TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Why I Haven't Yet Given Up Hope on Contracting Around Personal Data Related reading: Roundup: Canada, US and more


Why is it that better methods of digital contracting and data ownership have not yet developed to help us protect our privacy online?

It’s not like these are new ideas. In fact, way back in the Net’s dial-up dark ages—1996 to be exact—Cal-Berkeley economist Hal R. Varian, now chief economist with Google, penned a short, but widely-cited, essay on “Economic Aspects of Personal Privacy” that proposed assigning “property rights in information about an individual to that individual, but then allow contracts to be written that would allow that information to be used for limited times and specified purposes. In particular, information about an individual could not be resold, or provided to third parties, without that individual’s explicit agreement,” he argued.

A year later, Eli Noam of Columbia University made a similar argument in an essay on Markets for Electronic Privacy. “Encryption permits individuals to sell information about themselves directly, instead of letting various market researchers and credit checkers [use it freely],” Noam noted.

So, what happened on the way to private contracting paradise? There are several reasons privacy markets have never taken off.

First, there probably hasn’t been as much demand for formal contracting because many users don’t mind today’s predominant “take-it-or-leave-it” model of online services. Most people quickly click “Agree” and accept such licensing deals because of the low price—usually zero—and the ease with which they can start using those services right away.

But a better explanation for the failure of formal contracting around privacy is that it has always been tied up with the same thorny issues of information ownership and enforcement which have complicated digital copyright policy. Put simply, information control is damned hard—whether such control is being pursued through top-down regulation or bottom-up contracting methods.

Jasmine McNealy, an assistant professor in the Information & Communication Technology Program in the School of Library and Information Science at the University of Kentucky, wrote about these challenges in an essay last week. She noted that:

We still do not have clear answers to basic questions such as: Do people own personal information about themselves? How can they control or limit how companies (and governments) use it? To start, there are complexities around the fundamental issue of information “ownership,” particularly ownership of personally identifiable information (PII). One cannot be said to actually own information about one’s self. Information relates to you, is connected to you, or is of you.

McNealy notes that the unique characteristics of information—it’s intangible, amorphous, easily shared and “leaky”—“make it difficult to recognize as property.” Sometimes it is not even clear who “possesses” any particular piece of information. “While one can to exclude others from physical property through fences, locks, or, for the more extreme among us, guard dogs, it is much trickier to control information in a digital environment,” McNealy notes. “You cannot simply lock your online user habits behind a heavy door,” she argues.

McNealy is right, but should we give up hope altogether on the idea of contracting around our personal data? Perhaps there are reasons for some hope.

Firms such as,, and The Locker Project all hope to create “data lockers” or “reputational vaults” that would let consumers keep their personal information in a secure system for a fee and then trade it with others more selectively than they do today. Comparable startups were recently profiled by The Economistand The New York Times. “These ventures each take different approaches toward protecting personal information but are all focused, at their core, on enabling people to better control and leverage data about themselves and their lives,” notes technology writer David Bollier.

Of course, we shouldn’t ever forget that transaction costs matter greatly and could frustrate contracting around privacy. Administering property-like systems for information markets can be complicated and costly. Some of these costs are impossible to quantify but nonetheless significant. For example, many consumers may not want to deal with the mental transaction costs associated with constantly figuring out how to bargain with hundreds of online sites and services that use their data.

But here’s an interesting—and ironic—scenario: Might advertisers and data aggregators end up being the ones who push for more formal data contracting? If users started employing more privacy-enhancing technologies and more actively thwarted data collection and advertising, then perhaps some sort of bargaining around personal data would develop to ensure information kept flowing. For example, what if roughly 25 percent of online users were using technologies like AdBlockPlus and some variant of “Do Not Track” technology? Could that serve as the tipping point for online advertisers and other data aggregators to move toward contracting solutions to get consumers to keep sharing their data?

