DOC: No Records on Privacy Shield Removal Procedure

Back in November, I posted the Department of Commerce’s Privacy Shield checklist. The next logical step was to request DOC’s procedures for removal of companies from the Privacy Shield (submitted Dec. 1). Today, DOC-International Trade Administration responded with a “no records” response. It is not clear to me what date the search took place, and ITA is careful to say that their search did not include non-ITA Commerce elements. I’m following up on that.

2017-04-14T09:10:17+00:00 April 14th, 2017|History|

On Edward Balleisen’s Fraud: An American History from Barnum to Madoff

“…fraud is endemic to modern capitalism,” so said Professor Edward Balleisen at a National History Center talk on his excellent, comprehensive, thoughtful Fraud: An American History from Barnum to Madoff. We need histories of consumer protection. Balleisen provides one such history, focusing on the idea of fraud—specifically those wrought by businesses against consumers and investors. The concept of “fraud” is complex, it is defined differently through disciplinary lenses, and when we think about FTC privacy and many other consumer protection efforts, we are addressing conduct that is different from Balleisen’s focus. Yet, Balleisen’s book offers lessons for consumer protection more broadly and I learned a great deal from it.

Balleisen’s observation of the policy pendulum of anti-fraud efforts is most clearly stated on page 309, and anyone involved in modern debates on the FTC will recognize it:

Forceful antifraud tactics tended to generate complaints about autocratic governance that ran roughshod over individual rights and American values, which then prompted adoption of procedural protections, which in turn limited the effectiveness of administrative remedies. Post–World War II proceduralism deepened the democratic legitimacy of antifraud regulation, but at the cost of extending the rights of accused businesses, whether in criminal or administrative contexts.

My copy of Balleisen’s book is heavily marked up. So here are two key questions answered by the book and some other reflections–

Why, despite our rich information environment and seeming greater accountability brought about by technology and institutions, do frauds still persist, largely in five basic forms (pump and dump, pyramid scheme, bait and switch, advanced fee frauds, control fraud)?

  • There are businesses committed to fraud. The proceduralism described by Balleisen allowed committed fraudsters (Holland Furnace, Fritzel Television) to slow down intervention.
  • Committed fraudsters keep a “squawk” fund to “cool off the mark” by paying the consumers who do complain.
  • Especially in areas where products/services are new and norms do not yet exist, new market entrants have more space for deception.
  • Concerns about the pace of innovation and creating breathing room for it make tolerance for fraud a part of a dynamic economy.
  • A turn to individualism in the 1970s caused institutions such as the BBB to embrace squawk fund approaches—instead of pursuing big, collective actions, BBB started remedying individual claims, thus leaving the target free to continue operations.
  • Frauds are often small scale and your typical collective action problems emerge in policing them (daunting costs of representation, limited recovery, risk of countersuit or retaliation, embarrassment, and the problem of “unclean hands”).
  • Information asymmetry still exists!
  • Fraudsters can take advantage of the biases and heuristic reasoning approaches that most of us use.
    • We are strongly moved by forms of social proof over more objective evidence.
    • We are overconfident, especially when we have a little knowledge of a subject. There is the problem that many of us cannot recognize our own incompetence (the Dunning-Kruger effect).
    • We reason through “available” examples—easily recallable fraud events. As old frauds (such as the lightning rod sales of the last century) are interdicted, we forget about them and their lessons.
    • We are vulnerable to anchoring, which skews our perception of price.
    • We are loss averse—and so when we anchor to a price, we act impulsively to capture discounts from the anchored price.
    • We are not good at separating bundles, and so sellers that engage in bundling can influence our perception of value (act now and get not one, but two non-stick pans!).
    • We are optimistic.
  • Gullibility, dreams of quickly-acquired wealth.
  • Only a small number of people need to fall for a fraud for the enterprise to be successful.
  • The Holder in Due Course doctrine—obliterated by the FTC in the 1970s, the ability for a seller to transfer a debt obligation to a third party created intense incentives for fraudulent sales.
  • On some level, we admire the guile of fraudsters—think about our centuries-long fascination with stories such as Reynard. The OED has over 300 words to describe deception, deceit, and trickery.
  • And there are many, many ways of cheating. Balleisen covers the many ways 19th century companies defrauded each other—wetting cotton to make it heavier, enclosing a low-value product within an envelope of high-quality material, and so on.
  • We are unwilling to criminally prosecute many consumer frauds, and when we do, convicted defendants receive laughably small sentences in light of the scale of their thefts.
  • On some level, we resent victims of fraud, and suspect that victims were somehow complicit in the scheme. The OED has 200 words for dupes.

