A study shows that overly strict privacy laws inhibit the effectiveness of the Internet ecosystem.

FULL TEXT

Privacy legislation under consideration could reduce the effectiveness of online advertising and thus reduce the available revenue to support free or low-cost content, applications and services. Before passing such legislation, policymakers should review the empirical data on the importance of online advertising, the effectiveness of targeted ads, and the impact of regulations on online advertising. They should be aware that data privacy regulations could sharply limit the principal funding mechanism for most of the free Internet enjoyed by consumers today and result in lost jobs, investment and Internet innovation.

It is surprising that policymakers would want to tamper with one of the most successful drivers of economic activity in the United States as the national economy struggles to rebound from a recession. Let’s be clear—the Internet is a critical component of the economy both globally and domestically. ITIF estimates that the annual global economic benefits of the commercial Internet equal $1.5 trillion, more than the global sales of medicine, investment in renewable energy, and government investment in R&D, combined.[1] Moreover, the Internet has a substantial impact on the U.S. economy. A 2009 study co-authored by the Hamilton Consultants and Harvard Business School professors John Deighton and John Quelch found that in the United States the Internet generates at least $300 billion of economic activity annually, or approximately 2 percent of the U.S. GDP.[2] And while the U.S. has lost leadership and jobs in an array of industries, it still leads the world—by a considerable margin—in the Internet industry.

The Internet is important to our economy and online advertising is the dynamo powering the Internet’s rapid growth. Many of the websites that millions of Americans depend on for work and play would not be around today without online advertising. In fact, the top five websites in the United States—Google, Facebook, Yahoo, YouTube and Amazon.com—all use online advertising to support their products and services.

As shown in Figure 1, Internet advertising has grown dramatically over the past decade. In the United States, non-search online advertising expenditures have grown from $6 billion in 2002 to $13 billion in 2007. Similarly paid search has grown from $1 billion in 2002 to $8 billion in 2007.[3] The Internet Advertising Bureau estimated cumulative Internet online advertising market to be $21.1 billion as of 2007. The Kelsey Group found that worldwide Internet advertising reached approximately $45 billion in 2007, out of a total $600 billion advertising market, and predicts online advertising will grow to over $147 billion by 2012.[4] IDC reports similar figures estimating that worldwide spending on Internet advertising reached $61 billion in 2009. In addition, IDC predicts that advertisers will increasingly use the Internet for advertising, with online ad spending growing from 10 percent of all ad spending in 2009 to almost 15 percent by 2013.[5]

Figure 1: U.S. Quarterly Internet Ad Revenue since 2001, Source: IAB/PWC[6]

Internet advertising supports the creation of new content, applications and services. A case in point is the newspaper industry. Policymakers concerned with the decline of print media should note that greater revenue from targeted online advertising will likely be necessary for journalism to survive in the Internet age.[7] We are already seeing some evidence of this. For example, the Los Angeles Times announced in 2009 that its online advertising revenue was sufficient to cover its entire editorial payroll.[8] And online advertising will be important for the so-called “long tail” of small websites and content producers supported by ad revenues. After Google introduced a revenue-sharing program in 2007 for YouTube, various Internet entrepreneurs began turning their videos into a lucrative business. For example, Josh Chomik, a teenager in New Jersey earns around $1,000 a month from ad revenue generated by his YouTube videos.[9]

If online advertising is important to the Internet ecosystem today then ensuring that online advertising revenues continue to grow will be central to the Internet’s growth and success tomorrow. One way websites gain more value from online advertising is by providing more relevant ads—a benefit both to consumers who get more utility from these ads and advertisers who are willing to pay more to reach their target audience. Targeted ads based on information about a user—such as the user’s browsing history or other user-specific data—help deliver higher-value ads. Yet even though the importance of online advertising to the greater Internet economy has been well-documented, policymakers seem intent on imposing data privacy regulations that would limit the ability of Internet publishers to tailor advertising to users based on their interests.

