Politech mailing list archives

FC: Responses to cost of privacy study from Swire, Smith, Sholtz


From: Declan McCullagh <declan () well com>
Date: Wed, 09 May 2001 18:59:01 -0400

The Hahn/ACT cost-of-privacy report:
http://www.politechbot.com/p-01999.html

News coverage:
http://www.wired.com/news/privacy/0,1848,43654,00.html
http://www.postgazette.com/businessnews/20010509privacy5.asp
http://www.zdnet.com/zdnn/stories/news/0,4586,2716528,00.html
http://www.newsbytes.com/news/01/165458.html7

Three criticisms follow, from Peter Swire, Richard Smith, and Paul Sholtz.

-Declan

**********

Date: Wed, 9 May 2001 08:51:53 -0700 (PDT)
From: peter swire <peterswire () yahoo com>
Subject: Reply to study that estimated $30 billion for Internet privacy
To: declan () well com

Declan:

Here is my response to the study you posted yesterday
that estimated possible costs of over $30 billion to
comply with Internet privacy legislation.  It may be a
few days before this can be posted to my web site, so
sending it out in full would allow your readers to
assess the merits of the issue.

Peter
===================

For release May 9, 2001:

New Study Substantially Overstates Costs of Internet
Privacy Protections

                    Professor Peter P. Swire

     I am writing in response to a study by Robert W.
Hahn, a Resident Scholar of the
American Enterprise Institute, entitled "An Assessment
of the Costs of Proposed Online Privacy
Legislation."  This study was reported on May 8 in the
New York Times and elsewhere as
estimating costs of $30 billion or more to comply with
possible Internet privacy legislation.  The
study was sponsored by the Association for Competitive
Technology.  Unfortunately, based on
the study's own assumptions, there are serious
analytic flaws in the conclusions.  The estimates
are far too high, and should not be relied upon for
decisionmaking by policymakers.

     I have reached this conclusion based on my own
extensive efforts to estimate the costs and
benefits of privacy rules.  In 1998, the Brookings
Institution published a book by Robert Litan and
myself entitled "None of Your Business: World Data
Flows, Electronic Commerce, and the
European Privacy Directive."  As explained in Chapter
2 of the book, Dr. Litan and I concluded
after substantial effort that we could not create a
useful estimate of the likely costs of complying
with the European Union Data Protection Directive.

     In 1999, I entered the U.S. Office of Management
and Budget as the Administration's
Chief Counselor for Privacy.  In that position, I
participated in numerous issues that involved
qualitative and quantitative assessments of the
effects of privacy rules.  Notably, I worked closely
with the Department of Health and Human Services in
developing the "regulatory impact
assessment," or cost/benefit study, for the proposed
medical privacy rule that was issued in
October, 1999 and published in the Federal Register.
After extensive public comments on the
cost/benefit analysis and other issues, the final
medical privacy rule was issued in December, 2000
and took effect last month.  One omission of the Hahn
study is that it makes no mention of that
only published government analysis of which I am aware
that makes quantitative estimates of the
costs and benefits of privacy rules.  For the health
care industry, which is far larger than the
current Internet industry, HHS estimated costs
averaging $1.9 billion per year for a medical
privacy rule that is more detailed than most observers
expect for any possible Internet privacy
legislation.  Some industry estimates are higher than
the HHS estimate, but the Hahn study would
project out to costs per covered entity that are far
higher than any estimate I have seen for
medical privacy compliance.

     My concerns with the Hahn study fall into two
categories.  First, the study does not
adequately address the key issue for any cost estimate
-- what is the baseline against which the
cost comparison is made?  In measuring the difference
between a world with legislation and one
without legislation, what behavior do we expect in the
world without legislation?  Without a clear
picture of the world without legislation, we cannot
assess the extra cost of the world with
legislation.

     Second, the assumptions in the study drive toward
substantially overstated costs.  The
study assumes that small sites would spend as much as
large sites to comply.  It assumes too many
sites.  Each site would have to achieve
unrealistically demanding standards.  And each site is
assumed to spend the large premium needed for a
customized first-of-a-kind system, with no
packaged software and no learning from experience.

     A more complete analysis would address additional
points.  For instance, the Hahn study
quantifies only the costs of privacy protection, with
no estimate of the benefits.  Yet it would be
irrational to reach a conclusion on whether privacy
should be protected without examining these
benefits, as is done for example in the HHS regulatory
impact analysis for the medical rule.