It remains to be seen, and I remain skeptical that strict contracting will work for the reasons McNealy outlined: Information is just really hard to keep bottled up. But we shouldn’t give up hope entirely.

photo credit: thinkpanama via photopin cc


If you want to comment on this post, you need to login.

  • comment Jim Harper • Aug 6, 2013
    McNealy seems to be looking at too small a universe of personal information. People constantly exercise property-like control over personal information, by not speaking, for example, not visiting certain web sites, and not entering information online, to name just a few examples. The discussion here seems to take *shared* personal information as the entire universe of personal information, and, yes, shared information is hard to control. But you can't conclude from the difficulty of formal contracting around shared information that people do not exercise control equivalent to property rights over personal information. Nice essay, Adam!
  • comment Name • Aug 6, 2013
    The question of who owns the data is as old as digital data.  A core question, that seems to be ignored in many discussions, is the difference between the data I contribute, for example my registrations, and the data that comes from other's observations of me.  The fact is that more and more data comes not from my contributions, but rather from the observations of my behavior.  In many civil law societies, any processing of data most be done pursuant to a legal basis, and an observation is a processing.  In the United States the question is more about when one is free to observe another individual.  In the physical world I am free to observe you in your front yard, but I am not free to stick my head inside the window of your house and observe your behavior.  A better question might be when do we set the norms for observation in a digital world?  Doing so might change the conversation with the rest of the world.
  • comment LaVonne Reimer • Aug 6, 2013
    Interesting essay. Information about me and my business endeavors may be hard to bottle up. But if I have a convenient way to aggregate it in a single place and then share it so it helps others understand my business and how to do deals with me, that will surely tend to draw viewers to my display rather than poking around the web to find stuff on their own. In other words, the next stage of this probably isn't contract but rather tools to leverage information to bring value my way.
  • comment Adam Thierer • Aug 6, 2013
    Thanks for your excellent comment. I think you get at the really hard question here when you note:  "In the physical world I am free to observe you in your front yard, but I am not free to stick my head inside the window of your house and observe your behavior. A better question might be when do we set the norms for observation in a digital world?"
    Drawing this line is hard but I think we already do it in some ways for “sensitive” classes of data, especially health-related, financial, and data about children. Our "norms for observation" are clearly different when that sort of sensitive information is in play compared to other forms of information that might be collected. 
    The question this raises, and that I did not have time to discuss in my essay above, is: To the extent contracting around personal information develops at all, will it just be for those “sensitive” classes of info? After all, various laws already give them special protection and data aggregators know they have to be super-careful with that sort of data. Do we, therefore, already have quasi-property rights for some health and financial data? I think we kinda do. But can we scale that system up to cover ALL data that might be collected about us? I am far more skeptical that can be done. Moreover, it would have some major repercussions for our data-driven economy that we would need to consider.   
  • comment Adam Thierer • Aug 6, 2013
    You make a fair point, Jim, although I think you are using a very broad conception of "exercise control equivalent to property rights over personal information." Perhaps you can provide some examples? Because I know we obviously agree that many people like us are constantly engaged in efforts to control information flow about themselves, but I am not sure I'd call that the "equivalent to property rights over personal information." I'd just call it personal responsibility, or good data stewardship.  
    For example, I quit Facebook last year (for a variety of reasons). That certainly allows me to exercise greater control over my online data flows, but that's not "equivalent to property rights over personal information," is it?    
  • comment Brad Reimer, CIPP/US • Aug 7, 2013
    The problem for me as a practical point is that daily businesses and individual consumers (“consumers”) receive offers based on observations about them and, finding utility in those offers, make a purchase or an inquiry that will lead to a purchase. It would seem that the utility of receiving and acting on these offers is accepted by the general populace and has a higher value compared to the theoretical economic gain that they might receive from contracting for data.