Part of this may be due to a misconception about how targeted advertising works. When Google offered ads to its Gmail users based on contextual information in emails, privacy advocates objected to Google “reading people’s email.”[10] Yet these claims do not distinguish between ads delivered to web users through automated computer technology and an individual snooping through personal emails. In the former, providing targeted computer-matched ads poses no more privacy threat to users than simply having their emails stored on remote servers. Similarly privacy concerns have been raised about Facebook with fictional claims of the company selling its user’s data because of misunderstanding about the mechanisms of targeted advertising. Targeted advertising works by matching ads to users based on the information in their profile. For example, a wedding photographer in Dallas can pay Facebook to serve an ad to everyone in Dallas who switches their relationship from “single” to “engaged.” This benefits everyone—the photographer gets more clients, the users get more relevant ads, and Facebook is better able to fund its free services. And at no time does the photographer learn who sees the ads, unless a user chooses to make contact.

These benefits from targeted advertising are clearly documented. Howard Beales, a professor in the School of Business at George Washington University and former Director of the Bureau of Consumer Protection at the Federal Trade Commission, has described how targeted advertising leads to higher value for Internet publishers and consumers. In 2009, Beales authored a report which found that advertising rates for online ads that used behavioral targeting were significantly higher than online advertising that did not use behavioral targeting (2.68 times as much).[11] Moreover, targeted ads are more relevant to consumers. This fact is supported by the data—click-through-ratios, or the percent of web users that click on an ad, for targeted ads are as much as 670 percent higher than non-targeted ads.[12] Beales looks at conversion rates—or the percent of online advertisements that turn into sales—and finds that the conversion rate for ads using behavioral targeting is twice that of ads not using it.

Now a new research paper by Avi Goldfarb at the University of Toronto and Catherine Tucker from MIT takes this research a step further and documents how privacy laws can negatively impact the efficacy of online advertising.[13] Specifically Goldfarb and Tucker analyzed the impact of the European Union’s Privacy and Electronic Communications Directive (2002/58/EC) which was implemented in various European countries and limits the ability of advertisers to collect and use information about consumers for targeted advertising. The authors find that after the new privacy laws went into effect they resulted in an average reduction in the effectiveness of the online ads by approximately 65 percent (where the effectiveness being measured is the frequency of changing consumers’ stated purchase intent). The authors write “the empirical findings of this paper suggest that even moderate privacy regulation does reduce the effectiveness of online advertising, that these costs are not borne equally by all websites, and that the costs should be weighed against the benefits to consumers.”

All of these analyses support the larger conclusion that targeted advertising is crucial for supporting the websites responsible for the majority of the free and low-cost content online. This is particularly true for general-interest sites (like news websites) that have little ability to determine what ads their users would be most interested in without the cues that better targeting enables (in contrast to some special-interest sites which can do so somewhat more easily). Not surprisingly, Goldfarb and Tucker found that the negative impact on ad effectiveness from the European privacy regulations was strongest among these sites. The negative impact was also stronger for non-obtrusive ads (e.g. smaller ads or ads not using multimedia) which suggests that small, text ads will be significantly less effective unless they can be tailored to a user’s interests. The authors also note that if advertisers reduced their spending on online advertising in line with the reduction in effectiveness resulting from stricter privacy regulations, “revenue for online display advertising could fall by more than half from $8 billion to $2.8 billion.”[14] And as Beales notes, a reduction in ad revenue directly hurts online publishers since more than half of ad network revenue goes to publishers who host the ads.

It is therefore not surprising that U.S. Internet companies lead the world and European companies do not. European companies are at a disadvantage compared to U.S. companies because the government is essentially limiting their revenue to less than half of what they could otherwise earn. As a result, Europe has struggled to be an effective player in the Internet economy compared to the United States where there are significantly fewer restrictions.

