Its all the rage. I’m not immune to jumping on a bandwagon, but by the time I get there the dogs have barked and the caravan has moved on. Is there anything new to be said on the subject? Perhaps we can get by with relabeling things we already know? Useful, but not exciting. To think about this I tried to come with questions about privacy that struck me as important. Here is my list, in hopes that it will prompt others to improve upon it.
1) Is the concern for privacy intrinsic or instrumental?
The question matters because an answer would have a profound impact on how one evaluates the welfare consequences of various policies.
2) Property rights over information.
Much of the information about us that is of interest is the result of interactions with others. When I purchase a book from Amazon, who `owns’ the record of that transaction? It could be argued that the record of the transaction is as much Amazon’s as it is mine. The question is not new. It arises, for example, when one writes a biography.
What about when a transaction takes place via an intermediary? What rights does the intermediary have to the record of the transaction?
3) A full specification of property rights would spell out who has the right to disclose what and to whom and under what conditions.
Some of this will involve a balance between the public good and individual harm. Out of court settlements regarding commercial matters whose terms are secret, prevent learning about systemic problems (Akerlof and his lemons, seems like a likely candidate for relabeling).
When is and under what conditions is mandated disclosure warranted? One can also imagine settings where one might wish to prohibit the voluntary disclosure of confidential information. Some professional schools, for example prohibit the disclosure of grades to potential employers (Grossman and Milgrom, anyone?).
4) Compliance. How might one monitor and verify that the specification of property rights have been adhered to?
For example, a promise not to disclose to a third party. In a given setting, are some kinds of promises even feasible? One may promise not to use certain identifying characteristics in the allocation of resources but those characteristics may have good proxies in other `allowed’ characteristics.
Who should bear the costs of such monitoring? (Coase?)As much information of interest is collected by devices, one might think about the `regulation’ of devices as a part of compliance. What standards, if any should devices that collect and transmit information adhere to? Is managing privacy best done through device standards or contracts?