Category: Uncategorized

Price discrimination is the practice by which firms offer differential prices to customers, often based on some observed characteristic. Examples include discounts to students, the elderly, loyalty program members, bulk discounts, etc. There are different kinds of price discrimination and the extreme form (1st degree) amounts to the retailer charging the maximum amount that each customer is willing to pay, thereby extracting the greatest surplus. So far, there is nothing inherently wrong with this. Clearly, some consumers will end up paying less under price discrimination, while others may end up paying more. But that’s just how things work. If you’re a student, you get a discount, otherwise, you pay full price. Great to be a student.

But when is this bad? Certainly when it’s illegal. US law has deemed price discrimination based on some characteristics (e.g. race, sex, religion) to be illegal. But what about computer type? People were outraged when Orbitz was outed for presenting more expensive travel search results to Mac users, relative to PC users (http://online.wsj.com/article/SB10001424052702304458604577488822667325882.html). But why the outrage? What if it were true that some other site charged less for movie rentals for PC users than Mac users? Would people be equally outraged? In one case the PC user saves money, while in another the Mac user saves.

It can be argued that price discrimination whereby students enjoy discounts is efficient because it enables transactions that wouldn’t otherwise occur (i.e. students wouldn’t pay full price). On the other hand, practices like Orbitz (2nd degree), or other forms of 1st degree price discrimination may instead just transfer surplus from the consumer to the firm. But is this “unfair?” I suppose that depends whether you’re a retailer or consumer.

Back to the question: when is price discrimination okay? While some may argue that Orbitz was unfair, it surely can’t be disallowed based on fairness. If not, then what are the rules by which we should consider price discrimination okay or not okay? In addition to illegal activities, deceptive behavior that violates FTC regulations would probably be considered “not okay.” But those are easy cases.

What about discrimination based on consumer shopping and browsing behavior? Does the collection and use of shopping data in and of itself make for an objectionable practice? I hardly think so. While some may argue for property rights over one’s transaction data, doesn’t the retailer/firm also have a right to use and innovate (i.e provide discounts and sales) based on these data, too? (Notice the familiar nuissance argument here.)

So if we agree that simply the collection and use of consumer shopping behavior *for price discrimination* is acceptable, must the retailer disclose that practice? (I’m deliberately avoiding discussion of the sale or sharing of PII — that’s a separate matter). I recognize that information disclosure can be a powerful policy intervention, but it doesn’t strike me that a simple notice in this case would lead to any meaningful outcomes.

What about discrimination based on the source of shopping behavior data? If discrimination based on traffic patterns observed only on a retailer’s site is okay, what about discrimination based on information purchased from third parties? Does this suddenly violate fair business practices, or social norms? Does it now require disclosure?

I appreciate the arguments that both consumer advocates and economists make, and they’re not unfamiliar. Arguments from consumer advocates generally relate to issues of fairness: “I want to know what’s going on, so that if I care to shop elsewhere, I have that opportunity.” On the other hand, economists will argue for efficiency (more transactions, greater total welfare), and are generally agnostic with regard to the distribution of welfare. But I don’t necessarily think these are mutually exclusive positions. I believe that the rules of the (price discrimination) game should be clear, and that everyone plays fairly. By which I mean that players should follow the rules, and not complain if they don’t always win the game.

[As a side note, there’s a story about how MAC users are more generous than PC users (http://www.theregister.co.uk/2012/12/17/qgiv_online_donations_study/).]

Here’s a story below from SANS NewsBites Vol. 14 Num. 94. A high school in Texas is RFID ing students as a means of funding. In addition to the unexpected use of this technology, what I find most interesting about the story is that because it’s a public school, the issue potentially becomes a Constitutional violation. Were it a private school (or company), the matter would be much more restricted in it’s scope, but because it’s a state run agency, the issue become much more complex.

“Texas HS Student Fighting Suspension for Refusing to Wear RFID Nametag (November 21 & 23, 2012) A Texas high school student has been suspended for refusing to wear an RFID badge. The Northside Independent School District’s John Jay High School’s Science and Engineering Academy in San Antonio implemented the RFID program to increase state funding. Schools in Texas receive funding based on student attendance; the tags can be used to determine that students are present at the school even if they are not in class. A Texas judge has issued a temporary injunction blocking the girl’s suspension pending a hearing scheduled for this week. Student Andrea Hernandez and her parents say that requiring her to wear the tag is a violation of her First Amendment rights.

http://www.wired.com/threatlevel/2012/11/student-suspension/

…In apparent protest, individuals claiming association with the Anonymous hacking collective have taken down the school’s website http://www.theregister.co.uk/2012/11/27/annymous_takes_down_northside_independent_school_district_as_revenge_for_rfid_tracking/ “

I came across a recent post regarding proctoring during online exams (http://www.technologyreview.com/news/506346/in-online-exams-big-brother-will-be-watching/). As you might imagine, teachers face a legitimate problem of being assured that students taking online classes are not cheating. This solution?: startup firms that provide online proctoring using webcams and screen sharing technologies. The issue, this article claims, is precipitated by the surge in popularity of free online classes provided by some top schools. Some of these classes can even reach enrolments of hundreds of thousands!

