Privacy, Inc.: Welcome to the personal-information marketplace
Democracy requires privacy: privacy in our actions, privacy in our thoughts.
Without privacy, there is no First Amendment protection of free speech. Anonymous speech made it possible for the pamphleteers to express their desire for liberty and independence from Britain prior to and during the American Revolution.
Without privacy, there is no sanctity of your "person, houses, papers, and effects" as enshrined in the Fourth Amendment. Freedom from observation is a concept that has its roots in English Common Law as a response to government overreaching.
Alternet's February 19, 2015, excerpt from Richard Scheer's book, They Know Everything About You: How Data-Collection Corporations and Snooping Government Agencies Are Destroying Democracy, presents Scheer's comparison of the current surveillance state to the dystopias envisioned by Aldous Huxley and George Orwell. As Scheer points out, "totality of societal observation" is the antithesis of freedom, "even when the observation is gained through hidden or subtle persuasion."
Scheer claims that the ability of government and businesses to map our minds exceeds the surveillance powers described in Brave New World and 1984. By collecting information about us, our thoughts, and our activities, the data collectors are able to manipulate and control us -- without us being aware of it.
Why are people willingly and "enthusiastically" giving up their privacy? The most cherished cultural value is now to be noticed: "[T]he most observed are the most valued," according to Scheer.
Seemingly non-threatening requests such as "Can we use your location?" disclose much more about who we are and what we're thinking than we imagine. We're tracked by our cell phones. The photos we take with our phones are geo-tagged. Facial recognition is applied to the photos we upload. Our wall posts, comments, likes, emails, text messages, chats, documents stored in the cloud, the snoopy apps we install, the web forms we fill out, all collect personal information that is ultimately retained, stored, shared, and mined by government and businesses.
Constant observation leads to self-censorship, which is the foundation of totalitarianism. We acquiesce to the data collection in the spirit of consumerism, and perhaps patriotism. Data collected by private companies is scooped up indiscriminately by government. The "military-intelligence complex," as Scheer refers to it, replaces the "military-industrial complex" that President Eisenhower warned against in his Farewell Address in 1961. Internet giants such as Google and Yahoo are now integral parts of the "American war machine," according to Scheer:
"The assumption of the new surveillance state [Post-9/11] is that we the citizens are all potential enemies of the government. This reverses the U.S. Constitution’s assumption that it is the leaders of our government who should be viewed with a deep suspicion—an assumption based on the notion that power corrupts and that absolute power corrupts absolutely. We the citizens are the ultimate guardians of our liberty, and our right to be informed, by the press and by whistleblowers when our governors deceive us, is sacred to the enterprise of a representative republic.... Our most private moments are now captured in exquisite detail by a newly emboldened surveillance state—resulting in a shutout of democracy. But the game’s not over, yet."
----------------------------------------------------------
Identify the problem so we can ask the right questions
Washington University Law Professor Neil Richards writes in a paper to be presented at this week's Future of Privacy Forum that "[p]rivacy is the shorthand we have come to use to identify information rules." The forum is sponsored by the International Association of Privacy Professionals.
Richards asserts that young people care as much about privacy as older folks. While they may be perceived as sharing indiscriminately, in fact young people share with friends but want to keep their activities private from authority figures.
Even people who claim not to have anything to hide will find they are self-censoring if they believe they're constantly being watched. This leads to bland, boring, sameness in thought and activity. Progress depends on new, usually unpopular ideas that manage to catch on.
Businesses that make money based on the information they collect from their "customers" can do so only if their customers trust them. According to Richards, "trust requires reliable and trustworthy rules and expectations about the proper limits on collection, use and transfer of information."
----------------------------------------------------------------
How do we reclaim our right to keep our personal information private?
If there are rules in effect for personal data collection and use, big data becomes our friend -- and potentially the source of much public good. Health information is one prominent example, but others include public safety, smart shopping, news reporting, and last but not least, an informed electorate. Just let us decide what to share, who we share it with, and what they can do with it.
Altimeter Group analyst Susan Etlinger gave a TED talk in 2014 covering “the implications of a data-rich world” and how to “use it to our best advantage.” Forbes' Howard Baldwin describes her presentation in a February 22, 2015, article.
First, Etlinger says, make sure you're extracting quality data. It has to be accurate, relevant, and in context. Apply "smart" analysis tools used by trained, qualified analysts to ensure bad data is weeded out and any anomalies are identified.
