George Mason University Antonin Scalia Law School

PEP 2018 Year in Review

This dispatch of the PEP report takes a fly-over view of the year that just came to a close. Here are a few of the most important developments in policy and research related to privacy, data security, and data stewardship.

Story of the Year

Cambridge Analytica

News that Cambridge Analytica collected data on millions of Facebook users and exploited it to perform political consulting services has caused a seismic shift in privacy debates. For many observers, the scandal moved our attention to the particulars of data ownership over to more fundamental questions about the nature of data-related harm. Most of the observations from civil society describe that harm in terms of manipulation and deceit. For example, a report by the New America Foundation summarizes the Cambridge Analytica events and other related scandals this way:

The central theme in these scandals is the power of the major digital media platforms to track, target, and segment people into audiences that are highly susceptible to manipulation. These companies have all profited enormously from this market structure, and they have done little to mitigate potential harms.”

Continue reading “PEP 2018 Year in Review”

Cambridge Analytica and the Meaning of Privacy Harm

In 2014 and 2015, the research company Cambridge Analytica was able to amass a database of information on 87 million Facebook users, based on the survey results of just a few hundred thousand personality quiz participants. The company then used this data to try to get political consulting clients. In her new white paper, Program on Economics & Privacy Director Jane Bambauer argues that while almost everyone agrees that something went wrong here, defining the harm such that it can elucidate the best course for public policy is an exceedingly difficult task.

This issue raises multiple concerns, each deserving of careful consideration, but which have divergent implications for how policymakers should respond. Professor Bambauer’s paper uses the Cambridge Analytica episode to explore why the meaning of a privacy-related harm is so difficult to define and why lawmakers are wise to proceed with caution as they develop new privacy laws.

You can read the full paper here.

Are Firms and Consumers Investing Enough in Data Security?

In his new white paper, Are Firms and Consumers Investing Enough in Data Security?, Program on Economics & Privacy affiliated scholar, Sasha Romanosky surveys the cybersecurity terrain and shows the gaps in the tool set used to assess cyber risks and resulting harms in order to answer the question of whether firms and consumers take enough care to protect personal information.

Many consumer advocates and security and privacy professionals have concluded that companies are not spending enough on IT security. Their assessments are buttressed by the numerous reported cyber incidents and data spills over the past decade. Clearly, these security breaches, privacy intrusions, and software vulnerabilities show that companies are not spending enough to protect consumers’ data and produce safe applications. But there are two problems with this conventional wisdom. First, it ignores the consumer in the model of optimal data security. And second, it wrongly assumes that the right level of security investment would eliminate data breaches altogether.

This white paper helps correct the discussion on both counts.

Read the full report here.

The PEP Report – November 2018

The Federal Trade Commission is hosting a series of hearings on Big Data to air and understand our current evidence base. Last week, the hearings on “Competition and Consumer Protection in the 21st Century” were held at American University Washington College of Law. (You can watch the speakers here.) This post will provide a summary of the first panel of the hearings, which I thought was one of the highlights of the event.

Continue reading “The PEP Report – November 2018”

The PEP Report – October 2018

by Jane Bambauer

Welcome to the inaugural PEP Report, an occasional (roughly monthly) roundup of news, research, and events related to privacy and economics.

A lot is happening this year, including upcoming public hearings at the FTC on big data and consumer protection and the recent passage of California’s Consumer Privacy Protection Act. Future PEP Reports will focus on those developments. For now, I would like to highlight research presented at the 46th TPRC Conference on Communications, Information, and Internet Policy.

TPRC recently took place at American University Washington College of Law. (NB: It’s called TPRC because it used to stand for the Telecommunications Policy Research Conference, but the scope has since expanded to include the Internet, of course.) As usual, TPRC brought together a great lineup of papers from multiple disciplines tackling current and future problems in communications policy. Below are my thoughts on some of my favorite papers.

One note about the conference over all: TPRC has had a Privacy/Security track for several years now, but some of my favorite papers were in other tracks, and had only brief discussions of privacy law. This is telling. Too often, the authors of privacy papers are not forced to be in conversation with researchers who are trying to optimize the utility of information and communications technologies, and vice versa. In the future, I would love to see authors and audiences of privacy and data use papers in the same room so that tensions can be aired, acknowledged, and accounted for.

Click below to read about some of my favorite privacy-related papers from TPRC

Continue reading “The PEP Report – October 2018”

Scalia Law Students: An Opportunity to Attend the TPRC Research Conference on Communications, Information, and Internet Policy for Free

American University College of Law will host the TPRC Research Conference on Communications, Information, and Internet Policy on September 21-22. This is a terrific, multidisciplinary conference. If you are writing a student note or other research paper about Internet policy and would like to attend, please send me an email at As an academic sponsor, PEP can send one student to the whole conference for free.

For more information and the program agenda, visit the TPRC website here:

Greetings from Jane Yakowitz Bambauer, the New Director of PEP

I am honored and excited to carry on the unique work of the Program on Economics & Privacy. PEP is a great match for me because my interest in privacy law grew out of my experience running an economics research program.