As ITIF has noted, proposed privacy legislation provisions in the United States would restrict targeted online advertising by limiting the collection of certain types of data, requiring opt-in consent for collecting data, or providing mechanisms to encourage users to opt-out of targeted ads.[15] Like the European privacy regulations, these types of restrictions would limit targeted advertising and harm the Internet-powered economy. The kinds of privacy legislation now being proposed in Congress will reduce revenue flowing into the U.S. Internet ecosystem, which means not only fewer web sites and less valuable content, but also less spending by Internet companies on servers and bandwidth. The net result will be fewer jobs. In addition, if the Internet is less valuable to consumers because there is less useful content, applications and services, users are less likely to subscribe to broadband. In addition, privacy regulations such as requiring opt-in to collect or use data for targeted advertising will likely increase costs. Goldfarb and Tucker report that anecdotal evidence suggests that obtaining opt-in consent costs organizations approximately 15 Euros per user.[16]

Does this mean that policymakers should avoid all privacy regulations? Of course not. But it does suggest that policymakers should tread lightly and focus more on preventing harms from privacy violations than on legislating expensive and revenue-reducing regulations.[17] The evidence clearly suggests that the tradeoffs of stronger privacy laws result in less free and low-cost content and more spam (i.e. unwanted ads) which is not in the interests of most consumers.

Proponents of stricter privacy laws often ignore the benefits that online advertising confers on consumers. For example, Google and Facebook, two of the companies most vilified by privacy fundamentalists, are at the forefront of offering low or no-cost content, applications and services to consumers unimaginable a decade ago. Yet when these companies use targeted online advertising to fund their operations, privacy fundamentalists object. Unfortunately, these objections reflect the prevailing message of privacy fundamentalists that privacy trumps all other values. However, policymakers should recognize that privacy, as with any other value, must be balanced against other competing interests and can, as it will here, comes at a real financial cost—fewer jobs, less investment and a less robust Internet.

The Internet is a vital part of economic and social life and federal data privacy legislation should ensure that beneficial uses of data are not curtailed by overly-restrictive data sharing policies. Congress should not implement across-the-board reforms to privacy regulations without seeking a better understanding of how these changes will affect the Internet economy, and by extension, the overall economy and society.

Endnotes

[1]   Robert Atkinson et al., “The Internet Economy 25 Years After .com,” (Washington, D.C.: Information Technology and Innovation Foundation, 2010) www.itif.org/files/2010-25-years.pdf.

[2]   John Deighton and John Quelch, “Economic Value of the Advertising-Supported Internet Ecosystem,” (Hamilton Consultants, 2009) www.iab.net/media/file/Economic-Value-Report.pdf.

[3]   Ibid.

[4]   “Interactive Advertising Revenues to Reach US$147 Billion Globally by 2012, According to The Kelsey Group’s Annual Forecast,” press release, (Chantilly, VA: The Kelsey Group, 2008) www.kelseygroup.com/press/pr080225.asp.

[5]   “Number of Mobile Devices Accessing the Internet Expected to Surpass One Billion by 2013, According to IDC,” IDC, press release, December 9, 2009, http://www.idc.com/getdoc.jsp?containerId=prUS22110509.

[6]   “Internet Advertising Revenues Hit $5.9 Billion in Q1 ’10, Highest First-Quarter Revenue Level On Record,” IAB, May 13, 2010, www.iab.net/about_the_iab/recent_press_releases/press_release_archive/press_release/pr-051310.

[7]   Robert D. Atkinson, “Federal Trade Commission Workshop on Journalism in the Digital Age,” (Washington, D.C.: Information Technology and Innovation Foundation, 2010) www.itif.org/publications/federal-trade-commission-workshop-journalism-digital-age.

[8]   Jeff Jarvis, “History in the making in LA as online ads hit target,” The Guardian [UK] 12 Jan. 2009, www.guardian.co.uk/media/2009/jan/12/la-times-online-advertising.

[9]   “YouTube channel earns college money for N.J. teen,” NJ.com, 7 April 2009, www.nj.com/news/index.ssf/2009/04/youtube_channel_earns_college.html.

[10]  Robert Atkinson, “Google E-mail, What's All the Fuss About?” (Washington, D.C.: Progressive Policy Institute, 2004) www.ppionline.org/ppi_ci.cfm?knlgAreaID=140&subsecID=288&contentID=252511.

[11]  Howard Beales, “The Value of Behavioral Targeting,” (2009) www.networkadvertising.org/pdfs/Beales_NAI_Study.pdf.