     1.  The importance of defining the baseline.  The
cost of privacy legislation is the
difference between what industry would do in the
absence of a law and what it would do if the
law were enacted.  As the Hahn study points out,
Internet companies have made significant efforts
in the privacy area.  For instance, almost all
significant Internet companies today have a stated
privacy policy, and violations of the stated policy
can lead to enforcement actions at the state and
federal level.  The cost of legislation is thus the
extra, or incremental, cost of the new legislation.

     There are many reasons that Internet companies
address privacy in the absence of federal
legislation.  For instance, they do so to promote
consumer confidence in Internet transactions, or
to comply with legal standards for customers outside
of the U.S.  Importantly, companies take
many measures that are simply good business practice.
For instance, any responsible company has
a firewall for its web site.  If a law were passed
requiring a firewall (and I am not advocating such
a law in making this point), then the cost of the
legislation might be almost zero -- most
companies would already be taking that action.

     The entire estimate of cost thus depends
crucially on the baseline against which cost is
measured.  If companies are taking a level of
appropriate action under self-regulation, as Hahn
seems at some points to suggest, then a law setting
that same standard would have low or no
compliance costs.  On the other hand, if companies are
failing to follow basic good business
practice, such as failing to have firewalls, then it
is wrong to blame the law for the cost of the
firewalls.  The firewalls should be seen as part of
the cost of doing business, and not some
extraordinary burden imposed by legislation.

     As discussed in my 1998 book, it is a difficult
challenge to define a baseline clearly enough
to permit quantitative estimates of the costs and
benefits of privacy legislation.  After much effort,
my co-author and I decided we could not provide a
quantitative estimate in that instance.  In the
medical privacy rule, there is extensive discussion of
this issue of baselines, and the eventual
quantitative estimates are made after explicit
discussion of the issue.

     Unfortunately, in the Hahn study, the baseline is
not defined clearly enough, with the result
I believe of overstating the likely costs of
legislation.  The study at some points seems to
support the view that the Internet industry has already taken
substantial and effective steps to provide
privacy protection.  Yet the expenses already incurred
are never netted against the gross estimates
of cost.  It is as if one reports the cost of building
a house without subtracting out the cost of a
foundation and a couple of walls that are already in
place.

     2.  The Study's assumptions lead to substantially
overstated cost estimates.  The principal
assumptions that lead to an overstated cost estimate
are the failure to distinguish between large
and small sites, an excessive number of sites, the use
of unrealistically demanding and expensive
standards for each site, and the assumption that all
compliance will be customized rather than
having any reduction in cost after the first company
has complied.

     (a) Large and small sites are different. The
study surveys consultants about how much it
would cost for a large site to comply, for a site with
at least 100,000 current customers and the
capability to scale to millions of customers.  The
survey finds an average cost per site of $100,000
(more on that figure below).  But that cost is based
entirely on the estimated cost for building a
complex large site.  As the study itself discusses, it
is unreasonable to expect that a small Internet
site will spend $100,000 for privacy compliance.
Furthermore, as Response 2 to the survey
illustrates, the cost would be much lower for a small
site even though the survey failed to ask for
the difference in cost.

     (b) Too many sites.  The press release announcing
the ACT/Hahn study says that
"Analysis of Internet Privacy Regulation Says Costs
Could Exceed $30 Billion."
http://www.actonline.org/press_room/releases/050801.asp.
Press accounts have reported the
study as showing "costs of over $30 billion."  Yet the
$30 billion estimate, called "conservative"
in the study, cannot be defended on the basis of the
study itself.  That estimate assumes that
360,000 sites do the expensive $100,000 compliance
solution.  But the study itself also says that
there is a grand total of only 94,000 "medium to
large" commercial Internet sites.  The extra
246,000 sites are "small" sites, and the estimate for
a site serving millions of customers simply
does not apply.  Each of these "small" sites, however,
was counted at the $100,000 per site
compliance rate.

     The study's lowest cost figure is $9 billion.
That figure assumes that every single large
and medium site spends the full $100,000 per site for
compliance.  (The study defines size based
on the company size, with "large" having over 500
employees, "medium" 100 to 500 employees,
and "small" fewer than 100 employees.  Some "large"
companies may not have consumer sites
scalable to millions of customers, so they may not
have "large" sites.  Some "small" companies,
but proportionately likely not many, may have large
sites that are designed to serve millions of
customers.)  This $9 billion estimate thus assumes too
many sites for at least two reasons.  First, it
assumes that medium-sized sites will have to pay the
same as large sites.  Second, it assumes that
the medium and large sites do not already have
significant self-regulatory programs in place to
provide privacy protections.  Yet many of these larger
sites have already instituted significant
privacy programs.  The cost of compliance should thus
be reduced to take account of the
measures already in place, and this was not done in
the study.

