Why I Haven’t Yet Given Up Hope on Contracting Around Personal Data

Why is it that better methods of digital contracting and data ownership have not yet developed to help us protect our privacy online?  

It’s not like these are new ideas. In fact, way back in the Net’s dial-up dark ages—1996 to be exact—Cal-Berkeley economist Hal R. Varian, now chief economist with Google, penned a short, but widely-cited, essay on “Economic Aspects of Personal Privacy” that proposed assigning “property rights in information about an individual to that individual, but then allow contracts to be written that would allow that information to be used for limited times and specified purposes. In particular, information about an individual could not be resold, or provided to third parties, without that individual’s explicit agreement,” he argued.

A year later, Eli Noam of Columbia University made a similar argument in an essay on Markets for Electronic Privacy. “Encryption permits individuals to sell information about themselves directly, instead of letting various market researchers and credit checkers [use it freely],” Noam noted.

So, what happened on the way to private contracting paradise? There are several reasons privacy markets have never taken off.

First, there probably hasn’t been as much demand for formal contracting because many users don’t mind today’s predominant “take-it-or-leave-it” model of online services. Most people quickly click “Agree” and accept such licensing deals because of the low price—usually zero—and the ease with which they can start using those services right away.

But a better explanation for the failure of formal contracting around privacy is that it has always been tied up with the same thorny issues of information ownership and enforcement which have complicated digital copyright policy. Put simply, information control is damned hard—whether such control is being pursued through top-down regulation or bottom-up contracting methods.

Jasmine McNealy, an assistant professor in the Information & Communication Technology Program in the School of Library and Information Science at the University of Kentucky, wrote about these challenges in an essay last week. She noted that:

We still do not have clear answers to basic questions such as: Do people own personal information about themselves? How can they control or limit how companies (and governments) use it? To start, there are complexities around the fundamental issue of information “ownership,” particularly ownership of personally identifiable information (PII). One cannot be said to actually own information about one’s self. Information relates to you, is connected to you, or is of you.

McNealy notes that the unique characteristics of information—it’s intangible, amorphous, easily shared and “leaky”—“make it difficult to recognize as property.” Sometimes it is not even clear who “possesses” any particular piece of information. “While one can to exclude others from physical property through fences, locks, or, for the more extreme among us, guard dogs, it is much trickier to control information in a digital environment,” McNealy notes. “You cannot simply lock your online user habits behind a heavy door,” she argues.

McNealy is right, but should we give up hope altogether on the idea of contracting around our personal data? Perhaps there are reasons for some hope.

Firms such as Reputation.com, Personal.com, and The Locker Project all hope to create “data lockers” or “reputational vaults” that would let consumers keep their personal information in a secure system for a fee and then trade it with others more selectively than they do today. Comparable startups were recently profiled by The Economist and The New York Times.  “These ventures each take different approaches toward protecting personal information but are all focused, at their core, on enabling people to better control and leverage data about themselves and their lives,” notes technology writer David Bollier.

Of course, we shouldn’t ever forget that transaction costs matter greatly and could frustrate contracting around privacy. Administering property-like systems for information markets can be complicated and costly. Some of these costs are impossible to quantify but nonetheless significant. For example, many consumers may not want to deal with the mental transaction costs associated with constantly figuring out how to bargain with hundreds of online sites and services that use their data.

But here’s an interesting—and ironic—scenario: Might advertisers and data aggregators end up being the ones who push for more formal data contracting? If users started employing more privacy-enhancing technologies and more actively thwarted data collection and advertising, then perhaps some sort of bargaining around personal data would develop to ensure information kept flowing. For example, what if roughly 25 percent of online users were using technologies like AdBlockPlus and some variant of “Do Not Track” technology? Could that serve as the tipping point for online advertisers and other data aggregators to move toward contracting solutions to get consumers to keep sharing their data?

It remains to be seen, and I remain skeptical that strict contracting will work for the reasons McNealy outlined: Information is just really hard to keep bottled up. But we shouldn’t give up hope entirely.