Thinking Of Privacy As A Property Right Will End Badly

from the that's-not-how-privacy-works dept

We've talked for a while now about how we're really bad at regulating privacy because most people don't really understand privacy. People tend to think of it as "a thing." But, it's not. It's a set of trade-offs that can change depending on who is involved, what the context is, and the terms of the trade-off. The example we've used many times is that of leaving your home to buy groceries. Doing so entails giving up some amount of privacy. Someone could see you. They might even see what's in your shopping cart. But for most people, this trade-off is worth it. The "loss" of privacy here is minimal. The "damage" of someone seeing that you're buying broccoli is not that big of a deal. But, for some people, the trade-off may be quite different. If you're a movie star, for example, going into a grocery store may represent a huge burden and an impact on your privacy. Paparazzi may follow you around. Other customers may bug you. What you buy may be analyzed or mocked or worse. Other factors come into play as well, such as what it is that you're buying. Vegetables might not be that big a deal. Other items may be a lot more revealing.

That may be a fairly simple view of things, but it applies in lots of cases. Lots of decisions we make involve basic trade-offs regarding privacy. And part of the calculation that we all implicitly make involves a fairly straightforward cost-benefit analysis. Is the value we get from doing x greater than the potential privacy violation? And, of course, this is often made more difficult by the "cost" being one in which somewhat opaque probabilities come into play. Beyond the potential "cost" of such "private" information being revealed, what is the probability that such a revelation will lead to greater costs? For example, someone going into a drug store to buy condoms may represent a slight loss in privacy -- but if that person is doing so to have an affair, then the "cost" might be the probability that the person's partner becomes aware of such a purchase.

The issue is that thinking of privacy as just "a thing" that must be "protected" often fails to take into account the various nuances of the trade-offs. It fails to account for the fact that different people in the same situations may value the different sides of the trade-off differently and may have entirely different beliefs about what is and what is not an acceptable trade-off.

Building on that, the real problem we have today concerning "privacy" is that we often don't know enough about both sides of the trade-off equation. The concern or unease that some have over internet companies sucking up our data is that it's not entirely clear (1) what the ultimate benefit is of that and (2) it's very unclear what the costs are -- or what the probability is that the costs will be extreme. There's not much transparency and not much ability to have an accurate sense of the actual risks, and, therefore, we're often making the trade-off decision somewhat blind. There are lots of people who -- via their own expressed preferences in terms of what they actually do -- seem to think that letting Facebook suck up all their surfing data is a worthwhile trade for staying in touch with family and friends. Some argue that they're ignorant for doing so -- and maybe that's true. But part of the problem is that the costs are amorphous, at best, while the benefits to many seem worth it.

Still, the lack of transparency about what data is being collected, and how it's being used, combined with the lack of control for the end users, creates a totally reasonable level of nervousness for some. The issue is that the cost might be super high. But we don't know and we don't really have any way to do anything about it if that turns out to be the case. That's where most of the fear about social media's impacts on privacy come from.

Given that there's so much interest these days in "regulating" privacy, the models that people use to understand privacy can have a really big impact. Using the wrong model will lead to really bad regulations. And one of the worst ideas is unfortunately super popular: the idea of turning "privacy" into a quasi-intellectual property. Specifically trying to set it up as if it's a "property" right with a price attached to it. Tragically, this model has a bunch of proponents when it comes to regulations. The NY Times recently had an excellent opinion piece by Sarah Jeong explaining why setting up privacy as a property right is a terrible idea. That NY Times opinion piece came out just a week or so after a similar (and even more thorough) article at Brookings by Cam Kerry and John Morris similarly explaining why data ownership is "the wrong approach" to protecting privacy.

As both pieces note, there are lots of regulatory attempts to put a property right and price on private info:

Some policymakers are taking such thinking to heart. Senator John Kennedy (R-LA) introduced a three-page bill, the “Own Your Own Data Act of 2019,” which declares that “each individual owns and has an exclusive property right in the data that individual generates on the internet” and requires that social media companies obtain licenses to use this data. Senators Mark Warner (D-VA) and Josh Hawley (R-MO) are filing legislation to require Facebook, Google, and other large collectors of data to disclose the value of personal data they collect, although the bill would not require payments. In California, Governor Gavin Newsome wants to pursue a “data dividend” designed to “share in the wealth that is created from [people’s] data.”

