Showing 9 of 181 Publications in Data Security & Privacy

Understanding Competition in Markets Involving Data or Personal or Commercial Information (FTC Hearings, ICLE Comment 7)

Written Testimonies & Filings FTC Hearings on Competition & Consumer Protection in the 21st Century. Comments of the International Center for Law & Economics: Understanding Competition in Markets Involving Data or Personal or Commercial Information. Hearing #6 (Nov. 6-8, 2018). Submitted January 7, 2019.

Comments of the International Center for Law & Economics

Markets involving data and personal information have unique characteristics, but do not present such novel challenges that the well-developed tools of antitrust are incapable of incorporating them. Nonetheless, some critics continue to press for misguided antitrust intervention into data markets, often based on fundamental misunderstandings. 

For a start, commonly repeated analogies between data and oil are highly misleading. Oil is a physical commodity that is highly rivalrous (a user cannot use oil without impairing others’ ability to use the same oil) and readily excludable (it can easily be stored in ways that prevent use by non-authorized parties). By contrast, data is simply information that bears some of the traits of a public good: it is often non-rivalrous in consumption (the same information may be used by multiple parties without any degradation) and difficult to appropriate (because it is difficult to prevent others’ use of the same data, it is difficult to ensure optimal investment in its creation). Moreover, in most instances, it is not data that is scarce, but the expertise required to generate and analyze it. In any case, most successful internet companies started life with little to no data. This suggests that data is more a byproduct of the ongoing operation of internet platforms than it is a critical input for their creation.

Further, data is unlikely to constitute a barrier to entry, and even less likely to amount to an essential facility. As George Stigler famously argued, a barrier to entry is “[a] cost of producing that must be borne by a firm which seeks to enter an industry but is not borne by firms already in the industry.” There is no reason that the cost of obtaining data for a new entrant should be any higher than it was for an incumbent. In fact, the opposite will often turn out to be true.

Other ills that allegedly plague data-rich markets (and the merits of proposed solutions) are equally dubious. This is notably the case for the relationship between mandated data portability and competition. Contrary to what some scholars have advanced, it is far from clear that mandated data portability will increase consumer welfare in data-reliant markets. Not only is this type of portability unlikely to significantly affect switching costs for consumers but, even if it did, this would have ambiguous consumer welfare consequences (as is generally the case for consumer lock-in and regulatory interventions to overcome it). To make matters worse, mandated data portability is not without its risks. Most notably, data portability poses data security and user privacy risks.

Likewise, fears of costly price discrimination and widespread algorithmic collusion are greatly overblown. While it is true that big data may have a transformative effect on firms’ ability to price discriminate, there is no strong reason to believe that this would have a detrimental effect on consumer welfare. Instead, as with all forms of price discrimination, it may potentially expand output and allow less well-off consumers to participate in markets they might otherwise be priced out of. Similarly, the idea that big data and algorithms will lead to collusion is deeply flawed. Fears of collusion rest on the faulty premise that online marketplaces and the use of big data will dramatically increase transparency, thus facilitating collusion. In fact, the opposite is just as likely (and, in any case, the manifest benefits of increased transparency likely outweigh the speculative costs).

In short, the advent of data-enabled markets does not have implications that support the calls for a significant expansion of antitrust tools and antitrust enforcement being made. Data is not irrelevant, of course, but it is just one amongst a plethora of factors that enforcement authorities and courts should consider when they analyze firms’ behavior.

Antitrust & Consumer Protection

When “Reasonable” Isn’t: The FTC’s Standard-less Data Security Standard

Scholarship

Summary

Although the FTC is well-staffed with highly skilled economists, its approach to data security is disappointingly light on economic analysis. The unfortunate result of this lacuna is an approach to these complex issues lacking in analytical rigor and the humility borne of analysis grounded in sound economics. In particular, the Commission’s “reasonableness” approach to assessing whether data security practices are unfair under Section 5 of the FTC Act lacks all but the most superficial trappings of the well-established law and economics of torts, from which the concept is borrowed.

In actuality, however, the Commission’s manufactured “reasonableness” standard — which, as its name suggests, purports to evaluate data security practices under a negligence-like framework — actually amounts in effect to a rule of strict liability for any company that collects personally identifiable data. This is manifestly not what Section 5 intends.

In its recent LabMD opinion, the Commission describes its approach as “cost-benefit analysis.” But simply listing out (some) costs and benefits is not the same thing as analyzing them. Recognizing that tradeoffs exist is a good start, but it is not a sufficient end, and “reasonableness” — if it is to be anything other than the mercurial preferences of three FTC commissioners — must contain analytical content.

Persistent and unyielding uncertainty over the contours of the FTC’s data security standard means that companies may be required to accept the reality that, no matter what they do short of the extremes, liability is possible. Worse, there is no way reliably to judge whether conduct (short of obvious fringe cases) is even likely to increase liability risk.

The FTC’s recent LabMD case highlights the scope of the problem and the lack of economic analytical rigor endemic to the FTC’s purported data security standard. To be sure, other factors also contribute to the lack of certainty and sufficient rigor (i.e., matters of process at the agency), but at root sits a “standardless” standard, masquerading as an economic framework.

This paper explores these defects, paying particular attention to the FTC’s decision in LabMD and subsequent district court proceedings in the case.

Antitrust & Consumer Protection

Geoffrey Manne at FTC Hearing #9: Data Security

Presentations & Interviews

ICLE founder and president Geoffrey Manne participated in FTC Hearing #9: Data Security, on the panel entitled FTC Data Security Enforcement, on Wednesday, December 12, 2018, at the FTC Constitution Center Auditorium, Washington, DC.

The data security hearings included five panel discussions and additional discussion of research related to data breaches and data security threats. The first day’s panel discussions examined incentives to invest in data security and consumer demand for data security. Discussions on the second day focused on data security assessments, the U.S. framework related to consumer data security, and the FTC’s data security enforcement program.


Data Security & Privacy

ICLE urges NTIA to avoid heavy-handed privacy regulation that would stifle innovation and limit consumer choice

Regulatory Comments

Last week, ICLE submitted comments to the National Telecommunications and Information Administration (NTIA) on Developing the Administration’s Approach to Consumer Privacy. Scholars Geoffrey Manne, Kristian Stout, and Dirk Auer urge the agency to avoid legislation mandating tight controls on private companies’ use of consumer data akin to the EU’s General Data Protection Regulation (GDPR).

Although the US does not have a single, omnibus, privacy regulation, this does not mean that the US does not have “privacy law.” In the US, there already exist generally applicable laws at both the federal and state level that provide a wide scope of protection for individuals, including consumer protection laws that apply to companies’ data use and security practices, as well as those that have been developed in common law (property, contract, and tort) and criminal codes.

In addition, there are specific regulations pertaining to certain kinds of information, such as medical records, personal information collected online from children, credit reporting, as well as the use of data in a manner that might lead to certain kinds of illegal discrimination.

Getting regulation right is always difficult, but it is all the more so when confronting evolving technology, inconsistent and varied consumer demand, and intertwined economic effects — all conditions that confront online privacy regulation. Given this complexity, and the limits of our knowledge regarding consumer preferences and business conduct in this area, ICLE’s evaluation suggests that the proper method of regulating privacy is, for now at least, the course that the Federal Trade Commission (FTC) has historically taken: case-by-case examination of actual privacy harms, without ex ante regulations, coupled with narrow legislation targeted at problematic uses of personal information.

Many (if not most) services on the Internet are offered on the basis that user data can, within certain limits, be used by a firm to enhance its services and support its business model, thereby generating benefits to users. To varying degrees (and with varying degrees of granularity), services offer consumers the opportunity to opt out of this consent to the use of their data, although in some cases the only way effectively to opt out is to refrain from using a service at all.

Critics of the US approach to privacy sometimes advocate for a move to an opt-in regime (as is the case in the GDPR). But the problem is that “‘[o]pt-in’ provides no greater privacy protection than ‘opt-out’ but imposes significantly higher costs with dramatically different legal and economic implications.” In staunching the flow of data, opt-in regimes impose both direct and indirect costs on the economy and on consumers, reducing the value of certain products and services not only to the individual who does not opt in, but to the broader network as a whole. Not surprisingly, these effects fall disproportionately on the relatively poor and the less technology-literate.

U.S. privacy regulators have generally evidenced admirable restraint and assessed the relevant tradeoffs, recognizing that the authorized collection and use of consumer information by data companies confers enormous benefits, even as it entails some risks. Indeed, the overwhelming conclusion of decades of intense scrutiny is that the application of ex ante privacy principles across industries is a fraught exercise as each firm faces a different set of consumer expectations about its provision of innovative services, including privacy protections.

This does not mean that privacy regulation should never be debated, nor that a more prescriptive regime should never be considered. But any such efforts must begin with the collective wisdom of the agencies, scholars, and policy makers that have been operating in this space for decades, and with a deep understanding of the business realities and consumer welfare effects involved.


Data Security & Privacy

ICLE’s Gus Hurwitz Joins the Cyberlaw Podcast to Discuss Bulk Data Collection

Presentations & Interviews

ICLE Director of Law & Economics Programs Gus Hurwitz discusses the European Court of Human Rights’ ruling that GCHQ’s bulk data collection practices fail to meet human rights standards, though they can be fixed without dumping bulk collection. And I marvel that France is urging the European Court of Justice, which needs little encouragement to indulge its anti-Americanism, to impose Europe’s “right to be forgotten” censorship regime on Americans and on other users around the world. That’s a position so extreme that it was even opposed by the European Commission. The full episode is embedded below.

https://www.steptoe.com/podcasts/TheCyberlawPodcast-231.mp3

 

Data Security & Privacy

Joshua Wright at FTC Hearing #1: The Current Landscape of Competition and Privacy Law and Policy

Presentations & Interviews

ICLE Senior Scholar Joshua Wright participated in the FTC’s Hearing #1: The Current Landscape of Competition and Privacy Law and Policy on the panel, Has the US Economy Become More Concentrated and Less Competitive: A Review of the Data.

 

Antitrust & Consumer Protection

The Rise of Neo-Brandeisian Competition Policy and the Threat to Evidence-Based Regulation: (FTC Hearings, ICLE Comment 1)

Written Testimonies & Filings FTC Hearings on Competition & Consumer Protection in the 21st Century. Comments of the International Center for Law & Economics: The Rise of Neo-Brandeisian Competition Policy: Populism and Political Power and the Threat to Economically Grounded, Evidence-Based Competition Law and Consumer Protection Regulation. Submitted August 20, 2018.

Comments of the International Center for Law & Economics:

In 1995, then-FTC-Chairman Pitofsky convened a set of hearings — the Global Competition and Innovation hearings (“Pitofsky Hearings”) — aimed at investigating the implications for antitrust law, economics, and policy of “increasing globalization and rapid innovation.” As the Pitofsky Hearings report noted:

These changes create new possibilities and raise new problems for consumers, businesses, and government agencies. It is in everyone’s interest that government understand these developments in order to make sure that the marketplace continues to work competitively for businesses and consumers.

Two decades later — a near eternity in Internet time — the same changes are proceeding apace, and the need for greater understanding remains; arguably, it is even more acute today.

By the 1990s, the global marketplace had already grown dramatically, and technology startups were beginning to test new regulatory and legal fault lines. Today we face an even-more-tightly integrated world market, along with the intensification of international tariff disputes, the creative imposition of non-tariff trade barriers (including antitrust enforcement), and the increased brazenness of politicized industrial policy implementation that expanded global competition brings.

Meanwhile, several of the tech companies that were at most fledglings (if they existed at all) in 1995 have grown to become some of the most highly valued companies in the world. Their success — and the dramatic evolution of the world economy it has brought about — has engendered a new wave of hand wringing over firm size, industry structure, the social consequences of economic and technological change, and the proper role of antitrust and consumer protection law in addressing them.

Chairman Simons and the Commission should be commended for undertaking these hearings. Greater understanding of the antitrust and consumer protection implications of significant economic developments is always welcome. In particular, there remains much about the welfare implications of competition policy decisions surrounding innovation that we still don’t understand.

Yet, while some of the business, economic, and legal specifics are novel, important, and worthy of investigation, the core policy issues we face today are nothing new, and they weren’t new even in the 1990s. The innovation that drives economic growth, while generally beneficial, nonetheless inevitably causes adverse effects for some businesses and/or the interests of some social commentators, and this has resulted in attempts to politicize antitrust in order to protect those businesses and/or social interests. What is troubling is how little we seem to remember of what we do know, even as slightly different versions of the same antitrust debates continue to recur.

Fundamentally, what we know is this: First, unless and until a demonstrably better alternative is offered (and none has been, either today or over the course of antitrust’s 100-year history), the consumer welfare standard — warts and all — is the appropriate touchstone for antitrust enforcement and adjudication. Whether specific firm conduct or enforcement decisions promote consumer welfare is, of course, always up for discussion. But that antitrust law, enforcement decisions, and policy should not intentionally incorporate or be informed by inherently idiosyncratic and inevitably politicized public policy preferences is beyond doubt.

Second, competition and consumer protection policy should be economically grounded and evidence-based. Similarly, decisions regarding policy changes should be based on rigorous, economically robust, and constantly tested empirical knowledge. But it is insufficient to point to even well-supported empirical claims regarding aggregated market effects or specific case outcomes as the basis for (often-dramatic) policy prescriptions. Rather, decisions regarding competition and consumer protection policy must be undertaken with a robust understanding of the institutional structures and agency processes by which they are implemented.

Arguments abound that we should ratchet up antitrust and consumer protection enforcement in various ways in order to tackle hot-button issues like excessive concentration, insufficient privacy protection, fake-news, wealth inequality, and the like. But few of them rest on solid empirical evidence, and fewer still (if any) seriously address whether or how defects in policy and enforcement decisionmaking processes may have led to the claimed problems and whether or how altering those processes would correct them. Such arguments should not simply be ignored, but nor should they be taken seriously unless and until they are rigorously supported by economic, empirical, and institutional analysis.

