Your personal information is out there. You did not put it there, so how did it get there? Internet websites provide visitors with different levels of interaction, ranging from delivering basic information to providing sophisticated features and tools such as profile management, interactive visual communication, and of course, advertising. Like many traditional businesses, websites turn to third party outsourcing to offer these features and tools. Such services include functionality (password and account control, social media integration, video hosting, chat and forum services, payment services, etc.), performance (backup service, security and firewalls, responsiveness tools, etc.) and targeting/advertising (advertising, lead generation, analytics, etc.). Use of third parties is ubiquitous among top websites; a website visitor is also making contact with all third parties enabled on the site. Much of this contact is hidden from view. A U.S. Senate report found that visits to online news sites may involve connecting with hundreds of other parties, and the sheer volume of such activity makes it difficult for even the most vigilant consumer to control the data being collected or protect against its malicious use.”
This begs the question, “What’s going to limit this privacy intrusion?” Privacy issues related to online websites, third party use, and tracking an individual’s activity is a public concern. Regulatory organizations such as the Federal Trade Commission and the European Union are looking into policy enforcement strategies. The other method of limiting this privacy intrusion is through the invisible hand of the market itself.
Our work initially focuses on how market forces can curb the behavior of websites in sharing user information with third parties. Websites typically have two sources of income, subscriptions and selling visitor data to third parties. A website using the subscription model needs a large base of visitors, but it can also sell visitor information in secondary markets through advertising or other third parties. Therefore, the website must strike a balance between subscription and third party monetization in this two-sided market, which naturally sets limits on abusive behavior. Interestingly, market forces ensure that when privacy concerns are very high (for instance with health websites) websites exercise greater caution in information sharing which is beneficial to consumers. When users have moderate privacy concerns – not too low and not too high – websites benefit the most to the detriment of users. When privacy concerns are low, users do not care; when privacy concerns are high, websites exercise caution; it’s the moderate privacy settings where consumers stand to lose the most.
To be effective overall, market forces needed to be supplemented with effective regulatory policies. Government agencies have a number of policy options at their disposal – from a total ban of third party sharing to GDPR which is implemented in EU that enables users to know and control third party sharing, to non-commercial entities setting up competing sites with the explicit objective of curbing privacy violating behavior of commercial websites. Each of the policy interventions has varied impacts on the economic surplus of three key entities: consumers, websites, and third parties. The key starting point to regulatory interventions, however, is requiring transparency and informing consumers about which third parties and what information is being shared. Encouraging market competition, along with enacting sensible regulatory policies that are sensitive to implications to consumers, websites, and third parties would enable reaping maximum privacy-aware economic rewards.
This piece originally appeared in the London School of Economics blog at the following link.