Should Web Privacy Rules Really Be Subjected to a 'Multi-Stakeholder Process'?
April 5, 2012

Should Web Privacy Rules Really Be Subjected To A ‘Multi-Stakeholder Process’?

...And what in the world is a Multi-Stakeholder Process?

Opinion/Editorial provided by Jedidiah Becker for

By now most casual followers of tech news are familiar with the Obama administration's imaginative digital addendum to the first ten amendments announced in late February, cleverly christened with the smarmy sobriquet the “Consumer Privacy Bill of Rights” (CPBR).

The purported purpose of the executive report — the ponderous official title of which is “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” — is to help consumers understand how data-peddling companies are using their personal information and, more importantly, to set up standardized guidelines for regulating what those companies can and cannot do with that data.

In short, the CPBR delineates six guiding tenets for future privacy practices including transparency, respect for context, security, access and accuracy, focused collection, and accountability. Each of these broad domains is chock-full of delightfully vague verbiage like “easily understandable,” “reasonable limits” and “appropriate measures.”

Yet one aspect of the White House's initiative that seems to be receiving accolades from almost every corner has been its advocacy of the so-called “Multi-Stakeholder Process” (MSP) for creating concrete, enforceable guidelines for companies that deal with personal user data.

Essentially, a Multi-Stakeholder Process is something of a collective bargaining mechanism between numerous parties with presumably divergent interests. In this case, the White House is calling on Web-industry bigwigs like Google, Yahoo and Microsoft to 'voluntarily' get together with politicians and regulators as well as consumer and privacy advocates to hammer out a set of rules that would ostensibly address each party's privacy concerns in a fair and balanced manner.

Here's the UN's synopsis of a Multi-Stakeholder Process :

"The aim of multi-stakeholder processes are to promote better decision making by ensuring that the views of the main actors concerned about a particular decision are heard and integrated at all stages through dialogue and consensus building. The process takes the view that everyone involved in the process has a valid view and relevant knowledge and experience to bring to the decision making. The approach aims to create trust between the actors and solutions that provide mutual benefits (win-win). The approach is people-centered and everyone involved takes responsibility for the outcome. Because of the inclusive and participatory approaches used, stakeholders have a greater sense of ownership for decisions made. They are thus more likely to comply with them."


In theory, everyone is invited to participate. In the President's opening statement of the CBPR, he lists as potential stakeholders for web privacy negotiations as “companies, privacy and consumer advocates, international partners, State Attorneys General, Federal criminal and civil law enforcement representatives, and academics.” Oh, and don't forget politicians, federal regulators and technocrats. But that was, of course, implied.

The broad assumption at the moment is that as specific rules emerge from the MSP negotiations and gain consensus among the different stakeholders, these rules will then be instituted as general “codes of conduct” for companies and would ultimately be adopted by Congress as full-fledged laws. Thus the initial collectively-agreed-upon guidelines for web privacy will be sublimated into a set of new digital-privacy commandments via the legislative process.


Before even initiating the proposed MSP negotiations, the White House has demurely requested input from any and all interested parties regarding which privacy issues should be addressed as the process moves forward.

Redolent of the that cloying, faux diversity for which enlightened Westerners seem to have developed a fetish in the last half century, the MSP honey-trap has unsurprisingly attracted a host of hopeful participants, from professional public do-gooders and fawning politicians to obsequious business leaders.

On Monday, the D.C.-based think tank The Future of Privacy Forum (FPF) stated that it “strongly supports “¦ the development of enforceable codes of conduct through a Multi-Stakeholder Process.”

Highlighting what many supporters of the MSP approach see as its advantage over traditional law-making practices, the FPF pointed to the need for flexibility and dynamism in creating rules for the tech industry — features multi-stakeholder negotiations will presumably provide.

“With the rapid evolution of technology, an approach in lieu of technology-specific and prescriptive legislation and one that allows affected parties to participate is prudent.”