    Consumers’ mental transaction costs are pointed out in the article, but there’s also going to be a real time transactional cost in learning the implications behind contracting personal data and then taking time to managing those preferences. The current system works because consumers receive an appreciated level of utility for the use of their data. 
    That appreciated level of utility results in the Data-Driven Marketing Institute’s estimate of $2 trillion dollars in sales ( “What It Means. How You Can Help” slide show presentation from November 2012). If sales don’t occur for a specific offer on a specific campaign, direct marketers will stop making the offer and find a new offer where the consumer receives the necessary utility and the marketer receives the necessary profit. 
    My logic may be flawed, but: If direct marketers are making offers, sales have to be occurring at an acceptable profit point for them. If sales are occurring at an acceptable profit point for marketers, consumers must be finding enough utility in the offer to make a purchase. If consumers are finding utility in the purchase and the offer is made in good faith, then the use of observations about the consumer to establish the relationship between the marketer and the consumer must be viewed as a positive transaction. 
    I see the simplicity of current state being far more attractive to the average consumer than my perception of the complexity of a future state with data contracting, but I remain open to evidence that would make me change my mind.
  • comment Jim Harper • Aug 7, 2013
    You're probably familiar with property rights being thought of as a "bundle of sticks," a variety of different rights that cluster together. Legal philosopher Tony Honore identified them as follows: "Ownership comprises the right to possess, the right to use, the right to manage, the right to the income of the thing, the right to the capital, the right to security, the rights or incidents of transmissibility and absence of term, the duty to prevent harm, liability to execution, and the incident of residuarity."
    These are all rights you can exercise over personal information. So having a piece of information in mind or written down, I am exercising the right to possess. If I consider the information or make a decision using it, I'm exercising the right to use. If I file the information in a file drawer or combine it with other information, that is an exercise of the right to manage. If I use it increase my wealth - say, because it's knowledge of how to tie a fishing lure - that is enjoyment of income from the information. If I give someone the information in exchange for something valuable, that is exercising my right to the capital. (This is what is happening in the advertising-supported web, sharing of information for something in return.) The other property rights ... I forget what Honore meant by them. But you get the picture. The incidents of property and ownership generally all apply to information and personal information.
    Now information is hard to maintain ownership of because of its peculiar 'property' of infinite replication. So if I go outside wearing a bright yellow hat, I still know of the fact, and I can do whatever I want with it. But anyone else can gather that fact and make whatever use they want of it. We both have it, and it is the property of each, but the value of it for many uses will be very low. That's not a problem with the conception of it as property.
    When you quit Facebook, you made a decision that cuts off the flow of information about you, helping to ensure your exclusive ownership of billions of facts about you. It's personal responsibility, data stewardship, and an exercise of property rights all in one!
  • comment Ryan Radia • Aug 7, 2013
    Thomas Merrill argues that "the right to exclude others is more than just ‘one of the most essential‘ constituents of property--it is the sine qua non. Give someone the right to exclude others from a valued resource, i.e., a resource that is scarce relative to the human demand for it, and you give them property. Deny someone the exclusion right and they do not have property." Thomas W. Merrill, Property and the Right to Exclude, 77 Neb. L. Rev. 730 (1998). The acts that Harper portrays as coincident with “property and ownership” in “information and personal information” may resemble property rights, but they are missing a key ingredient of private property: an stand-alone right to exclude all others in the world from using a particular asset (i.e., your information). You can harness the property rights you hold in certain assets (e.g., your home, computer, printer, file cabinet) to safeguard other assets (your information) from unauthorized use, but it does not follow that you hold a property right in your information.