Most important is trust. Data collectors must provide their customers with full disclosure about the personal information they're collecting, who they're sharing it with, and how it is being used. (I'll add that consumers require the ability to opt out of the collection and to lock the personal information that has already been collected, as per the terms of the data-collection contract I describe below.)
------------------------------------------------------------------
Cybersecurity executive order already bogged down in bureaucracy
There's not much chance of federal privacy legislation -- or executive orders -- having meaningful impact anytime soon. According to the government's plan, first someone has to develop standards for sharing and analyzing information about data breaches. Then someone has to create a network of organizations to do the sharing and analyzing.
President Obama's Executive Order -- Promoting Private Sector Cybersecurity Information Sharing states that it "strongly encourage[s]" the Secretary of Homeland Security to establish Information Sharing and Analysis Organizations (ISAO) to be coordinated by the National Cybersecurity and Communications Integration Center (NCCIC). The NCCIC was established by the Homeland Security Act of 2002.
According to the Department of Homeland Security, the NCCIC "shares information among the public and private sectors to provide greater understanding of cybersecurity and communications situation awareness of vulnerabilities, intrusions, incidents, mitigation, and recovery actions."
The Executive Order states that ISAOs can be for-profit or nonprofit. A non-governmental body will serve as the ISAO Standards Organization to develop and promulgate "voluntary standards or guidelines" for ISAOs to use when they share information about "cybersecurity risks and incidents."
Okay, first they're going to find a non-governmental body to create voluntary standards for a network of for-profit and nonprofit ISAOs. The order doesn't refer to when any of the standards will be available to the ISAOs who are responsible for doing the actual sharing and analysis. Nor does it address the reluctance of financial firms and other businesses to share information about the data breaches they experience.
The Executive Order deals only with actions after a breach has occurred. What about preventing breaches? Or minimizing their damage by limiting the amount of personal information in the breach target's possession? Do all these organizations need to collect and retain all this sensitive information?
Consumers are better able to protect themselves from the effects of data breaches if they can decide what personal information to share, which organizations they share it with, and how those organizations can use the information.
------------------------------------------------------------------
Obama Administration's Privacy Bill of Rights is dead in the water
In fact, the Obama Administration did half-heartedly propose a Consumers Privacy Bill of Rights, but only for show, as Tech Crunch's Alex Wilhelm reports in a February 27, 2015, article. The law would specify when consumers could demand that an organization delete their personal data, and would allow them to revoke consent to collect it.
The type of information that could be collected would also be restricted to what is "reasonable in light of context." Consumers would have the right to ask for the data the company collects about them, so long as the request isn't "frivolous or vexatious."
The only thing both sides of the privacy issue agree about is that the bill has no chance of passing. The companies collecting and profiting from personal data claim the bill would burden Internet services unnecessarily and fundamentally change the way they do business. Privacy advocates point to a huge loophole in the bill that would effectively remove existing protections for data privacy and consumer control over personal information.
-----------------------------------------------------
Establishing a property right to personal information
If this is the best the government can do, maybe the solution to our loss of privacy will come from outside the government. If personal information were considered a form of property under the law, property owned by the person to whom it pertains, then the consumer and data collector would enter into a contract stipulating the terms of the data collection and sharing the organization is allowed. This solution is discussed in a paper I wrote in 2013, Reclaim Your Personal Information.
A recent decision in the U.S. District Court, Northern District of California refused to recognize a company's property right in its non-trade secret confidential information. Richard Darwin of Buchalter Nemer explains the court's reasoning in a March 2, 2015, post on the JD Supra site. Darwin quotes the court as stating “in order for the taking of information to constitute wrongdoing, the information must be ‘property’ as defined by some source of positive law.” No such source of positive law exists to date, according to the court. The case is NetApp, Inc. v. Nimble Storage, Inc., 2015 U.S. Dist. LEXIS 11406 (N.D. Cal. January 29, 2015).
Right now, the only way to reduce the chances that your personal information will be the target of data thieves, or that it will be collected by businesses and government, is to avoid the Internet, smart phones, and all other modern technologies. That's simply not practical for most people.
If a property right to personal information were recognized, any entity that collects our personal information would be required to disclose exactly what information they're collecting, how long they're retaining it, what they do with it, who they share it with, and what those third parties do with it. We would also have the right to do business with them without any personal information collection beyond what is required to transact our business.
