Matthew Sipe
People value privacy differently. For example, different people are willing to pay a range of premiums to conduct online transactions with added privacy guarantees.[1] Similarly, some individuals demand significantly more compensation than others for having their location data tracked.[2] These results suggest the potential for a market in privacy interests. Allowing individuals to buy and sell their privacy freely might be a boon to efficiency, in the same way that removing a price floor or ceiling on a good reduces deadweight loss. Doctrinally, United States v. Warshak suggests that if a market were to develop whereby internet service providers guarantee differing levels of privacy, the courts would be willing to respect those differences, and infer different reasonable expectations of privacy under each provider.[3] But can different members of the same network actually maintain different levels of privacy in practice? This post examines some of the practical roadblocks preventing markets for privacy rights in networks, and looks at the larger normative considerations counseling against such markets.[4]
Practical Concerns
In Warshak, the court held that Steven Warshak had a reasonable expectation of privacy in the content of his emails stored on his ISP’s servers. They reached this conclusion, in part, on the basis of the particular ISP’s behavior and terms of service. The ISP did not, in the regular course of business, scan Warshak’s emails or mine them for data, nor did the terms of service say that they would. On the other hand, the court concluded, if the ISP had “express[ed] an intention to ‘audit, inspect, and monitor’ its subscriber’s emails, that might [have been] enough to render an expectation of privacy unreasonable.”[5] In this way, the court seems to recognize the potential for different ISPs to provide different levels of privacy to their customers. An individual who values privacy more might pay more for a premium, black box ISP bound by ironclad terms of service. An individual who values privacy less might take advantage of a free email service that mines their emails for data to sell to advertising companies. As a practical matter, however, it is doubtful whether the market can actually support multiple privacy levels across a given network due to vicarious surveillance, monopolistic forces, and regulatory pressure.
Vicarious Surveillance
When someone sends a communication across a network, it is handled not only by the sender’s client, but also the recipient’s client. In other words, even if the sender of an email has paid for the privilege of a higher-privacy provider, that email can still be scanned and mined by a low-privacy recipient opening it. It is difficult enough to ascertain the privacy policy of one’s own provider;[6] it would be impossible to figure out the divergent privacy policies governing everyone you send an email to. This privacy uncertainty due to vicarious surveillance would drastically reduce the incentive to pay a premium for a high-privacy provider, and as individuals on the margin begin to shift from high-privacy providers to low-privacy providers, the incentive to pay would be reduced even further. Continuing in this way, the market for high-privacy network providers would likely eventually unravel.
Even if a sufficiently robust system of notice were to emerge and reduce uncertainty—let’s say, machine-readable privacy policies generating a pop-up alert before you send an email to a low-privacy recipient[7]—it would be far too time-consuming for a user to pore over the differences between each recipient’s policy. When confronted with that much information and too many attention-draining choices, individuals would begin to “drop out” and either disregard the pop-ups entirely or fall back on whatever choice is made default.[8] Either way, the incentive to pay for a high-privacy provider disappears.
Monopolistic Forces
Network technologies are natural monopolies. The low marginal cost of adding one more member once a network has been established is typically low, creating supply-side economies of scale, and network externalities generate significant demand-side economies of scale. In this way, it is easy for a handful of network providers to have complete control, with little threat of new entrants stealing away market share. Without sufficient competition, network providers have no incentive to offer a portfolio of privacy alternatives; customers will either accept the dominant level of surveillance, or not participate in the network at all. Given the necessity of many networks—email, internet, social media—to everyday life, declining to participate may not be a legitimate substitute. These monopolistic forces would thus result in a convergence of privacy policies, rather than a true marketplace of privacy options.
Regulatory Pressure
With an aim towards facilitating law enforcement and domestic security, the government has already begun to exert regulatory pressure on network providers to “hardwire surveillance-facilitating mechanisms into their technologies.”[9] While regulations such as CALEA do not obligate network providers to take advantage of increased porousness for their own benefit, they make it much cheaper for network providers to do so. With all providers forced to engineer backdoors into their systems already, there is little incentive not to go ahead and engage in profitable data-mining anyway, particularly in light of the monopolistic market structure hampering competition.
Normative Considerations
A market for network privacy rights also raises normative concerns. Even if it is accepted that privacy rights are alienable—and not viewed as part of the “fundamental dignity of persons” or an inviolate prerequisite to autonomy[10]—making privacy rights sellable raises novel concerns. First and foremost, sellable privacy rights would have regressive distributional consequences. If privacy rights can be bought and sold, then those with greater wealth will be able to command more privacy, and those with less wealth will have to do without.[11] To the extent that surveillance is used for targeted advertising and other behavioral manipulation, the effect would be even greater exploitation of vulnerable, low-income groups, and a potential self-sustaining cycle of poverty through consumer manipulation.
Second, allowing markets for privacy rights threatens robust political discourse and dissent. This concern is particularly salient in networks, designed for communication and dissemination. A “deliberative democracy requires … speakers and listeners,” resistant to “coercive standardization,” who feel comfortable expressing new or unpopular ideas.[12] If privacy protections ebb and flow with the whims of the market, democratic discourse will fluctuate with every business cycle boom and bust. Furthermore, since improved democratic functioning is a positive externality, not internalized by a privacy market, privacy rights will be undervalued and oversold relative to the social value they provide.
Conclusion
Privacy rights in networks, if left to the free reign of the market, will see an accelerating decline due to vicarious surveillance, monopolistic forces, and existing regulatory pressure. Even if a market for network privacy rights was capable of sustaining itself, normative considerations, including distributional and anti-democratic effects, would counsel against allowing it. Statutory and judicial constructions of privacy across networks, perhaps establishing baselines below which network providers may not go regardless of market forces, would go far in protecting privacy rights against such erosion. For all the flaws such a system would entail—prima facie inefficiency, the need to redesign standards for every new technology, the sloth of the legislature, the undemocratic nature of courts—the alternative of a free privacy market is far more threatening.