The FTC report on the ‘Internet of Things’

The new Federal Trade Commission (FTC) staff report on the “Internet of Things” resembles previous commission privacy reports in being almost entirely bereft of new data or analysis. Commissioner Joshua Wright’s dissenting statement is the best summary: “the Workshop Report includes a lengthy discussion of industry best practices and recommendations for broad-based privacy legislation without analytical support to establish the likelihood that those practices and recommendations, if adopted, would improve consumer welfare.”

The commission has a well-deserved reputation for promoting solid analysis on a range of consumer protection and competition issues. In the very important privacy area, however, the commission has gotten in the habit of substituting workshops, which are heavy on opinions and light on facts, for systematic data-gathering and analysis. As Wright notes, “merely holding a workshop — without more — should rarely be the sole or even the primary basis for setting forth specific best practices or legislative recommendations.”

{mosads}As I have noted before in my past analyses of FTC privacy reports, a more useful report would include three features.

First, it would identify consumer harms that its proposals are intended to address. Second, it would determine if recommended policies can reasonably be expected to address those harms. Third, it would evaluate whether the costs and benefits of policy recommendations were likely to yield a net improvement in consumer well-being. As Wright notes, “the Commission and our staff must actually engage in a rigorous cost-benefit analysis prior to disseminating best practices or legislative recommendations, given the real world consequences for the consumers we are obligated to protect.”

Wright correctly voices concern over the staff’s data minimization recommendation that businesses “develop policies and practices that impose reasonable limits on the collection and retention of consumer data” without any analysis demonstrating that benefits outweigh the costs for consumers. He explains, “To the extent concepts such as security by design or data minimization are endorsed at any cost — or without regard to whether the marginal cost of a particular decision exceeds its marginal benefits — then application of these principles will result in greater compliance costs without countervailing benefit. Such costs will be passed on to consumers in the form of higher prices or less useful products, as well as potentially deter competition and innovation among firms participating in the Internet of Things.”

The commissioner also notes that recommendations in a staff workshop report act like quasi-regulations: “Although an agency’s recommendations regarding industry best practices do not carry the force of law, there is a very real danger that companies may reasonably perceive failure to achieve those practices or to adopt such recommendations as actionable. Where an agency’s recommendations regarding best practices are not supported by cost-benefit analysis, firms may respond by adopting practices or engaging in expenditures that make consumers worse off.”

It is not much of a stretch to believe these recommendations could, in fact, make consumers worse off. The focus on data minimization ignores the reality that the especially innovative uses of data are often not anticipated when the data were collected. Reports last year from the White House and the President’s Council of Advisors on Science and Technology (PCAST) indicate that in such a world, the traditional focus on limiting data collection is increasingly irrelevant and, indeed, harmful. The PCAST report concluded “that policies focused on the regulation of data collection, storage, retention, a priori limitations on applications, and analysis … are unlikely to yield effective strategies for improving privacy. Such policies would be unlikely to be scalable over time, or to be enforceable by other than severe and economically damaging measures.”

Instead, PCAST recommends that “Policy attention should focus more on the actual uses of big data … the specific events where something happens that can cause an adverse consequence or harm to an individual or class of individuals.” In other words, the White House big data reports seem to conflict with this most recent FTC report. It is unclear why the White House reports, which reflect substantial research on the modern uses of data, have had such a minimal influence on thinking at the FTC.

The FTC is this country’s lead agency on privacy matters and privacy-related issues are at the top of its consumer protection agenda. In keeping with its typically high standards, the commission should base its recommendations on rigorous analysis of benefits and costs, rather than opinions of various advocates.

Lenard is president and senior fellow at the Technology Policy Institute.