But as the Kerry/Morris piece notes, treating private data in this manner runs into all sorts of problems -- including conflicting with the First Amendment:

The trouble is, it’s not your data; it’s not their data either. Treating data like it is property fails to recognize either the value that varieties of personal information serve or the abiding interest that individuals have in their personal information even if they choose to “sell” it. Data is not a commodity. It is information. Any system of information rights—whether patents, copyrights, and other intellectual property, or privacy rights—presents some tension with strong interest in the free flow of information that is reflected by the First Amendment. Our personal information is in demand precisely because it has value to others and to society across a myriad of uses.

Treating personal information as property to be licensed or sold may induce people to trade away their privacy rights for very little value while injecting enormous friction into free flow of information. The better way to strengthen privacy is to ensure that individual privacy interests are respected as personal information flows to desirable uses, not to reduce personal data to a commodity.

Jeong's piece, similarly, highlights just a few of the problems of treating privacy as a property right:

Legally vesting ownership in data isn’t a new idea. It’s often been kicked around as a way to strengthen privacy. But the entire analogy of owning data, like owning a house or a car, falls apart with a little scrutiny.

A property right is alienable — once you sell your house, it’s gone. But the most fundamental human rights are inalienable, often because the rights become meaningless once they are alienable. What’s the point of life and liberty if you can sell them?

Jeong also makes an important point: that your "private" data may actually be someone else's private data as well, raising some significant complications:

Your location data can give away the whereabouts of your spouse. Your health records give away information about your biological children. If you sell your genetic privacy, are your parents entitled to a percentage?

Do you need to get joint approval with your spouse to sell location info? Do you need permission of your not-yet-born descendants to sell your genetic info?

The Kerry/Morris piece also highlights how useful it is, in general, for certain information to be shared, sans pricing, for society as a whole. Putting a price on all data would put an unnecessary bit of friction into fairly basic exchanges that no one should have an issue with (in my discussion above, those would be cases where the "cost" is very low, and the benefit much higher). Switching everything to a commodity/property model would come with pretty significant costs, however. And many of them would do little to actually protect "privacy."

Basing privacy protection on property systems, on the other hand, would reduce privacy to a commodity, double down on a transactional model based on consumer choice, and be enormously complicated to implement. The current notice-and-choice model is failing because it is effectively impossible for users to understand either how their data will be used or the accompanying privacy risks, especially in the constant flow of online engagement in today’s connected world. The result is that people click past privacy notices through to the information or service they want.

Moreover, many of these consumers already agree to provide personal information in exchange for the perception a benefit. It is hard to imagine people will burrow deeper into privacy disclosures or pause at clicking through to get at communications or transactions simply because they are offered what may amount to a few pennies. It is far from clear that in a market for data, the ordinary user would come out on top—either in relation to economic benefits or privacy harms. On the contrary, by licensing the use of their information in exchange for monetary consideration, they may be worse off than under the current notice-and-choice regime.

Or as Jeong notes, such a system might simply encourage people -- especially the most vulnerable -- to effectively "sell" their privacy.

But the American Civil Liberties Union called the bill a Trojan horse. The Electronic Frontier Foundation said it would “incentivize people to give up their fundamental right to privacy and exacerbate inequality by specifically encouraging vulnerable lower-income people to pour more personal information into an industry that exploits and discriminates against them.”

And for what? As Kerry/Morris note: the "value" of any individual's private data is almost certainly quite low (which actually is reflective of the legitimately low "risk" associated with that data being revealed):

Indeed, the uncertainties of valuating any one individual’s data suggest that individuals will receive little payment. Estimates vary but

The Financial Times has a calculator that one of us (Kerry) ran for his profile. The default value is $0.007, but as a well-to-do professional who travels a lot, the value of the Kerry data was estimated as $1.78. If pricing is set by service providers, then the resulting system is likely to end up being very similar to the current “take it or leave it” outcomes that are common under notice and choice. If pricing is set by consumers or through negotiation, the complexity of the service-user interactions would be even greater. And this new complexity would likely slow users’ access to information and services that they want—and simply turn “click fatigue” into “negotiation fatigue.”