Even the American Civil Liberties Union (ACLU), which has admirably excoriated the Obama administration for its egregious lack of transparency in matters of national security, has found cause to celebrate the President's endorsement of MSP rule making for web privacy.

While offering a few suggestions on how to tweak the process to maximize its effectiveness, the ACLU wrote in a formal letter to the Assistant Secretary of Commerce for Communications and Information that “we believe the multistakeholder process could quickly achieve meaningful results for consumers.”

The ACLU went on to explain why MSP will prove so effective in coming up with rules to protect consumers from recreant data-abusing companies.

“The most powerful incentive for a MSP to work is a fear that if they (businesses) don't reach consensus, someone else will set the rules and lawmakers hold the ultimate big stick,” wrote Chris Calabrese on the organization's website.

Chanting their mantra of “transparency and consensus,” the ACLU seems to see the MSP as a friendly means of forcing the business community to openly agree to the rules that will regulate it while providing the illusion of voluntarism and solidarity.

Let's call it conciliatory coercion.


A number of organizations like the ACLU and FPF have taken the White House's entreaty for assistance at face value, putting forward numerous suggestions as to which specific areas most urgently need privacy regulations à la multi-stakeholder negotiations.

Significantly, at the top of many of these lists have been suggestions for rigorous regulation in the explosively growing arena of mobile web applications.

And this shouldn't be surprising. With our astoundingly multi-functional smartphones poised to dethrone the traditional PC as the principle tool with which we engage the Internet, privacy do-gooders and politicrats alike are increasingly swarming like locusts towards the vibrant, efflorescing field of mobile apps.

Convinced of a sort of legislative Manifest Destiny to civilize the Internet, mobile apps seem to represent a large untamed frontier for those who have taken up the Sisyphean task of rendering the web utterly secure for every upstanding denizen.

According to the FPF, its recommendation to place mobile apps at the front of the privacy regulation line is due to the simple fact that mobile apps are one of the fastest growing, least regulated sectors in the tech/telecommunications industry.

“The continued proliferation and use of mobile devices by consumers for a multitude of communication and computing purposes, with a corresponding increase in downloads and use of mobile apps, makes app privacy a priority.  Reports of privacy issues with mobile apps abound, making the issue timely and urgent,” wrote the organization on its website Monday .

And there, in a nutshell, you have the vapid, formulaic logic behind the impulse to intervene: The market for web apps is growing fast and we've heard a few people complain about data privacy, ergo this market is in dire need of federal regulation.

Co-chairs  of the FPF Jules Polonestky and Christopher Wolf even co-authored an editorial for the San Jose Mercury News advocating MSP as an ideal method of devising regulations for mobile apps, putting special attention on the need to involve the makers of apps in the process.

After all, wrote Polonestky and Wolf, “the folks best suited to solve the problem are the app developers themselves.”

The ACLU also cited web apps as top priority for the President's MSP initiative, noting that “some apps seem completely unfamiliar with privacy norms, and many don't even have privacy policies.”

The organization also agreed with another of the President's assertions, namely, that “adopting best practices for privacy will instill consumer confidence and allow this young industry to grow.” In other words, it isn't just in the best interest of consumers — it is also in the best interest of businesses and entrepreneurs.


With almost everybody who is somebody apparently on board with the MSP idea, the U.S.'s 313-million odd consumers and avowed technophiles may find themselves shrugging their shoulders and thinking, “well, if all of the talking heads on MSNBC, CBS and Fox News are for it, it must good.”

For this writer, however, the mere fact that this motley crew of political and economic actors finds itself in agreement on an issue this big is enough to induce a Pavlovian cocked eyebrow.

So as a mere thought experiment, let's for a moment drop the starry-eyed fawning of Multi-Stakeholder Process as a lovely theory and take a look at a few aspects of how this kind of collective law making might unfold in reality.

First, let's briefly debunk one of the assumptions mentioned earlier behind the alleged need for stringent online privacy regulations.

