TESTIMONY OF
PAUL H. RUBIN, Ph.D.

BEFORE THE
SENATE COMMITTEE ON
COMMERCE, SCIENCE AND TRANSPORTATION

OCTOBER 3, 2000

Mr. Chairman and Members of the Committee:

I want to thank you for inviting me to testify on this important matter this morning. I am appearing before you today in my capacity as a Senior Fellow at The Progress & Freedom Foundation. While the views expressed are my own and do not necessarily represent those of the Foundation, its board, officers or staff, you should know that I am the lead investigator in a major study of the costs and benefits of regulating privacy now underway at the Foundation.¹ The study is not complete, but we have found enough to raise some questions relevant for this morning’s hearing. The issue as we see it is whether market forces will be able do handle issues of privacy, or whether government regulation will improve the functioning of the market.

I first discuss the market for privacy. I then address the issue of whether we can expect government regulation to improve the situation. I stress that these are preliminary results. To summarize, those results suggest that legislation at this time would be premature. While consumers clearly are concerned about on-line privacy, the risk of unforeseen consequences from proposals for government intervention is very high, and those consequences could be to impede the development of the new medium to the detriment of consumers and the economy alike.

THE MARKET

A transaction between a consumer and the owner or operator of a website is a two-party transaction. Therefore, in principle the parties are free to negotiate the terms of that transaction. One of the terms that can be negotiated in this way is the use of whatever information the consumer gives to the website. There is no obvious reason why the consumer cannot make the transaction conditional on the use of the information, or why the marketplace will not offer the kinds of choices consumers desire

For example, consider two competing websites both selling a product – say, CDs. Assume that site CDP has a strong privacy policy, and makes a strong and binding commitment to maintain privacy, and that site CDNP has no privacy policy, and makes use of the information provided by consumers for other purposes. Presumably, CDNP will sell CDs cheaper than will CDP, because it earns revenue from the sale of information received from consumers and so can charge a lower price for CDs and still make a profit. But consumers might still prefer to deal with CDP because the information is worth more to them than to the website. This means that consumers would be willing to pay a higher price for CDs and retain their rights in the information, rather than paying a lower price and losing their rights. If this is the preference of consumers, then at equilibrium CDP will get more business than CDNP, and ultimately CDP’s business model will prevail in the marketplace. Alternatively, if the information were worth more to the website than to the consumer, then consumers will prefer to deal with CDNP because of the lower price, and CDNP’s business model will prevail.

A more likely result is that some consumers will prefer more privacy and deal with CDP, and others will prefer lower prices and deal with CDNP. Merchants often offer different terms of sale and prices (Wal-Mart and Macy’s) and there is no reason to expect more uniformity of terms in the market for information than in the markets for other sorts of contractual provisions.

There are of course various assumptions in the above story. One of the most important is that consumers know and understand the privacy policies of the two websites. If they do not, then the market will not function as described. For example, consumers who value the information more than does the website might shop at CDNP because of its lower price. Such consumers would be harmed, because they would be transferring information at a price below its value to them.

Government mandated notice requirements, such as those proposed in the Federal Trade Commission's recent Report to Congress,² and in the bills under consideration today, assume that consumers do not understand the privacy policies of alternative websites and that government action is needed to make such information available. As a general matter, however, there are strong incentives for the marketplace to provide such information to consumers. In the example above, CDP will have an incentive to tell consumers that they will guarantee privacy. They may do so by explicitly comparing themselves with CDNP, but even if they do not, consumers will be able to learn that CDP provides privacy. When they visit site CDNP they will not see any mention of privacy, and will rationally assume that the site does not provide this benefit.³ This competition between websites over privacy policies is potentially important, although many analysts have ignored such competition.

It is sometimes argued that it may be too expensive for a given site to provide useful information. This argument suggests that, if consumers do not understand privacy issues, it would be costly for a particular site to explain these issues, and other sites could free ride on the efforts of one site to explain. Moreover, it would take a substantial amount of time for a consumer to read and absorb the privacy information provided by a site, and it may well be that the cost of obtaining this information is greater than the value. This could lead consumers either to avoid the Web altogether, or to "mistakenly" purchase from sites like CDNP and suffer a net loss.

The economics of transactions costs and various approaches to minimizing such costs are one of the areas we are examining in our study. As a general matter, however, issues like those above would be of greatest concern if consumers were broadly ignorant of privacy issues. While this may have been the case in the early days of the Internet, it no longer is. Indeed, as summarized in Table One, privacy has become a major concern of users of the Internet, with most polls showing that majorities of users are concerned with privacy. Some take this level of concern as a justification for government regulation. But, in fact, it is the opposite: If enough consumers are concerned with privacy, the marketplace will be more likely to respond to their concerns.

The FTC's report seems to suggest the market is responding as one might expect. In its 1998 report, the FTC indicated that only 14% of websites disclosed their information practices. In the 2000 report, 88% of a random sample of sites and 100% of the Most Popular sites had some privacy disclosure.⁴ Thus, in a very short time, the percentage of sites voluntarily providing information about privacy policies has increased from a small fraction of websites to all of the most popular, and most of the others.

There is substantial additional evidence that consumers and firms are already making well informed decisions about privacy matters. For example:

• In one survey, the most common reasons for not registering at a website are that the terms and conditions of the use of information are not clearly specified, or that revealing the requested information is not worth registering and being able to access the site.⁵

• Many companies, including IBM and Walt Disney, do not advertise on websites that do not have privacy policies.⁶

• Companies are increasingly hiring "privacy officers" and giving them substantial power and discretion in setting company policies. In fact, Alan Westin, a well known privacy advocate and expert, offers a training course for this position.⁷

There are other mechanisms available to minimize the costs of dealing with privacy issues. One such mechanism is the use of voluntary standards, as defined and explained by a consortium of web operators. Large firms – Microsoft, AOL, Intel – make enough money and are large enough forces so that it pays for them to internalize production of various standards.⁸

As a general matter, there are voluntary standards organizations that deal with a wide variety of issues. ANSI (the American National Standards Institute), for example, is an umbrella organization for over 1000 members.⁹ The American Society for Testing and Materials (ASTM) is another voluntary standards organization.¹⁰ Defining a standard of Internet privacy is in principle no different than defining other standards. A standard can establish a set of defaults and can serve to inform consumers of the options and issues involved in privacy. In other words, a standard can serve to define the property rights so that transactions can occur and the right can be properly assigned through market processes.

For example, the World Wide Web Consortium (W3C) is a consortium of 434 members, including the largest players in the Internet, such as Microsoft, America Online and Cisco.¹¹ This consortium is in the process of drafting a major private privacy protocol, the Privacy Preferences Project, P3P.¹² While P3P is not yet operational, there are numerous private seal programs already in place, including TRUSTe and BBBOnline.¹³ The Direct Marketing Association also has various voluntary standards in place, including a method consumers can use to have their names removed from email lists, and members of the Association must meet certain requirements regarding privacy on the web.¹⁴ Thus, organizations such as the BBB, TRUSTe or W3C can define property rights and provide information about them and about alternatives.

GOVERNMENT

While the market appears to be responding well to consumer demands for more control over their personal information, some still argue that there is a role for government regulation. Government, perhaps, might move more quickly than the marketplace, or provide a greater degree of uniformity, or better reflect the "value" of personal privacy in ways the market would not. These are all issues we are examining in our work.

One cautionary note about government regulation, however: It is extremely inflexible. Once a major law is passed, it tends to establish a regulatory framework that lasts for a long time. For example, the Federal Communications Commission began allocating licenses using inefficient methods such as administrative hearings when it was founded, and it took many years until the agency began using an auction, although economists and others advocated sale of licenses at least as early as 1951.¹⁵ This danger has been referred to as "freezing technology" – that is, destroying incentives for innovation, since innovations will not satisfy the government requirements.

There are several reasons for the relative inflexibility of government regulation. First, simply getting Congress to pass a major piece of legislation is difficult. Congress has limited ability to pass such legislation, and does not tend to re-examine an issue frequently. Second, there is the regulatory time interval required to implement the law. Third, and perhaps most important, the passage of a law and subsequent promulgation of regulations create interest groups with an interest in maintaining that law. For example, attorneys specialize in dealing with the law as it exists, and become a vocal group in opposing changes. Firms come into being specializing in institutions that comply with the law, and these firms also lobby to retain the current law. Regulatory authorities in charge of enforcing particular laws lobby for the retention of these laws, an important component of the FCC delay mentioned above. The institutions created by the law themselves become barriers to entry, as potential entrants must adapt to these institutions. On the other hand, those who could benefit from changes in the law have difficulty in making their voices heard.

It is a cliché to say that the Internet is dynamic. But it is true. Any regulation at this time would freeze some aspects of the Internet in their current state. Even if the regulators were able to regulate perfectly for today’s environment, any regulations would quickly become obsolete as the Internet changes. The P3P release is P3P 1.0, indicating that, like software in general, the drafters expect that the privacy policies embedded in the document will change over time. Indeed, at several places in the document itself there are indications of directions for change in future versions. While such expectations drive software and the development of the web, laws passed by government do not come with release numbers – because there is no expectation that they will be changed quickly (or ever). While change is the normal state of affairs for the Internet and for software and other elements that interact with the Internet, it is not the way in which government operates.

It is important to remember that technological and marketplace developments in the privacy and security arena are happening almost daily. One new program has increased the ability of websites to identify consumers logging on to the website.¹⁶ The technology allows the Checkfree website, in conjunction with Equifax, the credit reporting agency, to identify customers quickly and accurately, thus increasing security. Another relatively new service, PayPal from X.com, enables consumers to pay bills on the Internet anonymously.¹⁷ A virtually infinite array of such technologies is in development.¹⁸ Any regulation passed by Congress could interfere in unknown and unpredictable ways with such technological progress.

It is also important to keep in mind that government regulation is of necessity of the "one size fits all" variety. But with respect to Internet privacy, different consumers have different preferences. These are documented carefully in a survey on Internet privacy by AT&T.¹⁹ For example, those most concerned about Internet privacy – those the AT&T report calls "privacy fundamentalists" – often already protect themselves using a variety of techniques, such as anonymous remailers.²⁰ On the other hand, at least one company, AllAdvantage.com, pays consumers for the right to monitor their browsing, and some consumers are apparently willing to join this program.²¹ Thus, consumers clearly have different preferences regarding Internet privacy.

Furthermore, it seems likely that consumers have different privacy preferences regarding different types of information. In one survey, for example, consumers were less willing to provide social security and credit card numbers than other types of information. Similarly, 78% would accept cookies to provide a customized service; 60% would accept a cookie for customized advertising; and 44% would accept cookies that conveyed information to many web sites.²²

Incorporating such nuances in a government regulation would be difficult, and any privacy notice that resulted would have to be exceedingly complex, perhaps to the point that most people would be unwilling to read such a detailed notice. The very value of information to advertisers is evidence that at least some consumers benefit from the information being available to sellers. Advertisers would not value information if they could not use it to sell products. But if consumers buy products based on being contacted by merchants, then consumers must benefit, else they would not buy the products. The modern theory of advertising indicates that most or all advertising provides valuable information, and if advertising leads to sales than at least some subset of consumers is benefiting from the advertising.

SUMMARY

In summary, there are reasons for expecting the market to manage privacy issues efficiently. There are also substantial dangers from inappropriate government intervention. If we rely on the market and the decision turns out to be incorrect, we can always pass legislation later. But if we regulate, it is much more difficult to change our position. At The Progress & Freedom Foundation, we are working to produce a report to help Congress and other policymakers evaluate the relative merits of market-based approaches, on the one hand, and government regulation on the other. The results of that research, at this stage, suggest that premature legislation and/or regulation is likely to do more harm than good.

Mr. Chairman and Members of the Committee, that completes my prepared statement. I would of course be pleased to respond to any questions you may have.

Table 1: Is Privacy Important to Internet Users?

References for Table One:

American Association of Retired Persons, "AARP National Survey on Consumer Preparedness and E-Commerce: A Survey of Computer Users Age 45 and Older." March, 2000.

AT&T Labs, "Beyond Concern: Understanding Net Users’ Attitudes about Online Privacy". Available online, April, 1999.

Cyber Dialogue, "Capturing Visitor Feedback." Available online, March, 1997.

Cyber Dialogue, "Privacy vs. Personalization: A Delicate Balance." Available online, 1999.

Cyber Dialogue, "Privacy vs. Personalization Part III." Available online, 2000.

Harris Black International, "The Use and Abuse of Personal Consumer Information." Available online, January, 2000.

Georgetown University, "Georgetown Internet Privacy Policy Survey: Report to the Federal Trade Commission". Available online, June, 1999.

IBM, "Multi-National Consumer Privacy Survey." October, 1999.

Louis Harris and Associates, Inc. and Dr. Alan F Westin, "E-Commerce and Privacy: What Net Users Want", press release. Available online, July, 2000

National Consumers League, "Consumers and the 21st Century". Available online, 1999.

NFO Interactive, "Online Retail Monitor: Branding, Segmentation, & Web Sites". 1999.

Privacy and American Business,"Personalized Marketing and Privacy on the Net: What Consumers Want. " November, 1999.

Privacy and American Business, "’Freebies’ and Privacy: What Net Users Think." Available online, July, 2000.

Endnotes

1.  I am also a professor of economics and law at Emory University.

2.  "Privacy Online: Fair Information Practices in the Electronic Marketplace: a Report to Congress," Federal Trade Commission, May, 2000.

3.  Sanford Grossman (1981), "The Informational Role of Warranties and Private Disclosure About Product Quality," Journal of Law and Economics v. 24, December: pp. 461-483.

4.  Data from "Privacy Online," pp. i, ii.

5.  GVU’s 7^th WWW User Survey, available online.

6.  "It’s Time for Rules in Wonderland," Business Week, March 20, 2000.

7.  D. Ian Hopper, "Companies Adding Privacy Officers," AP, July 11, 2000.

8.  Peter Swire (1997), "Markets, Self-Regulation, and Government Enforcement in the Protection of Personal Information," in Privacy and Self-Regulation in the Information Age, U. S. Department of Commerce, Washington, DC. http://www.ntia.doc.gov/reports/privacy/selfreg1.htm.

9.  See http://www.ansi.org/

10.  http://www.astm.org/index.html

11.  For the W3C homepage, see http://www.w3.org. For the list of members, see http://www.w3.org/Consortium/Member/List.

12.  http://www.w3.org/P3P/.

13.  http://www.bbbonline.org/

14.  http://www.the-dma.org.

15.  Thomas W. Hazlett (1998), "Assigning Property Rights to Radio Spectrum Users: Why Did FCC License Auctions Take 67 Years?" 41 Journal of Law and Economics, Number 2, Part 2, October.

16.  D. Ian Hopper, "New Way Found to ID Web Customers," AP, July 17, 2000.

17.  Michelle Slatalla, "Easy Payments Put Hole in the Pocketbook," New York Times, June 29, 2000.

18.  Peter Wayner, "New Tools to Protect Online Privacy," New York Times, November 11, 1999.

19.  Lorrie Faith Cranor, Joesph Reagle, and Mark S. Ackerman, (1999), "Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy," AT&T Labs-Research Technical Report TR 99.4.3, http://www.research.att.com/library/trs/TRs/99/99.4/

20.  Lorrie Faith Cranor, "Agents of Choice: Tools That Facilitate Notice and Choice about Web Site Data Practices", available online.

21.  http://www.alladvantage.com/home.asp?refid=

22. Cranor et al., 1999.