Because I am Here

Note: This article originally appeared on The Security Catalyst Blog.

If you have nothing to hide, why do you need privacy? This question, famously attributed to the McCarthy era, has gained currency again in this era of terrorism and national security. The question implies that privacy is a form of dishonesty, that the things people want to hide are the very things others should know about.

I admit that I bristle every time I hear someone say, “You have nothing to worry about if you have nothing to hide.” Baloney. I have everything to hide! When someone says, “I have nothing to hide,” it’s simply not true. What he really means is, “I have nothing to be ashamed of,” which may be true. But shame is only one, limited reason for confidentiality. Confidentiality is not an admission of guilt.

I have much to hide, for one simple reason. I cannot trust people to act reasonably or responsibly when they are in possession of certain facts about me, even if I am not ashamed of those facts. For example, I keep my social security number private from a would-be criminal, because I can’t trust that he’ll act responsibly with the information. I’m certainly not ashamed of my SSN. Studies have shown that cancer patients loose their jobs at five times the rate of other employees, and employers tend to overestimate cancer patients’ fatigue. Cancer patients need privacy to avoid unreasonable and irresponsible employment decisions. Cancer patients aren’t ashamed of their medical status—they just need to keep their jobs.

A person may share intimate secrets with an ecclesiastical leader that they would keep private from parents, because they fear the parents may not act reasonably or rationally when presented with the same information. During World War II, the government acted unreasonably and irresponsibly with Census data about the location of Japanese-American citizens. Privacy from government entities is paramount.

In addition, can you imagine how much damage you would impose on innocent people if you spoke every thought that came into your head? Or if doctors, lawyers, and accountants disclosed everything they knew about you?

The need for privacy is the recognition that most individuals, organizations, or institutions cannot be trusted to act reasonably, responsibly, in the best interest of the person, or in the best interests of society, when in possession of certain types personal information. Humans are biased. We have limited cognitive and analytical abilities, and never know all of the facts. We are infamously poor judges of character. We change our minds, and come to conflicting conclusions. So, the next time someone asks whether you have something to hide, do not hesitate to say, “Yes, of course I do.”

On page 2 of his book, The Digital Person, Professor Daniel Solove posits that each individual is comprised of “an electronic collage of bits of information, a digital person composed in the collective computer networks of the world.” In other words, a person may now be defined as just a few pieces of data.

A few months ago I argued that each this electronic collage of information comprises a “Data Self”. It was my rather ungraceful attempt to articulate: “Hey! You know all that stuff’ out there? That’s not ‘stuff’ out ‘there:’ That’s you.” Me? “Yeah, YOU.”

Thanks to an enlightening discussion with my very astute friend, Greg Ceton, we were able to identify other possibilities, each of which has its own set of problems.

• Data Self: Nobody thinks of themselves as a “Self.”
• Digital Identity: Although most people now understand “Identity Theft,” nobody thinks of themselves as an “Identity.”
• Digital Self: Same problem, and information doesn’t have to be digital
• Information Self: Even more abstract than “Data Self.”
• Digital Clone: Better, because Clone connotes both “me” and “other” simultaneously. However, it’s pretty sci-fi.
• Digital Me/You: “You/Me” is better than “Self,” but the concept is still too abstract to immediately grasp.
• Digital/Data Double: Although slightly easier to grasp, the “Double,” as in “stunt double” distances a person from their Data Double. After all, the whole purpose of having a stunt double is so that you don’t get hurt.
• Digital Twin: Same strengths and weaknesses as above. A “twin” is not “you.”
• Digital Alter-Ego: A subtle improvement, but still suffers from the problem of detachment.
• Your Digital Copy: Ditto.
• Shadow Self: The strength of this phrase is that you can never get rid of your shadow. But the analogy breaks down because 1. You always know exactly where your shadow is. 2. Your shadow can’t act on its own, and 3. Your shadow can’t harm or be harmed.
• Identity Hostage: I think this hits both points- a data alter-ego whose actions affect you. But as @caparsons put it, the term is loaded and implies that the only thing a digital identity is good for is stealing.

I’ll add more as I think of them. I’d appreciate your thoughts here, or on Twitter.

Note: This article originally appeared on the Security Catalyst Blog

A colleague recently asked me, “When did my personal information become someone’s property?” It’s a question with a vital answer, because if my personal information belongs to someone else, then they can do whatever they want with it. If data is property, then they can buy, sell, license, or give away my identity without my consent. This puts me at risk, because I must rely on the good will of a third party to keep my identity secure.

But if personal information really were property, then I should be able to permanently sell, or “alienate,” it. But unfortunately, I can’t sell personal information like a car. If I sell my car and the new owner paints it purple or runs it into a tree, it’s not my problem. But we all know that if I sell my personal information and the new owner “crashes” my identity, I suffer. Unlike all forms of property, personal information is inherently inalienable. Unless you enter the witness protection program, you’re stuck with your identity no matter how many times you sell it, and no matter how many times it is crashed.

Data is Property

Data behaves like property because 1. Data has value, like property. 2. Data is fungible, like property, and 3. Data is alienable, like property. For most types of information (ie, trade secrets, copyrightable or patentable information, etc) Intellectual Property law treats data like property with no problems, because trade secrets and patents are valuable, fungible, and alienable.