Related to the above, what are the tensions/tactics that enable fraud today?

  • Product complexity. Complexity makes quality assessment difficult, leading us to fall back upon easily-manipulated signals, such as social proof.
    • This is, by the way, one reason why I think institutions such as Yelp will aid consumer protection little. Yelp—and even the BBB—are easily manipulated. There are even services that will do it for you, just like buying “puffs” from a 19th century newspaperman.
  • Economic complexity. As our economy becomes more complex, we have to rely and trust people we do not know—even people not in our own country.
  • Agreement complexity. Basic business models such as compounding interest cannot be defined by many consumers.
  • Corporate secrecy.
  • The ability to quickly incorporate.
  • Being able to acquire the “trappings of success.” Ponzi was known to have bought the most expensive car in production—merely possessing it offered proof of his legitimacy. Balleisen shows other examples—the importance of fraudsters to claim having a prestigious address, of having been in operation for many years, of having trademarks or other signals of brand.
  • Disclosure pollution. If a regulatory regime requires disclosure of some fact pointing to a problem, “pollute” the communication by making tons and tons of disclosures. I suspect that drug companies do this with side effects of prescription medicines.

Some final reflections–

I was surprised to learn of the historical vigor of the Better Business Bureau. I’ve long thought it to be not the most agile or effective institution. But Balleisen recounts decades when it was a serious force for consumer protection enforcement. In its heyday, it was a key actor in big fraud investigations, and it assisted public authorities in prosecutions. Balleisen shows how a conservative faction asserted control over its priorities, defanged it, and in the process, made it slouch into a kind of arbitration service for individual claims, and an opponent of anything but self-regulatory approaches. Some of the problems that Balleisen paints in the 1970 takeover, such as the problem of adverse selection in BBB membership, replicated themselves in the self-regulatory regimes for the internet.

Thoughts of “fraud” conjure images of Ponzi and Madoff. Conservatives and liberals alike disapprove of fraud as such. A problem that arises is that we use the same institutions and laws to pursue pure fraudsters as we do companies that do not live up to their advertising promises. This brand of FTC target sees himself as an honest businessman not to be painted with the same brush as hucksters. Balleisen gives the historical example of Macy’s and its promise that all of its prices were 6% lower than competitors—we know that this claim cannot be true in all situations. Macy’s saw deviance from the 6% target as just an imperfection that does not amount to deception or wrongdoing. Today, when companies like LabMD react viscerally to FTC intervention, it acts out just as its forebears. It rightly sees itself as an honest business–why is the federal government breathing down its neck? Businesses that read the situation that way always do the same thing—they accuse the FTC of pinkoism and of standing on an insecure constitutional foundation. Balleisen’s point is that their interventions introduce more and more proceduralism, but they rarely limit the substantive authorities of consumer protection institutions.

Balleisen’s book does not end in a bang. He adheres to the idea that there is no “silver bullet” to fraud, that many institutions and legal tools are needed to contain it, and that prevention (incentives for truthfulness, public education, consumer friendly defaults) should be the strategy rather than ex post remedy. He does carefully present the conservative reaction to the FTC but seems unconvinced of its cogency, or perhaps unconvinced that the critiques justify dismantling of new institutions.

2017-04-08T16:41:41+00:00 April 8th, 2017|History|

D-Link Updates

The seal has been lifted on the complaint in the D-Link case. This document highlights the previously redacted portions in yellow.

Yesterday (April 3, 2017), D-Link filed a motion to dismiss that includes the initial hearing transcript.

