Last week, as a result of investigations of Russia interfering in US elections, it was discovered that without individual consent, 50 million US Facebook accounts were sold to the data strategy firm Cambridge Analytica. This data was then used to improve the targeting of political messages back to these individuals via Facebook ads, articles, and other media and communication outlets.
There are actually over 4000 data brokers worldwide, buying and selling our data for all kinds of purposes. Data brokering is a $200B market. An ePrivacy study by Citi Corp, found that Acxiom Corporation, has on average approx. 1500 pieces of data on 96% of Americans, and data on 500 Million people worldwide. And in fact, there’s a dirty little secret that’s been going on even before social media, a significant source of revenue for most US states, is, you guessed it, selling our personal data. This includes court records, property records, driving records, and more. Ohio alone sold 1.5 billion records in 2005 for a profit of $42 million.
The data the state of Ohio sold included:
- Driver’s licenses: name, address, date of birth, driver’s license number, and Social Security number (for verification only).
- Vehicle registrations: name, address, Social Security number (for verification) and information about the vehicle.
- Titles: name, address and information about the vehicle.
Buyer’s of this type of information include legal research services, credit reporting companies, marketing companies, and insurance companies.
And while we focus our outrage on Facebook, the US State Department paid Strategic Communication Laboratories Group (SCL), the parent company of Cambridge Analytica, $500,000 for information on how Islamic State extremist propaganda motivated recruits to commit terrorism. Information is power and big data is here to stay, but there’s actually some very good news here.
Incidents like those of Facebook, Equifax, and Uber, are not only making businesses re-think the way they handle and secure our data, it’s also making us think twice about who we share our data with and desire a better understanding of how our data is being used. If information is power, then we as individuals should also require information about who has our data and why.
During the next decade, our physical and digital lives will begin to merge, and personal data will become our most valuable asset. But before we hit the business end of that hockey stick, now is the time to take a good look at the current standards and practices of how we engage with online services and how they handle our data.
Unlike the US, several other nations have already been preparing for this for some time. Beginning in 1995, the EU began formalizing a set of guidelines called the EU Data Protection Directive for how any business should handle the personal data of EU citizens, be they customers, clients, employees, and even visiting tourists to some extent. The directive essentially focuses on how businesses need to have awareness of the personal data they manage, secure that data, and ensure the owner of that data understands how their data will be used and shared.
In 2016 that directive became a regulation better known as the General Data Protection Regulation, and is expected to be enforced this year. And as an incentive for businesses to comply, those found in violation of the regulation face stiff fines for non-compliance, up to $25 million or 4% of a company’s annual, whichever is higher.
There is much skepticism about getting US business to give up control of the data they have about us and comply with regulations like those in the EU. While I do believe data privacy should be treated just like any other human right, and as a nation, and a global community, we need to stand up and demand it as such. I also believe that whether the US institutes a regulation like the GDPR or not, businesses will begin to shift in this direction anyway. And here’s why.
There are plenty of valuable, useful, and entertaining online services out there, formalizing how these services handle our data may initially seem just another government regulation businesses are supposed to follow, but really it’s far more than that. If we want to move into the next era of the internet safely, an era where we can access our data and services from anywhere, have digital servants like Siri take care of our travel reservations, car rentals, and notify business associates when we’ll be arriving, all with minimal intervention, it’s simply a requirement that we know where our data is, who’s using it, and why, at all times.
While it may seem counter-intuitive, it’s exactly that requirement that will actually open our personal data and personal lives to more online services. Businesses that chose to be more transparent about their operations in the use of our data, and businesses that give us the ability to control not only what data can be used, how it can be used, but also when it can be used, will attract more customers than those that don’t. And once we establish a trust framework to implement that control and privacy capabilities, we’ll feel more comfortable sharing out data and knowing that we can change our minds at anytime and rescind it. Non-profits like the Kantara Initiative are already making headway on developing this kind of standard.
Doing so, will not only require an increased level of responsibility of online services, it will also require an increase in responsibility for all of us as the true guardians of our personal data and our digital identities.
In fact, we are seeing a shift in this direction today, where decentralized technologies like blockchain, are enabling individuals to have complete control and responsibility for their own data and transactions. A familiar example is Bitcoin. Bitcoin lets individuals engage in peer to peer payment transactions without the need for a central authority like a bank. We’ll begin to see this trend affect our personal data and all of our personal transactions as well. While this technology is still very early, once it becomes easier to use and secure, we’ll begin to see a boom in a new decentralized economy of data. In this new digital landscape, businesses and individual will share the value of personal data.
As scary as the Facebook event was, deep down, we probably felt more exposed and embarrassed than surprised. However, both individuals and businesses should look at this as a significantly positive event. The slap in the face we just received, made us all look up from our phones for the moment, acknowledge that big data is here to stay, and think about how we want to move forward in the next era of the internet and particularly with the handling of our personal data privacy. When we can agree on a sensible framework for data privacy and begin voting with our pocketbooks by rewarding those businesses that follow these guidelines, businesses will realize it’s clearly in their best interest to serve the best interest of their customers, clients, and employees. So don’t worry, as long as we continue to treat these breaches of trust with our personal data privacy as a wake up call, a better future is in store for all of us. Be happy.