The theft of an estimated 143 million Americans’ personal details in a data breach of consumer-credit reporting agency Equifax and the Russian hack of the U.S. elections through Facebook had one thing in common: they were facilitated by the absence of legal protection for personal data. Though the U.S. Constitution provides Americans with privacy rights and freedoms, it doesn’t protect them from modern-day scavengers who obtain information about them and use it against them. Our privacy laws were designed during the days of the telegraph and are badly in need of modernization. Much damage has already been done to our finances, privacy, and democracy—but worse lies ahead.
Credit bureaus have long been gathering information about our earnings, spending habits, and loan-repayment histories in order to determine our credit-worthiness. Tech companies have taken this one step further, monitoring our web-surfing habits, emails, and phone calls. Via social media, we have volunteered information on our friends and our likes and dislikes, and shared family photographs. Our smartphones know everywhere we go and can keep track of our health and emotions. Smart TVs, internet-enabled toys, and voice-controlled bots are monitoring what we do in our homes—and often are recording it.
In the land-grab for data, there were no clear regulations about who owned what, so tech companies staked claims to everything. Facebook required its users to grant it “a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content” they posted to the site. It effectively required them to give it the right to use their family photos and videos for marketing purposes and to resell them to anybody. American laws are so inadequate that such companies are not even required to tell consumers what information they are gathering and how they will use it.
Unlike manufacturers liable for the safety of their products, tech companies gathering our data have practically no liability for compromising it; they can protect it as they choose and sell it to whomever they want to—regardless of how the third party will use it. No wonder Equifax had such lax security or that Russians and hate groups were able to target the susceptible with misinformation on Facebook.
The problem of data brokers’ not being required to provide industrial-strength security can possibly be fixed by the FTC. University of California at Berkeley law professor Pamela Samuelson says that it has “statutory authority to regulate unfair and deceptive practices, it can act on that authority by initiating claims against those who fail to maintain adequate security.” She notes that the FTC has used these powers before, by nudging firms to have privacy and security policies. And when firms failed to comply with their own policies, the FTC treated that as an unfair and deceptive practice.
This would level the playing field by making data brokers as responsible for their actions as most product manufacturers are for theirs. We hold our car manufacturers responsible for the safety of their products; why shouldn’t the tech companies bear similar responsibility?
New legislation could be enacted too. But Samuelson says that the data holders would fight it even harder. And, though it will be a good step forward, it will only solve yesterday’s problems.
Its falling costs will soon make DNA sequencing as common blood tests, and the tech companies that today ask us to upload our photos will tomorrow ask us to upload our genomic information. Technology will be able also to understand our mental state and emotions. These data will encompass everything that differentiates us as human beings, including our genetics and psychology. Whilst credit reports could result in withholding of loans, corporate use of our genetic data could affect our jobs and livelihoods. We could be singled out for having genetic predispositions to crime or disease and find ourselves discriminated against in new ways.
The Genetic Information Nondiscrimination Act of 2008 prohibits the use of genetic information in health insurance and employment. But it provides no protection from discrimination in such matters as long-term care, disability, housing, and life insurance, and it places few limits on commercial use. There are no laws to stop companies from using aggregated genomic data in the same way that lending companies and employers use social-media data, or to prevent marketers from targeting ads at people with genetic defects.
Some states have begun passing laws to say that your DNA data is your property; but we need federal laws that stipulate that we own all of our own data, even if it takes an amendment to the Constitution. The right to decide what information we want to share and the right to know how it is being used are fundamental human rights in this era of advancing technologies.
Harvard Law School professor Lawrence Lessig has argued that privacy should be protected via property rights rather than via liability rules—which don’t prevent somebody from taking your data without your consent, with payment later. A property regime would keep data control with the person holding the property right. “When you have a property right, before someone takes your property they must negotiate with you about how much it is worth”, argues Lessig. Imagine a website that allowed you to manage all of your data, including those generated by the devices in your house, and to charge interested companies license fees for its use. That is what would become possible.
Daniel J. Solove, Professor of Law at George Washington University Law School, has reservations about protecting privacy as a form of property right, because the “market approach has difficulty assigning the proper value to personal information”. He worries that although to an individual giving out bits of information in different contexts, each transfer may appear innocuous, the information could be aggregated and become invasive when combined with other information. “It is the totality of information about a person and how it is used that poses the greatest threat to privacy”, he says.
It isn’t going to be easy to develop the new systems for maintaining control of personal information, but it is imperative that we start discussing solutions. As Thomas Jefferson said in 1816: “Laws and institutions must go hand in hand with the progress of the human mind. As that becomes more developed, more enlightened, as new discoveries are made, new truths disclosed, and manners and opinions change with the change of circumstances, institutions must advance also, and keep pace with the times.”