Cybersecurity and implicit contracts

I generally feel that people are not worked up enough about corporate invasions of privacy. So it’s good to see an article like this in the Times talking about these issues. People think I’m a little crazy when I tell them I trade supermarket club cards with other people to confuse the consumer profiling system. Maybe that’s because, according to the sidebar, 64% of people don’t realize supermarkets can sell their customers’ purchase information to other companies.

The author makes an interesting framing of personal privacy as an implicit contract. It’s not illegal for someone to follow you around from store to store and record your purchases, but we would consider it an invasion of privacy. We implicitly regard such information as belonging to you. The information has value to every company that can sell you more things if they know your purchasing habits, but this information has (largely) not been monetized. Apparently, the main way that buyout artists made money on hostile takeovers in the ’80′s was by breaking implicit contracts, like the implicit contract to pay senior workers more.

From my own experience from my father’s work in wholesaling, this seems to be a major way that large companies push out small businesses. Some of it is due to higher efficiency from economies of scale, but a lot of the lower prices come from breaking implicit contracts. A small sales business relies on personal relationships. “Good service” is based largely on the understanding that if something goes wrong, it will be fixed at no charge. The small businessman builds loyalty with the customers, often investing a lot up front in samples, demos, and time. The implicit contract is that the customer will stay on board for a while if she finds value in the product. A big company, on the other hand, can offer lower prices, but demos and personal time are short. Likewise, service is more an “our way or the highway” approach. Big companies can freeload on the value that smaller companies invested to get a new product adopted by coming in afterward, perhaps with a cheaper knockoff, and undercutting. At the same time, they keep costs low by redefining the implicit rules of good service and doing less for the customer.

If a small company who you’ve been doing business with for years says, “okay, I’m going to renege on all our agreements, but my prices will drop a little next year”, you’d probably be mad and find another supplier. But a new entrant has an easier time changing the rules, like the way the buyout artists could hire new managers who hadn’t made any promises about future salary. Similarly, online entrepreneurs have this incredible opportunity to break implicit contracts because the social rules of the Internet are still fuzzy. Corporate behavior is checked to some extent by consumer opinion, and behavior that really breaks the social code is sometimes met with a profit-shrinking backlash. But when the social code is fuzzy, this mechanism is less of a protection. Facebook bungled its attempt to spy on users’ purchases by going too far too fast. But I suspect if they made a more staged, strategic invasion of privacy, they would have gotten away with it. How did Google get away with reading private email? If a corporation started scanning our paper mail for keywords and tacking ad fliers on the envelopes, people would not stand for it. But now no one seems to mind the Google approach.

The capitalist compulsion is to monetize everything that can be legally (or sometimes illegally) monetized. It looks to me like the social lawlessness of the Internet and ill-formed social views about digital information are openings allowing personal identities to be rapidly monetized. Perhaps a partial solution is for online communities to coalesce around certain principles and defend them, as seemed to work in the Facebook case. If a major online community really drafted the “Internet Rules of Privacy” and got some prominent other communities to sign on, perhaps pledging to boycott companies that don’t follow the rules, that might really change the game.

As much as I’d like to see a landmark piece of legislation that defines ownership of personal information and restricts the collection of personal data, I wonder if the bottom-up approach, a sort of citizen-union, could work faster in the case of the Internet.

Comments are closed.