2017-04-04T06:56:40+00:00 March 25th, 2017|History|

On Kenneth Rogoff’s The Curse of Cash

Professor Kenneth Rogoff’s Curse of Cash convincingly argues that we pay a high price for our commitment to cash: Over a trillion dollars of it is circulating outside of US banks, enough for every American to be holding $4,200. Eighty percent of US currency is in hundred dollar bills, yet few of us actually carry large bills around (except perhaps in the Bay Area, where the ATMs do dispense 100s…). So where is all this money? Rogoff’s careful evidence gathering points to the hands of criminals and tax evaders. Perhaps more importantly, the availability of cash makes it impossible for central banks to pursue negative interest rate policies—because we can just hoard our money as cash and have an effective zero interest rate.

What to do about this? Rogoff does not argue for a cashless economy, but rather a less cash economy. Eliminate large bills, particularly the $100 (interesting fact–$1mm in 100s weighs just 22 pounds), and then moving large amounts of value around illegally becomes much more difficult. Proxies for cash are not very good—they are illiquid, heavy, or easily detectable. And what about Bitcoin?—not as anonymous as people think. Think Rogoff’s plan is impossible? Well, India Prime Minister Modi just implemented a version of it, eliminating the 500 and 1,000 rupee notes.

As you might imagine, Rogoff’s proposal angers many privacy advocates and libertarians. His well written, well informed, and well argued book deserves more than its 2 stars on Amazon.

My critique is a bit different from the discontents on Amazon. I think Rogoff’s proposal offers a good opportunity to think through what consumer protection in payments systems might look like in a less-cash world—this is a world I think we are entering. Yet, Rogoff’s discussion shows a real lack of engagement in the payments and especially the privacy literature. For Rogoff’s proposal to be taken seriously, we need to revamp payments to address the problems of fees, cybersecurity, consumer protection, and other pathologies that electronic payments exacerbate.

The Problem of Fees

One immediately apparent problem is that as much as cash contributes to crime and tax evasion, electronic payments contribute to waste as well, in different ways. The least obvious is the cartel-like fees imposed by electronic payments providers. All consumers—including cash users—subsidize the cost of electronic payments, and the price tag is massive. In the case of credit cards, fees can be as high as 3.5% of the transaction. I know from practice that startups’ business models are sometimes shaped around the problem of such fees. Fees may even be responsible for the absence of a viable micropayment system for online content.

Fees represent a hidden tax that a less-cash society will pay more of, unless users are transitioned to payment alternatives that draw directly from their bank accounts. Rogoff seems to implicitly assume that consumers will choose that alternative, but it is not clear to me that consumers perceive the fee difference between standard credit card accounts and use of debit or ACH-linked systems. For many consumers, especially more affluent ones, the obvious choice is to choose a credit card, pay the balance monthly, and enjoy the perks. Rogoff’s policy then means more free perks for the rich that are subsidized by poorer consumers.

Taking Cybercrime Seriously

Here’s a more obvious crime problem—while Rogoff is quick to observe that cash means that cashiers will skim, there is less attention paid to the kinds of fraud that electronic payments enable. Electronic payment creates new planes of attack for different actors who are not in proximity to the victims. A cashier will skim a few dollars a night, but can be fired. Cybercriminals will bust out for much larger sums from safe havens elsewhere in the world.

The Problem of Impulsive Spending and Improvidence

Consumers also spend more when they use electronic payments. And so a less cash society means that you’ll have…less money! Cash itself is an abstract representation of value, but digital cash is both an abstraction and immaterial. One doesn’t feel the “sting” of parting with electronic cash. In fact, there is even a company making a device to simulate parting with cash to deter frivolous spending.

The Problem of Cyberattack

Rogoff imagines threats to electronic payment as power outages and the like. That’s just the beginning. There are cybercriminals who are economically motivated, but then there are those who just want to create instability or make a political statement. We should expect attacks on payments to affect confidentiality, integrity, and availability of services, and these attacks will come from economically motivated actors, nation states, and terrorists simply wanting to put a thumb in the eye of commerce. The worst attacks will not be power-outage-like events, but rather attacks on integrity that undermine trust in the payment system.

