|
In recent years, opinion polling has shown increased wariness of the potential for tech companies to invade users’ privacy, especially in the wake of Facebook’s Cambridge Analytica scandal. As a sort of response, earlier this year Facebook CEO Mark Zuckerberg himself called for greater regulation of the tech industry, including privacy regulations. Against this backdrop, Sen. Josh Hawley (R-MO) introduced the Do Not Track Act last month, meant to address his concern that “tech companies collect incredible amounts of deeply personal, private data from people without giving them the option to meaningfully consent.”
Tech companies do collect a lot of personal information, but the proposed bill would not increase users’ privacy in the style or proportion of their actual demand for it. It would likely create regulatory headaches for users, website operators, and the tech industry. Hawley’s Do Not Track Act does not right wrongs but seeks to mold our information economy and society according to federal legislators’ and regulators’ preferences.
The central component of Sen. Hawley’s bill is its directive for the Federal Trade Commission (FTC) to create a “Do Not Track” (DNT) system “to protect consumers from unwanted online data harvesting and targeted advertising.” The FTC would be responsible for creating software that produces a “DNT signal,” available for download on the FTC’s website. Installed on users’ equipment, the DNT signal would be sent to every website, service, and application the device connects to. (Users would be able to whitelist sites and services to which they do not want the DNT signal sent.) Given the number and variety of protocols, apps, and services existing now and in the future, it is a tremendous engineering challenge.
Under the bill, operators of commercial websites, online services, and applications would be required to identify whether a connected device is sending the DNT signal. They would be prohibited from “collect[ing] data (other than such data as is necessary for the operation of the website, service, or application) from the user,” and they would not be able to use data from that user for targeted advertising or share that user’s data with third parties without the consent of the user.
“Do Not Track” has been a topic of debate and a voluntary program for years, but it has not gained traction. It is among many anti-tracking programs created by private entities, currently available for download — many for free. But most people make little effort to protect themselves from tracking, at least not with technical blocking. Surveys show few people are willing to pay for increased privacy, and fewer still take advantage of free and easily accessed privacy-enhancing software. Of Firefox’s roughly 250 million users, fewer than 8% have downloaded any of the browser’s top-ten privacy extensions. Less than one third of those who use ad blockers do so because of privacy concerns.
Legislation might be appropriate where there is an economic externality or legal harm. Neither is evident here. The public’s apparent preference for content and convenience over privacy may rankle privacy advocates, but the actions of consumers are the best measure of their wants and needs. Tracking controls have been in the marketplace for years now, and they have not gotten traction. Consumers have not punished companies for declining to implement Do Not Track. The current status quo does not appear to be a product of information asymmetry: as the polls show, consumers are largely aware of tracking and concerned by it. They appear to be accepting it in light of the copious benefits they get in exchange.
The bill goes further than creating a federal Do Not Track system as another marketplace offering. When a website, service, or app does not detect a DNT signal from a device, the bill mandates that the user receive a pop-up notifying them of the website’s data collection policy and of the availability of the FTC’s DNT program. That’s right: a bill aimed at improving users’ experience online would mandate one of the most universally despised features of the internet: the pop-up. This pop-up would appear the first time a device visited a website and at least as frequently as every 30th connection after that unless the user of the connected device opts out.
Assume that the pop-ups succeed in haranguing users into using the DNT program en masse. What then? We might expect endless legal and regulatory wrangling over what and how much data is “necessary to operate [a] website, service, or application.” While data collected “for the purpose of designing or displaying targeted advertisements” are explicitly categorized as “more data than [are] necessary” in the bill, there are no guidelines for how to determine whether data collected for non-advertising purposes are excessive. To fill the gap, the Federal Trade Commission would likely become deeply involved in designing web site functionality, internet services, and apps.
There are good reasons to be concerned with collection of personal data online and some of the uses to which that data is put. But the internet as a medium works best when the intelligence is at the edges. A centralized, top-down solution requiring all internet services to adhere to a given information-sharing standard is unlikely to deliver privacy on the terms consumers want it. The Do Not Track Act seeks to mold the information economy in ways legislators and regulators want because consumers’ revealed preferences show they simply don’t care as much as we might like.
Legislation might be appropriate where there is an economic externality or legal harm. Neither is evident here. The public’s apparent preference for content and convenience over privacy may rankle privacy advocates, but the actions of consumers are the best measure of their wants and needs.
|