    That said, U.S. law does recognize a handful of property rights in personal information. Under the Copyright Act, each of us enjoys a property right in an original expressive work we fix in a tangible medium, whether or not we publish it. And under various statutes and privacy torts, each of us also enjoys a quasi-property right in 1) the commercial value of our likeness (the right of publicity); 2) information we create, and enclose within, certain private spaces (tort of intrusion upon seclusion); and 3) sensitive personal information that isn’t known to, or a concern of, the public (tort of public disclosure of private facts).
    If one accepts the proposition that the law ought to recognize property rights in assets that cannot be physically enclosed when the social benefits of doing so plainly exceed the resulting costs, it seems to me that the narrow quasi-property rights that exist today are largely justifiable—in principle, at least, if not always in practice. 
    If 99% of people are willing to pay to stop the commercial appropriation of their likenesses, yet 1% of people are making big money by using other people’s likenesses without permission, we might conclude that the 1% derives more value by appropriating likenesses than the 99% loses in value from the practice. Or, we might conclude that bargaining costs, the hold-out problem, and lax reputational forces have precluded the socially optimal outcome: a default rule prohibiting the commercial appropriation of an individual’s likeness without her permission. If policymakers reasonably determine the latter conclusion is far more plausible than the former—a big “if”, admittedly—why shouldn’t the law recognize an attenuated property right in our likeness?
    Measurement and transaction costs are two reasons to think twice before creating novel property rights. When we perish, who own our likeness, if anyone? If we can bequeath our likeness, is there a registry that identifies who owns each deceased person’s likeness? Should the law also encompass non-commercial unauthorized uses of a person’s likeness? First amendment concerns notwithstanding, would this regime frustrate valuable uses of photographs and paintings that depict actual persons by imposing insurmountable transaction costs on socially beneficial conduct (e.g., news reporting)?
    As for personal information we generate online, relying on contracts that only bind discrete parties (users, websites, possibly ad networks) is far more sensible than recognizing a broad property rights regime over personal information. Today, each of us enjoys unfettered legal rights to use and enjoy, non-exclusively, most information we learn from and about others in the course of our interactions with them—that is, unless otherwise agreed. What would property rights in personal information look like? I imagine it would abound with implied licenses and other exceptions, generating numerous billable hours for lawyers, but to what end?
    Property rights make sense in the context of someone’s house, car, or even likeness, as contracting with everybody who might like to use “your” asset is often cost-prohibitive. But on the Internet, you can watch everybody who legally watches you, which would be completely infeasible while walking down a busy street. You can view the IP addresses and businesses with which your computer interacts as you browse the web, video chat, or seed Linux distribution on Bittorrent. In fifteen minutes, you could “whitelist” 100 network domains with which you’re comfortable interacting, and block the rest of the Internet. This wouldn’t make for a stellar experience, to be sure, but neither would walking down a busy public street wearing a burqa (that is, assuming you’re wearing it for reasons of privacy, as opposed to religion). 
  • comment Jim Harper • Aug 7, 2013
    Ryan, assume a land with no copyright or patent law. I live there, and I have two pieces of paper. On one, I write a poem. The other piece of paper I fold into an origami Ruth Bader Ginsburg. And I put them both in a drawer. The origami Ginsburg is my property (I assume you’d agree), but the poem is not? Discuss.
  • comment Ryan Radia • Aug 7, 2013
    Both pieces of paper are your property. But neither represents the poem itself; it is an intangible asset manifested in the piece of paper you own. Assuming you successfully keep the piece of paper to yourself, I concede that for all practical purposes, you effectively enjoy the same property rights in your poem as in the piece of paper upon which it's written. 
    However, if a nosy neighbor walks on your land without permission and steals that piece of paper, you have valid causes of action for trespass and replevin (that is, you can force the neighbor to return the piece of paper). Or, if the neighbor derives a benefit from performing or publishing the poem, you might well have a cause of an action of assumpsit on an implied contract arising out of the neighbor’s trespass upon your land. “[I]f a [trespasser’s] wrongful act resulted in some benefit to the property or estate of the trespasser, then the law will imply a promise on his part to pay for the benefits received.” 167 A.L.R. 796. But “assumpsit will not lie where a mere naked trespass is shown.”
    On the other hand, if the neighbor trespasses on your land and merely memorizes the poem without so much as touching the piece of paper, you have no claim to anything of value the neighbor earns by performing or publishing the poem, nor to any losses you suffer due to the awareness that your poem no longer known exclusively by you.