Moving From Regulation Z to E

The consumer protection landscape tilts in the move from credit cards to debit and ACH. Credit cards are wonderful because the defaults protect consumers from fraud almost absolutely. ACH and debit payments place far more risk of loss onto the consumer, theoretically, more risk than even cash presents. For instance, if a business swindles a cash-paying customer, that customer only loses the cash actually transferred. In a debit transaction, the risk of loss is theoretically unlimited unless it is noticed by the consumer within 60 days. Many scammers operate today and make millions by effectuating small, unnoticed charges against consumers’ electronic accounts.

The Illiberal State; Strong Arm Robbery

Much of Rogoff’s argument depends on other assumptions, ones that we might not accept so willingly anymore. We currently live in a society committed to small-l liberal values. We have generally honest government officials. What if that were to change? In societies plagued with corruption and the need to bribe officials, mobile payments become a way to extract more money from the individual than she would ordinarily carry. Such systems make it impossible to hide how much money one has from officials or in a strong-arm robbery.

Paying Fast and Slow

Time matters and Rogoff is wrong about the relative speed of payment in a cash versus electronic transaction. Rogoff cites a 2008 study showing that debit and cash transactions take the same amount of time. This is a central issue for retailers and large ones such as Wal-Mart know to the second what is holding up a line, because these seconds literally add up to millions of dollars in lost sales. Retailers mindful of time kept credit card transactions quick, but with the advent of chip transactions, cash clearly is the quickest method of payment. It is quite aggravating to wait for so many people charging small purchases nowadays.

Mobile might change these dynamics–but not anytime soon. Bluetooth basically does not work. To use mobile payments safely one should keep their phone locked. So when you add up the time of 1) unlocking the phone, 2) finding the payment app, 3) futzing with it, and 4) waiting for the network to approve the transaction, cash is going to be quicker. These transaction costs could be lowered, but the winner is going to be the platform-provided approaches (Apple or Android) and not competitive apps.

Privacy 101

Privacy is a final area where Rogoff does not identify the literature or the issues involved. And this is too bad because electronic payments need not eliminate privacy. In fact, our current credit card system segments information such that it gives consumers some privacy: Merchants have problems identifying consumers because names are not unique and because some credit card networks prohibit retailers from using cardholder data for marketing. The credit card network is a kind of ISP and knows almost nothing about the transaction details. And the issuing and acquiring banks know how much was spent and where, but not the SKU-level data of purchases.

The problem is that almost all new electronic payments systems are designed to collect as much data as possible and to spread it around to everyone involved. This fact is hidden from the consumer, who might already falsely assume that there’s no privacy in credit transactions.

The privacy differential has real consequences for privacy that Rogoff never really contemplates or addresses. It ranges from customer profiling to the problem that you can never just buy a pack of gum without telling the retailer who you are. You indeed may have “nothing to hide” about your gum, but consider this—once the retailer identifies you, you have an “established business relationship” with that retailer. The retailer then has the legal and technical ability to send you spam, telemarketing calls, and even junk fax messages! This is why Jan Whittington and I characterized personal information transfers as “continuous” transactions—exchanges where payment doesn’t sever the link between the parties. Such continuous transactions have many more costs than the consumer can perceive.

Conclusion

Professor Rogoff’s book describes in detail how cash leads to enabling more crime, paying more taxes, and how it hobbles our government from implementing more aggressive monetary policy. But the problem is that the proposed remedy suffers from a series of pathologies that will increase costs to consumers in other ways, perhaps dramatically. So yes, there is a curse of cash, but there are dangerous and wasteful curses associated with electronic payment, particularly credit.

The critiques I write here are well established in the legal literature. Merely using the Google would have turned up the various problems explained here. And this makes me want to raise another point that is more general about academic economists. I have written elsewhere that economists’ disciplinarity is a serious problem, leading to scholarship out of touch with the realities of the very businesses that economists claim to study. I find surprisingly naive works by economists in privacy who seem immune to the idea that smart people exist outside the discipline and may have contemplated the same thoughts (often decades earlier). Making matters worse, the group agreement to observe disciplinary borders creates a kind of Dunning–Kruger effect, because peer review also misses relevant literature outside the discipline. Until academic economists look beyond the borders of their discipline, their work will always be a bit irrelevant, a bit out of step. And the industry will not correct these misperceptions because works such as these benefit banks’ policy goals.