There would be a mechanism for locking the information that has already been collected upon termination of the personal-information contract. Individuals always retain the right to reassert their property interest in their personal information, if only to prevent any future use of it. (Possession changes hand, but consumers always retain title to their personal information.)
There also needs to be a mechanism to enforce the contract terms. Data collectors would have to be audited regularly to ensure they're abiding by the contract terms. The collectors would report on the collection and sharing operations in a manner that a third party can validate. The cost of the auditing would be shared by both parties of the contract.
Finally, consumers must have a legal right to sue for damages resulting from a breach of their personal information suffered by the collecting organization. In addition to actual monetary damages and damages related to the increased risk of identity theft and other future harms, the damage calculation must include any diminution of the personal information's inherent value to the information-collection industry.
Our personal information has value. We shouldn't allow others to realize its value without compensating us fairly through bargained-for consideration. In an excerpt from his book, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, data-security expert Bruce Schneier points out that consumers are getting a raw deal from both government and businesses. The excerpt is in a March 2, 2015, post on Motherboard.
The government promises that in exchange for our personal data and privacy, it will protect us. Businesses promise that in exchange for our personal data and privacy, they'll provide email, web searching, and other services. Schneier claims both are raw deals for consumers.
Once there's a fair, open personal-information marketplace, Google, Facebook, Twitter, and other Internet services will share the wealth with their raw-material suppliers: us.
---------------------------------------------------------------------
Consumers' standing to sue companies following data breaches
You only need two recent cases to demonstrate the inconsistency in judicial decisions regarding the plaintiff's standing to sue for damages resulting from a data breach. In a February 25, 2015, article on JD Supra Business Adviser, John Kloecker and Molly McGinnis Stine of Locke Lord LLP compare suits filed against Target and P.F. Chang's by data-breach victims.
Target: The U.S. District Court of Minnesota rules plaintiffs have standing. It found concrete and particularized injury to the plaintiffs, who alleged "unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment or new card fees."
P.F. Chang's: The U.S. District Court, Northern District of Illinois, rules "allegations of overpayment for P.F. Chang’s services, fraudulent charges to a debit card, inability to accrue reward points, and 'increased risk of identity theft' were insufficient to confer standing."
Go figure.
Without privacy, there is no First Amendment protection of free speech. Anonymous speech made it possible for the pamphleteers to express their desire for liberty and independence from Britain prior to and during the American Revolution.
Without privacy, there is no sanctity of your "person, houses, papers, and effects" as enshrined in the Fourth Amendment. Freedom from observation is a concept that has its roots in English Common Law as a response to government overreaching.
Alternet's February 19, 2015, excerpt from Richard Scheer's book, They Know Everything About You: How Data-Collection Corporations and Snooping Government Agencies Are Destroying Democracy, presents Scheer's comparison of the current surveillance state to the dystopias envisioned by Aldous Huxley and George Orwell. As Scheer points out, "totality of societal observation" is the antithesis of freedom, "even when the observation is gained through hidden or subtle persuasion."
Scheer claims that the ability of government and businesses to map our minds exceeds the surveillance powers described in Brave New World and 1984. By collecting information about us, our thoughts, and our activities, the data collectors are able to manipulate and control us -- without us being aware of it.
Why are people willingly and "enthusiastically" giving up their privacy? The most cherished cultural value is now to be noticed: "[T]he most observed are the most valued," according to Scheer.
Seemingly non-threatening requests such as "Can we use your location?" disclose much more about who we are and what we're thinking than we imagine. We're tracked by our cell phones. The photos we take with our phones are geo-tagged. Facial recognition is applied to the photos we upload. Our wall posts, comments, likes, emails, text messages, chats, documents stored in the cloud, the snoopy apps we install, the web forms we fill out, all collect personal information that is ultimately retained, stored, shared, and mined by government and businesses.
