People justifiably feel a sense of outrage about the lack of control over personal information, but this situation evolved from our historic lack of data governance.
Facebook’s data leak has shocked many people regarding the vulnerability of user data, yet this type of privacy breach should not surprise those who have paid attention to the growth of social networks in the age of Big Data. The question is whether this “wake-up” call will motivate behavior changes, both on the part of data-gathering organizations and by private individuals.
After discovering that an application developer had shared user data in an unauthorized manner, Facebook sought assurances from the developer and the recipient of the data that the data would be destroyed and not used. According to news reports, both the developer and research firm — Cambridge Analytica — defied Facebook’s requirements and continued to utilize user data.
This breakdown illustrates that when data is shared with multiple parties, the weakest link becomes the point of exposure. To understand our policy options, it helps to examine the role new technologies have played in generating and spreading our information across digital networks over the past generation.
The original wave of electronic-data generation saw paper records transformed into digital records and allowed a city clerk to process a new deed or marriage certificate in a matter of minutes instead of days. A second wave was fueled by consumers giving away their data to corporations for the convenience of web browsing and online shopping. This behavior gave birth to data profiling based on our online activities. Social networking apps, such as Facebook and LinkedIn, fueled this phenomenon with users supplying troves of their most personal information.
The next wave, called the “internet of Things,” saw people invite devices into their homes — connected vacuum cleaners, washing machines and home-security systems. All of these devices collect and process personal data, giving rise to an unimaginable volume of personal data and the mining of that data for commercial purposes.
These three digital-data revolutions have brought unprecedented convenience, efficiency and benefit to our lives. A Rip Van Winkle who fell asleep at his desk in 1990 would not recognize today’s smartphone driven world, marked by geolocation services, artificial intelligence and machine learning. The next decade, however, will see us adopt a range of technologies based on our immutable human traits and may become known as “The internet of Humans.”
Already, we have given up biometric identification to government and law enforcement in the form of fingerprints and facial recognition. DNA tests and ancestry services will further expose our most intrinsic data to a corporate culture that may or may not have our privacy interests in mind. Anticipating this, the Washington Legislature passed two laws last year governing the collection and use of biometric identifiers, if the state or a corporation wishes to utilize them. Yet, in general, technology will continue to leap ahead of laws that seek to regulate specific devices or categories of data.
People justifiably feel a sense of outrage about the lack of control over personal information, but this situation evolved from our historic lack of data governance. In the United States, our federal privacy statutes seek to safeguard health care and certain specific types of sensitive data from sharing without our consent, but we don’t enjoy a general data-protection right. Europe has taken a more proactive approach, defining a wide scope of personal information and regulating the “onward transfer” of such personal data. Europe recognizes that while a person may freely agree to share personal information with a specific company, that user’s consent must be obtained a second, third or fourth time when that data is transferred to another party. This kind of safeguard might have prevented the situation where Facebook’s wayward developer went off track.
No one wants to live in a world where their most essential data is profiled and monetized by unknown parties without their awareness and consent. To get ahead of this curve, companies need to put in place much tighter and enforceable restrictions on data sharing. Simply giving notice to a consumer that they may share data with “third parties” or “affiliates” fails to protect consumers, as these sharing practices have proved to be a source of potential data breach. Consumers need to do their part to only share their personal information with trusted parties and to use privacy controls wherever possible. We keep a list of these at privacy.wa.gov. It’s going to be challenging to get the “data genie” back into the bottle, but consumer action, new policies and regulation may help stem the tide of data breach.