The days of the internet as a mainly anonymous forum are long gone.
Most Americans now have extensive digital footprints comprised of the Tweets, Facebook posts, LinkedIn profiles, Instagram photos, and other material they share online.(a) And this easily accessible public persona is just the tip of the iceberg. We may think our web searches, shopping habits, browsing history, and email archives are private, but this data is often one of the most valuable assets for companies like Google and Amazon.
The law, however, has yet to catch up. We still do not have clear answers to basic questions such as: Do people own personal information about themselves? How can they control or limit how companies (and governments) use it? To start, there are complexities around the fundamental issue of information “ownership,” particularly ownership of personally identifiable information (PII). One cannot be said to actually own information about one’s self. Information relates to you, is connected to you, or is of you.
For example, while you may own the curly brown hair growing out of your head, you do not own the recognition or awareness of that hair. U.C. Berkeley cyberlaw expert Pamela Samuelson notes three characteristics of information that make it difficult to recognize as property: (1) it is intangible; (2) it is without concrete definition; and (3) it is “leaky” or prone to sharing unless kept secret.1 Your brown hair is out there in public space, readily detectable by others, and that knowledge is both intangible and easily shared.
Even if we consider personal information to be a form of property over which individuals should have full control, the exercise of this control is complicated by the legal concept of possession. If an owner rents or leases her house to a tenant, she still owns the property but it is now in the tenant’s possession. While the landlord may set parameters for its acceptable use, she cannot really control what happens to the house and will have to turn to the law to enforce or punish renters who misuse the property.
The issue of possession is even more problematic when it comes to information. Because personal information can be easily replicated and shared in a much different way than tangible physical property, it is very difficult to protect, even if it is clear who owns the information. While one can exclude others from physical property through fences, locks, or, for the more extreme among us, guard dogs, it is much trickier to control information in a digital environment.(b) You cannot simply lock your online user habits behind a heavy door, unless, of course, you’re willing to move off the grid altogether.
The U.S. Supreme Court has identified one of the most essential rights of property ownership as the right to exclude – to prevent others from using or accessing the property.2 While the meaning of exclusion is clear when it comes to physical property, it is more complicated when it comes to information. According to Columbia legal scholar Thomas Merrill, the right to exclude others from intangible property like copyrights and trade secrets is grounded in the legal notion of trespass.3 Trespass is not only the entering or use of property without permission, but also occurs when an individual acts beyond the scope of permission given.
When it comes to information collected online, the question is whether consumers have given companies permission to harvest and store different kinds of PII and, if so, what the boundaries of that permission are. Social media sites like Facebook, Tumblr, and Twitter all require or encourage users to submit certain identifying information and have privacy policies governing how that information may be used. Unfortunately most users do not read these policies.(c) Still more problematic are the sites, applications, and devices that collect information without the user’s express consent. Consumers were upset, for example, by recent revelations that Apple and Google have been tracking detailed data on iPhone and Android users in order to better target advertising.
On the other hand, some users consider the collection of PII a reasonable tradeoff for the opportunity to use free tools and, indeed, this is the business model of many internet companies offering free services. It is often overlooked that the individuals who use Google’s free email and search services or Facebook’s social network are not the customers; the paying customers are advertisers who use data gathered by these companies to target their marketing more effectively.(d)
While user behavior may suggest many people are willing to give up personal information as the ‘price’ of being active online, the public outcry surrounding revelations of previously undisclosed information gathering demonstrates that not everyone is on-board with the casual and ongoing collection of their personal information and online activity. In response to pressure from privacy advocates and citizens, legislative bodies are exploring how to provide consumers with a measure of control over how their information is tracked and used.