  • comment Jim Harper • Aug 8, 2013
    Thank you for this thorough, lawerly, and Latin-y answer, Ryan. I appreciate your acknowledgement that the poem is an "asset." Let me amend the hypothetical in a couple of ways and the question in another. Let's say that I am Maya Angelou and that my trespassing neighbor, having memorized the poem, publishes and performs it, earning $1.1 million. My question is: Do you think allowing me no recompense is a just outcome?
  • comment Ryan Radia • Aug 9, 2013
    My response to your hypothetical about the unpublished poem was incomplete. At common law, an author enjoys a property right in unpublished manuscripts, which were often described as "literary property" in the eighteenth and nineteenth centuries. Today, this doctrine is often referred to as "common law copyright". See Melville B. Nimmer & David Nimmer, Nimmer On Copyrights § 2.02 (2007) (explaining that the common law's protection of authors' rights over unpublished works was "referred to somewhat inaccurately as common law copyright.") Once a work is published, it is protected solely by statute.
    When you said to “assume a land with no copyright or patent law”, my response assumed the absence of common law copyright. If, however, you meant to assume the absence of any law resembling the U.S. Copyright Act, my response was inaccurate, as the common law would indeed protect your unpublished poem as literary property.
    As for your follow-up question, I do not think it would be just for your trespassing neighbor to publish or perform your unpublished poem without your permission. And I am glad the law recognizes literary property as such, and that it confers greater somewhat protection on unpublished works than published works. 
    I suppose you might argue that publishing your poem – that is, voluntarily exposing it to the world - is akin to disseminating personal information by voluntarily walking down a public street. So why should quasi-property rights attach in one case, but not the other? And if I were to support statutory copyright protection while opposing comparable protection of personal information voluntarily conveyed to the public, wouldn’t that make me a hypocrite? Not at all; as I explained in my original comment, “the law ought to recognize property rights in assets that cannot be physically enclosed when the social benefits of doing so plainly exceed the resulting cost”.
  • comment Jim Harper • Aug 9, 2013
    I intended to assume a land with no copyright or patent statutes, letting common law exist as it will. Thanks for clearing up that ambiguity in my hypothetical.
    So, you've discovered that the answer at common law, and the one that does justice, is for a person to enjoy a property right in information that he or she has suitably concealed from others? Sounds good to me!
    I don't know that we need to get into the merits of statutes that try to assign property rights in information exposed to the world. In the context of privacy regulation, I've talked about that as being like trying to make rivers flow upstream. But if you say that social benefits might plainly exceed the costs, well, you just go on and have a good time with that. I'll be over here pointing out how common law and justice treat information as property when it is maintained as such by its owner.
  • comment StitMe • Mar 17, 2014
    The world just doesn’t seem safe anymore, does it?
    Think about it: anyone who has your mobile number can call you or text you any time they want, as often as they want to. It is not just angry ex boyfriends or girlfriends or friends who don’t understand that you may not want to be contacted at odd hours or at work, but Hackers, Identity thieves, and for that matter even the NSA can track your movements and find out all they need to know about you once they get their hands on your number.
    And to make it worse, most of us have been giving away our Mobile numbers on our business cards, social networks, and email footers for years.
    Insurance agents, mobile companies and even ambulance chasers have taken to calling or texting you at any time of the day or night, desperately trying to make a few bucks off you. Surveys and unwanted charities can be even peskier. 
    “But, isn’t there a national do not call list?” 
    Of course. I bet you’re on it. But you are still constantly getting calls. On your mobile, over VOIP, from unlisted numbers and even from people belonging to other countries.
    ŠtítMe offers the first real solution. You never need to give your mobile number out to anyone again. Give them your ŠtítMe ID example (#JoeBlack) instead. You decide who calls you, when they call you, and if you no longer want to be called. ŠtítMe gives you the ability to deny access to anyone by simply deleting him or her. 
    Even if a deleted contact tries calling you back, Stitme will ensure the call will not get through. 
    Try ŠtítMe. Believe me, you’ll wonder how you lived all these years without it!