However, the analogy between data and property breaks down when we get to personal information, primarily because personal information is NOT alienable. Consequently, Intellectual Property law does not generally treat personal information as property.¹ Most personal information, such as names, addresses, phone numbers, and social security numbers are facts. Facts are not copyrightable.² You can’t patent personal information,³ and it certainly isn’t a trade secret.⁴ In short, nobody “owns” my name, including myself. And if someone could “own” my name, it would most logically be my parents, since they created it. But my mom can’t copyright my date of birth, and the government can’t patent my social security number. My phone number is not an AT&T trade secret, nor is it mine.

Personal information is valuable and fungible. Entire multi-billion dollar industries thrive on the sale and exchange of personal information. United States election law requires candidates disclose the value of all in-kind campaign donations, including databases of potential voters.⁵ Other federal and state statutes, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, require corporations to account for the fair market value of assets, which may include customer data. And personal information is extremely fungible, as information in databases can be shared, sold, licensed, stolen, or lost with remarkable efficiency.⁶

Because personal information is valuable and fungible, it is often treated like property. Tort law implies that some forms of privacy come from a trademark-like ownership of one’s name and likeness.⁷ Even breach notification laws seem to assert that companies which collect personal information “own” it.⁸

But that isn’t the whole story. Unlike every other form of property, personal information is not alienable, (such as bank account numbers, credit scores, social security numbers, or police reports) even if a third party creates it. And unfortunately, you don’t have any constitutional right of privacy when you give your personal data to a third party.⁹

Because personal information is not alienable, it is sufficiently different from traditional “property” that IP law does not provide a helpful framework for managing it.

Self is Data

In the Information Age, you are not much more than “an electronic collage of bits of information, a digital person composed in the collective computer networks of the world.”¹⁰ In other words, a person may now be defined as just a few pieces of data. This data is your Data Self. Your Data Self is a collection of your credit report, facebook page, Google results, Bank account numbers, archived e-mails, and an endless parade of other data. Your Data Self is a digital alter-ego, with its own personality, dispositions, fallacies and mortality. Your Data Self also has the power to enter contracts, grant access to your financial assets, have surgery, commit crimes, or be kidnapped.

When your Data Self belongs to someone else, it can be forced to act against your will. If someone makes your Data Self sign a contract, you are bound by it. If your Data Self is convicted of a crime, you can go to jail. If someone forces your Data Self to take out a loan, you must repay it. If your Data Self has an operation, you may no longer qualify for medical insurance. If your Data Self is abused, stolen, sold, manipulated, or forced to act against its will, you suffer the consequences. In this sense, “Identity Theft” might be more descriptively defined as “Digital Kidnapping.” Identity Theft is when someone pretends to be you by “kidnapping” your Data Self, doing something bad, and you get blamed.

Self is Property

In my view, this is a startling development. As long as my Data Self is a third party’s possession, then they can also treat me like property. In other words, if Self is Data and Data is Property, then Self is Property. The now popular crime of Identity Theft is the most visible consequence of this trend. In fact, “Identity Theft” epitomizes the problem with treating personal information as property: The very term recognizes that you have an alter-ego digital “identity” or Data Self. It also acknowledges that your Data Self can be stolen and abused, like property.

Fortunately the 13th Amendment ended human trafficking, and human muscle, once required for agriculture and labor, does not command the same economic premium in a post-industrial society. Instead, a person’s economic value now lies in his access to financial assets and credit. Our Data Selves are easy to coerce, and people are now worth more in bytes than in flesh and blood. As long as Data Selves are digital property, new crimes similar to identity theft will continue to arise, and our society runs the sinister risk of a new form of human trafficking: A type of Digital Slavery, where third parties can own, abuse, and force Data Selves to act against their will.

Facing the possibility of this new class of crimes, the law should neither permit personal information to be treated as property, nor can we afford to go down that path.

Aaron Titus is the Privacy Director for the Liberty Coalition, runs National ID Watch, and welcomes feedback.

Footnotes

1. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8

2. Feist Publications, Inc. v. Rural Telephone Service, 499 U.S. 340, 363-64, 111 S.Ct. 1282, 1297 (1991) (Holding that an alphabetized collection of personal facts in a phone book is not copyrightable because 1. Facts are not copyrightable, and 2. The phone book lacks minimally creative selection, coordination, and arrangement. “As a statutory matter, 17 U.S.C. § 101 does not afford protection from copying to a collection of facts that are selected, coordinated, and arranged in a way that utterly lacks originality.”)
3. 35 U.S.C.A. §§ 101-102.
4. Facts in a database may qualify for trade secret protection under state law, but only if the information meets stringent requirements, and remains secret. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8.

5. 2 U.S.C.A § 431(8)(a).
6. Identity Theft Resource Center, Press Release – 2007 Breach List; Privacy Rights Clearinghouse, A Chronology of Data Breaches.
7. “Tort” law is common- or judge-made law that allows people to sue others for doing bad things. For example, the tort of Appropriation of Name or Likeness is when someone uses a person’s name or picture for financial gain: Rest. 2d Torts § 652C cmt a. (1977) (The Tort of Appropriation of Likeness gives the individual “exclusive use of his own identity, in so far as it is represented by his name or likeness, and in so far as the use may be of benefit to him or to others. Although the protection of his personal feelings against mental distress is an important factor leading to a recognition of the rule, the right created by it is in the nature of a property right, for the exercise of which an exclusive license may be given to a third person, which will entitle the licensee to maintain an action to protect it.”);

8. See, e.g. Cal. Civ. Code § 1798.81.5(a).
9. United States v. Miller, 425 U.S. 435, 443-44 (1976) (Holding that bank records have no fourth amendment protection, and are subject to government subpoena with no infringement of an individual’s rights).
10. Solove, Daniel J., The Digital Person. New York University Press, New York. 2004. p. 2