     (c) Unrealistically strict criteria.  The study
asks consultants to estimate what it would cost
to build a new system that complies with a set of
criteria.  Defining those criteria is crucial.  If the
criteria are easy, then costs will be low.  For
instance, it would cost little if the law says:
"Mention the word privacy on your web page."  If the criteria
are strict, then costs will be high.  For
instance, it would cost a great deal if the law says:
"Design a state-of-the-art system that handles
personal information in complex new ways that have
never been done before."

     The problem is that the study assumes criteria
that resemble the latter.  Two examples
from a longer list give the flavor.  First, the study
assumes that every time personally identifiable
information (PII) is sent to any third party, the web
site must have a complete tracking of all of its
PII about that customer.  If the web site sends out
PII about that customer to someone the next
day, it must keep a complete file of the changed PII
that exists on that second day.  This sort of
time-and-date stamping of every item of information
about every customer is either rare or
unknown in the industry.  It is highly unlikely to
become law.  Yet that is the system that the study
assumes every web site will have to build.  A second
example is that the study assumes that the
customer access rules will be significantly stricter
than I believe anyone has seriously proposed
legislating.  In defining the access requirements so
strictly, for instance, the study assumes not
only that individuals will get online access to a
complete log of every time their PII has gone to a
third party.  Customers will also gain access to the
complete content of what is transferred to the
third party.  Again, this sort of time-and-date
stamping of the content that is transferred is either
rare or unknown in the industry.

     It is thus no surprise that the consultants
estimated that it would be expensive for each
web site to comply.  The criteria included features
that have not been implemented in the industry
and not seriously contemplated in legislation.  As the
consultants imagined what it would cost to
build these new types of systems for the first time,
they correctly stated that it would be very
expensive.  But the $100,000 average estimated cost is
a reflection of an unrealistically strict set
of criteria, rather than of the likely cost of actual
compliance with legislation.

     (d) All compliance is customized and there is no
learning from experience.  The survey
asked consultants to estimate how much it would cost
to build this complex, strict system for the
first time.  Their estimate of $100,000 per site for
building a new system was then used as the
average cost of compliance per site.  The over $30
billion estimated total cost assumed that
360,000 sites (large and small) would each build a new
system from scratch for that $100,000 per
site.

     But that is not the way that software works
today.  According to the study's figures, most
of those 360,000 sites are small or medium sites.
These sites will not ask expensive consultants to
write entirely new one-of-a-kind software.  Instead,
small, medium, and many larger sites will buy
software packages.  Implementation may include a
moderate amount of tailoring for a particular
company.  But the cost of that tailoring is much less
expensive, often by an order of magnitude,
than writing software from scratch.  The incremental
cost of compliance will further be reduced
because privacy compliance will likely be undertaken
as part of a broader upgrading of a site, of
the sort that is often done in the rapidly changing
Internet environment, rather than as a
stand-alone cost item.

     Put another way, the first system of a new type
costs far more to build than the 360,000th.
Experience gained in early systems makes it far less
expensive to build later systems.  Even if
Congress surprises everyone by requiring every one of
the unrealistically strict criteria that the
study assumed, later systems will cost much less than
the $100,000 that the study uses.  And,
Congress will not impose those criteria, so the cost
of actual legislation will be even less.

     Conclusion.

     I have written this detailed analysis of the
study because of my belief that it will be
irresistibly tempting for critics of privacy
legislation to quote the $30 billion, or even the $9
billion, estimate as though these are realistic
figures.  For the reasons stated here, those estimates
are far too high given the study's own assumptions.
It is unrealistic to treat small web sites as
though they will pay the same compliance fees as large
web sites.  It is unrealistic to estimate
360,000 sites paying the large-site cost when the
study states that there are only 94,000 medium
and large sites combined.  It is unrealistic to use
criteria for system performance that do not
reflect industry practice or realistic Congressional
outcomes.  And it is unrealistic to believe that
the 360,000th site will cost the same as a pioneer
site that builds features that have never before
been implemented.  The combined effect of these
unrealistic features could easily be to reduce the
cost of compliance by an order of magnitude or even
more.  The actual costs of compliance
should likely further be reduced to account for the
actions industry would take and has already
taken in the absence of legislation.  And any ultimate
decision about the desirability of legislation
should consider the benefits of privacy protection,
which this study does not do in a systematic
way.

