Picture Don Draper Stamping on a Human Face, Forever
Last week, a coalition of 10 privacy and consumer groups sent letters to Congress advocating legislation to regulate behavioral tracking and advertising, a phrase that actually describes a broad range of practices used by online marketers to monitor and profile Web users for the purpose of delivering targeted ads. While several friends at the Tech Liberation Front have already weighed in on the proposal in broad terms — in a nutshell: they don’t like it — I think it’s worth taking a look at some of the specific concerns raised and remedies proposed. Some of the former strike me as being more serious than the TLF folks allow, but many of the latter seem conspicuously ill-tailored to their ends.
First, while it’s certainly true that there are privacy advocates who seem incapable of grasping that not all rational people place an equally high premium on anonymity, it strikes me as unduly dismissive to suggest, as Berin Szoka does, that it’s inherently elitist or condescending to question whether most users are making informed choices about their privacy. If you’re a reasonably tech-savvy reader, you probably know something about conventional browser cookies, how they can be used by advertisers to create a trail of your travels across the Internet, and how you can limit this. But how much do you know about Flash cookies? Did you know about the old CSS hack I can use to infer the contents of your browser history even without tracking cookies? And that’s without getting really tricksy. If you knew all those things, congratulations, you’re an enormous geek too — but normal people don’t. And indeed, polls suggest that people generally hold a variety of false beliefs about common online commercial privacy practices. Proof, you might say, that people just don’t care that much about privacy or they’d be attending more scrupulously to Web privacy policies — except this turns out to impose a significant economic cost in itself.
The truth is, if we were dealing with a frictionless Coaseian market of fully-informed users, regulation would not be necessary, but it would not be especially harmful either, because users who currently allow themselves to be tracked would all gladly opt in. In the real world, though, behavioral economics suggests that defaults matter quite a lot: Making informed privacy choices can be costly, and while an opt-out regime will probably yield tracking of some who would prefer not to be under conditions of full information and frictionless choice, an opt-in regime will likely prevent tracking of folks who don’t object to tracking. And preventing that tracking also has real social costs, as Berin and Adam Thierer have taken pains to point out. In particular, it merits emphasis that behavioral advertising is regarded by many as providing a viable business model for online journalism, where contextual advertising tends not to work very well: There aren’t a lot of obvious products to tie in to an important investigative story about municipal corruption. Either way, though, the outcome is shaped by the default rule about the level of monitoring users are presumed to consent to. So which set of defaults ought we to prefer?
Filed under: Regulatory Studies; Telecom, Internet & Information Policy
E-Verify: The Surveillance Solution
The federal government will keep data about every person submitted to the “E-Verify” background check system for 10 years.
At least that’s my read of the slightly unclear notice describing the “United States Citizenship Immigration Services 009 Compliance Tracking and Monitoring System” in today’s Federal Register. (A second notice exempts this data from many protections of the Privacy Act.)
To make sure that people aren’t abusing E-Verify, the United States Citizenship and Immigration Services Verification Division, Monitoring and Compliance Branch will watch how the system is used. It will look for misuse, such as when a single Social Security Number is submitted to the system many times, which suggests that it is being used fraudulently.
How do you look for this kind of misuse (and others, more clever)? You collect all the data that goes into the system and mine it for patterns consistent with misuse.
The notice purports to limit the range of people whose data will be held in the system, listing “Individuals who are the subject of E-Verify or SAVE verifications and whose employer is subject to compliance activities.” But if the Monitoring Compliance Branch is going to find what it’s looking for, it’s going to look at data about all individuals submitted to E-Verify. “Employer subject to compliance activities” is not a limitation because all employers will be subject to “compliance activities” simply for using the system.
In my paper on electronic employment eligibility verification systems like E-Verify, I wrote how such systems “would add to the data stores throughout the federal government that continually amass information about the lives, livelihoods, activities, and interests of everyone—especially law-abiding citizens.”
It’s in the DNA of E-Verify to facilitate surveillance of every American worker. Today’s Federal Register notice is confirmation of that.
Cato on Facebook
Cato on Twitter
Cato on YouTube
Cato Tweets