The Federal Trade Commission (FTC) hosted the first annual PrivacyCon in January 2016, an event designed to highlight the latest research and trends for consumer privacy and data security. The FTC’s stated goal was to bring together “whitehat researchers, academics, industry representatives, consumer advocates, and government regulators” for a lively discussion of the most recent privacy and security research. Unfortunately, not only did the event not reflect the diversity of perspectives on these issues, but the whole event seemed to be orchestrated to reinforce the FTC’s current regulatory strategy.
First, the “data security” side of this discussion was almost non-existent in the agenda. Of the 19 presentations, only 3 were about security. Given that the FTC has been flexing its regulatory muscle on corporate cybersecurity practices, this was a missed opportunity to delve into important cybersecurity research that could inform future oversight and investigations.
Second, the FTC mostly selected papers that jibed with its current enforcement agenda. As Roslyn Layton, a visiting fellow at the American Enterprise Institute, noted recently, of over 80 submissions that the FTC received for PrivacyCon, it selected 19 participants to give presentations with ten additional authors of rejected submissions asked to be participants. Of the presentations the FTC selected, almost all of them seemed to set up the conclusion that consumers are in peril and the FTC needs to step in to save them.
These presentations did not represent the diverse points of view that the FTC promised to bring together at PrivacyCon, nor as Layton argues, did they represent the views of many of the proposals submitted for the conference. The FTC did not appear to be interested in industry views since it rejected most industry submissions, including ones from researchers at GitHub, PayPal, and Microsoft. Similarly, the FTC rejected papers from organizations that often disagree with its enforcement actions, like the International Center for Law and Economics’ proposal for an economic analysis of the Internet of Things.
Third, the FTC limited debate around the presentations. Generally, with conferences that showcase academic research, peer critique of that research is paramount to establishing the legitimacy of that research. However, many of the presentations lacked a diversity of opinion. For example, the first panel on “the Current State of Online Privacy” primarily focused on attacking the idea of privacy tradeoffs and rational consumer choice. These panelists received little rebuttal from the following discussion panel set up as a rejoinder, despite the fact that one rejected paper was positioned perfectly to explore the counterpoint.
To its credit, the FTC did ask several authors which disagreed with the central thesis of the conference to be discussants, including myself. But their role was often limited to providing a brief statement, and given the short 20 minutes that the FTC allotted for each discussion, there was little opportunity for critique. There were some notable moments of course. For example, discussant James Cooper pointed out that the papers on the “Big Data and Algorithms” panel did not show any evidence of consumer harm. Similarly, the discussant Geoffrey Manne worried that PrivacyCon never really covered tradeoffs involved with regulation, including limiting the benefits of the technologies they were discussing, which could lead to “lopsided discussions” for government intervention.
Indeed, a casual observer of PrivacyCon might have walked away seeing general agreement that there is no reasonable tradeoff for privacy and the FTC needed to step in to save the day—consumer choice be damned. This thought process is reflective in recent FTC actions. For example, a September enforcement action against Nomi Technologies imposed a 20-year consent decree without showing that Nomi harmed anyone. Similarly, the FTC’s big data staff report from January 2016 downplayed the concrete benefits of the technology, devoting just a few pages to the topic, while going at length on hypothetical risks.
If FTC staff wants to host future research conferences that actually provide an opportunity for balanced discussion and real exploration of the full spectrum of issues involved, it needs to make some changes for the next PrivacyCon. First, it should either give data security proper billing or dispense with the fiction that it is part of the agenda. Second, it should allow a diversity of proposals to be presented, including those submitted by dissenting voices, industry, and economists. While academic papers are always important, a diversity of opinion will engender lively discussion. Third, the FTC should limit the number of sessions in favor of lengthier discussion. Rather than only allow a few minutes for terse responses, this would allow a robust back-and-forth that would bring depth and nuance to the proceedings.
PrivacyCon has potential to offer true insights from a multitude of stakeholders into how and when regulators can address consumer privacy harms as well as identify emerging issues for the FTC to monitor, but only if the FTC is open to listening.