     With all that said, the study does make the
correct point that badly drafted legislation, in
privacy as in other areas, can impose substantial and
undesirable costs. If Internet privacy
legislation is enacted, then it should be based on
careful attention to how principles such as notice,
choice, access, security, and enforcement would work
in practice.  My own goal, as a private
citizen and while in the Clinton Administration, is to
promote sharing of information where that is
beneficial and to keep information confidential in
appropriate situations, such as where the
information is especially sensitive or is gathered or
used contrary to the wishes of the individual.
In seeking to discern useful information flows from
invasions of privacy, policymakers need to
rely on more realistic estimates of the effects of
legislation than I am afraid this study provides.

     There have been other studies released in recent
months, sponsored by other groups, that
have estimated the costs and benefits of privacy
legislation.  These other studies also deserve

=======

Peter P. Swire is Professor of Law at the Ohio State
University.  In the 2001-2002 academic year,
he will be a Visiting Professor of Law at George
Washington University.  From 1999 until early
2001, Professor Swire served as the first Chief
Counselor for Privacy in the U.S. Office of
Management and Budget.  With Lawrence Lessig, he is
Editor of the Cyberspace Law Abstracts
of the Social Science Research Network.  Many of his
writings appear at
www.osu.edu/units/law/swire.htm. E-mail at
swire.1 () osu edu.  Phone: (301) 213-9587.  Privacy
documents from the Clinton Administration are
available at the Presidential Privacy Archives of
the Technology Policy Group, at www.privacy2000.org.

**********

From: Richard M. Smith [mailto:rms () privacyfoundation org]
Sent: Tuesday, May 08, 2001 9:05 AM
To: rhahn () aei org
Cc: vsampson () ACTonline org; jzuck () ACTonline org; Richard M. Smith
Subject: Where are the B-to-C Web sites?

Hi Robert,

I have a question about today's report that was
released by ACT:

   "An Assessment of the Costs of Proposed Online Privacy Legislation"
   http://www.actonline.org/pubs/HahnStudy.pdf

In the beginning of the report the following statement is made:

   "A fundamental issue in the privacy debate relates
   to the ownership of information. Does a company have
   the right to take and use personally identifiable
   information (PII) from a consumer and use that
   information for profit?"

My question is how come no business-to-consumer Web sites
took part in the survey?  Looking over the list of
companies from the survey, it appears to me that
most of them are either software tool companies or consultants
to other businesses.  If privacy is a consumer issue,
why were B-to-B companies interviewed exclusively
for the survey?  Does not compute.

Attached is a list of companies from the report.

Thanks,
Richard M. Smith
CTO, Privacy Foundation

==========================================================================

Active Designs
Aegis Consulting
Clarity Consulting
Compuware
Crosstier
DevX
i3 Solutions
Information Strategies
IXL
Mariner
MetroSharp
Online Consulting
Progressive Systems Consulting, Inc
Proxicom
Rocketworks, Inc.
Rubicon Technologies
WebBranch

**********

From: Paul Sholtz
Sent: Wednesday, May 09, 2001 12:21 AM
To: 'rhahn () aei org '
Subject: cost of privacy article

Dear Mr. Hahn,

I just read through your recent report (published on May 8) concerning the
costs of privacy. It is an interesting report, but I disagree with you on
several points.

You point out in your paper that privacy is a problem in data ownership.
Define who owns what data, and you've solved the privacy problem. I agree
with that. In fact, I think you've solved lots of other problems as well,
such as all the IP issues surrounding Napster, etc.

However, problems in ownership and property rights can often be modeled and
resolved using the Coase Theorem. You reference some academic work that has
been done in property rights, but none of it references the Coase Theorem,
which outlines correlations between property rights and transaction costs.

I have made a number of economic arguments in favor of consumer property
rights over personal information, based largely on the Coase Theorem (it is
now cheaper for a company to tag permissions w/ data throughout the
enterprise than it is to risk a privacy breach).

You can find some of my papers at:

http://www.firstmonday.org/issues/current_issue/sholtz/index.html (<--
transaction costs + Coase Theorem)
http://www.firstmonday.org/issues/issue5_9/sholtz/index.html (<-- more
general economics)

I think from a 50,000-ft view, these papers outline reasons why consumer
privacy saves money over the long term.. (instead of costing tens of
billions like you say).