Sure, governments could set the price, but does anyone think they will do so in a manner that makes any sense? The Kerry/Morris piece also notes that the government setting a price for our data likely would run afoul of the First Amendment based on the Sorrell v. IMS Health ruling, which ruled a Vermont law unconstitutional for barring data mining and pharma firms from being able to buy up prescription data.

And that's not even getting into the question of multi-party data -- such as e-commerce transactions:

Under an information-as-property regime, would both the purchaser and the retailer have property rights to information about the transaction? And in such a property regime, couldn’t the retailer simply make as a condition of sale that the purchaser must grant a license to the retailer to use the information for specified uses? And wouldn’t that simply lead to another form of the tyranny of fine print in which the purchaser who wants the convenience of an online purchase would be forced to cede rights to the retailer? It is unclear whether the information as property regime would in fact improve the current state of privacy.

There are plenty of legitimate reasons (and a few not-so-legitimate ones) to be concerned about the state of privacy today. But we're going to create a lot more problems if the "solution" is to turn your data into a commodity under some sort of property rights regime.

And the fact is we've been down this dumb road before. Hell, we've talked about it pretty much since the beginning of Techdirt with the silly idea of treating infinitely copyable "content" as "property" under copyright law. That's created a huge mess, especially for free speech, with the idea that expression can be owned and limited in some form or another. Indeed, many of the copyright debates over the past few decades concerning the internet are really representations of the ongoing struggle to recognize how a "content-as-property" regime under copyright law can possibly co-exist with a "global network for communicating and sharing content" world of the internet.

We won't do anyone any favors (other than maybe some lawyers) by adding in another category of made up "property" around "privacy." And, worst of all, it will do nothing to actually improve privacy outcomes for most people.

Filed Under: commodity, control, intellectual property, privacy, property right, trade offs


Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  1. identicon
    David CAnton, 10 Jul 2019 @ 11:01am

    privacy as property right

    Mike, I agree that thinking of personal information as property doesn't work. Too often debates over PI, and analysis of what can be done with PI focus on ownership of the data. That doesn't work. The real question (ignoring privacy law technicalities) is whether collection, use, or disclosure of PI violates a reasonable expectation of privacy of the individual.

    As far as payment goes, a fundamental tenet of consent is that it is informed and meaningful. How is consent meaningful if there is a price put on it?

    reply to this | link to this | view in thread ]

  2. identicon
    Anonymous Coward, 10 Jul 2019 @ 11:12am

    One of the key concerns regarding privacy are the "unknown unknowns". You don't know what the damage of other people having more personal information about you could be, but you know the only reliable way to protect yourself against the unknown unknowns is not to disseminate information about yourself.

    Countless mobile app developers as well as tech companies big and small constantly collect information that either directly or indirectly reveals sensitive information about an individual. Lies about what is being collected are so commonplace as to be near ubiquitous (e.g. "anonymized" location information) and people are never almost never given a clear, concise, and meaningful choice to opt out.

    Or how about Windows 10 telemetry. They might very well make a product that some people will consider better if they have telemetry on every non-commercial customer. But I as a non-commercial customer have no meaningful mechanism to opt out of this invasive collection short of not using Windows 10. On top of this, Microsoft has a history of reverting privacy settings to increase collection after some updates have happened.

    To summarize - The biggest problem that nearly the entire tech industry has is that they do not understand the meaning of the word "consent". It is a wholly alien concept that they theorize and redefine to near meaninglessness.

    reply to this | link to this | view in thread ]

  3. identicon
    Anonymous Coward, 10 Jul 2019 @ 12:03pm

    Selling individual data is a losing proposition for the individual, as the corporation will add the cost, administration fees and some profit margin to what they pay, and add that to the cost of goods and services.

    reply to this | link to this | view in thread ]

  4. identicon
    Anonymous Coward, 10 Jul 2019 @ 12:09pm

    store cards vs. privacy

    The example we've used many times is that of leaving your home to buy groceries. Doing so entails giving up some amount of privacy. Someone could see you. They might even see what's in your shopping cart. But for most people, this trade-off is worth it. The "loss" of privacy here is minimal.

