Note: This article originally appeared on the Security Catalyst Blog
A colleague recently asked me, “When did my personal information become someone’s property?” It’s a question with a vital answer, because if my personal information belongs to someone else, then they can do whatever they want with it. If data is property, then they can buy, sell, license, or give away my identity without my consent. This puts me at risk, because I must rely on the good will of a third party to keep my identity secure.
But if personal information really were property, then I should be able to permanently sell, or “alienate,” it. But unfortunately, I can’t sell personal information like a car. If I sell my car and the new owner paints it purple or runs it into a tree, it’s not my problem. But we all know that if I sell my personal information and the new owner “crashes” my identity, I suffer. Unlike all forms of property, personal information is inherently inalienable. Unless you enter the witness protection program, you’re stuck with your identity no matter how many times you sell it, and no matter how many times it is crashed.
Data is Property
Data behaves like property because 1. Data has value, like property. 2. Data is fungible, like property, and 3. Data is alienable, like property. For most types of information (ie, trade secrets, copyrightable or patentable information, etc) Intellectual Property law treats data like property with no problems, because trade secrets and patents are valuable, fungible, and alienable.
However, the analogy between data and property breaks down when we get to personal information, primarily because personal information is NOT alienable. Consequently, Intellectual Property law does not generally treat personal information as property.1 Most personal information, such as names, addresses, phone numbers, and social security numbers are facts. Facts are not copyrightable.2 You can’t patent personal information,3 and it certainly isn’t a trade secret.4 In short, nobody “owns” my name, including myself. And if someone could “own” my name, it would most logically be my parents, since they created it. But my mom can’t copyright my date of birth, and the government can’t patent my social security number. My phone number is not an AT&T trade secret, nor is it mine.
Personal information is valuable and fungible. Entire multi-billion dollar industries thrive on the sale and exchange of personal information. United States election law requires candidates disclose the value of all in-kind campaign donations, including databases of potential voters.5 Other federal and state statutes, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, require corporations to account for the fair market value of assets, which may include customer data. And personal information is extremely fungible, as information in databases can be shared, sold, licensed, stolen, or lost with remarkable efficiency.6
Because personal information is valuable and fungible, it is often treated like property. Tort law implies that some forms of privacy come from a trademark-like ownership of one’s name and likeness.7 Even breach notification laws seem to assert that companies which collect personal information “own” it.8
But that isn’t the whole story. Unlike every other form of property, personal information is not alienable, (such as bank account numbers, credit scores, social security numbers, or police reports) even if a third party creates it. And unfortunately, you don’t have any constitutional right of privacy when you give your personal data to a third party.9
Because personal information is not alienable, it is sufficiently different from traditional “property” that IP law does not provide a helpful framework for managing it.
Self is Data
In the Information Age, you are not much more than “an electronic collage of bits of information, a digital person composed in the collective computer networks of the world.”10 In other words, a person may now be defined as just a few pieces of data. This data is your Data Self. Your Data Self is a collection of your credit report, facebook page, Google results, Bank account numbers, archived e-mails, and an endless parade of other data. Your Data Self is a digital alter-ego, with its own personality, dispositions, fallacies and mortality. Your Data Self also has the power to enter contracts, grant access to your financial assets, have surgery, commit crimes, or be kidnapped.
When your Data Self belongs to someone else, it can be forced to act against your will. If someone makes your Data Self sign a contract, you are bound by it. If your Data Self is convicted of a crime, you can go to jail. If someone forces your Data Self to take out a loan, you must repay it. If your Data Self has an operation, you may no longer qualify for medical insurance. If your Data Self is abused, stolen, sold, manipulated, or forced to act against its will, you suffer the consequences. In this sense, “Identity Theft” might be more descriptively defined as “Digital Kidnapping.” Identity Theft is when someone pretends to be you by “kidnapping” your Data Self, doing something bad, and you get blamed.
Self is Property
In my view, this is a startling development. As long as my Data Self is a third party’s possession, then they can also treat me like property. In other words, if Self is Data and Data is Property, then Self is Property. The now popular crime of Identity Theft is the most visible consequence of this trend. In fact, “Identity Theft” epitomizes the problem with treating personal information as property: The very term recognizes that you have an alter-ego digital “identity” or Data Self. It also acknowledges that your Data Self can be stolen and abused, like property.
Fortunately the 13th Amendment ended human trafficking, and human muscle, once required for agriculture and labor, does not command the same economic premium in a post-industrial society. Instead, a person’s economic value now lies in his access to financial assets and credit. Our Data Selves are easy to coerce, and people are now worth more in bytes than in flesh and blood. As long as Data Selves are digital property, new crimes similar to identity theft will continue to arise, and our society runs the sinister risk of a new form of human trafficking: A type of Digital Slavery, where third parties can own, abuse, and force Data Selves to act against their will.
Facing the possibility of this new class of crimes, the law should neither permit personal information to be treated as property, nor can we afford to go down that path.
Aaron Titus is the Privacy Director for the Liberty Coalition, runs National ID Watch, and welcomes feedback.
Footnotes
1. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8
2. Feist Publications, Inc. v. Rural Telephone Service, 499 U.S. 340, 363-64, 111 S.Ct. 1282, 1297 (1991) (Holding that an alphabetized collection of personal facts in a phone book is not copyrightable because 1. Facts are not copyrightable, and 2. The phone book lacks minimally creative selection, coordination, and arrangement. “As a statutory matter, 17 U.S.C. § 101 does not afford protection from copying to a collection of facts that are selected, coordinated, and arranged in a way that utterly lacks originality.”)
3. 35 U.S.C.A. §§ 101-102.
4. Facts in a database may qualify for trade secret protection under state law, but only if the information meets stringent requirements, and remains secret. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8.
5. 2 U.S.C.A § 431(8)(a).
6. Identity Theft Resource Center, Press Release – 2007 Breach List; Privacy Rights Clearinghouse, A Chronology of Data Breaches.
7. “Tort” law is common- or judge-made law that allows people to sue others for doing bad things. For example, the tort of Appropriation of Name or Likeness is when someone uses a person’s name or picture for financial gain: Rest. 2d Torts § 652C cmt a. (1977) (The Tort of Appropriation of Likeness gives the individual “exclusive use of his own identity, in so far as it is represented by his name or likeness, and in so far as the use may be of benefit to him or to others. Although the protection of his personal feelings against mental distress is an important factor leading to a recognition of the rule, the right created by it is in the nature of a property right, for the exercise of which an exclusive license may be given to a third person, which will entitle the licensee to maintain an action to protect it.”);
8. See, e.g. Cal. Civ. Code § 1798.81.5(a).
9. United States v. Miller, 425 U.S. 435, 443-44 (1976) (Holding that bank records have no fourth amendment protection, and are subject to government subpoena with no infringement of an individual’s rights).
10. Solove, Daniel J., The Digital Person. New York University Press, New York. 2004. p. 2