Privacy panic debate: Whose data is it?

commentary News that researchers have "discovered" hidden files on the iPhone that store geolocation data of approximate locations the devices pass by has sent privacy conspiracy theorists screaming back to their panic rooms.

Apple now joins the ranks of Facebook (Beacon), Google (Buzz), RFID tags, Flash-based "super cookies," and the Department of Justice's WikiLeaks investigation as the latest crisis du jour in the struggle to hold back a flood of invasions into our most intimate information for the most nefarious uses.

Never mind that cellular carriers already capture the same data for roaming and billing purposes. Now, we discover, it's being stored on the device itself, and it's not encrypted. (Apple so far hasn't responded to increasingly shrill demands to explain itself and now faces the prospect of congressional hearings.)

(Editors' note: Shortly after this commentary was posted, Apple made its first public statement about the controversy, in an FAQ posted to its Web site. See CNET's story here: "Apple: We'll fix iPhone tracking 'bug'.")

It's not that I'm against privacy. I agree that consumers should be better educated by service providers about how information is collected and used. But journalists, academics, and activists who treat every information exchange between service providers and users as signs of an imminent data apocalypse aren't helping to raise awareness of anything.

Instead, they're lulling most consumers into a dulled state of resignation, convinced that everyone from device manufacturers to service providers to content companies to governments are conspiring against their freedom. And the privacy extremists are intentionally or otherwise raising the possibility that eager regulators will dive into the deep packets of the Internet in an effort to save us from our own choices.

But the worst-case scenarios--police states, widespread identity theft, loss of an existential sense of individuality--are so far largely just scenarios. And calls for more government regulation of private data as the silver bullet solution miss the point that governments are themselves some of the most careless users of information, not to mention inconsistent in what it is they actually want companies to do.

At the same time that technology providers are being lambasted for collecting information, for example, governments are also asking or even requiring them to save much of the data they collect to help with criminal investigations, creating a kind of regulatory whipsaw. The European Union, which has strict laws about how personally identifiable information can be stored and used, also has a directive that requires retention of some of the very same data. One hand of government doesn't know or care what the other hand is doing.

The reality, as those of us who actually work in information industries know, is much less catastrophic and, frankly, much less interesting. It's true that more transactional information--private or otherwise--is being collected all the time. By and large, however, most of the information still sits in increasingly crowded data warehouses, doing next to nothing.

In the best-case scenario, it is being used responsibly by those we interact with to improve future interactions through customization, recommendations, promotional pricing, more relevant advertising, better customer service, and more-focused future product design. (Think Amazon, Groupon, Google, and others.) Or, through social-networking tools, the information is being used to broaden and deepen our interactions with friends, family, and colleagues.

Thaler's modest proposal
The iPhone flap inspired one of the worst examples yet of the kind of unhelpful and uninformed regulatory advocacy that characterizes the so-called "privacy debate." I'm speaking of Richard Thaler's recent article in The New York Times. (See "Show us the Data: It's Ours, After All," April 23, 2011.) Thaler, a University of Chicago professor of "economics and behavioral science," has given us an essay filled with technical, business, and legal errors, one that makes clear why it's so hard to have a rational conversation about this sensitive and misunderstood subject.

The article offers what seems on the surface an entirely reasonable and modest proposal: a copy for each customer of whatever information a business maintains about them. "If a business collects data on consumers electronically," Thaler writes, "it should provide them with a version of that data that is easy to download and export to another Web site. Think of it this way: you have lent the company your data, and you'd like a copy for your own use."

Thaler justifies his proposal using the example of finding the most cost-effective cell phone carrier. "To pick the best plan," he says, "you need to be able to estimate how much you use services like texting, social media, music streaming, and sending photos." (Does any provider charge separately for "social media"?) Cell phone providers should "give you access to a file that includes all the information it has collected on you since you owned the phone, as well as the current fees for each kind of service you use."

Thaler acknowledges that most consumers can't possibly make use of the "file" he wants every vendor to supply to every consumer it deals with, but he believes the entrepreneurial spirit will fill that void. An army of app developers, he says, stand at the ready to write software to help consumers use this data to become more informed comparison shoppers.

Thaler assumes without explanation that details about how you use a service is data you own and have merely "lent" to the company. But note right from the start that there's nothing private about how many text messages or photos you send. Nor does information about "current fees" even reference the customer's usage. And while few people would complain that their cell phone bill isn't detailed enough already, the data Thaler wants to require is already available online for those who want to review and verify it.

