Monday, March 17, 2008

Releative Position and Privacy


Ed Felton recently wrote two posts on the failure of the marketability of privacy, and how corporations and consumers should respond. According to Felton:

There’s an obvious market failure here. If we postulate that at least some customers want to use web services that come with strong privacy commitments (and are willing to pay the appropriate premium for them), it’s hard to see how the market can provide what they want.
In the follow-up, Felton describes a standard contract and a sort of privacy escrow protocol to protect individuals against the desperate actions of a cratering start-up.

The more I read and think about privacy, the theory that an individual's privacy has a value that can be exchanged on the market becomes less and less compelling. Frank Pasquale wrote at Concurring Opinions that in the market model, you trade your privacy for efficiency and convenience, using Gmail as an example:
[C]onsider the type of suspicions that might result if you were applying to a new job and said "By the way, in addition to requiring 2 weeks of vacation a year, I need to keep my email confidential." The bargaining model is utterly inapt there. . . . just as it would have been for women to "bargain" for nondiscrimination policies, or mineworkers to bargain, one by one, for safety equipment.
He concludes that people who trade their privacy will outcompete those who do not, and that
"[a] collective commitment to privacy may be far more valuable than a private, transactional approach that all but guarantees a 'race to the bottom.' " The paper he cites on cost benefit analysis and relative position was interesting (to me at least) when read in terms of privacy. From the abstract:
When a regulation requires all workers to purchase additional safety, each worker gives up the same amount of other goods, so no worker experiences a decline in relative living standards. The upshot is that an individual will value an across-the-board increase in safety much more highly than an increase in safety that he alone purchases.
"Privacy" can be substituted for "safety." Can "security" also be considered in this context? Is it already?

Monday, March 3, 2008


From Rothman, an article at CSOnline discusses Moody's infosec risk rating service.

I personally dig this quote:


The idea for such an at-a-glance rating is appealing to risk executives such as Andre Gold, head of security and risk management for ING’s U.S. Financial Services business... Last year Gold oversaw reviews of 176 new technology vendors; his team visited sites as far away as South Africa to conduct security assessments. “It’s a service that we must do, but I think it’s a non-value-add service,” he says.
A non-value-add service? To quote Michael Scott, that's what she said.


photo from Dwight K. Schrute.