Constant observation leads to self-censorship, which is the foundation of totalitarianism. We acquiesce to the data collection in the spirit of consumerism, and perhaps patriotism. Data collected by private companies is scooped up indiscriminately by government. The "military-intelligence complex," as Scheer refers to it, replaces the "military-industrial complex" that President Eisenhower warned against in his Farewell Address in 1961. Internet giants such as Google and Yahoo are now integral parts of the "American war machine," according to Scheer:
"The assumption of the new surveillance state [Post-9/11] is that we the citizens are all potential enemies of the government. This reverses the U.S. Constitution’s assumption that it is the leaders of our government who should be viewed with a deep suspicion—an assumption based on the notion that power corrupts and that absolute power corrupts absolutely. We the citizens are the ultimate guardians of our liberty, and our right to be informed, by the press and by whistleblowers when our governors deceive us, is sacred to the enterprise of a representative republic.... Our most private moments are now captured in exquisite detail by a newly emboldened surveillance state—resulting in a shutout of democracy. But the game’s not over, yet."
----------------------------------------------------------
Identify the problem so we can ask the right questions
Washington University Law Professor Neil Richards writes in a paper to be presented at this week's Future of Privacy Forum that "[p]rivacy is the shorthand we have come to use to identify information rules." The forum is sponsored by the International Association of Privacy Professionals.
Richards asserts that young people care as much about privacy as older folks. While they may be perceived as sharing indiscriminately, in fact young people share with friends but want to keep their activities private from authority figures.
Even people who claim not to have anything to hide will find they are self-censoring if they believe they're constantly being watched. This leads to bland, boring, sameness in thought and activity. Progress depends on new, usually unpopular ideas that manage to catch on.
Businesses that make money based on the information they collect from their "customers" can do so only if their customers trust them. According to Richards, "trust requires reliable and trustworthy rules and expectations about the proper limits on collection, use and transfer of information."
----------------------------------------------------------------
How do we reclaim our right to keep our personal information private?
If there are rules in effect for personal data collection and use, big data becomes our friend -- and potentially the source of much public good. Health information is one prominent example, but others include public safety, smart shopping, news reporting, and last but not least, an informed electorate. Just let us decide what to share, who we share it with, and what they can do with it.
Altimeter Group analyst Susan Etlinger gave a TED talk in 2014 covering “the implications of a data-rich world” and how to “use it to our best advantage.” Forbes' Howard Baldwin describes her presentation in a February 22, 2015, article.
First, Etlinger says, make sure you're extracting quality data. It has to be accurate, relevant, and in context. Apply "smart" analysis tools used by trained, qualified analysts to ensure bad data is weeded out and any anomalies are identified.
Most important is trust. Data collectors must provide their customers with full disclosure about the personal information they're collecting, who they're sharing it with, and how it is being used. (I'll add that consumers require the ability to opt out of the collection and to lock the personal information that has already been collected, as per the terms of the data-collection contract I describe below.)
------------------------------------------------------------------
Cybersecurity executive order already bogged down in bureaucracy
There's not much chance of federal privacy legislation -- or executive orders -- having meaningful impact anytime soon. According to the government's plan, first someone has to develop standards for sharing and analyzing information about data breaches. Then someone has to create a network of organizations to do the sharing and analyzing.
President Obama's Executive Order -- Promoting Private Sector Cybersecurity Information Sharing states that it "strongly encourage[s]" the Secretary of Homeland Security to establish Information Sharing and Analysis Organizations (ISAO) to be coordinated by the National Cybersecurity and Communications Integration Center (NCCIC). The NCCIC was established by the Homeland Security Act of 2002.
According to the Department of Homeland Security, the NCCIC "shares information among the public and private sectors to provide greater understanding of cybersecurity and communications situation awareness of vulnerabilities, intrusions, incidents, mitigation, and recovery actions."
The Executive Order states that ISAOs can be for-profit or nonprofit. A non-governmental body will serve as the ISAO Standards Organization to develop and promulgate "voluntary standards or guidelines" for ISAOs to use when they share information about "cybersecurity risks and incidents."
Okay, first they're going to find a non-governmental body to create voluntary standards for a network of for-profit and nonprofit ISAOs. The order doesn't refer to when any of the standards will be available to the ISAOs who are responsible for doing the actual sharing and analysis. Nor does it address the reluctance of financial firms and other businesses to share information about the data breaches they experience.
The Executive Order deals only with actions after a breach has occurred. What about preventing breaches? Or minimizing their damage by limiting the amount of personal information in the breach target's possession? Do all these organizations need to collect and retain all this sensitive information?
Consumers are better able to protect themselves from the effects of data breaches if they can decide what personal information to share, which organizations they share it with, and how those organizations can use the information.