[12]  Jun Yan, Gang Wang, En Zhang, Yun Jiang, & Zheng Chen, “How Much Can Behavioral Targeting Help Online Advertising?” (Madrid, Spain: WWW, 2009) www2009.eprints.org/27/1/p261.pdf.

[13]  Avi Goldfarb and Catherine E. Tucker, “Privacy Regulation and Online Advertising,” (2010) http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1600259.

[14]  Ibid.

[15]  Daniel Castro, “ITIF Comments on Draft Privacy Legislation,” (Washington, D.C.: Information Technology and Innovation Foundation, 2010) www.itif.org/files/2010-privacy-legislation-comments.pdf.

[16]  Avi Goldfarb and Catherine E. Tucker, “Privacy Regulation and Online Advertising,”

[17]  Daniel Castro, “Data Privacy Principles for Spurring Innovation,” (Washington, D.C.: Information Technology and Innovation Foundation, 2010) www.itif.org/files/2010-privacy-and-innovation.pdf.

ITIF Senior Research Fellow Richard Bennett explains the changing nature of personal privacy in the Internet era and why Congress should take such changes when attempting to regulate the Internet.

As data on individuals or their actions increasingly is collected and stored electronically, it is important for policymakers to consider the effect this has on privacy. The Department of Commerce's notice of inquiry provides a welcome opportunity to explore the best ways of protecting individual privacy while avoiding constraints on business innovation and unintended negative impacts on consumers as a whole. Privacy is important, but it must be balanced against competing goals including usability, cost and future innovation. While many technologies can be misused, they should not be banned simply because they come with some risk. Privacy fundamentalists often overstate privacy concerns as a rationale for opposing certain innovations: we have seen this in everything from RFID to biometrics to electronic health records. Moreover, restrictive privacy regulations for the private sector would likely result in less innovation, fewer free services for the average user, and higher costs for consumers. Instead, policymakers should embrace principles that support consumer privacy, but not at the expense of productivity and innovation.

Comments submitted by ITIF Senior Analyst Daniel Castro to the House Energy and Commerce Subcommittee on Communications, Technology and the Internet Subcommittee Chairman Rick Boucher and Ranking Member Cliff Stearns on the discussion draft of privacy legislation.

On May 14, 2010 Google announced that while developing its location-based services, it had been inadvertently collecting samples of payload data from wireless network traffic since 2007. This means that Google had captured data packets sent over unencrypted wireless networks—data packets that could include sensitive Internet traffic such as email and web browsing activity. The disclosure from Google followed an internal review prompted by the German data protection authority’s request for an audit of Google’s data collection for wireless networks. The company has apologized for its mistake and it has halted its wireless network data collection indefinitely.

Not surprisingly, this mistake has prompted outrage and criticism among privacy advocates and consumer protection agencies in the United States and Europe. While no company should be illegally collecting information about citizens without their permission, this situation is not as straightforward as some would like to make it seem. Certainly the legality of Google’s actions should be explored, as with any alleged crime, but this incident should not be used to impose punitive sanctions on Google unless it is found that the company caused consumer harm or did not act in good faith. To do so, would send a chilling warning to other companies that they face severe risks if they engage in fast-paced innovation of information-based services.

The initial facts show that Google has acted responsibly. For example, Google publicly disclosed the unintentional data collection and asked a third-party to review the incident and ensure data is properly destroyed. More importantly, no user harm has been identified. Of course the magnitude of the incident remains unclear. Some questions remain unanswered or unverified including how much information was collected, how the data was used during this time (Google says it was not used in any Google products), and whether any copies of this data were made. These facts should determine how government agencies proceed.

Unauthorized recording of electronic data should not be condoned or encouraged. However, while we may wish that companies never make mistakes, this is simply an unreasonable expectation given the complexity of many applications today. This does not mean that companies should be given a free pass to break laws or be absolved from negligent behavior, but it does mean that issues such as harm and intent should weigh heavily when mistakes are made. The goal of government should be to strike a balance that protects consumers while still encouraging socially-responsible and economically-beneficial innovation.

