This is an excerpt from the prospectus for Sloan and Warner, Unauthorized Access: The Crisis in Online Privacy and Security, forthcoming.
The Law and Economics of Liability for Unauthorized Access
A. Information: Collection, Use, and Distribution
Computers, database technology, and the Internet make it possible to collect, aggregate, store, analyze, and distribute vast amounts of information. The technology enables mass surveillance—constant surveillance of almost everyone over a wide range of activities. The result is a reduction in our ability to control when, how, and for what purpose information is being collected and used.
B. Privacy Harms and the Public/Private Distinction
Routine mass surveillance compromises privacy. Our explanation of the harms involved begins with the observation that our social interactions are governed in part by norms that define a public/private distinction. They do so by defining what personal information it is proper for others to know. It is proper for the pharmacy clerk to ask for your name and address but not for your vacation plans; your health insurance company may obtain and use detailed health information but the company would cross the line if it inquired whether you were currently happy in your marriage; your personal physician, however, may ask that.
We advance two claims. First, the technological developments described in the previous section have severely eroded the public/private distinction; what was widely regarded as private in the 1950’s is now regarded as a routinely available to a wide variety of businesses and organizations. The second claim is that some public/private distinction is essential. We contend that the erosion of the current distinction has had the following adverse consequences (to one degree or another): an increased risk of harm to individuals; information overload; the possession of easily abused power by credit agencies, insurance companies, and businesses generally; a chilling effect on decision-making; reduced opportunities for the development of the self; an increased ability to enforce rules and laws to an extent that creates a merciless “Big Brother” inconsistent with both justice and forgiveness.
C. The Current Legal Regime
This section provides an overview (easily accessible to non-lawyers) of the laws pertaining to privacy. The law has failed to respond adequately to the technological assault on the public/private distinction. To see why, we ask readers to turn the clock back to the mid-twentieth century. It was not difficult for each of us to ensure that whatever he or she thought should be private would in fact be private. Technology has largely taken this power away. It is now much more difficult for one to ensure that what one thinks ought to be private is in fact private. One may not know when information is being collected, used, or distributed. Even if one does know, one may have little control over when, how, or why the information is being processed. Our review of the law shows it has not yet responded adequately to the limitation in the ability to ensure that what one thinks ought to be private will in fact be private. We contend that an adequate response requires the development of norms defining a distinction between public and private.
D. Why Not Just Get Consent?
Why not, instead, simply require that businesses obtain our informed consent before they collect certain types of information? Doesn’t this requirement reestablish the power to ensure that what one thinks ought to be private will in fact be private? The problem is that one typically “gives consent” via standard-form, no-negotiation contracts. One does so when one visits a web site, obtains a mortgage, opens a bank account, and so on for an immense variety of interactions. Almost no one reads such contracts. So how can consent be informed? [Note, that we gave a much fuller argument in class; the powerpoint slides contain the argument.]
III. Tradeoffs, Economics, and Information Security
A. The Economic Advantages of Information Processing
We offer a framework to analyze privacy and security issues. Our goal is to provide an approach to determining how to trade privacy off against other values. We begin with the critical role that information plays in enabling the market exchanges that provide us with goods and services. An adequate flow information is essential to market efficiency. Efficiency is important: the more efficient one is in obtaining an end, the more one has left over to invest in other pursuits. We illustrate the point with three important uses of information: the facilitation of the extension of credit; targeting advertising, and price discrimination. These examples are hardly unique; information is also critical to setting insurance premiums, making employment decisions, and news reporting, to take just a few more examples.
1. Facilitating the extension of credit
Collection, analysis, and transfer of information are essential to banking and the extension of credit. Informed decisions regarding the extension of credit are essential to an efficiently functioning economy.
2. Targeting Advertising
Targeting advertising is the process of matching advertising to recipients in ways that maximize the likelihood that recipients will purchase in response. Targeting makes advertising more efficient. In doing so, it does not merely benefit businesses; it benefits consumers by reducing the amount of irrelevant information that bombards them. Technology has greatly increased the ability of businesses to target advertising by increasing the ability to collect, store, aggregate, and analyze information. This same technological development also enables price discrimination (charging different buyers different prices).
3. Price Discrimination
Price discrimination can generate significant economic efficiencies which benefit both sellers and buyers. Realizing these efficiencies requires sorting buyers into groups according to their willingness to pay, and that requires a significant amount of information. Consequently, sellers structure their interactions so that they can collect and use the necessary information.
