Drawing the right lines on big data and privacy

By Erin Ayers on June 13, 2014

In the sixth season of NBC’s television show “Parks and Recreation,” Ron Swanson, Parks Department director and a paragon of privacy, received targeted direct mail advertising based on a recent Internet purchase – and promptly went ballistic on his computer.

Once a colleague explained the concept behind cookies and being “on the grid,” Ron spent the rest of the episode studiously erasing his online footprint and protecting himself from “Big Data” and the many ways data mining can reveal consumer preferences for products and places.

He found limited success, as it turns out, since having a cell phone has become a must for anyone with a family, friends or a job. For Ron, helping out his partner and kids was the only acceptable reason to have a plain, no-frills cell phone. He drew the line at Twitter, however.

For most consumers, shopping online, having a smartphone with all the latest apps, and engaging in social media are everyday necessities. Every online transaction leaves evidence that can be and is being used to direct future purchases, or highlight other opportunities a consumer might appreciate. According to a new report from SNS Research, Big Data refers not only to data, but also to the technologies that can collect, store, manage and analyze large amounts of data to solve problems and display trends.

Data has wider implications than merely advising consumers which book to purchase on Amazon. In a recent White House report, the societal benefits of Big Data were touted, suggesting that hyper-granular research of data could reveal disease trends, aid in law enforcement, and help improve the economy.

Consumers wonder, however, if the usefulness of Big Data is worth the lack of privacy. And should corporations and the government be given unrestricted access to consumers’ information? Privacy experts cite an uneven landscape of privacy laws at both the federal and state level, but Big Data advocates caution against stringent laws against data use in the name of privacy.

Knowing the Benefits

Daniel W. Caprio Jr., senior strategic advisor and independent consultant with McKenna, Long & Aldridge LLP, speaking during a George Mason University School of Law panel discussion on Big Data and privacy, called the new ways to harness data “transformative 21st century technology that promises to revolutionize a number of things including homes, cars, healthcare and industry.”

“Big Data and the Internet of Things present the opportunity and challenge of protecting privacy and security and encouraging innovation,” said Caprio. The value of this budding “Internet ecosystem” is only just beginning, he added. Consumers have gotten out in front of connected devices and businesses are just now learning how the devices and data can be better used to improve and streamline industry and beyond.

While data has long been governed by the Fair Information Practice Principles, established in the 1970s by the Federal Trade Commission (FTC), the FIPPs reflected a different sort of world.

“The advent of Big Data and the Internet of Things compels policymakers, industry and civil society to confront the traditional notions of notice and choice of the Fair Information Practices Principles with security, accountability and consent,” he said. The privacy world seems to be leaning not toward abandoning the FIPPs, but interpreting them “in a slightly different way” that serves Big Data.

Underlying privacy is notice and choice, he commented. The burden needs to be taken off the consumer to know where their data goes and instead focus on how it is being used by the organization that holds the data to ensure it’s being used in a responsible fashion. Caprio advocated “breaking down silos” between privacy and security professionals, lawyers and organizations to build an effective case for Big Data.

“What we need to be thinking about is how do we increase transparency and security while we work together to define appropriate uses of data,” Caprio said.

Need for Laws

According to a recent whitepaper co-authored by Advisen and insurer XL Group, existing laws and policies surrounding Big Data are murky, at best.

“Plaintiffs’ attorneys are aggressively probing the boundaries of existing federal privacy laws – laws which clearly did not contemplate Big Data when they were written – and increasingly they are proposing novel new theories of liability,” the authors wrote, citing a lawsuit against Google filed by Android device users, alleging violations of both the federal Computer Fraud and Abuse Act and California’s Unfair Competition Law for transmitting geographical location data and personal information to application developers.

“Regardless of whether a legal framework exists for privacy protection, organizations should be concerned about backlash from customers who are displeased about how their data is being treated,” asserted the authors of the report. “Privacy experts note that customers are most unhappy when data is collected secretly, when they don’t understand how it is being used, and when they are unclear as to how they benefit from it.”

The FTC last month called for a legislative crackdown on data brokers, indicating that brokers should “provide consumers access to their data, including sensitive data held about them, at a reasonable level of detail, and the ability to opt out of having it shared for marketing purposes.”

Data brokers’ work has its benefits, the FTC pointed out, commenting, “Risk mitigation products provide significant benefits to consumers by, for example, helping prevent fraudsters from impersonating unsuspecting consumers. Marketing products benefit consumers by allowing them to more easily find and enjoy the goods and services they need and prefer. In addition, consumers benefit from increased and innovative product offerings fueled by increased competition from small businesses that are able to connect with consumers they may not have otherwise been able to reach. Similarly, people search products allow individuals to connect with old classmates, neighbors, and friends.”