In terms of the rest of your article, I have the following points:

(*) you indicate (on p.3) that the loss in revenue in PII-related
advertising would be significant. In fact, ALL advertising is based on PII
ultimately (in some way or another), and frankly, in today's economy w/ the
Internet, ALL advertising is economically inefficient (although I won't get
into the details of why here)

The purpose of technology is to replace old, inefficient ways of doing
business with newer, more efficient models. To say that we cannot have
privacy b/c it decreases PII-related ad revenue is like telling Henry Ford
he can't build cars b/c they negatively impact the business of building
horse-carriages.

(*) You also say the PII-related ad market is small (p.3). In fact,
conservative estimates place the value of the American direct marketing
industry at roughly $600 billion annually. The DMA would like to think it's
over $1 trillion annually.. I'm not sure what he's talking about in saying
that PII-related advertising is a small business - it's about 1/7 of the US
GDP..

When you're talking about a market that is worth $1 trillion, then $30
billion (<--that's roughly your cost of privacy estimate, isn't it?) of
upgrades in that market to make it more efficient is a TINY drop in the
bucket. It's less than 1/10th of 1%..

(*) On page 9, I'd like to indicate that the REAL distinction between online
and offline privacy are the transaction costs involved in how the
information is collected. You don't address this, and instead only focus on
the type and use of the information collected. These points are obviously
important, but the change in transaction costs is what necessitates the
change in property rights (under the Coase Theorem).

(*) On page 13, you point out that Yahoo! depends almost exclusively on
banner ad revenue and that privacy legislation would destroy companies like
that. In fact, Yahoo and banner advertising is an extremely inefficient
business. Yahoo is the ONLY company in world history that ever turned a
profit from banner advertising, and now even Yahoo can't do it anymore (b/c
businesses are realizing that banner ads are not an efficient use of their
resources). If only ONE company in the world can profit from a business
model (and when it's a business model that bazillions of companies are
TRYING to profit from), common sense would suggest there is something
EXTREMELY WRONG w/ that business model..

(*) on Page 14, When a user first opts-in, and then opts-out, you suggest
that all the organizations with which info was shared in the intervening
period would have to be notified.

Well - yes and no. Today that is still frankly a technicality. The consumer
has still created value for herself by opting out, even though some info was
released beforehand.

More importantly, if you REALLY own personal data, you should be able to
publish changes in the data or terms of use in one place and have all
"subscribers" to that data notified simultaneously.

For instance, whenever you move you have to change your magazine
subscriptions. It's a real pain to fill out change-of-address forms for each
magazine you are subscribed to .. it would be easier to fill out the change
once and have it propagate through to all relevant magazines.

This technology/business paradigm does not exist today, although it should.
It is possible to do, and much cheaper than the current system. This is (in
part) what a property rights system over personal data would look like. The
fact that such technology/business paradigms do not exist is what you are
referring to in your opt-in/opt-out dilemma.. In fact, this economic
paradigm is FAR MORE efficient than banner ads at Yahoo! (in terms of being
a model that "monetizes" personal data, as people from Yahoo like to say)

(*) The focus of this article is on why it is hard and expensive for
businesses to upgrade IT to meet privacy demands. You cite (on p. 17) that
the biggest cost is in integration and in having businesses offer the
"services" they need in order to make privacy happen.

In fact, there is a trend currently underway in IT called "Web services"
that allows businesses to quickly and easily segment their IT according to
discrete "Services" they offer to their customers. Businesses are already
adopting Web services (willingly) and Web services allow businesses to
quickly and easily add privacy services in the process of upgrading IT (<--
I am currently writing an article on this topic for an IT magazine - I'll
let you know when it's done)

(*) on p. 24, yes I agree that the market is reacting to address privacy,
but the market needs the (slight) nudge of law to help it along. Property
rights IS the market-based answer to privacy, but you can't have property
rights unless you have a government that defines a right to property. The
whole concept of Coase is that the government can create a market for scarce
goods where none would otherwise exist.

Once you have this system of property rights in place, then yes, market
based alternatives work (that said, of course it will still cost businesses
SOME money to implement them, but the business will save lots of money over
the long run).

Best Regards,

Paul Sholtz
PrivacyRight, Inc. - www.privacyright.com
Chief Technology Officer

**********





-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

