choof.org
Welcome to choof.org. Unfair. Unbalanced.
Choof.org "News"

August 17, 2003

Academic PR: Hoofnagle Responds to AEI-Brookings

I've decided to start posting the correspondence I have with various people who produce either bad-intentioned or aimless research on privacy. I've been writing to professors (mainly economists) for some time to debunk some of the claims in their research. Generally, I have a low opinion of economics. It is, after all, a social science. It relies upon assumptions that are often falsifiable. But, it's been elevated to the status of a religion in the US. In the extension below, I have the first salvo on a recent AEI-Brookings study performed by Professors Jamal, Maier, and Sunder. It concludes that the US system of privacy protection is superior to the UK's because US companies have privacy notices. In detail below, I explain why this is crap.

Reply-To: hoofnagle@epic.org
From: "hoofnagle@epic.org"
To: karim.jamal@ualberta.ca, michael-maier@uiowa.edu, shyam.sunder@yale.edu
Subject: Privacy Study / Comment
Date: Sun, 17 Aug 2003 13:06:04 -0400



Greetings Professors Jamal, Maier, and Sunder,

I recently had the opportunity to read your paper (Enforced Standards
Versus Evolution by General Acceptance), and wanted to provide some
constructive criticism. I am Chris Hoofnagle of the Electronic Privacy
Information Center.


I think that your paper relies upon some false assumptions. In
reconsidering these assumptions, you may decide to change some of the
conclusions of the paper, or adjust research methods.

First, the US does not have privacy norms that have "evolved by general
acceptance." In fact, we have a common law of privacy that is constantly
expanding as a result of a series of Federal Trade Commission complaints.
As a result of cases dating back to In Re Geocities, the US has enforced
norms that include a prohibition on materially false or deceptive claims in
privacy policies, a prohibition on omitting material uses of personal
information on the privacy policy, making false security claims, etc.
There are also some specific privacy bans that have developed as a result
of AG enforcement, such as the problem of "pre-acquired account"
telemarketing. That practice is now highly regulated as a result of fraud.
We also have the COPPA.

Second, more fundamentally, there are serious problems in the assumption
that notice is a fair information practice that promotes privacy. Notice,
specifically, is not a fair information practice. If you visit the 1980 EU
Guidelines (which you incorrectly claim has only 5, rather than 8 fair
information practices--you have cited "FIPs Lite," the FTC guidelines),
you'll see that notice derives from the "openness" principle. That
principle stands for the premise that there should be no secret databases.
It is in fact derived from American studies (the 1973 HEW report and the
Privacy Act of 1974, which requires all agencies to disclose the presence
of all databases, even if classified).



In the US, and especially in the context of 4th Amendment rights, notice is
used to *eliminate privacy.* So, when you visit an airport, the sign says
"we may search your personal belongings." This is an attempt to relieve
individuals of expectations of privacy so that they do not have a 4th
Amendment claim against those who search them.

In the context of commercial privacy policies, you'll see that one may have
more privacy without them. Your study assumes that presence of a notice is
a good thing, where in reality the notice just serves as a disclaimer.
Take for instance, the privacy policy of ticketmaster.com, which does not
allow individuals to opt-out of anything. Saying that a privacy policy
protects privacy is just like saying that a food with a nutrition
disclosure is nutritious.

As far as fair information practices go, the OECD's first, collection
limitation, is far more important than any other practice. Many of the
privacy problems we experience would be eliminated if collection were
limited to what is necessary to administer a transaction, with the consent
and knowledge of the data subject.

So, your study highlights the least important aspect of privacy, while more
or less glossing over a much more important issue—use of 3rd party cookies.
The study could have just as easily concluded that websites in the UK are
better because they are less likely to use 3rd party cookies, and when they
do employ them, they are more likely to give notice of the fact.

Third, it is a generally accepted fact that so-called "web seals" are
pointless. Truste is a joke. It's been known for some time that the group
has been captured, and even if it were not, business will always prefer private
enforcement actions (ADR) rather than a public one that is more
accountable. Robert Gellman's work in this field is necessary for an
understanding of web seal weaknesses.

Much valuable research could be done in this field. I would suggest, if
you are interested in doing more privacy work, to address the issue of
*actual* privacy practices, especially in the arena of cross-selling and
CRM within the big banks. The banks are very secretive about these
practices. I suspect that they are objectionable practices. Additionally,
the problem of customer exclusion has not received enough attention. But,
it is clearly a new trend in this field—that is, excluding customers
because they are too troublesome, or because they aren't profitable to the
company.

I hope this is helpful, and please contact me with any concerns or
questions.

Regards,
Chris Hoofnagle

Posted by chris at August 17, 2003 01:12 PM

This weblog is licensed under a Creative Commons License.
