The exposure of an estimated 143 million Americans’ personal details in a breach of consumer-credit reporting agency Equifax also exposes the elephant in our nation’s room: that we don’t have much control of our own data. Although the U.S. Constitution provides Americans with privacy rights and freedoms, it doesn’t protect them from modern-day scavengers who obtain information about them and use it. Our privacy laws were designed during the days of the telegraph and are badly in need of modernization.
It is imperative that we start discussing solutions. As Thomas Jefferson said in 1816: “Laws and institutions must go hand in hand with the progress of the human mind. As that becomes more developed, more enlightened, as new discoveries are made, new truths disclosed, and manners and opinions change with the change of circumstances, institutions must advance also, and keep pace with the times.”
Credit bureaus have long been gathering information about our earnings, spending habits and loan-repayment histories to determine our creditworthiness. Tech companies have taken this one step further, collecting data on our web-surfing habits and which numbers we call. Via social media, we have volunteered information on our friends and our likes and dislikes, and shared family photographs. Our smartphones can know everywhere we go and can keep track of our health. Smart TVs and Internet-enabled toys can monitor what we do in our homes — and record it.
In the land-grab for data, there are no clear regulations about who owns what, so tech companies have staked claims to everything. Facebook, for instance, states that its users grant it “a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content” posted to the site. You can change some privacy settings, but that involves more work on the user’s part. Meanwhile, voice-controlled devices, such as Amazon Echo and Google Home, are pushing deeper into our homes and personal lives, gathering data along the way. American laws are so inadequate that such companies are not obligated to make it clear to consumers what information they are gathering and how they will use it or sell it to third parties. Privacy policies rarely, if ever, explain these activities adequately.
(Amazon chief executive Jeffrey P. Bezos owns The Washington Post.)
And when it comes to data security, tech companies gathering our information seem to have little liability for compromising it. Many of the hacks we have heard about in recent years simply led to an apology by the company that was hacked and/or personnel changes.
New laws could be enacted (although data holders would fight them even harder, says Pamela Samuelson, a law professor at the University of California at Berkeley). And although that will be a good step forward, it may solve only yesterday’s problems.
With the price of genome sequencing falling from millions of dollars (as was the case a few years ago) to a few hundred dollars, DNA sequencing could become as common as blood tests. Tech companies that today ask us to upload our photos could tomorrow ask us to upload our genomic information. Some states have begun passing laws declaring that your DNA data is your property, but we need federal laws that stipulate that we own all of our own data.
Harvard Law School professor Lawrence Lessig has argued that privacy should be protected via property rights rather than via liability rules — which don’t prevent somebody from taking your data without your consent, with payment later. A property regime would keep data control with the person holding the property right. “When you have a property right, before someone takes your property they must negotiate with you about how much it is worth,” Lessig argues. Imagine a website that allowed you to manage all of your data, including those generated by the devices in your house, and to charge interested companies license fees for its use. That is what would become possible.
Daniel J. Solove, a law professor at George Washington University, has reservations about protecting privacy as a form of property right, saying the “market approach has difficulty assigning the proper value to personal information.” He said that although each transfer may appear innocuous to an individual giving out bits of information in different contexts, the information could be aggregated and become invasive when combined with other information. “It is the totality of information about a person and how it is used that poses the greatest threat to privacy,” he says.
In the end, the right to decide what information we want to share and the right to know how it is being used should be fundamental human rights in this era of advancing technologies.