------------------------------------------------------------------
Obama Administration's Privacy Bill of Rights is dead in the water
In fact, the Obama Administration did half-heartedly propose a Consumers Privacy Bill of Rights, but only for show, as Tech Crunch's Alex Wilhelm reports in a February 27, 2015, article. The law would specify when consumers could demand that an organization delete their personal data, and would allow them to revoke consent to collect it.
The type of information that could be collected would also be restricted to what is "reasonable in light of context." Consumers would have the right to ask for the data the company collects about them, so long as the request isn't "frivolous or vexatious."
The only thing both sides of the privacy issue agree about is that the bill has no chance of passing. The companies collecting and profiting from personal data claim the bill would burden Internet services unnecessarily and fundamentally change the way they do business. Privacy advocates point to a huge loophole in the bill that would effectively remove existing protections for data privacy and consumer control over personal information.
-----------------------------------------------------
Establishing a property right to personal information
If this is the best the government can do, maybe the solution to our loss of privacy will come from outside the government. If personal information were considered a form of property under the law, property owned by the person to whom it pertains, then the consumer and data collector would enter into a contract stipulating the terms of the data collection and sharing the organization is allowed. This solution is discussed in a paper I wrote in 2013, Reclaim Your Personal Information.
A recent decision in the U.S. District Court, Northern District of California refused to recognize a company's property right in its non-trade secret confidential information. Richard Darwin of Buchalter Nemer explains the court's reasoning in a March 2, 2015, post on the JD Supra site. Darwin quotes the court as stating “in order for the taking of information to constitute wrongdoing, the information must be ‘property’ as defined by some source of positive law.” No such source of positive law exists to date, according to the court. The case is NetApp, Inc. v. Nimble Storage, Inc., 2015 U.S. Dist. LEXIS 11406 (N.D. Cal. January 29, 2015).
Right now, the only way to reduce the chances that your personal information will be the target of data thieves, or that it will be collected by businesses and government, is to avoid the Internet, smart phones, and all other modern technologies. That's simply not practical for most people.
If a property right to personal information were recognized, any entity that collects our personal information would be required to disclose exactly what information they're collecting, how long they're retaining it, what they do with it, who they share it with, and what those third parties do with it. We would also have the right to do business with them without any personal information collection beyond what is required to transact our business.
There would be a mechanism for locking the information that has already been collected upon termination of the personal-information contract. Individuals always retain the right to reassert their property interest in their personal information, if only to prevent any future use of it. (Possession changes hand, but consumers always retain title to their personal information.)
There also needs to be a mechanism to enforce the contract terms. Data collectors would have to be audited regularly to ensure they're abiding by the contract terms. The collectors would report on the collection and sharing operations in a manner that a third party can validate. The cost of the auditing would be shared by both parties of the contract.
Finally, consumers must have a legal right to sue for damages resulting from a breach of their personal information suffered by the collecting organization. In addition to actual monetary damages and damages related to the increased risk of identity theft and other future harms, the damage calculation must include any diminution of the personal information's inherent value to the information-collection industry.
Our personal information has value. We shouldn't allow others to realize its value without compensating us fairly through bargained-for consideration. In an excerpt from his book, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, data-security expert Bruce Schneier points out that consumers are getting a raw deal from both government and businesses. The excerpt is in a March 2, 2015, post on Motherboard.
The government promises that in exchange for our personal data and privacy, it will protect us. Businesses promise that in exchange for our personal data and privacy, they'll provide email, web searching, and other services. Schneier claims both are raw deals for consumers.
Once there's a fair, open personal-information marketplace, Google, Facebook, Twitter, and other Internet services will share the wealth with their raw-material suppliers: us.
---------------------------------------------------------------------
Consumers' standing to sue companies following data breaches
You only need two recent cases to demonstrate the inconsistency in judicial decisions regarding the plaintiff's standing to sue for damages resulting from a data breach. In a February 25, 2015, article on JD Supra Business Adviser, John Kloecker and Molly McGinnis Stine of Locke Lord LLP compare suits filed against Target and P.F. Chang's by data-breach victims.
Target: The U.S. District Court of Minnesota rules plaintiffs have standing. It found concrete and particularized injury to the plaintiffs, who alleged "unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment or new card fees."
P.F. Chang's: The U.S. District Court, Northern District of Illinois, rules "allegations of overpayment for P.F. Chang’s services, fraudulent charges to a debit card, inability to accrue reward points, and 'increased risk of identity theft' were insufficient to confer standing."
Go figure.