4. Information as Power
(1) – (3) above are among the many illustrations that information is power. Information is power because the more relevant information one has in regard to an end, the more effective one is, other things being equal, in achieving it. “Other things” may not be “equal,” of course. Information overload can decrease effectiveness, and incomplete information can mislead. Such exceptions aside, however, relevant information empowers businesses by enabling them to discriminate among types of consumers in order to treat the different types in ways most likely to yield the results the business desires. This is why
the logic . . . of surveillance systems is to grow. Given that the efficient pursuit of discrimination among persons is their raison d’etre, we should hardly be surprised that they tend to grow in depth—that is, in the total amount of information collected on the average individual with whom they deal. But surveillance systems also tend to grow laterally—to broaden the variety of sources of personal data they rely on in making those discriminations, especially through symbiotic exchanges with similar systems.[1]
B. Tradeoff Questions: Two Types of Negative Externalities
The pursuit of economic efficiency raises two concerns. In explaining these concerns, we introduce two fundamental tradeoff questions.
First, the pursuit may fail. In a market economy, a rational, purely profit-motive-driven business will spend money to avoid harming another only if harming that person also harms the business. Absent business harm, the profit-maximizing strategy is to spend nothing to protect the other party. We argue that consumers’ privacy harms typically do not impose sufficient corresponding harms on businesses. To describe and analyze this situation, we introduce the classic economic concept of an externality. An externality is an effect of a decision on those who did not make the decision and whose interests were not taken into account in making the decision. If the effect is beneficial, the externality is labeled positive. If the effect is harmful, the externality is labeled negative. Consumers’ privacy harms tend to be negative externalities.
We distinguish between two types of negative externality—those that are, and those that are not, meaningfully quantifiable. Many externalities are meaningfully quantifiable. For example, we can, to a reasonable extent, assign a dollar value to the time, effort, and monetary losses from identity theft. We illustrate the point with cases in which a business’s efforts at price discrimination yield less quantifiable gain than quantifiable loss from negative externalities (they are notorious examples). These cases are examples of quantifiable inefficiency. One key question in what follows is how best to eliminate quantifiable negative externalities in order to achieve quantifiable efficiency.
Many negative externalities are not, or are not easily, quantifiable. In some cases, we simply have not done the research necessary to quantify losses that are, in fact, quantifiable. This is certainly the case for identity theft. The few studies that do exist are based on very small samples, and offer conflicting conclusions. On the other hand, there are losses that resist quantification. Identity theft again provides an example. How does one quantify the sense of personal invasion and violation many feel as a result of identity theft? It is extremely difficult to do so in any meaningful way. We review and criticize attempts to do so; we cover basic risk assessment and its pitfalls. Assuming the existence of non-quantifiable losses, we are often confronted with a tradeoff between achieving quantifiable efficiency and sacrificing efficiency, so understood, to avoid a non-quantifiable harm. How do we make such tradeoffs?
C. How Should We Respond?
The previous section identified two problems:
How do we eliminate quantifiable negative externalities in order to achieve quantifiable efficiency?
How do we make tradeoffs between quantifiable efficiency and non-quantifiable privacy harms?
We suggest that, in answering these questions, we should be guided by answers to four other questions. We do not claim that these are the only relevant questions, just that focusing on them is helpful here.
First: What combination of precautions efficiently prevents the loss? By “efficiency” here we mean quantifiable efficiency.
Second: What combination of precautions best prevents non-quantifiable loss es ? There is considerable disagreement over what counts as a relevant loss. Should one’s sense of being violated by identity theft be a serious harm that public policy should take into account? Or, is one just over-sensitive? There is also considerable disagreement over what counts as the “best” way to prevent the harms. We emphasize that norms reduce some of this disagreement. Norms that govern how information should be collected, used, and distributed balance privacy against a variety of competing concerns, and, to the extent such norms are widely accepted, disagreement over the proper balance is reduced.
Third: Who is responsible for the loss? We discuss various grounds for assigning responsibility.
Fourth: To what extent should those at risk insure against the loss? Where it costs more to avoid a loss than it does to recover from it, it does not make sense to take the excessively expensive precaution. The availability of insurance can make recovering from the loss less expensive than costly precautions.
Ideally, with regard to losses for which insurance is not appropriate or available, those responsible for the losses take precautions against them which are (1) the best way to trade off quantifiable efficiency against non-quantifiable losses, and (2) within the limits of that tradeoff, the best way to maximize quantifiable efficiency.
We need a name for these questions; call them the “framework questions.” Society’s answers to the framework questions will contribute to the development of privacy norms.
We will later consider three particular contexts in which these questions arise: malware, software, and network attacks.
[1] James B. Rule, Privacy in Peril 18 (2007).