TechFreedom President Berin Szoka will testify on privacy and self-regulation at today’s livestreamed hearing before the U.S. Senate Committee on Commerce, Science, and Transportation. As he explains in his written testimony,

With the best of intentions, we are heading towards reshaping the fundamentals of the Internet—in ways that may have serious negative unintended consequences for privacy, the sites and services consumers enjoy, and the health of the ecosystem.  But the way we’re doing it may be even more troubling.  This is not the result of a bottom-up evolutionary process, but of collusion between government and powerful market players.  We are heading for opt-in dystopias.

Read Szoka’s full oral remarks below the fold and written testimony here .

Chairman Rockefeller, Ranking Member Hutchison—thank you for inviting me to testify about privacy again.  First at The Progress & Freedom Foundation, and now at TechFreedom, I’ve worked for over four years to articulate an alternative perspective on privacy that stresses the enormous value created by data while recognizing the need to prevent its abuse.  While we’re all engaged with “fixing the problems,” we mustn’t lose sight of the forest for the trees: the benefits of the collection and use of data to date have dramatically outstripped the costs of the relatively few abuses.

When considering how we address abuses, I agree: self-regulation is not enough; so-called “baseline” legislation is, indeed, necessary.  But such a baseline already exists: Section V empowers the FTC to prohibit as “unfair” uses of data that do more harm than good and that consumers themselves cannot reasonably avoid. Further, the Act empowers the FTC to enforce self-regulation by holding companies to their promises. Above this baseline, we’ve built a layered approach to privacy protection, including narrow legislation to address particularly thorny problems.  But the genius of American law is our largely evolutionary, common law model, addressing problems as they arise and learning from past successes and failures, rather than attempting to design a comprehensive regulatory scheme wholesale.  Our system is what Richard Epstein famously called “Simple Rules for a Complex World.”

The FTC’s effectiveness should be measured not by counting settled cases, but in the development of a quasi-common law of privacy.  Yet today, companies have only FTC complaints and consent decrees to guide them.  I suggest the agency take four steps:

  1. Explain its analysis in consent decrees;
  2. Issue “no action” letters when deciding not to sue;
  3. Issue advisory opinions upon request to guide industry on how the agency might evaluate new privacy practices; and
  4. Issue guidelines explaining how it has applied Unfairness and Deception in past privacy cases and plans to do so in the future—clarifying especially the boundaries of privacy harm.

Congress should ensure the FTC has the resources necessary to do all these things, and to keep pace with ongoing technological change.

But policymakers – and, I hasten to add, everyone else – necessarily lack the expertise and foresight to freeze in place fair information practices.  The technologies involved are evolving rapidly and the trade-offs are too complex.  This is why the White House Report stressed “the flexibility, speed, and decentralization” that only self-regulation can provide.

But Congress should carefully scrutinize how the FTC use has used “soft power” to influence self-regulation—and how that power has reinforced incumbents’ market power.  Nowhere is this more true, or potentially more dangerous, than in W3C’s Do Not Track process. As FTC Commissioner Tom Rosch has noted: “the major browser firms’ interest in developing Do Not Track mechanisms begs the question of whether and to what extent those major browser firms will act strategically and opportunistically.”

The W3C process has rested on the principle of user choice.  Microsoft breached this consensus when it decided its new IE10 browser would send DNT:1 headers by default.  Default DNT-On doesn’t empower users any more than would ad blocking by default.  Default DNT-On simply empowers browser makers to force fundamental changes in the Internet ecosystem. From today’s low-friction, flat ecosystem of independent sites and services funded by generally impersonal data collection, Default DNT-On could take us to an Internet with fewer players who collect more data with less transparency.  In the worst-case opt-in “dystopia,” consumers could be made significantly worse off in three ways.

  1. If publishers have to rely on micropayments or subscriptions, their revenues will likely drop.
  2. Ironically, in the name of privacy, we could actually increase user tracking, because those sites and data companies that do obtain opt-ins will likely collect more personal data.
  3. Few publishers and data-driven companies will be able to obtain opt-in exceptions to DNT.  This will force unprecedented consolidation in the Internet ecosystem.

Thus, with the best of intentions, we’re blithely heading toward reshaping the Internet.

But even more troubling is the way we’re doing it.  This isn’t the result of a bottom-up, evolutionary process.  It’s more like collusion between government and powerful market players.  It is not self-regulation, but co-regulation. It is the European model, where governments steer by extra-legal threats and industry merely rows; where powerful incumbents use market power to serve their own agendas, with government’s blessing.

Given the FTC’s heavy involvement in the W3C process, Congress should ask the FTC to explain exactly what its role has been, especially in Microsoft’s decision to  defy W3C’s principle of user choice.

No one would deny that regulatory agencies play a significant role in encouraging self-regulation.  But with all due respect to Peter Swire, the extra-legal intimidation he and Tim Wu endorse is deeply dangerous.  If government can regulate the Internet without statutory authority or judicial review, simply because its goals seem noble, the rule of law does not exist online.  The better way for the FTC to encourage self-regulation is through the legal means I have suggested: building a quasi-common law subject to clear standards—and review, if not by the courts, then by Congress.

Again, thank you for inviting me here today to testify.

</>