Free for the Taking (or Why Libertarians are Wrong about Markets for Privacy)

Have you heard any of these arguments lately? Consumers willingly pay for the wonderful free services they enjoy using the currency of their personal information. We can’t trust surveys that say that consumers despise commercial tracking practices, because the revealed preferences of consumers demonstrate that they are willing to tolerate tracking in return for free social networking services, email, and mobile apps. If privacy law X were implemented, it would kill the free Internet (or more immodestly, the Internet).

Two recent articles take on all of these arguments and more in the context of the privacy of information collected online by private corporations. The articles are similarly entitled (before their subtitle colons), Free and Free Fall. Both are written by excellent interdisciplinary scholars, Free by Chris Hoofnagle and Jan Whittington and Free Fall by Kathy Strandburg. These articles, individually but even more taken together, present a thorough, forceful, and compelling rebuttal to pervasive libertarian paeans to the supposed well-functioning online market for personal information.

Libertarian arguments hold great sway among policymakers, particularly in the United States. Libertarian think tank types exhort policymakers to respect the unprecedented efficiencies of the well-functioning market for personal information, which has created and supports today’s vibrant Internet. For many years, privacy law scholars (myself included)—the vast majority of whom do not subscribe to these libertarian beliefs—have treated these arguments as mere distractions but have not focused much attention on responding to them. This is no surprise, as the tools of economics seem not by themselves up to the task of describing the problems we have documented. Yet this inattention has taken a toll, as it has strengthened by want of opposition the libertarian critique of many proposed privacy regulations, which some policymakers have begun to parrot. While legal scholars have done little to respond, these arguments been rebutted, capably but only incompletely, by scholars from outside the field, like economist Alessandro Acquisti and engineers and computer scientists Jens Grossklags, Lorrie Cranor, Aleecia Macdonald, and Ed Felten. Before Free and Free Fall, however, we’ve lacked a thorough and thoroughly economic rebuttal to the libertarian critique.

The core libertarian argument that drives the rebuttal in Free and Free Fall is that people “pay” for free, online services with their data. No they don’t, at least not if “payment” is supposed to represent an accurate measure of consumer preference and definitely not if “payment” means that consumers rationally give up data about themselves in exchange for free services. Both Free and Free Fall carefully marshal forth arguments why ordinary economic conceptions of payment and cost and demand and preference do not hold in the “market” for data. The two articles use different economic methodologies—Free relies on the framework of “transaction costs economics” (TCE) and Free Fall speaks in the more traditional language of market failure. But both articles describe in detail the great risks of harm people expose themselves to by allowing companies to collect so much personal information, from identity theft to insecurity to self-censorship to humiliation to unwanted association. Consumers do not “pay” with information, because they do not understand the true costs of allowing their data to be snatched.

But, the libertarians might respond, consumers expose themselves to risk of harm in commercial transactions in other contexts, and in those cases we still consider payment in the face of risk to be an accurate measure of consumer preference. To respond, Free and Free Fall document the many reasons consumers find it impossible to account for the risk of harm from online data collection: the utter lack of transparency into corporate data practices creates insuperable information asymmetries; well-documented network effects give rise to lock-in and other barriers to competitive entry; and bounded rationality prevents consumers from accurately assessing risk. Worst of all, unlike in some consumer transactions, all of these barriers persist even after the commercial transaction takes place, leading Strandburg to compare them to “credence goods” like medical treatments and legal services, which tend to be “natural subjects of regulation.” She concludes “[c]onsumers are doing what amounts to closing their eyes and taking an unknown risk in exchange for a presently salient benefit.”

Of course, many other privacy articles and books have recounted the risks of privacy harm from commercial tracking, but these two articles work a subtle but powerful reframing of how we should account for this harm. Until now, the libertarians and the policymakers they have persuaded have found it easy to discount discussions of privacy harm as separate from and outweighed by the great and unmitigated benefits of economic efficiency and growth found on the other side of the scale. A little identity theft is a small price to pay for free Facebook and Gmail, they have argued. Free and Free Fall explain how these privacy harms themselves work on the “benefits” side of the scale, because they need to be accounted for as economic inefficiencies, which diminish the economic value, measured both individually and societally, of these online services. As Hoofnagle and Whittington’s Free puts it, “[t]he financial consequences of transactions that occur with the press of a button can be of such magnitude and lasting consequence that their implications for parties can easily dwarf those of typical purchases in our economy.”

In other words, the market for personal data is dysfunctional and distorted in ways that cause profound economic inefficiencies in the form of risk of privacy harm, inefficiencies that sensible privacy regulation can help correct. We need new privacy laws not despite what they might do to economic efficiency but because they will allow the market to produce even more economic efficiency.

Both articles also explain how these skewed market forces have been subtly re-architecting the Internet in societally harmful ways. Companies are being pushed to design data extractive services in pursuit of corporate riches, even if consumers would prefer precisely the opposite. Hoofnagle and Whittington’s Free recount Google’s history with the http Referer header, which has seen the company on more than one occasion intentionally rolling back or weakening pro-privacy, pro-security advances so as not to disrupt the expectations and profits of advertisers. Although the authors do not draw this particular connection, it is fair to say that some of the worst abuses of privacy of the NSA have resulted directly from corporate decisions like these to place the desires of advertisers ahead of the wishes of users.

But it disserves these two articles to lump them together without highlighting a little of what each does that the other doesn’t. Hoofnagle and Whittington’s Free builds on the TCE work of Oliver Williamson and others to propose a rigorous and grounded methodology for taking account of all of an online transaction’s efficiencies. Strandburg’s Free Fall focuses thoroughly on the development of the market for advertising, drawing on a rich and detailed history from economists and marketing experts outside the legal academy.

There is so much more to these long articles, but rather than describe more, I’ll simply urge those in the field to read both. It might be overselling things to say that these two articles have demolished the libertarian critique of privacy law. But they do administer a thorough and long overdue drubbing of some core libertarian arguments.