    The privacy issue is not minimal. Virtually all major grocery store and drug store chains catalog every item a customer purchases, so they know as much about you as Facebook does. Even if you give a fake name when applying for the store's discount card, security cameras will have your picture on file, and these videos and point-of-sale snapshots are also indexed. You can of course "opt out" of the system by making your purchases "anonymously" by not using the card, but then that means paying substantially higher prices.

    reply to this | link to this | view in thread ]

  5. icon
    Lance (profile), 10 Jul 2019 @ 12:26pm

    It's probably impossible to "walk things back" at this point, but things should never have been allowed to get this far. We needed Congress to pass a law a long time ago (most appropriately in 1978 after the "third party doctrine" came into being) banning the divulging (for profit or not) of your information without an individualized waiver for every instance. Then, when the web came around, the selling of private info and tracking people around the web would have been non-starters. By now, huge companies are making a lot of money off of our info, and many smaller companies only exist to do so. Pretty hard to fix anything with all of them lined up against it.

    reply to this | link to this | view in thread ]

  6. identicon
    Anonymous Coward, 10 Jul 2019 @ 1:20pm

    Re:

    There is at least one law, the Video Privacy Protection Act of 1988. "Netflix cited the act in 2011 following the announcement of its global integration with Facebook. The company noted that the VPPA was the sole reason why the new feature was not immediately available in the United States ... In 2012, Netflix changed its privacy rules so that it no longer retains records for people who have left the site. This change was due directly to a lawsuit indicating violation of the act."

    The next time someone's nominated for the Supreme Court we'll need to see what private information we can buy and release. That's the only thing that seems to work.

    reply to this | link to this | view in thread ]

  7. icon
    Federico (profile), 10 Jul 2019 @ 1:42pm

    Lessig on privacy as property

    Lessig proposed to create a property right to privacy, to sort of counterbalance the power of the "intellectual property" concept, in its 1999 book "Code". In the second edition "Code 2.0", chapter 11, p. 228 or so, he offers a summary of the counterarguments which I think has aged rather well.

    reply to this | link to this | view in thread ]

  8. identicon
    Anonymous Coward, 10 Jul 2019 @ 1:49pm

    I could not more strongly object to the premise that the overwhelming majority of information that the majority of people "agree" to provide to platforms is done with explicit consent.

    And a trend I notice on social media is of tech shills who breathlessly go into threads proudly proclaiming how they're fine giving away all their most sensitive and intimate details to various tech companies. It's just...you have a conversation of privacy and some random nobody feels the need to come in and announce how much they're an exhibitionist. It's creepy and unwelcome.

    reply to this | link to this | view in thread ]

  9. identicon
    Anonymous Coward, 10 Jul 2019 @ 2:40pm

    Re:

    Its not so creepy going to the market to buy some broccoli as it is to know these spying corporations (cough cough facefucknutbook) have been designed and run with stealing all your most intimate private moments and then selling it to some other fuckup corporation. The laws should go after those assholes who have built a business model around your life without disclosing their actions or intentions and certainly they aren't sharing the profits they make from you texting your babysitter for a rendevois.

    reply to this | link to this | view in thread ]

  10. identicon
    Anonymous Coward, 10 Jul 2019 @ 2:52pm

    Re: Re:

    The entire privacy debate is trying to negotiate what is public vs what is private.

    Tech companies want to argue everything you say or do on a tech platform is public. Your sex life, your movements, your income, discussions about your mental health. They argue that this should be as public as how much broccoli you bought at the store.

    reply to this | link to this | view in thread ]

  11. identicon
    Anonymous Coward, 10 Jul 2019 @ 2:54pm

    I see no advantage to changing the rules on privacy,
    except maybe laws about securing data from hackers eg user data should be encrypted if it contains adress,name,phone no, bank account , credit card no, social security data, date of birth etc eg if the data could be used to steal someone s identity or gain acess
    their financial data or credit history.
    Their should be basic rules on securing data in data base,.s if the data base
    contains more than say 100,00 users .

    reply to this | link to this | view in thread ]

  12. icon
    Mike Masnick (profile), 10 Jul 2019 @ 3:32pm

    Re:

    I could not more strongly object to the premise that the overwhelming majority of information that the majority of people "agree" to provide to platforms is done with explicit consent.

