On March 12, 2019, PEP Director Jane Bambauer testified before the Senate Judiciary Committee on the likely impact of GDPR and the CCPA on innovation and consumer welfare. Following her testimony, Senator Lindsey Graham requested that Jane expand her testimony by answering a series of written questions. Jane provided her responses on April 3, 2019.

You can read the Committee’s questions and Jane’s responses here.

On Tuesday, March 12, 2019, PEP Director Jane Bambauer will give testimony to the Senate Judiciary Committee on The Perils of Privacy as Property: The Likely Impact of GDPR and the CCPA on Innovation and Consumer Welfare.

You can read Jane’s prepared testimony here.

This dispatch of the PEP report takes a fly-over view of the year that just came to a close. Here are a few of the most important developments in policy and research related to privacy, data security, and data stewardship.

Story of the Year

Cambridge Analytica

News that Cambridge Analytica collected data on millions of Facebook users and exploited it to perform political consulting services has caused a seismic shift in privacy debates. For many observers, the scandal moved our attention to the particulars of data ownership over to more fundamental questions about the nature of data-related harm. Most of the observations from civil society describe that harm in terms of manipulation and deceit. For example, a report by the New America Foundation summarizes the Cambridge Analytica events and other related scandals this way:

“The central theme in these scandals is the power of the major digital media platforms to track, target, and segment people into audiences that are highly susceptible to manipulation. These companies have all profited enormously from this market structure, and they have done little to mitigate potential harms.”

Continue reading “PEP 2018 Year in Review”

In his new white paper, Are Firms and Consumers Investing Enough in Data Security?, Program on Economics & Privacy affiliated scholar, Sasha Romanosky surveys the cybersecurity terrain and shows the gaps in the tool set used to assess cyber risks and resulting harms in order to answer the question of whether firms and consumers take enough care to protect personal information.

Many consumer advocates and security and privacy professionals have concluded that companies are not spending enough on IT security. Their assessments are buttressed by the numerous reported cyber incidents and data spills over the past decade. Clearly, these security breaches, privacy intrusions, and software vulnerabilities show that companies are not spending enough to protect consumers’ data and produce safe applications. But there are two problems with this conventional wisdom. First, it ignores the consumer in the model of optimal data security. And second, it wrongly assumes that the right level of security investment would eliminate data breaches altogether.

This white paper helps correct the discussion on both counts.

Read the full report here.

The Federal Trade Commission is hosting a series of hearings on Big Data to air and understand our current evidence base. Last week, the hearings on “Competition and Consumer Protection in the 21^st Century” were held at American University Washington College of Law. (You can watch the speakers here.) This post will provide a summary of the first panel of the hearings, which I thought was one of the highlights of the event.

Continue reading “The PEP Report – November 2018”

by Jane Bambauer

Welcome to the inaugural PEP Report, an occasional (roughly monthly) roundup of news, research, and events related to privacy and economics.

A lot is happening this year, including upcoming public hearings at the FTC on big data and consumer protection and the recent passage of California’s Consumer Privacy Protection Act. Future PEP Reports will focus on those developments. For now, I would like to highlight research presented at the 46^th TPRC Conference on Communications, Information, and Internet Policy.

TPRC recently took place at American University Washington College of Law. (NB: It’s called TPRC because it used to stand for the Telecommunications Policy Research Conference, but the scope has since expanded to include the Internet, of course.) As usual, TPRC brought together a great lineup of papers from multiple disciplines tackling current and future problems in communications policy. Below are my thoughts on some of my favorite papers.

One note about the conference over all: TPRC has had a Privacy/Security track for several years now, but some of my favorite papers were in other tracks, and had only brief discussions of privacy law. This is telling. Too often, the authors of privacy papers are not forced to be in conversation with researchers who are trying to optimize the utility of information and communications technologies, and vice versa. In the future, I would love to see authors and audiences of privacy and data use papers in the same room so that tensions can be aired, acknowledged, and accounted for.

Click below to read about some of my favorite privacy-related papers from TPRC

Continue reading “The PEP Report – October 2018”

American University College of Law will host the TPRC Research Conference on Communications, Information, and Internet Policy on September 21-22. This is a terrific, multidisciplinary conference. If you are writing a student note or other research paper about Internet policy and would like to attend, please send me an email at [email protected]. As an academic sponsor, PEP can send one student to the whole conference for free.

For more information and the program agenda, visit the TPRC website here:

http://www.tprcweb.com/

I am honored and excited to carry on the unique work of the Program on Economics & Privacy. PEP is a great match for me because my interest in privacy law grew out of my experience running an economics research program.

The research had nothing to do with privacy, but it used quantitative methods and was very dependent on access to data. I started to notice that the things I found most exciting about the Big Data revolution as an engine for rapidly expanding human knowledge and problem-solving was on a collision course with public distrust and consumer protection regulations. My comfort with, and appreciation for, quantitative methods give me an atypical perspective in the privacy policy community. I have openly questioned whether the most popular privacy proposals have defined the anticipated social problems with enough clarity, and whether there is a sufficient basis for alarm based on the available evidence.

PEP promotes and facilitates both types of academic work– research that defines a personal data problem with precision, and research that measures and analyzes the effects of modern data practices. This is invaluable work because we are entering a critical period for the digital economy and its regulation.

Outside of PEP, many of the policy discussions adopt the standard model for privacy protection, based on some variation of the Fair Information Practices. Those practices are built on outdated assumptions about how information can be collected and used, whereby the anticipated benefits and problems of digitized information are no different from a large warehouse of individual files handled by a very fast clerk. The FIPs are poorly designed when the benefits and problems stem from an entirely different model—where filtering and machine learning can make inferences and perform constrained optimization. Consequently, traditional privacy regulations that attempt to enforce notice and consent have a very crude relationship to the risks of Big Data. The risks that we need to understand are related to the societal effects of constrained optimization—whether the goal of optimization has repercussions that the market is unlikely to correct, for example. The traditional approach to privacy cannot do this work. The traditional approach was designed to resist large scale collection, sharing, and unexpected uses of personal data, yet these are critical elements for the success and social benefits of Big Data. Rapid improvements in service and innovation, for example, require data to be repurposed.

This year, PEP will facilitate economic research on Big Data policy issues through a works-in-progress workshop in December. We will share some of the leading research in this area at a public conference on May 10^th here at the law school. Please mark your calendars. We will also prepare comments for upcoming Federal Trade Commission hearings on privacy and big data.

Please get in touch with me if you have suggestions for issues that PEP should address or research that PEP should promote. I would love to hear from you. My email is [email protected].

PEP is excited to pass along a Request for Proposals from the Internet Association for their Internet Economy Research Fellowships. This is ideal for PhD or JD students, dost-docs, or professional researchers. Please click below to read the full announcement.

Continue reading “Request for Proposals – Internet Economy Research Fellowships”

In How Consumers Value Digital Privacy: New Survey Evidence, Program on Economics & Privacy affiliated scholar, Professor Caleb Fuller presents new data that sheds light on the “Privacy Paradox.”

Regardless of how they define it, few people would deny that they’d like more privacy. The rise of the data-driven economy has thrust privacy issues to the fore of the public consciousness and it is unsurprising that the average American citizen, when surveyed, expresses a desire for less privacy-invasive behavior by both private firms and by government. But are they willing to bear the costs associated with additional privacy protection? The case for government intervention in digital markets is made stronger if consumers value privacy highly and if they are highly uninformed.

Based on a random sample of Internet users, Professor Fuller finds: