In his dystopian novel 1984, George Orwell describes a world in which a government controls information, rewrites history, and conducts surveillance of individuals’ private lives in order to control their movements and thoughts. Protagonists Winston and Julia seek but ultimately fail to revolt against Big Brother and The Party.
While the world today—outside of a few places like North Korea—is not the dystopian nightmare of 1984, individuals still face challenges with misuse of information that even Orwell could not have imagined. Consider the following four examples of abuse:
1. Information gathered and used without knowledge—Many major corporations and governments collect substantial troves of data about practically everyone. Some of this information is gathered with knowing consent, some with a check of a box on an unread screen, and some without consent at all. Some data are gathered from GPS location services. Social media sites such as Facebook collect information about individuals who don’t use their services. Information may also be gathered surreptitiously from unencrypted communications. Even if a consumer consents to the collection of certain information, the consumer likely is unaware of how the information is used. Of course, businesses and governments have collected and used information about individuals for millennia, but the means of collection and use have expanded dramatically in the past few decades.
2. Third parties benefitting from use of personal information—Governments and businesses collect vast troves of information on individuals not as an idle activity but precisely because it is valuable. Even when not useful in the short term, having banks of data about consumers can be beneficial at a later date. Some governments might use consumer databases for purposes ranging from tax collection to international espionage. Businesses purchase consumer data such as driving habits, purchasing habits, choices of entertainment, and personal political views to target marketing to specific customers. Others simply collect this data and sell it to other businesses. Most consumers are generally powerless to address this issue.
3. Third parties benefitting from the sale of information—One friend is drafting an email to another friend suggesting lunch. Suddenly, restaurant advertisements appear before the email is even sent. Some entities are eavesdropping on the mere drafting of emails and selling advertisements on that basis. Much of the Internet business model is built on selling advertisements to consumers based on specific information about the consumer. The matching of information generally benefits both consumer and advertiser, but in many instances, consumers prefer that some information about themselves not be sold. For example, an individual diagnosed with a certain medical condition might not be pleased that her medical information is known to anyone, much less sold to third parties that advertise remedies.
4. Stolen information—Government agencies such as the Office of Personnel Management (OPM) have had their databases breached and personal information stolen. So too have private companies such as Target and Equifax and countless others. Consumers receive the cheery message that their personal information may have been compromised. Information theft is not limited to corporate websites. Individuals using social media rely on privacy settings to guard their information, not recognizing that the settings and their data can be hacked. Information system administrators risk losing their jobs in these cases, but individual consumers are rarely offered compensation.
Information as Property
Above, we reviewed four types of abuse of information. In a well-functioning economy, an asset is rarely abused or misallocated if it is treated as property and where property laws are enforceable. Thus, assets ranging from land, groceries, clothes, and securities are rarely abused in the United States.
From an economic perspective, if an asset is to be considered property, the party controlling it has three rights associated with it: (1) the ability to determine the use of the asset; (2) the ability to benefit from the use of the asset; and (3) the ability to benefit from the sale of the asset. A person or entity that has these three characteristics controls the property, regardless of the underlying ownership structure. Thus the issue of whether a hospital, a doctor, a laboratory, or a patient owns an x-ray scan, or other information, is less important than who controls that information. The four abuses discussed above would be substantially lessened if information were endowed with property rights and if control of information were more transparent and if individuals had more control over information relevant to them.
Information has always been valuable, but with the advent of the Internet, personal information has become a gold mine. Many of the largest corporations in the world did not exist a generation ago, and most have capitalized on the value of individuals’ personal information on the Internet. These corporations did not necessarily purchase the information rights of individuals, but they have successfully found, developed, and controlled that information.
Some forms of information, such as copyrighted works, have clear property rights, both for ownership and control. This is not to say that property rights for copyrighted works are perfect; indeed, piracy of copyrighted works is rampant in much of the world. But there are mechanisms to ensure that for law-abiding websites, copyrighted works are not used without approval. Owners of copyrighted works may feel that these mechanisms are inadequate, but they are far better than the essentially non-existent mechanisms to protect consumers from unauthorized use of personal information.
The Limitations of Consent to Collecting Information
Many consumer privacy efforts today focus on consent to collect information. Does a consumer consent to have certain information collected? Does a consumer consent to having cookies placed on a machine? Does a consumer consent to receiving notices which in turn may collect further information? Is a form with hundreds of words of legalese printed in small font a reasonable basis for consent?
But these forms of consent are not equivalent to either ownership or control of property. A consumer who consents to a wide range of forms of collection of information does not necessarily abandon all interest in how personal information is later used or sold.