The European Commission has proposed revising the EU Data Protection Directive to include a “right to be forgotten,” which gives an individual the right to prohibit the retention of their personal information and the power to force its deletion when it is no longer needed for a legitimate purpose. Proposals to codify a “right to be forgotten” into law are making their way through EU legislative bodies and could be enacted within the next few years. A recent EU court ruling on the inclusion of identifying information in Google search results suggests that, as legal scholar Jeffrey Rosen has pointed out, the battle over the issue may come down to the tension between privacy and free speech, legal priorities that are perceived differently in the U.S. and Europe.4
On the other side of the Atlantic, California Assemblywoman Bonnie Lowenthal has proposed the Right to Know Act. It differs from the European proposals in that it only requires disclosure, not deletion, of information. If passed, the Right to Know Act would require companies collecting sensitive PII or providing it to a third party to disclose that information, at no cost, to any consumer placing a request for it. A company would have to respond within 30 days of a request or face the possibility of civil penalties. After lobbying by tech industry groups, however, the proposed law has stalled in the state legislature.
From a legal perspective, the right to be forgotten and the Right to Know Act are important because they position the consumer – that is, the person about whom information is being collected – as the owner of the information and data generated by his or her online activities.(e) Both proposals offer consumers a measure of control over their PII and are equipped with enforcement mechanisms when this control is violated.
However, the proposals still face the issue of possession versus ownership, and specifically the tricky terrain regarding the right to exclude. There is not currently a viable way to reliably keep PII exclusive, retained solely by a given user and concretely in their possession. It is not just one site that may have a consumer’s PII, but a gaggle of third parties and mirror sites. The leakiness inherent to PII is exactly what will make the enforcement of any such laws difficult.
As governments begin to consider how to alter existing legal frameworks regarding privacy and information ownership to address the new concerns of the digital age, some users are also reconsidering their online sharing. Perhaps it is incumbent on all consumers to be circumspect with respect to whom they allow access to their data. This does not, of course, absolve companies from the misuse or unpermitted collection and retention of data. It does, however, recognize that consumers must remain vigilant about their data and demand better safeguards. Government must also recognize the inherent danger in the collection and retention of personal information and protect citizens – and empower them to protect themselves – from both corporate and its own interests.
- Pamela Samuelson (1989) “Information as Property: Do Ruckelshaus and Carpenter Signal a Changing Direction in Intellectual Property Law?”, Catholic University Law Review, 38: 365-400.
- See Kaiser Aetna v. U.S., 444 U.S. 164, 176 (1979), and Ruckelshaus v. Monsanto Co., 467 U.S. 986, 1011 (1986).
- Thomas W. Merrill (1998) “Property and the Right to Exclude,” Nebraska Law Review, 77: 730-755.
- Jeffrey Rosen (2012) “The Right to Be Forgotten,” Stanford Law Review, 64: 88-92.
- (a) Surveys conducted by the Pew Research Center’s Internet & American Life Project found that the amount of information teens share on social media sites significantly increased between 2006 and 2013. 91% of teens now share photos of themselves and 20% have posted their phone numbers. It also seems, however, that users of all ages are increasingly aware of their online reputations: 47% of people searched for information about themselves online in 2007, compared to only 22% in 2002.
- (b) The leakiness of PII online can be seen in the frequent reports of data breaches, lax security, and hacks exposing private data, often information that users willingly provided to internet companies. In April, for example, approximately 50 million customers were affected after the site Living Social, which is owned by Amazon, was hacked.
- (c) According to a 2012 survey conducted by the Internet Society, only 16% of respondents read every word of privacy policies on sites that require sharing personal information. Perhaps more jarring, 37% of respondents reported having little to no understanding of privacy policies, owing to a combination of length and complex language.
- (d) The exploding field of “big data” (also known as data science) involves managing and analyzing massive sets of data for purposes such as targeted marketing, trend analysis, and the creation of individually tailored products and services. For internet companies like Facebook, their most valuable asset is often the data they collect on users.
- (e) Recent revelations about the NSA’s PRISM program stoked a new fear: that private companies like Microsoft and Verizon are handing over personal data to the government. Extensive user information collected by phone and internet companies appears to have been made available to the NSA, though the agency insists it only monitored the activities of foreign terrorist suspects.