Internet Privacy: Market Drivers for Change

One of the comments I received on my last privacy post from Reshika Dhir rhetorically questioned whether users of cloud computing applications had a choice in not using these services to reduce their privacy risks. I agree with Reshika that many individuals in first-world countries have come to the point of technology dependence. To add to her comment, I would argue that our dependence on these services stems from the fact that our social groups, peers, and immediate society use these services to enrich their lives and stay connected. Not adopting and using these technologies could mean that we may be left behind and excluded. The logical conclusion (and undertone of Reshika’s comment) is that the solution is NOT for users to stop using these advances in technology altogether. But rather than throw up our arms in despair, I believe that the current and future privacy issues of cloud computing applications can be resolved through legislative changes in conjunction with allowing the market to self regulate. This post discusses the ability of markets to self regulate in the context of cloud computing applications and emphasizes the need for legal intervention where the market breaks down. I will be focusing on social networks and Facebook for practical examples, but the reasoning could certainly apply to their competitors or other similar cloud computing services.

Exerting Commercial Influence on Social Networks
Customers best exert commercial influence on companies by taking their business to a competitor. Practically, however, a single user’s ability to exert this influence is frustrated by the fundamental nature of cloud computing applications and social networks.

The nature of cloud computing applications like Facebook’s social network is that its large user-base attracts and retains users. Users are attracted to a large social network because there is a greater likelihood that their acquaintances are already part of that network. These large networks are then able to retain users because the cost for a user to switch to a competitor is significant. Even though a user may be dissatisfied with a particular social network service, they may still not switch for fear of losing their network connections. Because users want large networks, the industry also trends towards an oligopoly or monopoly rather than a perfect market with many competitors. Lack of competition is further exacerbated within geographical regions since most real-world connections (and hence social network connections) between users are regionally based.

The net effect of this type of market is that a gradual trickle of dissatisfied users from one social network to a competitor’s is unlikely to occur. More likely is a mass exodus of organized users switching social network because of their dissatisfaction. But for such an organized movement to occur, there would need to be an issue that burns brightly for many network users at one time.

With respect to privacy, the majority of the privacy risks that social network users are subject to do not spark the widespread dissatisfaction needed to bring the winds of change. There are likely two reasons for this. First, users may be unaware of the risks. Second, most of the privacy risks, though material, are probably too remote for users to appreciate.

That said, when a risk materializes and is experienced by a large number of users over a brief period of time, users’ apathy to privacy disappear. One of the best-known examples of this occurred in September 2006 on the Facebook network. A newly implemented news feed feature was released which published updates on a user’s home page about other users’ Facebook activities. Users, however, were not adequately notified of this change nor were they given the option to control what news feeds of their activity were published. Upon discovering this change, Facebook users banded together and threatened to have a day without Facebook. Responding almost immediately, Facebook added additional privacy controls and Mark Zuckerberg quickly posted a public statement apologizing for not providing those controls initially. A similar incident occurred in Nov 2007 when 50,000 Facebook users signed a petition requesting that the new advertising feature Beacon be disabled. Beacon tracked a user’s purchases made on affiliate sites such as eBay North America and Travelocity, and then notified the user’s network of their purchase. Again, in response to the outcry, Facebook implemented additional privacy controls and Mark Zuckerberg apologized for Facebook’s mistake in implementing the feature.

The previous analysis of social networks and these examples are useful because they provide an indication of the type of privacy issues market-forces may be able to regulate. Specifically, privacy risks that materialize and immediately affect a large number of users over a short period of time are ideally left to the market. As an aside, it is interesting to note that what makes it difficult for one user of a social network to switch to a competitor, may actually facilitate the organizing of a large group of dissatisfied users to drive change. In Zuckerman’s post, he openly thanked all of the dissatisfied users who created groups and even went so far as to create a group of his own.

By contrast, privacy risks that are better dealt with through legislation include those that users are unaware of, or that are remote but could be significantly damaging to a user if they materialize. Particular attention should also be paid to privacy risks where it is in the immediate financial interest of the corporation to exploit or not resolve. Take for example the two Facebook incidents mentioned above. The first incident was the implementation of a feature that had little revenue generating capacity. Facebook’s response was almost immediate (3 days). The second incident, however, had significant revenue generating capacity. It took Facebook close to a month to address and Zuckerberg openly apologized for this delay.

While market self-regulation is an important driver in resolving the privacy issues created by cloud computing applications, it is important to keep in mind the nature of the market in light of the technology, and its shortcomings. Where these markets fail, law has an important role to play by stepping in and protecting end users.

  1. Brandon, I applaud you for promoting the notion of self-regulation in today’s current economic climate. While I myself have typically been in favor of less rather than more regulation, I think there may be some lessons to be learned from Alan Greenspan’s recent statement regarding the financial crisis:

    “Those of us who have looked to the self-interest of lending institutions to protect shareholders’ equity, myself included, are in a state of shocked disbelief,”

    With regards to cloud computing, perhaps we can see this as an omen that we should not leave to the self-interest of cloud computing companies to protect their privacy reputation in the eyes of their revenue generators (users) when it comes to “privacy risks that materialize and immediately affect a large number of users over a short period of time.”

    While there are clearly differences between cloud computing service providers and lending institutions, the current financial mess has shown us that a problem that may seemingly be thwarted by self-regulation, may not necessarily be able to be so. As such, I’d suggest that legal protection may have a bigger role to play alongside market pressure in protecting privacy – even in scenarios where market pressure is seemingly sufficient.

    Indeed, just because users have risen up against privacy risks that materialize and affect a large number of users in a short period of time in the past, it doesn’t necessarily mean that such a response will happen every time privacy interests are theatened. To that extent, legislation needs to be in place to make up for such a case when market forces fail to rectify that privacy infraction.

  2. Brandon, I find the illustration of regulation by market-forces in your two examples very impressive. With regards to the reference to the ‘day without facebook’ focusing on the Feeds, I find the whole approach very naive. The answer to the question “Why do the Feeds make so many of us angry?”, includes phrases like “It damages what privacy was left on Facebook…It is almost impossible now to keep your information to yourself”.

    I do not believe that Facebook or Mark Zuckerberg were under any legal obligation to rectify that uproar, and just on the side, I am not convinced that getting rid of the Feeds are restoring user privacy to any significant levels.

    Nevertheless, I think the bigger issue at hand with regards to Facebook, and maybe other networking websites, can be drawn from the following excerpt form the Facebook Terms of Use:

    By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose, commercial, advertising, or otherwise, on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.

    So even if I were to delete my information from Facebook, there are copies of my user content floating out their that can be “copied, …publicly displayed… and distributed … for any purpose”. I wonder if market forces will be able to deal with something so such grave impact. I am certain that there is a wide awareness of the consequences of such an agreement, but I feel that an average user has grown to accept the loss of control over their private information.

    I agree with Julian in recognizing the importance of legislative regulations, without which we are proceeding with no real control over our privacy and probably a blind faith in a self correcting system with no guarantees of its applicability in the future.

Comments are closed.