Regardless, Thaler believes users are owed that information put in a portable "file" so consumers can load it onto their PC or their cell phone and carry it around with them. He supports making that obligation a matter of law, as it is in the European Union. And he wants the file to be "in a format that is usable by app designers." (That presumably means the data will be left unencrypted.)

Misapplying the metaphor of property rights to information
Let's assume for the moment that enough consumers would actually benefit from the use of this information to make worthwhile the cost of providing it and of entrepreneurs developing the "apps" Thaler imagines will appear. Let's also leave aside the security risks of sending and retaining such a "file" on consumer electronic devices or of giving access to it to "app designers" who will help users interpret this information in order to become better-informed shoppers. (Perhaps the data the iPhone researchers discovered is a prototype of the kind of file Thaler believes should be required by law?)

Instead, let's go back to the idea that transaction data collected by the cell phone provider is the property of the user and merely "lent" to the business. Thaler simply assumes any data "collected on consumers electronically" is "their" data, full stop. Thaler follows a common view among privacy advocates that information is property, and information connected to consumer transactions is the sole property of the consumer, not the company that collects or stores it. The only issues for Thaler are what ownership interest consumers retain when they "lend" that data to someone else and how those interests ought to be regulated by law.

The scope of Thaler's proposed right is broad--he believes that regardless of whether data is personally identifiable, that data is the property of the consumer, reclaimable as a matter of law. Thaler, for example, writes that he is advising a British initiative that requires companies not only to provide "usage" data but also to provide consumers with the data "in a computer friendly way." He encourages similar initiatives--so far voluntary--by the federal government in the U.S.

Complete customer ownership of merchant data may sound good on paper, but it evaporates when exposed to the most basic understanding of business or economics. (Thaler is not an engineer, but he is a professor of economics, so the hand-waving here is pretty disappointing.) Market transactions starting in the Middle Ages have always included the exchange, collection, consolidation, and reuse of relevant information. A merchant knows what merchandise the customer bought, how she paid for it, and whether payment was prompt and complete. More useful, the merchant knows what merchandise other customers bought, and therefore what merchandise is and is not popular.

Until recently, no one has ever thought that a merchant who documents, analyzes, and responds to such information is taking advantage--unfair or otherwise--of property belonging to the customer. But because transactional information can now be captured "electronically," and because that data now has value independent of the merchant's direct use of it, Thaler would like to reassign the right to benefit financially from the data and its uses. Since the data is "collected on" consumers, Thaler simply assumes that consumers are the owners of it.

Of course, if customers are entitled to all or part of the benefits of information collection, it's only fair that they should also share in the costs. After all, businesses today spend a growing percentage of their operating budgets on the collection, storage, and analysis of data. And despite continued improvements in the costs of information technology, companies that make productive (that is, valuable) use of the information they collect are those that spend more on business intelligence, analytics, data warehousing, database management, outside data services, cloud computing, user interfaces, and integration with manufacturing and distribution systems. For starters.

The rise of information markets
At the very least those costs should be subtracted from the customer's share of the profits, with the rest allocated between the customers who "lent" the information and the businesses that made something valuable out of it. Rational business executives would only spend this kind of money if they believed they were getting back more than their costs--perhaps in the form of more efficient operations; cross-selling and upselling; market intelligence; and customer service. So let's assume there is some excess profit to be shared between the merchant who did all the work and the customers who "lent" their nonprivate information.

Aren't customers already sharing the profits that remain? Thaler acknowledges that the potential uses of transactional data are "endless," but he doesn't think customers are getting, well, anything. His example here is the supermarket club card. Thaler writes: "Supermarkets...have already learned that they can attract many customers to their shoppers' clubs by offering discounts to club members. This allows the stores to know what they buy and to target coupons based on their purchases. Shoppers can opt out--but only at the cost of losing the discounts."

I doubt Thaler has actually studied how club cards have evolved in any detail. (I have, see "A Market Approach to Privacy Policy" [PDF].) In fact many national supermarket chains, including Lucky, have found that the costs of warehousing and analyzing transaction data tied to specific club card members is too expensive or beyond their capabilities (so far). They no longer require the use of the card to get the discounts. Others, including Safeway, will simply swipe the cashier's card if the customer doesn't provide their own. And no store verifies that even the basic information a customer puts on their card application is even remotely accurate.

