I keep coming back to the FTC’s report on new consumer privacy guidelines issued early in the year. Not only do the guidelines give a sense of the agency’s view on online data protection, but it also suggests what new legislation may eventually look like.
I bring up the FTC report yet again, because earlier this month, as an end-of-year surprise, it issued an order to several major US information brokers to learn more about their business practices.
In the FTC words, information or data brokers, are “companies that collect personal information about consumers from a variety of public and non-public sources and resell the information to other companies.” Sent to nine data brokers, the FTC order requested specific information on the source of their data, how the data is maintained, and consumer’s ability to access and correct inaccurate information.
It’s no secret that the FTC has its own ideas about how these brokers should be doing their job. In their guidelines, the FTC calls for a voluntary privacy framework that would support several “substantive” principles, which include data security, reasonable collection limits, sound retention practices, and data accuracy.
While these principles apply to all companies that handle consumer data, the FTC sees something special about data brokers. The key point is that consumers don’t have a direct relationship with these companies, and the broker is in the business of selling this data to others.
So what’s at issue here?
Data brokers are good at connecting online public records to quasi-private information trawled from multiple online sources, including website interactions, cookies, and mobile activity, with the goal of creating detailed profiles.
From voter rolls, campaign contribution lists, “anonymous” hospital data, housing sales, mortgage files, and now, apparently registered gun ownership records, publicly available data alone provides a good starting point in creating a rough sketch. By the way many of these public records started life as paper documents held in a town hall and then were subsequently digitized. More on this implicit loss of privacy later.
With not too much difficulty, though, depending on the data and the computing resources, it’s then possible to combine it with other de-identified information and link it, with high likelihood, back to an individual or group, thereby filling in finer details of the consumer portrait.
For example, at least one of the data brokers to which the FTC sent its request had done just that: tying personal data it had collected in Facebook to identifiable data stored in its databases. The broker has since changed its Facebook data gathering policy.
Ideally, the FTC would like to give consumers the right to access the data mined by the brokers, correct it when it’s invalid, and opt-out if necessary. For those following my posts, this approach should appear familiar—it’s very much in the spirit of the EU’s Data Protection Directive.
If we accept the fact that we’ll all have an online profile that is continually extended as more information is made public, then the FTC’s privacy policies are reasonable.
On the other hand, if we want to put the genie partially back in the bottle, we may have to rethink the easy availability of public and governmental records, or at least give more choice to consumers about opting in.
Public records created before the Internet-era required a visit to a physical location to view, and it would seem that the intention was not to make the data widely and instantly accessible. From what I’ve read about the gun-ownership map controversy in particular, the public data privacy question has actually united people on both sides of the debate on gun laws: with many agreeing that perhaps we shouldn’t too hastily webify public records.