2016-11-16T11:59:32+00:00 November 16th, 2016|History|

On the “Coalition for Better Ads”

Behold the newest self-regulatory group, the “Coalition for Better Ads,” which claims that it will, “improve consumers’ experience with online advertising. The Coalition for Better Ads will leverage consumer insights and cross-industry expertise to develop and implement new global standards for online advertising that address consumer expectations.” How? They will:

  • Create consumer-based, data-driven standards that companies in the online advertising industry can use to improve the consumer ad experience

  • In conjunction with the IAB Tech Lab, develop and deploy technology to implement these standards

  • Encourage awareness of the standards among consumers and businesses in order to ensure wide uptake and elicit feedback

    The Coalition will draw upon consumer research in shaping the standards.

What are “better” ads? Certainly more secure ads would be welcome, in the sense that modern web advertising is not a billboard but rather code that can introduce insecurity. But what about privacy? Wouldn’t it make sense for ads to be more respectful of users’ privacy? How about advertisers’ use of data brokers to merge data online and off–something that NAI promised would not happen back in 2000?

These are dangerous questions to ask. So dangerous, that the fearless leaders of Facebook wouldn’t even ask them. Recall last month when Facebook announced it would circumvent ad blockers? Facebook’s Andrew Bosworth wrote:

For the past few years at Facebook we’ve worked to better understand people’s concerns with online ads. What we’ve heard is that people don’t like to see ads that are irrelevant to them or that disrupt or break their experience. People also want to have control over the kinds of ads they see.

Well, I think those conclusions are correct. Obviously no one wants disruptive ads–the emergence of the popup blocker is testimony to that. And if you are going to have advertising, you might as well have relevant ads. The elephant in the room is privacy–how did a company that tracks people on about 40% of the public web, intermediates the conversations, and tracks them physically not raise privacy issues? The answer is that Facebook didn’t ask about privacy.

Turning to the Coalition for Better Ads, it did not mention privacy anywhere in its discussion of ads. Nor did Pagefair in its 2015 study of ad blocking, nor did IAB’s primer on ad blocking. The closest that any ad group will get to the question appears to be Secret Media, which in a 2016 report wrote, “It is our hypothesis that advertising technologies are negatively impacting publisher websites and causing users to be frustrated by slow page load, tracking that exploits personal data, and the over exposure to ads.”

2017-04-21T11:38:00+00:00 October 23rd, 2016|History|

FTC PL&P Reviewed in ICON

I am honored and delighted to have my book reviewed by EUI’s Bilyana Petkova, who wrote in part:

…the work of Hoofnagle stands out by offering both a welcome description of the applicable law and a broad contextual framework…Chris J. Hoofnagle takes over fifteen years of experience in American consumer protection, information, and privacy law and converts them into an absorbing, in-depth institutional analysis of the agency.
[…]
Overall, Chris Hoofnagle’s Federal Trade Commission Privacy Law and Policy is a fascinating read and a treasure trove of useful references for further research.

The full cite is: Bilyana Petkova, Book Review: Federal Trade Commission Privacy Law and Policy, 14(3) Int J Constitutional Law 781–783 (2016) doi:10.1093/icon/mow053

2016-10-23T03:40:55+00:00 September 17th, 2016|History|

LifeLock’s Non-Public Initial Assessment

In LifeLock, the FTC alleged that the company “failed to establish and maintain a comprehensive information security program…” as required by a 2010 order. LifeLock settled the case for over $100M, despite the fact that the company claimed it had a clean bill of health from a reputable third party PCI assessor, and according to Commissioner Ohlhausen, LifeLock suffered no breach. Much of LifeLock was sealed, and so the case is a bit of a puzzle–how could it be the case that a company that receives a clean PCI-DSS assessment could also fail to establish a security program?

I hear we’re going to learn more specific details on the case soon, but in the meantime, the FTC just released to me LifeLock’s initial (2010) assessment. It contains a comical “public version” which is completely redacted and a largely unredacted “non-public” version.

More to come soon, but bear in mind that the FTC gave Wyndham a kind of safe harbor if the company obtains a clean PCI assessment. If other respondents ask for similar treatment, these assessments are going to become more important than ever.

2016-10-23T03:25:40+00:00 September 2nd, 2016|History|
