From DEF CON 23: If supply and demand make a market, where is the market for privacy?

Everyone talks about privacy, but nobody does anything about it, to mangle Mark Twain’s witticism regarding the weather.

Economists at Princeton are launching a study to explain why there’s not a more robust market for privacy products and services, given our growing understanding that our most private matters are routinely plundered from online sources.

“There’s a demand for privacy,” economist Rene Mahieu told me earlier this month at DEF CON 23. “Also, I’ve been here at DEF CON and I’ve heard a lot of talk about the technical possibility for creating privacy. So there is a potential supply.”

It follows, therefore, that there should be a market. “A vibrant market,” he says.

Mahieu and Princeton research colleagues are starting with some theories, but it seems to me this question can be answered from the gut. Digital privacy is inconvenient, complicated, and expensive.

Economists have names for these obstacles, Mahieu informs me.

“Information asymmetry” may dampen the inclination to purchase, even from consumers with a clear interest in the product. In a technology transaction, the potential buyer may not understand the product, and becomes doubtful that it will deliver on its promise. Mahieu likens it to buying a used car. The seller has more information than the buyer about the vehicle, and holds the cards when it comes to contract terms. It feels better to walk away than to spend money on something when you’re not convinced it will meet your needs.

“Network effects” describes the lonely experience of adopting a privacy-enhancing messaging service, for instance, and discovering that none of your friends use it, and therefore you can’t talk with your friends. Do you undertake a massive recruitment project or continue to expose yourself to privacy invasion? Most likely, you resign yourself to the latter. Life’s too short.

There’s also the abstract nature of privacy invasion, stacked up against the convenience and pleasure of connection.

“The problems are uncertain and in the future,” Mahieu says, “while the gratification is now, and direct.”

As part of their research, the team wants to talk with business people who’ve had first-hand experience developing privacy products, successful or not. They’re interested in entrepreneurs as well as folks who’ve toiled in big data. Mahieu encountered some of them at DEF CON. One entrepreneur described his innovation, which had been well-received by everyone who tried it. But it didn’t sell, and was ultimately offered for free.

“That’s the starting point for our question,” Mahieu says. “Why, given the immense interest, and the growing interest in privacy, and our technical capabilities, is the market not functioning as we expect it to be?”

If you can help explore the question, he’d like to hear from you. The research project is at the Center for Information Technology Policy at Princeton, but you can contact him directly.

7th Circuit Court of Appeals: You don’t own your personal information

UPDATE August 9, 2015: Regarding my claim below that a robust market for personal information on the dark web constitutes evidence of its value as a commodity, attorney Caitlin Kelly Henry points out (in the context of a casual conversation at DEF CON) that the court would not recognize illegal activity. But she also notes that businesses are routinely engaged in the lucrative practice of marketing their customers’ personal data, making essentially the same point. Caitlin adds that this case is well outside her practice area. Thanks nonetheless, Caitlin.

Whoa! This is not good news, and while the case was covered in the legal press, this was not the headline. Buried deep in the dicta, on page 13 of a 17-page decision, the court says personal information is not a property right.

The question before the court was whether Neiman Marcus customers have standing to sue after the company suffered a credit card breach that exposed the plaintiffs’ personal ID and financial data. The court said they do.

The discussion centered on Neiman’s argument that there was no actual injury since the plaintiffs were not accountable for fraudulent charges on their accounts. Standing can’t be argued on speculative claims of future harm, Neiman argued.

Potential future injury is what’s at issue. Until this decision, there was a high bar to establish the risk of future injury from exposure of personal information. The 7th Circuit has lowered it, granting standing on the speculative claim, and asking why else cyberthieves would steal credit card numbers, if not to set up fraudulent accounts.

After a lengthy discussion of the various legal issues involved, the court threw in some brief comments on the ownership of personal information, mostly for good measure. “For the sake of completeness…” the court said.

“Plaintiffs also claim they have a concrete injury in the loss of their personal information, which they characterize as an intangible commodity… This assumes that federal law recognizes such a property right. Plaintiffs refer us to no authority that would support such a finding. We thus refrain from supporting standing on such an abstract injury, particularly since the complaint does not suggest that the plaintiffs could sell their personal information for value.”

What!!?? There is and has been a thriving market for personal information, and yes, the information has monetary value. Business has been so good, in fact, that the value per ID on the dark web has gone down since its peak, just as any commodity responds to excess supply.

In this opinion, the 7th Circuit has contradicted itself, acknowledging that the purpose of stealing credit card data is to make fraudulent charges and set up fraudulent accounts in the name of the card holder, yet declaring that the card holder’s personal information has no value.

I’m no lawyer, and further research is in order, but I predict a large herd of worms crawling out of this open can. And by the way, is anyone else reading these documents all the way through?

CASE UPDATE: Neiman Marcus has requested a rehearing en banc in the data breach lawsuit referenced below. The retailer asserts that the 7th Circuit Court’s “use of an expansive standard” to establish standing in data breach suits will be “enormously consequential to the national legal landscape.”