Personal information has become the new currency of online commerce. Decentralized Internet protocols have made computing resources increasingly pervasive, empowering individuals with an unprecedented amount of control. One result is that very few Internet consumers actually pay for network content, instead offering up personal information as they go. Content providers then collect, buy, and sell this information. To bring the Internet economy into its next stage of development, complementary software and legal architectures must be created in which personal information is regarded as a commercial property right, and accorded corresponding monetary value.
Personal information has become the new currency of online commerce. Recent figures indicate that between 75 and 90 million Americans regularly use the Internet [ 1], and very rarely do these consumers actually pay for the content they see. Instead, Internet users offer up personal information about themselves as they go. Sometimes this information exchange occurs voluntarily, and sometimes it happens without the consumer knowing about it. In either case, vast warehouses of personal information are compiled, bought, and sold. Personal information is the lifeblood of the Internet economy.
Privacy Implications of Personal Information Use
The widespread use of personal information throughout the economy is not without its drawbacks. Privacy experts estimate that the average American is profiled in at least twenty-five, perhaps as many as one hundred, databases [ 2]. A recent U.S. Federal Trade Commission (FTC) survey indicated that 92% of Americans were concerned about the misuse of their personal information on the Internet [ 1]. A report by Jupiter Communications, issued in June, 1999, indicated that as much as $18 billion in lost revenue in e-commerce may occur by 2002 if consumer concerns about privacy are not addressed (compared to a projected total of $40 billion in revenue) [ 3]. The FTC further estimates that misappropriation of personal information accounts for over $40 billion a year in telemarketing scams.
Public alarm about the misuse of personal information has begun to grow, and regulators have begun to take action. President Clinton has recently remarked that "marketers can follow every aspect of our lives, from the first phone call we make in the morning to the time our security system says we have left the house, to the video camera at the toll booth and the charge slip we have for lunch" [ 5]. Twenty states are considering some form of privacy legislation for the Internet, and more than a dozen bills have been introduced in the U.S. Congress. Americans increasingly regard the ability to safeguard their personal information as a basic right.
The trade in personal information was widespread long before the rise of the Internet. One of the first companies to discover the value of personal information was the Polk Company, founded in 1870. Polk's first product was a directory of Michigan-based businesses, organized by railroad station. The idea was to make it easier for consumers who lived near one railroad station to shop near another. In the 20th century, Polk became the country's leading purchaser of motor vehicle registration records. Polk uses these records to contact car owners on behalf of the automotive industry in the event of a safety recall. However, Polk also profits from combining the make and model of your car with census information, and then selling this information to marketers who use it to determine your lifestyle, income, and likelihood of purchasing any given product [ 6].
More recently, supermarkets have begun offering affinity programs for frequent shoppers. These programs give consumers a discount in return for line item tracking of their purchases. In principle, the supermarket uses this information for legitimate purposes such as store design, price calculation, supply chain management, and marketing. However, in at least one case, a supermarket was sued by a customer who had slipped and fallen. His purchasing profile, which indicated that he was a frequent purchaser of alcohol, would have been used to damage his reputation in court [ 6].
The credit reporting industry is the most widely known, and arguably the most reckless, consumer of personal information. The industry is dominated by three large companies: TransUnion, Equifax, and Experian (formerly TRW). One would think that an industry responsible for compiling extensive and detailed financial profiles on consumers would take certain steps to assure the accuracy and integrity of the information under its stewardship. Unfortunately, studies suggest that as many as 50% of all consumer credit reports contain serious errors. These are often much more serious than just a disputed purchase made on a credit card. For instance, in 1991, 1,400 homeowners in Norwich, Vermont (which only has a population of 3,000) were listed by TRW as being tax delinquent because a TRW contractor mistakenly noted tax bills on the town records as tax liens. Amazingly, precisely the same thing happened again in Cambridge, Massachusetts in 1992 when an Equifax contractor made the identical mistake [ 7].
Inaccurate credit reports make it difficult for good consumers to get credit. However, the credit reporting industry does more than just report credit. They combine the credit report with contact information and purchase histories to create compiled "consumer scores," which are then sold to direct marketers. Over 550 million credit reports are sold in this manner annually in the United States [ 7]. With this many credit reports changing hands, it is easy for a good consumer's credit report to fall into the wrong hands, leading to identity theft. Nobody is really sure how common identity theft is, but it is estimated that between 100,000 and 400,000 cases occur annually in the United States [ 7]. This crime ultimately stems from architectural flaws in how the credit industry authenticates consumers. The system is built to assume that if person A knows the name, address, telephone number, Social Security number (SSN) and mother's maiden name of person B, then person A must be person B. This is a very dangerous assumption to make.
In many ways, off-line threats to privacy are even more complicated than those posed by the Internet. On the Internet, at least in principle, consumers have considerably more power to act and control the use of their personal information. It's not hard to opt-out of an e-mail marketing list when you start receiving electronic spam. Most mass mailers have links posted on each message you can follow to opt-out, and at worst, you could always change your e-mail address. Off-line, it's much less clear how to protect yourself. The Direct Marketing Association does in fact administer general-purpose opt-out lists, but few consumers are aware of their existence and even fewer know how to get on one. Even if you do succeed in being placed on a DMA opt-out list, your name will only remain there for five years, at which point you have to "renew" your interest in opt-out. Furthermore, some companies, like Experian, charge their business customers each time an opt-out list is used to suppress names from a mailing list, reducing the chances that opt-out services will actually be used [ 4, 8].
Nonetheless, Internet commerce continues to receive the most scrutiny from privacy advocates. This is probably because electronic commerce dramatically shifts the delicate balance of interests that has long existed between buyers and sellers. The Web makes it dramatically easier for vendors to track and profile consumers, even if they never make a purchase. Unlike browsing in a store, which leaves no record if no purchase is made, browsing on the Internet leaves a permanent click stream trail that identifies what the user looked at, how long she looked at it, what type of browser she used, and so on. These click streams may or may not be anonymous, depending on the tracking prowess of the online vendor. More often than not, consumers are not even aware that this tracking is taking place. And, as with other forms of personal information, these click streams are compiled, packaged, and sold to the highest bidder. It is this manner of profiling that DoubleClick engages in and it is the cause of the company's current privacy problems.
Code of Fair Information Practices
The Code of Fair Information Practices (CFIP) originated from a report detailing the impact of computers on privacy. Prepared in the early 1970s by the U.S. Department of Health, Education and Welfare, the code outlines key policy practices that are intended to protect personal information from abuse by organizations. Many proposals for Internet privacy offer some combination of these four basic practices:
- Notice: organizations collecting personally identifying data disclose their information collection practices before collecting personal information from consumers.
- Choice: there must be a way for individuals to prevent their personally identifying information, granted for one purpose, from being used for other purposes unless they give prior consent.
- Access: there must be a way for an individual to learn what personally identifying information is stored in a record and how it is used, and there must be a way for that person to correct their identifying records.
- Security: any organization collecting, maintaining, using, or releasing personally identifiable information must ensure the reliability of the data for its intended use and take precautions to prevent misuse of the data.
While this code has inspired national privacy policies all around the world, the United States has been reluctant to make laws based on these common sense recommendations. The reluctance is mainly due to a desire to give private industry a chance to self-regulate. Today, many leaders, from journalists writing about privacy, to President Clinton addressing industry leaders about the future of electronic commerce, point to the CFIP as a sensible foundation from which to address the growing problem of privacy [ 9].
Although many observers claim that industry has been slow to respond, some movement is beginning. For example, PrivacyRight, a privately held software company in Silicon Valley, California, offers e-businesses Unified Customer Permissioning software to help companies enhance customer life-time value and manage the risk associated with maintaining personally identifying customer information. Businesses that implement CFIP will also likely see dramatically reduced interaction costs, which is the focus of the next section.
How Did Personal Information Become So Important?
To understand the Internet and what makes it work, it is important to understand TCP/IP. TCP/IP is a "packet-switching" protocol, meaning that information sent over TCP/IP networks is first broken down into little chunks called packets, which are independently routed from source to destination. When packet switching was first introduced in the 1960s, it was a radical concept. At the time, the traditional method of networking was "circuit-switching," which means that once a connection is established between two end points, all information sent over the connection follows the same route for the entire duration of the session. Circuit switching is still widely used in the telephone and cable industries.
In a circuit-switched network, every switch point, every routing agent, every piece of infrastructure in the network needs to understand the purpose and meaning of every piece of information it transports. It can be said that the network itself must be highly "intelligent." On the other hand, a packet-switched network concentrates its intelligence at the "end points," in the applications that send and receive information. TCP/IP is designed so that the underlying physical network substrate connecting the source and destination can literally be anything. The network itself needs no "intelligence" about the nature of routed information. All the data processing and semantics are contained at the end points of the TCP/IP connection.
Historically, circuit-switched networks have enjoyed substantially greater market penetration. Appliances that connect to circuit-switched networks can be, comparatively speaking, relatively "dumb" (remember, the "intelligence" is in the network itself). For consumers, this translates into cost, with televisions and telephones being, on average, at least one or two orders of magnitude cheaper than a desktop personal computer system.
This began to change in the early 1990s. Packet switching made its first big inroad into the home consumer market shortly after the birth of the World Wide Web in 1991. Although the Internet had already existed for nearly 30 years at that point, it was the point-and-click ease of the Web that brought it within reach of tens of millions of consumers.
With the new medium came novel attempts to financially profit from it. Early into the history of the Web (circa 1995), a number of business models borrowed heavily from the broadcasting industry: aggregate eyeballs; sell banner ads; segment your audience. Some of these business models have failed or will very likely fail in the near future, thanks to the nature of TCP/IP. Broadcast networks are highly centralized. TCP/IP is highly decentralized. The economics of broadcasting are entirely different from those of TCP/IP networks, and ultimately, very highly flawed. Few realize that in broadcasting the product that is sold is not the program but rather the audience. The advertisers who subsidize broadcast networks are the real customers. The entire system is moreover heavily subsidized by government taxes, which further degrades any opportunity to establish balanced, bi-directional economic relationships in the spirit of TCP/IP.
In broadcasting, the consumer is the "product", so to speak. In broadcasting, viewers cannot reward broadcasters who exceed minimum expectations. Broadcasting also imposes a limit on how much money can be made creating content. The most that a viewer can possibly be worth to an advertiser is the profit from a sale multiplied by the probability that a sale will occur. This leads to the "lowest common denominator" effect common in broadcast networks.
The Internet inverts all these relationships between content producers and content consumers. Business models focused on advertising in the spirit of broadcasting are therefore very unlikely to succeed. In retrospect, the rush to build business models around banner ads on the early Internet isn't that unusual. The earliest attempts to take advantage of any new medium often mimic what is already well understood in other established media. The advertising metaphor serves us so well in print, broadcast, and other non-packet-switched forms of media that it would have been imprudent to not at least try it.
However, to expect in the future an Internet subsidized by banner ads would be unwise. We are nearly a decade into the Web, and banner advertising companies like DoubleClick and Engage have yet to show a profit. They likely never will. Economic systems always tend towards an equilibrium where buyer and seller know as much about each other, respectively, as possible. On the Internet, there are more clever ways to facilitate this trend than pasting banner ads up on every Web site. TCP/IP networks open up whole new ways for buyers and sellers to communicate and establish dialog that are just not possible in other, more traditional (i.e., non-packet-switched) forms of media.
Markets where it is difficult for buyers and sellers to find each other are said to have high interaction costs. The higher the interaction cost in a particular market, the more sellers will advertise. Advertising, therefore, is just a measure of how inefficient a particular market is. Lower the interaction costs, and the need for advertising will diminish. In a perfect world, where buyers and sellers have perfect knowledge of each other's products, services, and needs, and where changes in preference are communicated seamlessly to the proper parties, there would be no need for advertising. Knowledge of new products and enhancements would spread through customer communities simply by word-of-mouth.
That said, there will always be advertising. Economic nirvana is unlikely to occur anytime soon, even given all the structural elegance the Internet brings with it. However, if the Internet really is a more perfect communications medium, one would expect electronic commerce to tip the scales in favor of a future of far less - but far more relevant - advertising.
A key misconception commonly made about the Internet is that "advertising" fuels the Internet. If this were the case, DoubleClick or Engage would have already shown a profit by now. It is not advertising that fuels the Internet, but rather personal information. Granted, the process of (a) supplying personal information and (b) distributing (targeted) advertising based on that personal information are two links in the same economic value chain. The key, though, is that they are two very different links.
In "traditional" media, such as print and broadcast, it is extremely difficult for sellers to establish one-on-one relationships with buyers through advertising. What little information sellers have lacks detail and is not obtained in real-time. Because the personal information that buyers supply is so fuzzy, the value chain rewards business models that can blast branding messages at high volume to the largest number of possible listeners/readers/viewers. In other words, very noisy ad distributors are rewarded.
On packet-switched networks, in contrast, the possibility exists to establish a far deeper and more detailed, real-time dialog between buyers and sellers. Sellers can collect much more accurate and detailed profile information on potential buyers, which they use to update product lines, target products much more efficiently and sell to other vendors with complementary product lines. At the same time, the opportunity for information overload is vastly expanded on packet-switched networks. While blasting high volume branding messages may work in other media, on the Internet these voices are drowned in a sea of information overload. The value chain instead rewards business models that successfully enhance the value of personal information while reducing the amount of information overload (and advertising) for both buyers and sellers.
The most important key to creating a world with lower interaction costs is consumer privacy. When executed correctly, consumer control over personal information creates a powerful win-win for buyers and sellers alike. When businesses follow information management practices in accordance with CFIP, consumers will feel secure in trading personal information for value, much like any other form of currency.
Personal Information as a Property Right
Instinctively, we want to regard our personal information as our individual property. We already speak routinely of "identity theft," but the word "theft" is meaningless without a complementary notion of "property" and "ownership" to accompany it. With a property regime protecting personal information, individuals would have the ability to negotiate rights over personal information and would be entitled to privacy as a default. This is fundamentally different from the architecture we currently have in place (and different from the current European system, which merely enforces a set of arbitrary rules).
Currently, privacy is protected by a set of liability rules; if you invade someone's privacy, you can be sued. If DoubleClick tracks consumers by putting cookies on their computer storage devices, and if enough consumers feel their collective privacy has been violated, then DoubleClick may be involved in a class action lawsuit. A property regime, on the other hand, gives control and power to the individual holding the property right, and requires negotiation before transference. In a property regime, the rights holder negotiates a price; in a liability regime, a court does. In a property regime, there can be individuals who choose never to transfer any personal information; in a liability regime, these holdouts do not exist. The reality of a property regime, therefore, is congruent with the expectations that most consumers have regarding the handling of their personal information [ 10].
This analysis is in fact an oversimplification. In fact, our current system indeed recognizes personal information as a property right. Unfortunately, the property does not belong to the individual who provided the personal information. Instead, it belongs to the organization that collected and processed that information. These organizations are often large corporations dependent on a revenue stream that, at least in part, consists of personal consumer data. Nearly every modern company in the world today uses, at some level, personal information. However, some companies depend on this revenue stream more than others. The most well known companies who depend almost entirely on personal information include DoubleClick, which distributes online banner ads, and the credit reporting companies such as Equifax and Experian.
The powers that be, in fact, have a great vested interest in making sure that individual consumers are not able to exercise property rights over their own personal information. This position has been succinctly expressed by Mr. C.B. (Jack) Rogers, Jr., CEO of Equifax, a consumer reporting company: "The very nature of information is so different from the properties of material resources that it defies all methods of measurement. For one thing, I can sell it to you and keep it at the same time. It doesn't wear out, it increases in value and it increases in value with use, and it is the primary resource for worldwide commerce and trade." [ 11]
Rogers mistakenly confuses intellectual property with personal information. There is ample evidence to suggest that the global economy as a whole benefits greatly the more freely ideas and other forms of intellectual property are allowed to circulate. However, personal information has enormous value in the network economy when it is directed to the right organization at the right time for the right reason. When copied repeatedly, used recklessly to create spam and, potentially, identity theft, personal information very rapidly loses value. In the same way that broadcast networks abhor a small audience, TCP/IP networks abhor spam and reckless bandwidth consumption. Copying personal information over and over again does not create value. It is, in fact, the most expensive waste imaginable on a TCP/IP network.
Rogers also mistakenly assumes that personal information does not wear out. In fact, people move; they change their names; their habits and income levels change; they get more education. All these factors affect the relevance of personal information over time.
How can we begin to ascribe property right status to personal information, at least when used for commercial purposes? Cryptography offers some clues. Most strong authentication systems will attempt to verify at least two of the following three conditions: (1) that you know something only you could know (a password), (2) that you have something only you could have (a smart card), or (3) measure some physical aspect of your body that could only be part of you (fingerprints, retinal scans). Meet any two of these three conditions, and the system assumes that you really are who you claim to be. The strongest authentication systems will attempt to verify all three conditions.
Common authentication architectures used on the Internet, based on username/password combinations, are therefore very weak. They only measure authentication along one dimension - something you know. For this reason, and because most passwords are often poorly chosen and easily guessed, it is relatively easy for one individual to assume the identity of another. Moreover, the username/password authentication scheme is not portable across Web sites, which ultimately limits the robustness of electronic commerce.
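The two-of-three rule can be made concrete with a short sketch, added here as an illustration and not part of the original paper. It counts factor categories rather than pieces of evidence, so any number of known facts (SSN, mother's maiden name) still proves only one category. The one-time code (RFC 6238 TOTP) standing in for "something you have", the record layout, and all sample values are assumptions constructed for the example; biometric matching is left out.

```python
import hashlib
import hmac
import struct

KNOWLEDGE, POSSESSION = "knowledge", "possession"
PBKDF2_ROUNDS = 100_000


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password per RFC 6238 (HMAC-SHA1 variant)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _digest(salt: bytes, answer: str) -> bytes:
    # Salted, slow hash so the verifier never stores the answers in clear.
    return hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, PBKDF2_ROUNDS)


def enroll(salt: bytes, facts: dict, totp_secret: bytes) -> dict:
    """Build a verifier record: digests of known facts plus the token secret."""
    return {
        "salt": salt,
        "facts": {name: _digest(salt, value) for name, value in facts.items()},
        "totp_secret": totp_secret,
    }


def verified_categories(record: dict, presented: dict, now: int) -> set:
    """Return the factor categories that the presented evidence proves."""
    proven = set()
    for name, value in presented.items():
        if name == "totp":
            # Accept the current and the previous 30 s step for clock skew.
            valid = {totp(record["totp_secret"], max(now - d, 0)) for d in (0, 30)}
            if any(hmac.compare_digest(value.encode(), c.encode()) for c in valid):
                proven.add(POSSESSION)
        elif name in record["facts"]:
            expected = record["facts"][name]
            if hmac.compare_digest(_digest(record["salt"], value), expected):
                # Every matching fact lands in the same category.
                proven.add(KNOWLEDGE)
    return proven


def authenticate(record: dict, presented: dict, now: int, required: int = 2) -> bool:
    """Accept only if at least `required` distinct categories are proven."""
    return len(verified_categories(record, presented, now)) >= required


# Constructed sample data (not real identifiers).
TOKEN_SECRET = b"12345678901234567890"  # test secret published in RFC 6238
NOW = 59                                # test time published in RFC 6238
RECORD = enroll(
    salt=b"constructed-salt",
    facts={"password": "correct horse", "ssn": "000-00-0000", "maiden_name": "Example"},
    totp_secret=TOKEN_SECRET,
)
# Someone who has only learned static facts about the account holder.
IMPOSTOR = {"ssn": "000-00-0000", "maiden_name": "Example"}
# The account holder: one known secret plus a code from the enrolled token.
OWNER = {"password": "correct horse", "totp": totp(TOKEN_SECRET, NOW)}

if __name__ == "__main__":
    print("facts only, knowledge-only rule:", authenticate(RECORD, IMPOSTOR, NOW, required=1))
    print("facts only, two-of-three rule:  ", authenticate(RECORD, IMPOSTOR, NOW))
    print("password + token code:          ", authenticate(RECORD, OWNER, NOW))
```

With `required=1` the check behaves like the knowledge-only scheme described above and accepts anyone who has learned the facts; with the default of two categories the same evidence is rejected.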
To help make personal information a property right in the context of online commerce, the Internet first requires (a) a stronger authentication system; and, (b) an authentication system that scales across Web sites (portable identity). Companies like VeriSign offer one possible solution to these issues. VeriSign is a leading provider of sophisticated encryption technology called public key infrastructure (PKI). PKI systems use encrypted credentials called digital signatures to allow two parties to (a) communicate in secret; and, (b) more importantly, establish and authenticate identity prior to entering into transactions. A digital certificate is analogous to an electronic driver's license or passport. It contains uniquely identifying information that people can use to sign and authorize documents and transactions (and therefore facilitate "non-repudiation"). Although PKI is not foolproof, digital certificates are both portable across Web sites and are orders of magnitude more secure than the username/password architecture currently in place.
Strong authentication alone, however, only has limited appeal. Once a strong authentication system has been created, there remains the question of how to get digital certificates into the hands of online consumers, and even more importantly, of verifying that a specific identity has authorization to make specific commitments. The world of e-commerce does not really care that I am Paul Sholtz. What is vastly more important is whether or not this identity named Paul Sholtz has authorization to spend up to $20,000, or if it is authorized to spend no more than $500. Smart cards, like Blue from American Express, will help deliver this architecture to the Internet. Although individual funds authorization is something that credit cards have always provided, smart cards bring an added layer of security through encryption, improve customer access to a much wider range of accounts, and can be customized with new services to meet individual needs.
While anonymization systems will allow you to completely hide all facts about yourself from others, they are probably more useful for protecting free speech online than for enabling privacy. Privacy ultimately is about an individual's ability to control personally identifying information, and anonymization alone can never facilitate this. Instead, true privacy enablement will come from a combination of CFIP deployed across the Web and complementary software and legal architectures that accord personal information the status of a commercial property right. These systems will minimize the misuse of identities on the Internet, and in turn engender greater trust and accountability, which together represent the foundation for all commerce systems, online and off-line.
A common misconception about the online world is that information "wants to be free." While this may be true of "ideas", and other forms of information we might traditionally call "intellectual property", there are many forms of information that do not "want" to be free. Authorization codes to personal bank statements, inside information on stock movements, and access codes to nuclear devices are examples.
A similar concept applies to personal information. Electronic commerce operators regard personal information with as much value as any other form of digital currency. Personally identifying information adds great value to the Internet economy, but only if consumers can protect their privacy. When personal information is allowed to be "free," at best, large amounts of information overload are created for everyone from the vendor to the consumer to the ISP sitting in the middle routing spam. At worst, "free" personal information fuels crimes like identity theft, which pose a very significant drag to the network economy.
Electronic commerce is still in its infancy. The business models we see in action today, from Amazon.com to the largest business-to-business exchanges, merely transplant tried-and-true models from the physical world onto the Internet. The emergence of truly novel online businesses that leverage customer community in ways not possible offline is only now occurring. Of central importance to this new generation of e-businesses will be protecting consumer privacy and valuing personally identifying information as a form of digital currency. Going forward, it will be important to find ways to reconcile the emerging digital world with values we think are fundamental, since these rules will create our collective reality.
About the Author
Paul Sholtz is Co-Founder and Chief Technology Officer of PrivacyRight, a San Mateo, California-based company. PrivacyRight creates products that enable companies to earn the trust and loyalty of their online customers while helping consumers protect and manage their personal information, in accordance with the Code of Fair Information Practices. PrivacyRight is actively involved in establishing industry best practices for online privacy through its operations and strategic alliances in Silicon Valley and Washington, D.C. Prior to co-founding PrivacyRight, Paul worked as a software consultant for several Fortune 500 firms, including Ingram Micro, Charles Schwab, and Hitachi. He holds a B.S. in Physics and Applied Mathematics from the University of Michigan, Ann Arbor.
1. Ellen Alderman and Caroline Kennedy, 2000. The Internet, Consumers and Privacy. Washington, D.C.: Internet Policy Institute, at http://www.internetpolicy.org/briefing/current.html
2. Andrew L. Shapiro, 1999. The Control Revolution: How the Internet is Putting Individuals in Charge and Changing the World We Know. New York: PublicAffairs, p. 259.
3. Jupiter Communications, 1999. Proactive Online Privacy: Scripting an Informed Dialog to Allay Consumer's Fears. (June).
4. Simson Garfinkel, 2000. Database Nation: The Death of Privacy in the 21st Century. Sebastopol, Calif.: O'Reilly & Associates, pp. 168-169.
5. Bill Clinton, 1997. "Commencement Ceremony, Morgan State University, Baltimore, Maryland," (18 May), at http://www.aegis.com/hivinfoweb/library/vaccines/goal9705.html
6. Garfinkel, pp. 157-159.
7. Garfinkel, pp. 27-32.
8. To opt-out of the DMA direct marketing lists, write to the following addresses, stating that you do not want to receive unsolicited marketing offers by mail or by phone, as appropriate:
Direct Marketing Association
Mail Preference Service
P.O. Box 9008
Farmingdale, NY 11735-9008
Direct Marketing Association
Telephone Preference Service
P.O. Box 9014
Farmingdale, NY 11735
For more information, visit http://www.privacyright.com/solutions.html
9. For more information, visit http://www.privacyright.com/glossary.html
10. Lawrence Lessig, 1999. Code: and Other Laws of Cyberspace. New York: Basic Books, pp. 160-162.
11. Garfinkel, p. 177.
Paper received 13 August 2000; accepted 29 August 2000.
Copyright ©2000, First Monday
Economics of Personal Information Exchange by Paul Sholtz
First Monday, volume 5, number 9 (September 2000),