Unfortunately, as ITIF has argued previously, the current debate on electronic privacy has been driven largely by privacy fundamentalists who object to virtually all instances of for-profit companies providing unregulated services in the information economy. Yet, overall, consumers have benefited widely from the unbridled creativity of the private sector with innovative products and services. For example, Google collected this wireless network traffic as part of the development of its location-based services. Google’s location-based service allows users to pinpoint the location of their computer or mobile device on various Google products and services. Google also has created a Geolocation application programming interface (API) that developers can use to integrate Google’s location-based services in non-Google products. Consumers have benefited from this service with many useful location-aware applications from location-based social networking to online maps that show users their location and nearby points of interest to “location-based security” that locks or unlocks certain features on a mobile device based on where it is (e.g., unlocked at home).

To determine a device’s location, Google uses a variety of signals and data sets, including GPS, cell towers, and wireless access points. Different location indicators are used depending on the situation and the device, for example, some devices may not use GPS if they do not have a GPS receiver or cannot receive a signal. By “fingerprinting” wireless networks, Google is able to use this data to determine the geographic location of a mobile device. Other companies, such as Skyhook Wireless, have created similar products that map wireless networks to specific geographic locations.

Google collected the wireless data using the same vehicles it uses to collect imagery for its Street View service, although the two programs are otherwise unrelated. Specifically, Google used wireless receivers in its vehicles to record the beacon frames broadcast by wireless networks as its vehicles traveled through different areas. These data packets include the Service Set Identifier (SSID) which identifies the network name and the Media Access Control (MAC) address which is a unique identifier for each network device. Google also recorded data on signal strength, broadcast channel, and the wireless networking standard used (e.g., 802.11g, 802.11.n, etc.). Google does not share its data set about wireless networks with third parties but rather provides an API to interface with this data. This means that Google does not make public some potentially sensitive information, such as a list of all open wireless networks in a neighborhood.

Google’s accidental data collection also raises the question of whether users should have an expectation of privacy when transmitting unencrypted information wirelessly. Arguably if users transmit data without encryption they should not expect the information to remain private since the data packets can be visible to others. This should be especially true today now that encryption is standard and easy to use on consumer-grade wireless routers and web browsers. However, in general, the existing law protects both encrypted and unencrypted data transmissions equally. This differs from oral communications where legal protections only apply to “oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation.”

An analogy here provides a useful comparison: are wireless transmissions more like a mailbox or a window? If they are more like a mailbox, then wireless transmissions should be protected. A mailbox may not be locked, but that does not give others permission to look inside. However, if wireless transmissions are more like a window, then—unless individuals take action to cover the windows—we do not have a high expectation of privacy. (Of course, even with windows we have Peeping Tom laws, which vary by jurisdiction, that protect people from intrusive actions by others. However, in many cases, these laws require the victim to demonstrate harm.)

Objections have been raised about this for many years. For example, in 1986 when Congress updated the Electronic Communications Privacy Act (ECPA), a New York Times op-ed highlighted the legislation’s failure to distinguish between wired and wireless transmissions: “To disregard the medium is to ignore the essence of the privacy issue. Some media, such as wire, are inherently private. That is, they are hard to get at except by physical intrusion into a residence or from a telephone pole. Other media, notably radio signals, are inherently accessible to the public.”¹ Given the ease with which electronic data transmissions can be encrypted, perhaps this incident should serve as a red flag that privacy laws should be clarified to give more legal protection to private data when it is encrypted (i.e., to prevent unauthorized decryption of encrypted data) and less when it is not encrypted. Such an update would align legal rights with technical realities.

Again, we are not excusing Google’s mistake or seeking to reduce the privacy of individuals. However, this incident should not be seen as just another opportunity to criticize Google for its use of information and demand more regulation of electronic data. Instead, it is an opportunity to highlight the need for the private sector to implement better internal controls, for consumers to protect their sensitive information, and for nations to ensure that their laws protect both consumers and the spirit of innovation.