At the same time “people search” has the inadvertent result of assisting stalkers in finding people who do not want to be found, and allowing businesses, including insurers, to potentially discriminate against individuals they deem to be too risky. Proper balance must be sought, the FTC determined, and the key appears to be access.

“For example, if a consumer is denied the ability to conclude a transaction based on an error in a risk mitigation product, the consumer can be harmed without knowing why,” said the FTC. “In such cases, the consumer is not only denied the immediate benefit, but also cannot take steps to prevent the problem from recurring.”

Regular examples of marketing gone wrong and data being misused in the eyes of the public can be found. For example, photo storage and production website Shutterfly recently mistakenly sent emails to customers congratulating them on their “new arrival,” trying to boost sales of photos from people who’d recently bought birth announcements from the company. Unfortunately, the email went out to a much wider list, arriving in the inboxes of people who were not new parents – some of whom were upset by the message.

Something as seemingly simple as poor data storage can trip up organizations. In 2013, Indiana University found that a “webcrawler” – a data mining service that tracks the Internet – had accessed a server containing the names, addresses and Social Security numbers of current and former students dating back to 2011. While webcrawlers are used to improve search capabilities, IU had to alter its storage system and notify students that their data may not have been stolen, but they should be on fraud alert.

Perhaps most notably, several lawsuits, including a class action case, have been filed against the federal government relating to National Security Agency (NSA) surveillance. Edward Snowden, former NSA worker, unveiled the agency’s practice of monitoring email messages, Facebook posts and phone calls since 2007. NSA Director James Clapper defended the efforts, saying, “Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats.”

Advisen data show that the public disagrees, suing President Barack Obama and the NSA for “collecting ‘metadata’ about every phone call made or received by residents of the United States, and that records provide intricate details, including the identity of the individual who was spoken to, the length of time of the conversation, and where the conversation took place.”

Human Data

Paul Ohm, associate professor at the University of Colorado School of Law and a privacy scholar, speaking at the same event as Caprio, urged a move toward “data humanism.” He noted that Big Data does have many benefits, but from a privacy standpoint, it comes down to privacy versus security and representing how the data is being used.

“In many cases, the very conduct that I find to be a violation is the conduct that you find is making you money,” he said. “It’s that really, really direct struggle between cost and benefits.”

“The power of inference” is the power of Big Data, Ohm explained. Organizations can infer certain facts about consumers based on their activities. That information can be benign, or it can be exceptionally sensitive. That can lead to information being used for “unfair or creepy or discriminatory” purposes, which Ohm predicted is going to confuse the discussion over Big Data and regulation of privacy.

“Invidious racial discrimination is likelier to happen more often … and sometimes without knowledge … because my algorithm has concocted a classifier that has figured out that you, based on these four really benign things, are not a good credit risk, or shouldn’t be admitted to my university, or shouldn’t be hired by my organization. And it turns out it’s a perfect proxy for race,” said Ohm. “And because of the blindness and the ignorance with which we deploy these algorithms, we’re not going to even realize that’s what we’re doing – until we realize that’s what we’re doing.”

Ohm called the discourse over Big Data “timid,” especially as related to privacy law. Data humanism, he said, comes from the trend of calling statisticians “data scientists.”

“Where are the data humanists?” he asked. “We need to separate the advertisers from the rest of data scientists.”

He explained that lumping data use by advertisers in with other data pursuits, for research or security purposes, is a dangerous proposition.

Ohm said, “Behavioral advertising, by and large, is an unethical profession.”

If Big Data is truly being used for the greater good and involves sensitive information, the individuals and organizations working with it should safeguard the data and have the appropriate attitude toward their work, he asserted.

“It gives you the citizen, the individual the ability to retreat into your private zone, to know that these lines are there and to know that they’re protected,” said Ohm. “I think we delineate other parts of our lives that are separated from data science.”

He recommended “pervasive auditing” to emphasize the accountability and the fact that data means “the secret, sensitive lives” of people.

“One thing that can remind people about data humanism is to remind them that data represents humans,” concluded Ohm.

Big Data does not appear to be going anywhere any time soon. The SNS Research report indicated that in 2014, Big Data vendors are poised to take in nearly $30 billion in revenue. Investments in Big Data are projected to grow 17% over the next six years, landing at an estimated $76 billion in 2020.

The Advisen/XL report summed up many of the arguments on Big Data and privacy: “For the full potential of Big Data to be harnessed, companies must not only adhere to the current patchwork of federal and state privacy laws, they must take steps to build trust by demonstrating responsible data stewardship and engaging customers in controlling the use of personal data. The opportunities presented by Big Data are staggering, but if privacy concerns are not adequately addressed, its benefits may never be fully realized.”

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].