    Explicit consent is something different -- and I agree that there are questions about consent. But my point was that people do use these platforms, meaning that they find value in them. Often that may be because they don't understand how much data they're giving off or what's done with it, or because they don't recognize the potential costs.

    And a trend I notice on social media is of tech shills who breathlessly go into threads proudly proclaiming how they're fine giving away all their most sensitive and intimate details to various tech companies.

    I am unaware of anyone who fits the description you are talking about.

    It's just...you have a conversation of privacy and some random nobody feels the need to come in and announce how much they're an exhibitionist. It's creepy and unwelcome.

    That's completely fair. But also... not quite on topic.

    reply to this | link to this | view in thread ]

  13. icon
    Anonymous Anonymous Coward (profile), 10 Jul 2019 @ 3:35pm

    Two related articles

    reply to this | link to this | view in thread ]

  14. identicon
    Anonymous Coward, 10 Jul 2019 @ 4:35pm

    Re: Re:

    You... have not met anyone online or in meatspace who goes on about "there is no such things as privacy", or endlessly commends the merits of exchanging your information plus eternal tracking for awesome services? Really?

    Or was that a dishonest question that you know is loaded with some baggage of the usual sort which is regularly flung at td?

    reply to this | link to this | view in thread ]

  15. identicon
    Anonymous Coward, 10 Jul 2019 @ 6:21pm

    Re: Re:

    Explicit consent is something different -- and I agree that there are questions about consent. But my point was that people do use these platforms, meaning that they find value in them. Often that may be because they don't understand how much data they're giving off or what's done with it, or because they don't recognize the potential costs.

    There's also quite a few apps where people may not recognize data is being collected on them at all when the functionality does not intuitively (to a lay person) require data collection to facilitate function.

    I am unaware of anyone who fits the description you are talking about.

    I see it very frequently. Oddly enough mostly when talking about Microsoft's privacy practices, but that could just be a coincidence.

    That's completely fair. But also... not quite on topic.

    I apologize. I tend to drift a bit to related topics on privacy as I've beaten the topic to death on other forums.

    reply to this | link to this | view in thread ]

  16. icon
    Toom1275 (profile), 10 Jul 2019 @ 9:26pm

    Re: store cards vs. privacy

    I read the Ars Technica article on the LEGO lunar lander set. Watched some of the linked videos. Looked at the older Saturn V set online.

    The next week, I receive at home the first LEGO catalog I've gotten in at least a decade, with that lunar lander on the front cover.

    Gave me that oooOOOooo feeling.

    reply to this | link to this | view in thread ]

  17. identicon
    Anonymous Coward, 11 Jul 2019 @ 1:49am

    The issues are extremely complex and fraught. Severe restrictions of the collection, transfer and use of data need to considered very carefully.

    I am not sure if there are any major downsides to strait-up banning targeted advertising though.

    Half of the problems associated with the surveillance economy are caused by that toxic business model.

    reply to this | link to this | view in thread ]

  18. identicon
    Anonymous Coward, 11 Jul 2019 @ 3:08am

    To quote Moxie Marlinspike

    Information is not a banana.

    If you share a banana, there is still only one banana. But, if you share information, it replicates.

    reply to this | link to this | view in thread ]

  19. identicon
    Anonymous Coward, 11 Jul 2019 @ 6:10pm

    Re: To quote Moxie Marlinspike

    If you unwittingly share information, what happens to that?

    reply to this | link to this | view in thread ]

  20. icon
    Scary Devil Monastery (profile), 12 Jul 2019 @ 7:09am

    Re: Re: To quote Moxie Marlinspike

    "If you unwittingly share information, what happens to that?"

    It leaks at a rate directly proportional to how interesting people find it. See "Streisand effect" for details.

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.