I’ve long advised our clients to send only secure emails and to post on social media platforms like Facebook only information they wouldn’t mind seeing reported on the front page of The New York Times. I make this suggestion because there is an almost infinite number of ways the data can be compromised.
The most recent Facebook scandal proves how easy it is to misappropriate personal data. For more than a decade, Facebook has built what is likely the world’s largest collection of personal data. It did so by inviting outside developers to create apps to run on Facebook.
The app developers acquired access to all 2.2 billion registered Facebook users. These users gained access to third-party apps with their Facebook credentials. This helped Facebook create a detailed portrait of its users’ internet browsing habits. This symbiotic relationship has been dubbed “surveillance capitalism.”
One of the companies partnering with Facebook was Cambridge Analytica, a British political consulting firm. This firm gathered data from more than 270,000 Facebook users who had completed personality quizzes. The data also included details about the friends of these users, with data collected from a total of more than 87 million users.
Then, under contract with the Trump election team, Cambridge Analytica used the data to influence Facebook users to vote for Trump in the 2016 presidential election.
Facebook prohibits developers of third-party apps like personality quizzes from selling or giving away the data they gather. But it’s extremely difficult to enforce this rule. Facebook founder Mark Zuckerberg acknowledged this in his testimony before the US Senate earlier this month.
“When we heard back from Cambridge Analytica that they had told us that they weren’t using the data and deleted it, we considered it a closed case. In retrospect, that was clearly a mistake. We shouldn’t have taken their word for it.”
Zuckerberg also told the Senate that Facebook had no objection to legal regulation of its activities. But is regulation the best way to deal with the proliferation of use – and abuse – of our personal data?
Bruce Schneier, a cryptographer and editor of the Crypto-Gram newsletter – and one of the sharpest minds in cyber-security – thinks regulation is the answer.
Schneier points out that most of the time, we have no way to control how our data is shared. He points to Google’s Gmail service as an example. While Schneier says he has no Gmail account, he believes that Google has stored about half of his email anyway, because so many people he corresponds with use the service.
Reflecting on last year’s massive Equifax data breach, Schneier wrote in an opinion piece for CNN:
“The companies that collect and sell our data don't need to keep it secure in order to maintain their market share. They don't have to answer to us, their products. They know it's more profitable to save money on security and weather the occasional bout of bad press after a data loss. Yes, we are the ones who suffer when criminals get our data, or when our private information is exposed to the public, but ultimately why should Equifax care?”
Schneier goes on to advocate government regulation as the only way out of the morass. Given punitive sanctions for failing to adequately secure data, the cost of a breach could become high enough that securing that data becomes the cheaper alternative. This is the approach the EU has taken with the General Data Protection Regulation (GDPR), which comes into effect next month.
Certainly, government regulation might reduce the incidence and severity of data breaches. But do you really trust the same government that illegally gathers terabytes of our personal data daily for warrantless analysis by agencies such as the NSA? I can think of at least two alternative approaches.
The first is mandatory cyber-security insurance. I’ve seen a proposal to require any company that holds personal data to acquire this type of coverage.
The problem here, though, is a single serious breach could expose a company to billions or even trillions of dollars in damages. For instance, Facebook signed a consent decree with the Federal Trade Commission in 2011 to close the book on another data breach. The FTC accused Facebook of deceiving customers about the privacy of their information. The company agreed it would pay $40,000 per future violation.
If each of the 87 million individuals whose data was misused is considered a separate violation of the consent decree, the company could be liable for fines of nearly $3.5 trillion. That amount dwarfs the company’s market cap of $482 billion. It also dwarfs the largest insurance payout ever for a single event: $100 billion to creditors, investors, and taxpayers following the 2008 bankruptcy of Lehman Brothers. No insurance company could possibly have the financial strength to weather a $482 billion loss – much less $3.5 trillion.
The second alternative to government regulation is the one that I favor. It is to recognize that every individual has an ownership right to their own data, including data held by credit bureaus, data aggregators, and the government. Ownership of your data gives you the right, but not the obligation, to share it with others. It also gives you a way to profit personally from surveillance capitalism.
Companies like Facebook, Equifax, and Google profit from your data every day. If you own your own data, you'd be paid a tiny royalty every time someone accessed it or exchanged it. You could also restrict your data flow if you chose.
The privacy debate is really a question of property rights. Does information about you belong to you, to the organization that collected it, or to everyone? Are your internet browsing records, financial records, medical records, etc., your property — or someone else's property?
Copyright laws and patent laws make up a legal framework that acknowledges the ownership and economic value of intellectual property. If you had a property interest in your own data, that information about you would belong to you – and only you would have the right to authorize disclosure of that information.
This proposal wouldn't shut down credit bureaus or data aggregators. They'd just need to start paying you a small royalty every time they use your data. They'd also need to give you access to a log of every search or match of your data. Since most people don't mind releasing data about themselves in exchange for tangible benefits, this type of market is already flourishing.
US investigative and intelligence agencies may complain that a suspected terrorist shouldn't be given the right to opt out of computer matches. After all, it's a matter of "national security."
However, police and intelligence agencies already have the ability to obtain secret warrants to examine electronic records if they can demonstrate probable cause to a judge that an individual has committed a specific crime. But if these agencies want to perform random computer matches, as they do trillions of times each year, they will have to obtain permission from the individuals whose files are being matched. Individuals not under investigation should be able to opt out of such matches, just as they would be able to opt out of matches conducted for marketing purposes.
I can already hear the bureaucrats howling. "How will we fight welfare fraud… or the war on drugs… or terrorism?" The solution, of course, is to reduce welfare, decriminalize drugs, and stay out of other nations' political squabbles.
We need more control over the electronic versions of our lives. Giving individuals ownership rights to their own personal information establishes a framework from which to take back control.