“For businesses to succeed online,” President Obama asserted in the press release accompanying the initiative, “consumers must feel secure.”

Again, the same tune in E flat: Privacy regulation isn't just for consumers; businesses need it to flourish as well.

Sounds logical, right? Problematically, however, a brief look at the cold reality of the situation throws a kink into this line of reasoning.

Can you think of another industry that has been as boomingly and consistently successful in recent years as the 'relatively' unregulated tech/Internet industry? And within that broad field, can you think of another sector that as shown as much prodigious growth in the last year as the almost wholly unregulated market for mobile apps?

By some projections — and these have been more than corroborated by data from the past six months — the global market for mobile apps is expected to grow by almost 30 percent year-over-year from 2009 to 2015. “¦ If only the hyper-regulated, mega-politicized industries for most everything else in the U.S. were ailing under the same burdens as the Internet industry!

Thus it seems that the White House's equation for a healthy Internet (i.e. Consumer Trust via Privacy Regulation = Success for Web Businesses) runs into a bit of a snag. For either most consumers already feel relatively safe with current privacy practices, or they simply don't care about them quite as much as politicians and advocacy groups shouting about them in  their name.

Ah, merciless, objective reality; that bitterest adversary of all would-be do-gooders and jitney messiahs.


This leads us to a second critique of the current MSP web privacy initiative.

A fundamental assumption of multi-stakeholder processes is that every affected party — every 'stakeholder' — is directly involved in the negotiations so that their interests will be duly taken into account.

But this writer would submit the seemingly inane question: Who actually represents the 313 million consumers that make up the U.S. market?

For the sake of moving the argument along, I am going to consider it a fairly self-evident proposition that neither the Federal Trade Commission nor Congress (with approval ratings frequently dipping into the single digits) can be considered to represent the collective consumer's interest in any meaningful way.

Which leaves us with these so-called consumer and privacy advocates who we keep hearing so much about and who have been so vocal in arrogating the noble duty of defending our interests.

But again the question: To what extent are the wishes and concerns of the consumer really represented by these organizations when they sit down at the MSP table to negotiate concrete regulations in our name?

Again we run into a few problems.

Firstly, we might point out that many of these so-called privacy/consumer advocacy groups are Washington-based think tanks, staffed by people who regularly make the rounds on the public-private-public circuit.

Jules Polonetsky, co-chairman of the aforementioned highly vocal Future of Privacy Forum, serves as a case-in-point.

A quick look at Mr. Polonetsky's curriculum vitae indicates that he has been moving in and out of the revolving public-private door since the early 1990s, alternately serving as chief privacy officer for AOL (private), the NYC Consumer Affairs Commissioner for Mayor Rudolph Giuliani (public), Chief Privacy Officer and Special Counsel for New York's largest advertising and marketing firms DoubleClick (private), and member of the New York State Assembly as well as legislative aide to Democratic New York Senator Charles Schumer (public). And in 2011, he was appointed to the Department of Homeland Security Data Privacy and Integrity Advisory Committee (public?).

In highlighting this fact, I do not mean to question the fundamental integrity of Polonetsky or colleagues with similar resumes. Yet as far as his appropriateness in playing the role of 'consumer representative' goes, there do emerge a number of reasonable concerns regarding his true objectivity — the same kind of concerns one would likely harbor about an honest judge who is being cuckolded by the defendant's husband and plays Wednesday-night poker with the claimant.

Secondly, there are reasons to doubt whether even a group like the ACLU — an organization with an honorable track record of transparency and integrity on many issues — can be said to represent the citizen as consumer in this case. After all, on the issue of consumer privacy the ACLU has, at least on some points, staked out a fairly rigid and dogmatic course in assuming what is good for the consumer.

The simple fact is that it borders on absurdity to assume that any group can represent the collective wishes of consumers. And this stems from the simple fact that there is not one consumer's wish to represent but 313 million unique consumer wishes that overlap and diverge to various extents and on various points. The kind of information privacy desired by Consumer A might be completely different from what Consumer B is willing tolerate.

