individual files handled by a very fast clerk. The FIPs are poorly designed when the benefits and problems stem from an entirely different model—where filtering and machine learning can make inferences and perform constrained optimization. Consequently, traditional privacy regulations that attempt to enforce notice and consent have a very crude relationship to the risks of Big Data. The risks that we need to understand are related to the societal effects of constrained optimization—whether the goal of optimization has repercussions that the market is unlikely to correct, for example. The traditional approach to privacy cannot do this work. The traditional approach was designed to resist large scale collection, sharing, and unexpected uses of personal data, yet these are critical elements for the success and social benefits of Big Data. Rapid improvements in service and innovation, for example, require data to be repurposed.

This year, PEP will facilitate economic research on Big Data policy issues through a works-in-progress workshop in December. We will share some of the leading research in this area at a public conference on May 10th here at the law school. Please mark your calendars. We will also prepare comments for upcoming Federal Trade Commission hearings on privacy and big data.

Please get in touch with me if you have suggestions for issues that PEP should address or research that PEP should promote. I would love to hear from you. My email is jyakowit@gmu.edu.

Request for Proposals – Internet Economy Research Fellowships

PEP is excited to pass along a Request for Proposals from the Internet Association for their Internet Economy Research Fellowships. This is ideal for PhD or JD students, dost-docs, or professional researchers. Please click below to read the full announcement.

Continue reading “Request for Proposals – Internet Economy Research Fellowships”

How Consumers Value Digital Privacy: New Survey Evidence 

In How Consumers Value Digital Privacy: New Survey Evidence, Program on Economics & Privacy affiliated scholar, Professor Caleb Fuller presents new data that sheds light on the “Privacy Paradox.”

Regardless of how they define it, few people would deny that they’d like more privacy. The rise of the data-driven economy has thrust privacy issues to the fore of the public consciousness and it is unsurprising that the average American citizen, when surveyed, expresses a desire for less privacy-invasive behavior by both private firms and by government. But are they willing to bear the costs associated with additional privacy protection? The case for government intervention in digital markets is made stronger if consumers value privacy highly and if they are highly uninformed.

Based on a random sample of Internet users, Professor Fuller finds:

      • 71% of Google users would prefer the same experience without tracking. For these users, privacy is an economic good of which they would prefer more, ceteris paribus.
      • Only 15% of Google users would be willing to pay anything to avoid tracking, suggesting that at least for this group the ceteris paribus assumption is key.
      • Of this group, the average annual willingness to pay to avoid tracking was $77, substantially lower than the $850 the average American spends on soft drinks each year.
      •  Among all Google users, 90% respond that they are aware of Google’s information collection, suggesting that, at least with respect to Google, ignorance regarding the practice of information collection is not widespread.

These findings lead Professor Fuller to conclude that “the ‘privacy paradox’ may not be a result of biases causing consumers to act inconsistently with their true preferences. Rather, it’s possible that the paradox may be explained on simpler grounds: surveys often take an unconstrained approach; behavior online always incurs a real cost (even if it’s a very small opportunity cost).”

Professor Fuller will be presenting his paper, Is the Market for Digital Privacy a Failure?, which draws on this new evidence, at the FTC’s PrivacyCon on February 28.

Read the full report here.

Call for Papers: Third Annual Digital Information Policy Scholars Conference

George Mason University Antonin Scalia Law School
Program on Economics & Privacy

Third Annual Digital Information Policy Scholars Conference

April 27, 2018

Antonin Scalia Law School at George Mason University, Arlington, VA


The Program on Economics & Privacy (PEP) at Antonin Scalia Law School will host a scholars conference on the economics of digital information policy on April 27, 2018. The conference will be open to the public.

The mission of PEP is to promote the sound application of economic analysis to issues surrounding the digital information economy through original research, policy outreach, and education. The annual Digital Information Policy Scholars Conference is intended to further this goal by providing a forum to present original research on this important area of the US economy.

Topics:

Topics of interest include, but are not limited to:

      • Consumer valuation of privacy
      • Markets for privacy
      • The impact of state and federal privacy & data security regulation on consumers and firms
      • The GDPR and other European privacy regulations
      • Private litigation under state and federal privacy and data security laws
      • Liability issues surrounding the Internet of Things
      • The use of big data for consumers scoring
      • The intersection of privacy and competition policy
      • Competition policy and Internet platforms
      • Student privacy
      • Consumer responses to disclosures
      • Privacy and data security issues surrounding biometrics

     

    Submissions:

    Please send your paper or abstract by February 19, 2018, to Jeff T. Smith, Coordinator of PEP, at jsmithq@gmu.edu. Preference will be given to completed papers. The selection committee includes Alessandro Acquisti (Carnegie Mellon), Jane Bambauer (University of Arizona, James E. Rogers College of Law), Michael Baye (Indiana University, Kelley School of Business), James Cooper (George Mason University Antonin Scalia Law School), Sasha Romanosky (RAND), Andrew Stivers (Federal Trade Commission), and Catherine Tucker (MIT, Sloan School of Management). Selections will be made by March 5, 2018.

    Selected authors will receive a $300 honorarium and will be provided lodging for the night of April 26, 2018. There will be a dinner for participants on April 26. Selected authors will be responsible for submitting a final version of their paper by April 13, 2017. In addition to presenting their paper, selected authors will be expected to serve as a discussant for one paper at the conference.