The current debate over consent focuses on the collection of information, not on the subsequent use of information. Detecting the misuse of information is often easier than the improper collection of information. If an advertiser sends an improper advertisement, that is easier to detect than if an advertiser has access to a hidden database.
Much of the discussion of consent implies that individuals have absolute control over the collection of their personal information. However, things are much less clear cut, even without bringing the Internet into consideration. If I walk into a store, and a store manager records my presence, that is information about me that belongs to the store with or without my consent. I have no right to object to that collection of information. It is only if a store uses the information about my presence in an improper way—for example, using a photo of me shopping for vegetables as part of an ad campaign without my permission—that I have a right to object. So the idea that each individual can hope to control all aspects of their personal information is implausible in a world where entities are constantly collecting information about people. The question is, what is proper information collection and use? And when do individuals have a right to object?
Data Privacy in the U.S.
Currently, Americans have limited rights related to personal and consumer information. Those rights are usually created by federal administrative agencies and cover only specific categories of personal information. For example, the Department of Education creates privacy protections for students’ education information, particularly for college and high school students. In the name of privacy, schools are not allowed to tell parents of older students about their academic performance without specific student consent, possibly even for students who may need remedial programs. However, students cannot fully determine the use or the benefit of their academic data, nor can they benefit from selling the information.
Similarly, health information privacy laws limit the sharing of health information about a patient. These laws do not actually assign any tangible property rights to patients, who still cannot determine the use of information, benefit from that use, or benefit from the selling of information. Consumers ostensibly control the dissemination of health care information, but that is a far cry from actually determining how information is to be used and benefitting from that use.
The current legal framework that addresses personal information rights is a confusion of laws with which most consumers are unfamiliar. The exact protections vary by federal agency, and the enforcement of those rules is often primarily by the agency itself. The United States has yet to develop a streamlined approach to solving this problem.
The Europeans Try a New Approach
The E.U. has a new set of privacy rules, GDPR (General Data Protection Regulation), that gives consumers substantial new rights with regard to their online personal data. Individuals have more tools to limit the collection of their online information, the rights to review and edit information that has already been collected, and companies have new limitations on how information is sold. These rights of review are doubtlessly costly for online companies, most of which are American. At least currently, the European rules do not distinguish between information that has properly been collected and information that has not.
But the European rules clarify no particular right of Europeans to control the use, and benefit from the use, of their own information. The European rules do provide an individual with some ostensible control over the sale of consumer information, but in the complex realm of consumer databases, an online company can accurately claim to have received the information from many sources other than the consumer.
Deploying Consumer-Oriented Property Rights
Today, most discussions of consumer privacy focus on government regulations to limit the collection of consumer information. The solutions range from the European approach of creating rights for individuals to request information from online companies to public hearings to excoriate online companies. The usual solutions assume that large corporations have a monopoly on technology, and that only these companies can use technology to control information. These solutions concede the technological and practical control of all information to the very entities suspected of mishandling information. Ordinary individuals are seen as passive victims, relying on the good graces of government to help them out.
Internet technology, however, is neither one-sided nor limited. Because collection of consumer information is profitable, extraordinary technologies have been developed to enable the collection of consumer information, often without consumer awareness.
Protecting consumers from unwanted use of personal information should also be profitable. If there were sufficient demand, consumers could be equipped with technology to block collection of information and to track where collected information has been used and where it has been sold. Consumers might be able to control and monetize their own data, and lease data to different companies. That technology should come not from the companies that benefit from the collection of consumer information but from independent software developers, specializing in protecting personal information.
Technology to protect consumers is not a pipe dream. Companies have developed applications to help consumers in many ways. In each instance, consumer demand created a market for consumer-oriented software.
But today, there is no array of software to protect consumer control over the misuse of personal information on the Internet. Instead of looking to Silicon Valley for protection, many consumer groups look to Washington to limit the collection of customer information. These rules are unlikely to do much.
A better approach would be consumer recognition that technology, rather than government regulation, is their most certain method of gaining control over their personal information. Clever software is easier to develop, and more reliable, than clever regulation. If applications developers perceived the demand for apps to help consumers control information on the Internet, the market would likely develop.
The Orwellian nightmare in 1984 of Big Brother controlling information and thereby controlling individuals was premised on the notion that individuals could not effectively use technology to defend themselves. The 21st century is different, most importantly because individuals can use technology to fight back. Just let them assert property rights to control their own information.
Harold Furchtgott-Roth is Senior Fellow and founder of the Center of the Economics of the Internet at Hudson Institute.