Antitrust & Consumer Protection

For LabMD, the Devil is in the Not-So-Well Specified Details

TOTM The Eleventh Circuit’s LabMD opinion came out last week and has been something of a Rorschach test for those of us who study consumer protection law. Neil Chilson found the result to be a disturbing sign of slippage in Congress’s command that the FTC refrain from basing enforcement on “public policy.” Berin Szóka, on the other hand, saw the ruling as a long-awaited rebuke against the FTC’s expansive notion of its “unfairness” authority.


Antitrust & Consumer Protection

Comments, In the Matter of Informational Injury Workshop

Regulatory Comments

Summary

In its description of this workshop, the Commission notes that “consumers may suffer injury when information about them is misused,” and suggests that this workshop “will address questions such as how to best characterize these injuries, how to accurately measure such injuries,” and so on. While these are crucial questions, we offer these comments in order to address another set of questions that is missing from the event’s description: How should the Commission determine whether or not, in fact, the conduct leading to such injuries constitutes actionable “misuse[]?” The question is a fundamental one that must be addressed in order to evaluate how businesses, consumers, and the Commission itself do and should respond to purported informational injuries.

Fundamentally, there is a great deal of ambiguity about how consumer protection law should treat data and data breaches. When there is a data breach, the calculation of the extent of informational harm (if any) to consumers is a difficult one. This is complicated, of course, by the sometimes tenuous connection between conduct and injury. It is further complicated, even assuming that particularized harm can be accurately assessed, by the need to balance harms against the benefits conferred by decisions within the firm to optimize a product or service, to lower prices, or to promote other consumer-valued features, such as ease-of-use, performance, and so forth. Where the same conduct that may produce informational injury also produces consumer benefit, determining whether the net effect is, in fact, harmful or not is essential.

The Commission purports to evaluate injury (along with the other elements required by Section 5(n) of the FTC Act) under a so-called “reasonableness” standard. Superficially, at least, this seems sensible: Unfairness entails a balancing of risk, benefits, and harms, and a weighing of avoidance costs consistent with a negligence regime. Easily seen and arguably encompassed within this language are concepts from the common law of negligence such as causation, foreseeability and duty of care. The FTC collapses this into its “reasonableness” approach, specifically eschewing strict liability:

The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities…. [T]he Commission… does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law.

Giving purchase to a reasonableness approach under the Commission’s own guidance would seem to require establishing (i) a clear baseline of appropriate conduct, (ii) a company’s deviation from that baseline, (iii) proof that its deviation caused, or was significantly likely to cause, harm, (iv) substantial harm, (v) proof that the benefits of (e.g., the cost savings from) a company’s conduct didn’t outweigh the expected costs, and (vi) a demonstration that consumers’ costs of avoiding harm would have been greater than the cost of the harm.

Unfortunately, by eliding the distinct elements of a Section 5 unfairness analysis in the data security context, the FTC’s reasonableness approach risks ignoring Congress’ plain requirement that the Commission demonstrate duty, causality and substantiality, and perform a cost-benefit analysis of risk and avoidance costs.

While the FTC pays lip service to addressing these elements, its inductive, short-cut approach of attempting to define reasonableness by reference to the collection of practices previously condemned by its enforcement actions need not — and, in practice, does not — actually entail doing so. Instead, we “don’t know… whether… practices that have not yet been addressed by the FTC are ‘reasonable’ or not,” and we don’t know how the Commission would actually weigh them in an actual rigorous analysis.

At the root of this workshop is the implicit recognition that some, including the FTC itself, have asserted that the unauthorized exposure of private information may be, in and of itself, a harm to individuals, apart from any concrete economic consequences that may result from the exposure. In the FTC’s Opinion in LabMD, for instance, the Commission asserted that

the disclosure of sensitive health or medical information [that] causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n)… disclosure of the mere fact that medical tests were performed irreparably breached consumers’ privacy, which can involve “embarrassment or other negative outcomes, including reputational harm.”

We would contend, however, that defining and evaluating the types of “informational harms” that should be actionable in the case of a data breach requires that the Commission also address fundamental problems with its overall approach to identifying cognizable injury and determining liability under Section 5.

As we discuss below and explain in detail in the attached paper, the FTC’s current “reasonableness standard” for liability under Section 5 runs the risk of being no standard at all. And it is impossible to escape the troubling conclusion that ultimately (and wrongly) the mere retention of data by a firm could be enough to violate Section 5 under this approach.

Such an approach does not comport with the scope of the Congressional grant of authority in Section 5, particularly as it was explicitly limited by Section 5(n). Instead, it converts what should be thought of fundamentally as a demanding cost-benefit requirement meant to limit the Commission’s discretion into a lenient strict liability standard. Before the Commission can understand how to fit different sorts of potential harms into its enforcement framework, it should clarify its approach, and ensure that it is in line with the text and intent of Section 5.

Antitrust & Consumer Protection