Who Should Benefit or Profit from the Use and Sale of Your Data?

What Matters Most for Success by Mike Critelli

There have been a number of recent stories about ownership of personally identifiable data, as a result of a court case argued before the U.S. Supreme Court on November 29, 2017, Carpenter vs. United States.

The issue before the Supreme Court in this case is whether the federal government can track a suspect by following his movements over an extended period of time through access to his cellphone locations. As cellphone towers get closer together and more of us allow GPS tracking so that we can use various applications, the ability of the federal government, or any third party that has access to our cellphones, to know a great deal about us keeps increasing.

We voluntarily give a variety of firms, including Google, Facebook, and Amazon, permission to capture and sell a great deal of data about us. There are a handful of data brokers and aggregators, like Equifax and Acxiom, that have aggregated enormous amounts of personal data about virtually every American. Few of us realize the value that those who capture, broker, or aggregate our personal data can realize from monetizing it.

To be sure, we receive some form of value, in terms of free access to social media sites, or lower-cost access to services like Amazon Prime, Netflix, or other digital content offerings. However, these companies receive a far greater share of the value from the use of our data than we do. We also have no control over the parties that end up with this data or the level of security with which they protect it.

When I was in the health information services business, as the leader of Dossia, it shocked me that, while the federal HIPAA law declared that every one of us “owned” our own personal health data, getting timely access to that data in any actionable form was exceptionally challenging. The Obama Administration appeared to give us far greater control over our health data in the 2009 HITECH provisions in the stimulus legislation, and it even ordered the Department of Health and Human Services to issue regulations that not only required physicians to move to all-electronic records, but also required them to make these records accessible to patients.

The original deadline for the regulations that would have mandated sharing of data with patients was January 1, 2014. Unfortunately, the Obama Administration postponed the effective date of these regulations and watered them down to the point where they have not achieved their intended purpose. There have been feeble attempts to get the government to crack down on data holders, like hospitals, insurance companies, and pharmacy benefit managers, who make it too difficult for patients to get their health records.

Perversely, they invoke privacy concerns as a shield to decline to make information readily available to firms like Dossia or other electronic health data aggregators on behalf of patients. When they make records available, they try to charge punitively high service fees that discourage patients or aggregators from securing the records. They also operate with deliberately secret technology protocols to make transfer exceptionally difficult. Napster created easy interoperability of music files almost 20 years ago, at a fraction of the cost of what healthcare providers and insurers spend to keep data from being transported.

Radical Proposal 1: A Transparent Financial Market for Personal Data

Every time we view an ad or visit a web site at which our personal data is being captured, we should have an absolute right to get paid an upfront fee and a percentage of any future data sales fee before agreeing that data can be sold to third parties. We should be partners with every firm collecting our data. If someone wants to use this data to market to us, we should receive a share of the proceeds. If we view an ad, we should be compensated at the time.

This is a micro-transactional process that lends itself to secure blockchain storage and, over time, it can create another source of income for us. We may pay for a service that had been free, or pay more for a low-cost service, but the decision will be ours, not that of the vendor that is trafficking in our data.

Today, there are firms that pay us to do surveys, but they are few and far between. Most firms get our consent to sell our data in a complex legal document, and, absent that consent, deny us access to a service freely available to many people, such as the Google Search function or the Facebook network.

Part of the reason we have advertising clutter is that there is no economic rationality to what marketers choose to expose to us. The marginal cost of online ads is low, and the benefit to advertisers is also relatively low. In many respects, we have recreated in the online world the same “junk mail” problem the Postal Service rate structure created in the physical mail world.

Anyone who blames the Postal Service for the clutter of unwanted advertising mail needs to understand two things about that mail:

Our rights should include the right to realize a greater portion of the economic value for the monetization of our personally identifiable information than we receive today, and to learn how others value that data. The trafficking in that data should be as transparent to us as would be an interest in the shares of stock we hold in a company. That data is part of our personal brand.

The world would be very different if the value of each individual’s data were secure against hackers, and if each person had a value assigned to every sale of the data and the advertising revenues it enabled. It would be even stronger if there were a highly transparent public market, in which we could all see the range of prices for tradable personal data and figure out how to charge for our data. We would not see the data itself, but the price others are willing to pay to get access to it.

Radical Proposal 2: Selective Consent

Privacy advocates, lawmakers, lawyers and academics tend to think of privacy relative to personal data as an “on-off” switch. However, we should think of it as equivalent to a TV remote control system in which certain channels could be blocked. The Parental Control system works this way, as do “Safe searches” on Google and Yahoo.

However, what if our health and other personal data were more selectively grouped for consent? For example, someone with a history of taking medications for a bipolar disorder might want that part of his or her health record suppressed, but he or she might want to publicize a condition like rheumatoid arthritis to get others to recommend treatments or support groups. The mechanisms to do that are available, but the individual has to do the selective disclosure and it is a cumbersome process.

The privacy implications of the Carpenter case.

The Carpenter case brings up another issue: what is the legal standard to which the police have to adhere to get court permission to track a single individual’s location? This question is trickier than it first appears. We used to track location through the cell phone towers or through GPS data, neither of which was geographically precise. When I go into a supermarket, like Fairway in Stamford, which I did on November 29, 2017, I will get the latest customer review for that store. The cell information or GPS is clearly getting more precise.

In the Carpenter case, the defendant was tracked for 127 days, and the police concluded that he was a suspect because he had been at the location of four robberies. Historically, someone in a public space had no expectation of privacy. Justice Scalia recognized the reality of modern technology in United States vs. Jones, by finding that, although we expect to have GPS tracking, we do not expect to have a high-powered GPS tracker attached to our car to be used to track our every movement. The attached GPS technology violated Jones’ privacy rights because it created surveillance far beyond that to which a person on a public street would have agreed to submit.