Interestingly, the people hired by these proctoring firms are, themselves, students. Given that the goal is to reduce cheating — or at least the perception or possibility for cheating — I have no idea whether that should matter. Overall, the article claims a (known) cheating rate of 0.7% (7 out of every 1000) — a fair bit lower than typical class rooms, I would bet. And while expectation of privacy is appropriately low during a typical classroom exam, one would not think that online monitoring with a webcam should not violate any social norms.

There’s a story (http://www.securityprivacyandthelaw.com/admin/trackback/289911) about a lawsuit filed against the game company, Blizzard, which seeks class action status. It appears that the company is being sued for enabling two factor authentication for their online gaming service. Yeah, that’s what I thought: why on earth would someone sue a company for *having* strong authentication? The lawsuit isn’t really about any particular breach, or any harm resulting from negligent actions by Blizzard, or any actual identity theft suffered by its customers. Rather, the complaint appears to argue that customers might, someday, experience harm, possibly, in the future, should Blizzard be (again) hacked. Uh-hun. It further states that, “defendant’s acts have … harmed plaintiffs’ and class members by devaluing their video games … by adding elements of risk to each and every act of playing said games.” Really? Devaluing their video game? How, exactly? Is there any evidence of this? No, there’s not.

It also suggests that customers were deceived into purchasing the game only to later learn that they also needed a $6.50 device to enable two-factor authentication (the RSA ID fob). Now, fine. If it’s true that customers were misled in some material way, then an allegation of consumer fraud might be appropriate (though, isn’t this the role of the FTC?), and if there was some evidence of any kind of harm (even a real privacy harm), then that might be valid, but these claims seem to be quite stretched.

I had occasion to visit the NYU law librarian recently. I was looking for information regarding WestLaw’s search strategy for federal cases. In addition to being very helpul, Gretchen also send me this link of privacy resources. The site is really quite impressive, and not something I had seen before. There are links to privacy preserving software (PETs), web and email anonymizers, reserach links and many other resources. Worth checking out.

She also pointed me to this link to an EPIC story regarding FBI collection of individual data:
http://epic.org/2012/10/fbi-exempts-massive-database-f.html

FBI Exempts Massive Database from Privacy Act Protections
The Federal Bureau of Investigation has exempted the FBI Data Warehouse System, from important Privacy Act safeguards. The database ingests troves of personally identifiable information including race, birthdate, biometric information, social security numbers, and financial information from various government agencies. The database contains information on a surprisingly broad category of individuals, including “subjects, suspects, victims, witnesses, complainants, informants, sources, bystanders, law enforcement personnel, intelligence personnel, other responders, administrative personnel, consultants, relatives, and associates who may be relevant to the investigation or intelligence operation; individuals who are identified in open source information or commercial databases, or who are associated, related, or have a nexus to the FBI’s missions; individuals whose information is collected and maintained for information system user auditing and security purposes.” The Federal Bureau of Investigation has exempted these records from the notification, access, and amendment provisions of the Privacy Act. Earlier this year, EPIC opposed the Automated Targeting System, another massive government database that the Department of Homeland Security exempted from Privacy Act provisions.

Scary, indeed.

From SANS Newsbites 14(82):
–Senator Rockefeller Seeks Information About Data Brokers’ Business  Practices  (October 10, 2012)
US Senator Jay Rockefeller (D-West Virginia) has sent letters to nine data brokerage companies, asking them to provide answers to a dozen questions about where and how they gather information, with whom they share the information, and what information is shared. Senator Rockefeller is also asking what level of control individuals have over the information the companies collect. The companies are asked to respond by November 2, 2012. Earlier this year, two US Representatives launched an inquiry into data compilers, and the Federal Trade Commission (FTC) is also looking into some data brokers’ practices.
http://thehill.com/blogs/hillicon-valley/technology/261249-rockefeller-pushes-data-brokers-for-answers-on-business-practices-

Text of letter:
http://commerce.senate.gov/public/?a=Files.Serve&File_id=3bb94703-5ac8-4157-a97b-a658c3c3061c

I received a notice about this journal issue:
http://idpl.oxfordjournals.org/content/2/4.toc?etoc

I’m not sure why I received it, exactly, but it scanning the articles, many of them look quite interesting. It’s particularly nice to hear from Fred Cate again. I’ve always appreciated his views and discussions. No doubt many of you will recognize many of the other authors, too.