Compliance Management, Incident Response, Privacy, TDR

We are data and data is property

News that Experian has inadvertently sold the personal information of more than a half-million people to identity thieves reveals an insidious, but nearly ubiquitous cultural norm: You are data. Someone else owns that data, and in a very real sense own a part of you. The dangerous cultural notion that you can "own" personal information is among the most pervasive threats to individual liberty of our time, because a third party who owns “my data” controls my real life.

Researcher Alessandro Acquisti has produced several studies illustrating how “any personal information can become sensitive information.” In many cases, there is no line between data about you and you. On Facebook, you are a username and password. Anybody who can get that information can become you on Facebook. To your bank, you are a Social Security number, address, PIN and a few other pieces of data. Even to some business colleagues, you are an email address. If that data can be owned, then you can be impersonated, often with devastating effects.

As law professor Daniel Solove wrote, "you" are not much more than "an electronic collage of bits of information, a digital person composed in the collective computer networks of the world." This collage is our "data self;" a digital alter-ego capable of entering contracts, committing crimes and going into debt. It's more than a copy or shadow, because you are responsible for the actions of your data self. You are bound by contracts your Data Self signs; you will go to jail for crimes your data self commits. If someone forces your data self to take out a loan, you must repay it. If your data self has an operation, your medical insurance rates may increase. When our data selves are forced to do something against our will, we commonly refer to these crimes as identity theft.

When put together, the very terms "identity" and "theft" neatly illustrate this heuristic: First, we each have a data identity or data self. Second, our data selves can be stolen and abused by a third party, just like property. In other words, we are data and data is property; therefore, we may become property.

With some exceptions, intellectual property (IP) law treats data like property because data has value, like physical property. Additionally, data is fungible, like property and it is alienable, like property. To alienate means to permanently disassociate. With physical property, the words “sell” and “alienate” are synonyms. For example, if I sell my car and the new owner runs it into a tree, I do not bear the consequences because I have alienated myself from the car. Most types of information such as trade secrets, copyrights, patents, and trademarks, are completely alienable.

But personal information is inherently inalienable. In fact, almost by definition the moment personal information is truly alienated, it is no longer personal and the vast majority of its value derives from its personal, inalienable nature. Experian sold 500,000 identities to identity thieves, but in this case, “sell” does not mean “alienate.” Because you and I never alienated our personal information to begin with, we will each suffer when an identity thief proverbially crashes our identities. Personal information should never be treated like property.

In addition, current IP law is not a good fit for personal information, because most personal data is factual. Facts are not copyrightable. You can't patent personal information, and unless you're famous, personal information is neither a trademark nor a trade secret. In short, nobody "owns" my name, including myself.

Even if we could invent an imaginary intellectual property right to one's personal information, in most cases the most logical owner would be third parties who created it. My parents would most likely own my name and DNA, since they created both. My mother and her doctor had much more to do with my date of birth than I did, so they would each logically have some ownership interest in my birth date. Credit card companies would own my credit card number. The government would own my Social Security number, and the Post Office would own my address.

But aside from these inevitable paradoxes, as long as we treat personal information as property, we are faced with an unavoidable dilemma. If we are data and data is property, then we may become property. Security expert Bruce Schneider famously underlined this fact when he observed, "We're not Facebook customers, we're Facebook's product it sells to its customers [the advertisers]."

It is time for a national—and cultural—conversation about the future of identity and it's time to reject once and for all the abuses inherent in treating personal information as property.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.