Endnotes:

1. Robert Jesse, “How not to protect communications,” New York Times (September 13, 1986), p. 27.

The criticism of Facebook has reached an all-time high this past week as privacy advocates have fanned the flames of discontent among Facebook users, some of who are confused and upset by recent changes in the service and new features for sharing data. This criticism centers around two new features Facebook debuted at its F8 Developer Conference in April--instant personalization and social plugins. The first feature, instant personalization, allows certain partner sites to use data from a Facebook user's profile to customize their online experience. For example, if a Facebook user visits Pandora, a customizable Internet radio website, instant personalization will allow Pandora to create a custom radio station for the user based on their likes and dislikes from their Facebook profile. The second new feature, social plugins, allows developers to place a Facebook widget on their website so that visitors can "Like" a page or post comments. These interests can then be shown on a Facebook user's news feed and users can see their friend's activity. It is important to note though that websites, like the Washington Post, that use Facebook's social plugin do not see any of the user's personal information--but Facebook users benefit by receiving recommendations about web pages that their friends like or recommend. Both of these new features users can opt not to use.

Much of the frustration among users seems to stem from a feeling that they must continually monitor their privacy settings as Facebook introduces new features, rather than having a "set it and forget it" privacy option. However some users paradoxically complain both that there are too many controls and that they are too confusing, and that they do not have enough control over their personal information. Some users are also unhappy with recent changes that make personal information public if Facebook users choose to share it. Certainly Facebook could have done a better job of explaining its recent changes to users and helping them update their privacy settings, but many companies struggle with this challenge and Facebook seems to be getting better at this over time.

Other users are simply confused about what Facebook is doing. Contrary to some misconceptions out there, Facebook is not selling consumer data, they are selling targeted advertising. Targeted advertising works by matching ads to users based on the information in their profile. So, for example, a wedding photographer in Dallas can pay Facebook to serve an ad to everyone in Dallas who switches their relationship from "single" to "engaged." But Facebook does this without ever revealing any personal information to the advertiser. This benefits everyone--the photographer gets more clients, the users get relevant ads, and Facebook is better able to fund its free services.

Moreover, some of the complaints about Facebook are just downright absurd. For example, the New York Times published an infographic criticizing the length of Facebook's privacy policy of 5,830 words ignoring the fact that its own privacy policy comes to a total of 4,857 words. And opponents of Facebook's policies seem to miss the irony of using Facebook as their primary tool to organize a protest since it only highlights how useful Facebook can be for users. For example, Diaspora--the anti-Facebook start-up--is raising money using Kickstarter, a grassroots fundraising tool that uses Facebook to help spread the word. And many blogs and news websites that host articles critical of Facebook have already implemented the new Facebook features which are at the heart of the controversy including social bookmarking tools and targeted advertising.

Let's face it--when you have 400 million users, you are not going to be able to make everyone happy. But privacy fundamentalists--those individuals who value personal privacy above all other values--don't just want to set the privacy rules just for themselves, they want to set them for everyone else. For example, Danah Boyd a fellow at Harvard's Berkman Center for Internet and Society, claims that Facebook is a utility and should be regulated like one. Others, like the developers of Diaspora, are trying to develop an open-source social networking tool where data is decentralized and in the hands of private citizens rather than being controlled by corporations. And still others want government to pass more regulations on how companies can use consumer data. All of these individuals share at least one thing in common--they want a world where for-profit companies are not providing largely unregulated services in the information economy. While they may see this as a noble goal, the end result for the average user would be less innovation and fewer free services. Facebook, and many other useful social networking tools, would not be in existence today if they had to rely on donors and grants, instead of investors and venture capital, and if their innovations were DOA because of strict privacy regulations.

If privacy fundamentalists only cared about their own privacy, they could simply opt to not use Facebook. But these people instead see the world as one in which everyone else needs to be saved from having Facebook and its army of evil programmers sell off their personal data to the highest bidder (something Facebook is not doing). Consider a recent statement by Chris Conley at the ACLU who said, "People are not necessarily thinking about how long this information will stick around, or how it could be used and exploited by marketer." It is this type of paternalistic view of Internet users that is at the heart of arguments in favor of government regulation to protect consumers from themselves.