But let's move on. Thaler sees stores that do still require customers to identify themselves to get discounts as perpetrating a rip-off. As it stands now, he says, consumers give up their data and should at least get "something in return for participating." They don't, so Thaler wants to "level the playing field." Specifically, he wants the store to make "your purchase history available to you" for free. That way, some "smart entrepreneur" can "devise an app" that will direct you to "cheap and healthy alternatives that can slim your tummy and fatten your wallet," or "warn shoppers with allergies, for example, that they are buying foods that contain ingredients to which they are sensitive, like nuts or gluten."

Well, Thaler is a behavioral scientist and not a venture capitalist or an entrepreneur, so maybe someone could come up with a use for the data that's a little more compelling. But let's go back to the original premise. Don't shoppers already get "something in return for participating"? Do they really go through the trouble of filling out an application, carrying the card around with them, and pulling it out each time they shop at the store without receiving anything for their trouble? If so, then the shoppers who use the card today (I'm one of them) are altruistic, or stupid, or both.

Of course, the idea that card users aren't already getting "something in return for participating" is nonsense. As Thaler himself says only a few paragraphs earlier, the use of the card is tied to the receipt of store discounts--sometimes significant discounts. The store, in other words, recognizes the value of data tying specific purchases to specific customers, and in exchange for allowing collection of that information, pays the customer in the form of lower prices. In this case, the payment is cash money.

It couldn't be any more direct or obvious. Information is being traded for money, and the exchange is entirely transparent. What's more, the customer can, with each visit to the store, decide whether to accept money for information. It's an opt-in system, not an opt-out. Even better, the exchange is instantaneous. It requires no protracted negotiations, no lawyers, and no behavioral scientists.

Consider the club card
The club card example, contrary to Thaler's factually challenged gloss, is actually one of the best illustrations that markets for information exchange are working well and evolving rapidly. Despite the chronic hysteria of privacy advocates and those who benefit from their agitation, it shows that real consumers can and do make rational decisions about the value of information under their control.

These information markets recognize both the value consumers bring (their specific, though rarely private, behavior) and the value companies bring (the ability to collect, store, consolidate, and analyze that behavior over wide cross-sections of related information). These markets offer consumers clear incentives for participating, including discounts, specific recommendations, and targeted (that is, relevant) advertising. Consumers are compensated for their cooperation, often directly and immediately.

These emerging markets also recognize that the sum of the parts is greater than the whole--the more customers who participate, the more valuable the overall databases become.

Notably, today's information markets are developing without the need for, and the expensive overhead of, micromanagement by government regulators. Or, for that matter, much overhead of any other kind.

In that sense, they are excellent examples of the kind of economic progress championed long ago by Ronald Coase, who, like Thaler, is a University of Chicago economist.

It was Coase, for example, who recognized as early as 1937 that markets use technology to reduce inefficiencies in all kinds of market exchanges--what Coase termed "transaction costs." By reducing transaction costs, companies become more competitive and markets become more efficient, a boon to all participants. The less "friction" there is in the market, among other benefits, the easier it is to determine what people really want and a fair price to charge them.

It is unfortunate that Thaler appears to have little appreciation for his colleague's work. Unfortunate, but not surprising. Throughout his career, Coase has encouraged economists to trade their dismal academic theorizing and behavioral experiments for actual research on how markets work, in the hopes of finding ways to accelerate the reduction of transaction costs.

In response to that plea, Coase was largely blacklisted by academic economists. He spent his career not at the University of Chicago's economics department but at its law school. For his efforts, Coase was awarded the Nobel Prize in economics in 1991. Yet in his Nobel Prize lecture, Coase acknowledged that his work had been ignored by his economist colleagues: "In my long life I have known some great economists, but I have never counted myself among their number nor walked in their company," he said.

Thaler and others who casually assume information markets can't or don't work need a remedial class in Coasean economics. But at the very least, they should try shopping at a real grocery store, reading an actual cell phone bill, or visiting a working data warehouse.

Then perhaps they'd have some basis to tell companies how to interact with their customers, or to propose laws to ensure those interactions take place.

If they like, they can even use their experience to continue terrifying consumers with privacy ghost stories. Who knows? They might actually find something concrete--for a change.