Privacy Declared Public Good

Bruce Schneier, eminent cryptographer, has declared market failure. He points to what he calls a meta-problem:

Those entrusted with our privacy often don’t have much incentive to respect it . . . What this all means is that protecting individual privacy remains an externality for many companies, and that basic market dynamics won’t work to solve the problem. Because the efficient market solution won’t work, we’re left with inefficient regulatory solutions.

Privacy is indeed an externality, but customer satisfaction is an externality, too. The whole point of markets is that they help us work these things out. What Mr. Schneier has described is not a market failure but in fact the original sin of the regulator: the assumption that, though the market chose publicity, it should have chosen privacy. We can’t make that claim without evidence.

Before we go making assumptions about what homo economicus might or mightn’t choose, we should remind ourselves of some of the benefits of publicity. Search engines like Google can give me tailored results, and targeted advertising funds many of their nifty services. When TransUnion vouches for me, I can reliably get a loan from a banker I’ve never met. If I’m married with kids, insurers who know that can offer me cheaper policies. These benefits are substantial, and we should be quicker to assume that the market values them than that it has ignored the associated costs.

There are plenty of good reasons for choosing privacy, and for the most part that choice is open to us. It’s still legal to pay with cash, walk around without ID, and forgo health insurance. It can be monstrously inconvenient, but that’s the price we pay when we make unusual choices. Of course, these options may not be legal for much longer, and there are already many legally required disclosures that should include privacy requirements–car insurance and airplane tickets, for example. There’s plenty of work to be done to make sure privacy stays legal, but that’s a long way from making it mandatory.

Mr. Schneier acknowledges several of the inefficiencies of regulation, to his credit, but he misses the single largest. None of us have exactly the same priorities when it comes to privacy, but when the choice is made for us by legislation, we’re stuck with a one-size-fits-all regime. As Mr. Schneier points out himself, there are also limits to how much regulation can accomplish. A privacy violation is the act of revealing information–not using it–and without any “IRS misplaces laptop” headlines, it’s usually impossible to tell whodunnit.

And of course, that’s the real problem here. If we don’t act like private people, we won’t be private people. I don’t share Mr. Schneier’s willingness to regulate, but he is absolutely right that the reality of privacy has changed too quickly for our norms to keep up. Posting drunken photos on Facebook is one of the stupidest things we can do with a computer, yet we do it all the time, because we don’t appreciate the consequences. It’s not just a lack of judgment, either. Everyone knows not to send cash through the postal service, but most of us still don’t have the slightest clue how email works. This too shall pass.

When man discovered fire, he learned not to burn himself. When we brought electricity into the home, we learned not to shock ourselves. If and when our online indiscretions come back to haunt us, we’re going to learn the value of privacy, and how to get it. Once we do, the market will bend over backwards to sell it to us. But insulating us from the consequences of our decisions can only make things worse.  If we try to save ourselves the trouble of adjusting, if we put our chips on government to simply make the problem disappear, we won’t be ready when the stakes are a lot higher.