Vivek Gopalan: We see that in the Internet Age, government has authorized itself with the ability to surveil and collect personal data etc. What do you think, as an individual, are important things to do to ensure one’s own data security? And tangentially related, should we have a right to sell our own data and commercialize it if we so wish?
Professor Joan Feigenbaum: I don’t have a straightforward answer to those questions. It depends entirely on what you mean by “ensure one’s own data security.” It is feasible for a tech-savvy individual who owns a particular dataset to secure it. Once you identify such a dataset, you can encrypt it and store it offline – not on a networked machine. If you have to send it to someone, then figure out a way to do so in which the data never have to be in the clear (unencrypted) on a networked machine. For example, if the entire encrypted dataset fits on a high-density handheld storage device, just (physically) send that device to the recipient, and send them the decryption key on a separate, secure channel (perhaps on its own physical device). The recipient should decrypt and use the dataset offline and then wipe the isolated machine that they used after they’re finished. What trips many people up is that you have to remember not to leave anything lying around – after you decrypt data and use them, you have to re-encrypt them, store them securely, and make sure there’s no plaintext and no keys left lying around for would-be data thieves to find.
That’s doable if you are very careful and all you want to do is to secure a particular dataset that you own. But that approach won’t work to secure all of the data about you that’s out there. If you don’t want to be a hermit, you’ll take advantage of online services and applications: search, online banking, e-commerce, e-government, social networking, online dating, streaming media, and on and on. You can (and should!) be careful with passwords and avoid sharing anything that you know can compromise you. But every link you click on, every product you buy, every song that you listen to – basically everything you do online – creates data records in which you are the data subject. In general, those records are owned and managed by the companies whose services you use; they’re not owned by you. As a society, we should be able to expect companies to prioritize data security and not to use personal data inappropriately. Those are legal, political, and cultural challenges to a greater extent than they are technological challenges (although some technological challenges remain).
Do we have the right to sell our data? Once again, that depends entirely on what you mean by “our data.” It’s certainly an interesting idea. Jaron Lanier has suggested that, instead of trying to hide all of our personal data, we should go in the opposite direction: Set up the Internet and all of our information services so that every bit is tracked. If you translate a word from Swahili to English while you’re using a social network, and the social-network provider later monetizes that fact in a machine-translation system, then the provider should compensate you. If the provider sells the data it gets from customers to a third party that builds a machine-translation system (or some other application), then it should share its profit from the sale with the customers who supplied the data. It is not obvious how to keep track of all of these contributions and to establish a reliable marketplace. Most user contributions are valuable only when combined with millions of others – individual users often cannot bargain effectively to “sell their data.” And of course there’s the privacy problem.
In the case of ad-supported services (primarily Google and Facebook), the companies already have a well defined notion of “your data.” They have profiled you in detail so that they can target ads. Would it make sense to demand that they pay you for the use of those data? Currently, they pay you in kind with “free service” – it’s not crazy to want to be paid in cash instead. This would require giving users property rights in their data, which are now the property of the service provider. Note that, if we give people property rights in their user data, we would probably have less privacy, not more. Data would be traded more freely, because more parties would have the ability to profit from it.
I’m in favor of a general regulatory framework – one that would have to evolve as the technological environment evolves – in which ownership and the appropriateness of commercializing personal data can be discussed. I haven’t heard a good general solution proposed. I don’t think there’s a reason to panic, as many people have been doing, but there is a reason to be concerned that just a few companies with unique, detailed user profiles can make so much money through behavioral targeting. Shoshana Zuboff calls it surveillance capitalism. Internet of Things is going to make the situation worse, because there will be more kinds of personal data (voice, images, domestic routines, etc.).