The research had nothing to do with privacy, but it used quantitative methods and was very dependent on access to data. I started to notice that the things I found most exciting about the Big Data revolution as an engine for rapidly expanding human knowledge and problem-solving was on a collision course with public distrust and consumer protection regulations. My comfort with, and appreciation for, quantitative methods give me an atypical perspective in the privacy policy community. I have openly questioned whether the most popular privacy proposals have defined the anticipated social problems with enough clarity, and whether there is a sufficient basis for alarm based on the available evidence.

PEP promotes and facilitates both types of academic work– research that defines a personal data problem with precision, and research that measures and analyzes the effects of modern data practices. This is invaluable work because we are entering a critical period for the digital economy and its regulation.

Outside of PEP, many of the policy discussions adopt the standard model for privacy protection, based on some variation of the Fair Information Practices. Those practices are built on outdated assumptions about how information can be collected and used, whereby the anticipated benefits and problems of digitized information are no different from a large warehouse of individual files handled by a very fast clerk. The FIPs are poorly designed when the benefits and problems stem from an entirely different model—where filtering and machine learning can make inferences and perform constrained optimization. Consequently, traditional privacy regulations that attempt to enforce notice and consent have a very crude relationship to the risks of Big Data. The risks that we need to understand are related to the societal effects of constrained optimization—whether the goal of optimization has repercussions that the market is unlikely to correct, for example. The traditional approach to privacy cannot do this work. The traditional approach was designed to resist large scale collection, sharing, and unexpected uses of personal data, yet these are critical elements for the success and social benefits of Big Data. Rapid improvements in service and innovation, for example, require data to be repurposed.

This year, PEP will facilitate economic research on Big Data policy issues through a works-in-progress workshop in December. We will share some of the leading research in this area at a public conference on May 10th here at the law school. Please mark your calendars. We will also prepare comments for upcoming Federal Trade Commission hearings on privacy and big data.

Please get in touch with me if you have suggestions for issues that PEP should address or research that PEP should promote. I would love to hear from you. My email is

Request for Proposals – Internet Economy Research Fellowships

PEP is excited to pass along a Request for Proposals from the Internet Association for their Internet Economy Research Fellowships. This is ideal for PhD or JD students, dost-docs, or professional researchers. Please click below to read the full announcement.

Continue reading “Request for Proposals – Internet Economy Research Fellowships”

6th Annual Public Policy Symposium on the Law & Economics of Privacy and Data Security

The Program on Economics & Privacy, with the support of the Federalist Society’s Regulatory Transparency Project, will hold its 6th Annual Public Policy Symposium on the Law & Economics of Privacy and Data Security, on Friday, June 1, 2018 at George Mason University Antonin Scalia Law School in Arlington, VA.

In the wake of the Facebook-Cambridge Analytica affair and recent high-profile data breaches, we are at an inflection point. There are increasing calls to rethink regulation of the digital economy, Congress is considering several bills to overhaul the laws governing the collection and use of consumer data, and the impact of the GDPR will be felt in the US in less than a month. What’s more, a new slate of FTC Commissioners has just started work.

Join us on June 1 for the 6th Annual Symposium on the Law & Economics of Privacy and Data Security where we tackle these issues with thought leaders from government, academia, think tanks, and industry.

This year’s symposium will include remarks from the new Director of the FTC’s Bureau of Consumer Protection, Andrew Smith.

The symposium will also feature panels on A New Regulatory Regime for Digital Platforms?, Algorithmic “Fairness”, What Does the GDPR Mean for the US?, and Researching Bug Bounty Programs.

Click here to view the agenda.

Third Annual Digital Information Policy Scholars Conference

The Third Annual Digital Information Policy Scholars Conference will be held on Friday, April 27, 2018 at George Mason University Antonin Scalia Law School in Arlington, Virginia. Registration and breakfast will start at 8:00 am, and the program will begin at 9:00 am. The conference is hosted by the Program on Economics & Privacy whose mission is to promote the sound application of economic analysis to issues surrounding the digital information economy through original research, policy outreach, and education.

The Conference will feature a luncheon keynote from Andrew E. Stivers, Deputy Director for Consumer Protection, Bureau of Economics, Federal Trade Commission.

This conference will feature 12 original research papers, including:

SEC Financial Filings 
Ginger Jin (University of Maryland and National Bureau of Economic Research) and Yi Cao (University of Maryland Robert H. Smith School of Business)

Privacy Literacy and Self-Efficacy in Establishing Value of Privacy
Dmitry Epstein and Kelly Quinn (University of Illinois at Chicago)

Sponsored Search Advertisement and Consumer Prices
Eduardo Schnadower MustriAlessandro Acquisti (Carnegie Mellon University), and Idris Adjerid (University of Notre Dame)

Infrastructural Solutions to the Analog Keyhole Problem
David Sidi and Laura Brandimarte (The University of Arizona)

Are Digital Markets Different?
John Newman (University of Memphis Cecil C. Humphreys School of Law)

Airbnb, Anonymity, and Illegal Actors
Liad Wagman (IIT Stuart School of Business)

See the full agenda HERE.