I fully understand that my neighbor might not want Internet companies tracking her searches and certainly not tracking her physical location. But in our hyper-connected brave new world, there is more than likely a niche market for a smartphone app that, for example, lets selected friends and family follow your whereabouts at all times using GPS or even recognizing your face as you 'check in' to various events.

To this writer, this admittedly sounds a like a Foulcauldian nightmare, and I would personally opt out of using such apps. But if it seems far-fetched or implausible to imagine that another consumer might actually want this, just think of those numerous websites set up by people who have voluntary turned their homes into digital panopticons by rigging every room with perpetually streaming webcams.

Or what about something that might appeal to more conventional tastes, say, an app that tracks and records your online shopping habits and then links up with GPS to alert you when you happen to be in the vicinity of a shop that has those dark blue chinos on clearance that you've been dying to buy.

As long as the app sticks to the terms to which you agreed, why shouldn't you get those chinos?

Thus contentions that 'the consumer doesn't want to be tracked' or 'the consumer doesn't want his search history kept on record longer than X amount of time' unravel in light of the fact that some consumers do in fact want just that.

Regarding the 'interests of the consumer', in this writer's mind there's really only one consumer interest that seems to hold true for all consumer at all times, and that is to simply ensure that the business on the other side of the transaction holds up its end of the deal. In short, not to dictate which terms of privacy a mobile app or web service is allowed to offer me but rather to simply make sure that he stays within the bounds of the original conditions to which I agreed.

If a company accesses or uses parts of my personal data not authorized by its privacy policy — which is to say that it breeches the implicit contract I accepted when I agreed to use its service — then he's fair game for the law man. Otherwise, why should anyone be able to dictate which terms a business can offer me or which terms I can accept?

(Note: This writer perceives a market niche for a mobile app that provides users with a quick overview and/or detailed breakdown of the privacy terms of other apps. “¦ Takers?)


The last problem I would like to point out — though not the last I can think of — regarding the using MSP is similar to the problem of defining a 'collective consumer'.

Essentially, we can ask the same question in regards to businesses representatives that we asked about representative 'stakeholders' of the consumer: Are the business stakeholders sitting at the MSP negotiating table really representative of the business community at large?

Let's assume for a second, that somehow the hundreds of small businesses and independent Web entrepreneurs were actually given a seat at the (extremely large) negotiating table and managed to find the resources in their meager budgets to spend weeks or months wheeling and dealing with the big-shots in D.C. Do we have any reason to believe that their voices will carry the same weight as those of, say, a handful of the Silicon Valley giants?

Of course not. Not only do Google, Microsoft, Apple and other giants enjoy the advantage of having economies of scale — meaning in this case that they have huge budgets and entire divisions of experts able to research, formulate and enunciate their 'interests' in legal and economic terms — but they also have the advantage of financial and political clout.

Thus it isn't just that the blue-chip tech companies will be able to state their case in a more persuasive and informed manner than the little entrepreneurs, but they are also in a position to more effectively pull the necessary strings needed to get the stakeholders on the other side of the table (i.e. politicians, technocrats and consumer advocates) to see things their way.

The situation this presents seems reminiscent of the early days of so-called trust-busting in the U.S. — a misnomer if ever there was one — where the steel and railroad magnates got together with politicians to design the rules that would govern their industries. The result was a Pandora's box of 'anti-trust' laws that actually served to stifle and choke out small competitors who sought to challenge the market dominance of the industries' Goliaths.

Thus for all the laudatory talk about the transparency and fairness of multi-stakeholder processes, why in the world would this process be any more transparent or fair than, say, a session of Congress, where deals on legislation are often made behind closed doors long before a bill goes to the floor for a vote?

In closing, consumers and users of the products and services from which our politicians and professional do-gooders would like to protect us need to be aware that the enchanting multi-stakeholder process theory will inevitably turn into a far less charming and sordid reality once it convenes.