  From: Sverker K. Hogberg <skh2101@columbia.edu>
  To  : <CPC@emoglen.law.columbia.edu>
  Date: Sat, 21 May 2005 19:19:16 -0700

Paper 2: Regulatory Approaches to Privacy

REGULATORY APPROACHES TO PRIVACY: EX ANTE DATA-PROTECTION STANDARDS

Granting citizens a legislative or constitutional right to anonymity
and providing easy access to technologies that enable them to seamlessly
exercise that right may be a hypothetically ideal antidote to the
government's use of subpoenas to circumvent Fourth Amendment safeguards
on search, seizure, and surveillance. It is, sadly, also politically
intractable. Exercising rights of anonymity unfortunately conjures up
distasteful notions of illicit activities perpetrated under a cloak of
secrecy. The social stigma attached to efforts to protect one's privacy
– particularly against the government – makes it even harder to overcome
the public-choice barriers that frustrate enactment of privacy
legislation. Fortunately, data-protection standards can leverage the
current concern over identity theft to indirectly curb private-party
data aggregation by imposing exogenous regulatory costs.

EX ANTE VS EX POST REGULATION
In the context of data theft, ex ante data-protection standards have
two primary advantages over ex post tort liability. Although both
schemes force personal data aggregators (PDAs) to internalize some of
the costs of data theft, only data-protection standards categorically
raise information aggregation costs across the board by imposing
compliance costs that are impossible to avoid. Insurance, superior
litigation resources, low rates of claims, and problems of proving
causation all make tort liability ineffective at imposing the full costs
of data theft on PDAs. [1] In contrast, the costs of complying with
data-protection standards must be incurred upfront, do not depend on
individuals bringing successful lawsuits, and, therefore, cannot be
similarly avoided.

More importantly, even if one were to assume that tort liability
could impose the full costs of data theft on PDAs – a perfect Pigouvian
tax – it would not be as effective as ex ante standards at broadly
curbing private data aggregation. Although in both cases costs can be
dispersed and passed on to consumers, data-protection standards can be
made so rigorous that they impose far higher costs on PDAs than the
market ever would. In effect, standards can be made so stringent that
they cost more to comply with than it would cost to pay damages in full
to every victim of actual identity theft. For instance, imagine a
seemingly lenient standard requiring less than 1 incident of data theft
per year for every 1,000 customer records kept, with breaches punished
by fines and general injunctions against keeping personal data in
digital form. Since digital files tend to be stolen in large quantities,
a single break-in where a modest 100,000 records are stolen would easily
put a company - even one with tens of millions of records - over the
limit.

Although this rigidity and imposition of above-market costs are
usually the principal criticisms leveled at command-and-control
regulatory approaches, here they are an unmitigated virtue: They help
curb a fundamentally undesirable phenomenon – private businesses
aggregating ever increasing amounts of personal information.

POLITICAL FEASIBILITY
Although the cost to consumers of identity theft may be compensated
through other means, only ex ante standards have the ability to put a
direct brake on the growth of private data gathering by imposing
impossibly high costs on the entire enterprise. However, since this is
done sub rosa, under the rubric of preventing data theft,
data-protection standards are far more politically feasible to enact than
legislation that directly targets PDAs by invoking Fourth Amendment
claims.

First of all, data-protection standards are the type of unambiguous
public good that voters invariably support. Like safety standards for
consumer products, the benefits are concrete and morally unambiguous and
the costs are so widely dispersed that they do not factor into the
average voter’s personal-benefit calculus. Second, legislators have an
incentive to support tough ex ante standards since they give a tangible
benefit of great symbolic value to constituents – protecting
their identities from abuse – while leaving room to benefit favored
industries by selectively imposing lower standards. Finally, many
companies may support data-protection standards either because they
advantageously impose differential costs across industries, or because
they erect barriers to entry against newcomers. [2]

Additionally, since safety standards can be made concrete and
quantifiable, they would likely work as a one-way ratchet that could
only be ratcheted up. It would be quite politically difficult to relax
data-protection standards once people have come to enjoy them.
Although the increased costs that data-protection standards would impose
on PDAs would not eliminate such activity altogether, it seems likely
that they would at least significantly reduce the total number of
entities engaging in data aggregation. For most companies, the costs of
complying with the security standards would simply not be worth the
benefits from exploiting consumer information. [3]

REGULATORY STEPS
So, what would these data-protection standards actually look like
and how would they be implemented? Although there are, as Caitlin and
Heather suggested, between three and four stages where such standards
could be imposed, they seem to be most easily applied to the storage and
dissemination stages. [4] For example, one approach is to create a
schedule of prescribed "best available" encryption technologies and
limits on methods of accessing personal information (PI) databases that
depend on the type of information stored. A "schedule one" database
containing only names matched with limited purchasing histories might be
accessible from the internet using simple SSL encryption and password
authentication, while a "schedule four" database containing social
security numbers or financial records might only be accessible from
un-networked and peripheral-less dumb terminals employing two-point
authentication systems.

It is important to recognize that data-protection standards will
never provide a foolproof means of preventing identity theft, which
still can and will occur. Yet, as a highly effective method of curbing
data aggregation through the imposition of arbitrarily large compliance
costs on PDAs, data-protection standards may prove to do more to protect
individual liberty than even a perfect data-theft prevention system ever
could. This is, then, where the greatest value of data-protection
standards lies.

[1] Tresa Baldas, Lawyers See Data 'Fear Factor' Rising,
http://www.law.com/jsp/article.jsp?id=1115802311951 ("[T]ons of cases
get dismissed because the plaintiffs cannot show damages related to
identity theft.").

[2] See Nathaniel O. Keohane, et al., The Choice of Regulatory
Instruments in Environmental Policy, 22 Harv. Envtl. L. Rev. 313 (1998).

[3] For example, the Sarbanes-Oxley Act is credited with inducing firms
to "go private" to avoid its accounting compliance costs. See Joshua
Koenig, Note, A Brief Roadmap to Going Private, 2004 Colum. Bus. L. Rev.
505.

[4] Caitlin Friedmann, A Statutory Scheme for Privacy, at
http://moglen.law.columbia.edu/CPC/discuss/232.html; Heather Schneider,
Architectures of Control, at
http://moglen.law.columbia.edu/CPC/discuss/233.html

-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list