However, as we've written previously, Facebook is neither a right nor a necessity. Certainly others agree with this sentiment. As Betty White recently joked on SNL, "Facebook... sounds like a huge waste of time. When I was young we didn't have Facebook, we had phone book, but you wouldn't waste an afternoon with it." It may be fun, useful and part of the daily routine for 50 percent of its 400 million users, but its popularity should not be grounds for government intervention.

Government intervention is not needed because there is already a simple solution--if you don't like Facebook's policies or services, then don't use it. Or use it, but use Facebook's privacy options to not share certain information. Facebook offers consumers a tradeoff--consumers can use its free service, and in return, Facebook can sell targeted advertising based on user data (which, again, is fundamentally different than selling consumers' data). Consumers face trade-offs all the time. I personally don't like paying $10 for popcorn at the movie theater, so I usually skip the popcorn line. Sure, I would be happier with the popcorn, but I'm not willing to make the trade-off. The trade-off Facebook offers is no different and consumers that do not want to make the trade can simply not use the service. This same idea was echoed last week by Facebook executive Elliot Schrage who (perhaps more tactfully) stated, "We are not forcing anyone to use it."

However, for as much media attention and criticism Facebook has received over the past few weeks, most people seem content to remain with Facebook. Some people will leave Facebook; indeed, some already have. For example, Leo Laporte the host of This Week in Technology generated much media attention by deleting his Facebook account during last Wednesday's podcast. But this does not seem to be catching on. The "Quit Facebook Day" website has attracted fewer than 3,000 pledges. And while some individuals (mostly privacy fundamentalists) will choose to delete their account (if they were using Facebook to begin with), for most users, the benefits of Facebook still seem to outweigh the costs of using it. Why? Because it is a great tool for making and keeping connections and most users get a lot of value out of using it.

This is certainly not the first time that Facebook has been faced with criticism about its service. In 2006, Facebook users protested the introduction of the "News Feed" which showed status updates from Facebook friends, yet a few years later, the News Feed is now a standard feature embraced by users. Even one of the leaders of the protest from 2006, has come to Facebook's defense now arguing that "Facebook...is the wrong target for our anger. It has done more to bring people together than any technology of the last five years, and the good it has brought far outweighs the bad. We made the decision to turn our personal information over to a private company, and for the most part Facebook made good use of it."

Social media is encouraging people to be more open about their lives. Some social networking tools like Twitter even make data public by default. But individuals still have control over what information they share and with whom they share it. Moreover, no user is forced to use a social networking tool. Facebook should not be criticized for trying to monetize its business model, which yes, involves serving users targeted ads based on their profile and personal data and getting as many users to join by offering innovative new features. But it is not selling user data to advertisers and it does not plan to.

Moreover, Facebook is not the enemy. With or without Facebook, people will continue to share information and use personal data information for work and for play, and users will have to learn to be responsible for their own actions and aware of what they do online. Some users may not like some of Facebook's recent changes, but it is not the bogeyman privacy fundamentalists have made it out to be and it should not be regulated like one. By and large, the changes Facebook has made have been designed to create a more useful and interesting Internet experience for its users. Before rushing to regulate social networks, policymakers should remember that not only do applications like Facebook provide users with real value in ways that do not violate their privacy, but that users have many ways of controlling their privacy on these networks.

Privacy fundamentalist will continue to insist that the government implement data privacy regulations, partly on the basis that consumers need to be protected from their own choices and that the kind of mass customization that new Facebook applications enable are not needed. But this kind of paternalism is not needed. People have learned in the offline world how to protect their privacy (e.g., they close the drapes at night before undressing), and they are learning it in the online world by not sharing sensitive information and controlling their privacy settings (and yes, exhibitionists both offline and online can share what you and I might consider too much information). Moreover, stringent new privacy regulations that effectively neuter all useful information sharing on the Internet would not just hurt Facebook (a U.S. company, it should be noted, that sells its services around the globe, creating jobs and export revenue for the U.S. economy), it would also stall future innovation and possibly eliminate many of the useful applications that people use today.