34 Pages. Posted: 6 Oct 2019. Last revised: 9 Oct 2019.
Date Written: September 25, 2019
This paper proposes a framework for studying data policy, information security, and privacy concerns in digital businesses. We offer a full characterization of the optimal design of data storage and data protection policies for a digital company and also of how those policies affect users’ activity, privacy, and welfare. Our framework features a taxonomy that distinguishes between advertisement-driven companies (e.g., Facebook and Google) and transaction-driven companies (e.g., Amazon and Uber). This distinction reveals that advertisement-driven businesses store either all or none of the user-generated data whereas transaction-driven businesses exhibit a smoother pattern that may include an intermediate data storage policy. Comparing the amount of user information that these two types of companies store, we find that — contrary to public opinion — advertisement-driven companies do not invariably retain more of their users’ data than do transaction-driven companies. Our study establishes that measuring the direct damage inflicted by adversaries on consumers significantly underestimates not only the welfare loss but also the loss of consumer surplus due to adversarial activity. Finally, we identify the conditions under which advertisement-driven businesses generate more consumer surplus than that generated by their transaction-driven counterparts.
Keywords: Information security, online platforms, data-driven businesses, data policy design, advertisement-driven businesses, transaction-driven businesses, welfare