By Dennis D. McDonald

Many companies benefit from the buying and selling of personal, financial, and medical information about individual US citizens. Usually these companies behave in a responsible, law-abiding fashion.

Sometimes, though, the controls they put in place to protect this personal information break down. We saw this happen recently when it was revealed that Equifax subsidiary ChoicePoint had sold information to a bogus company intent on fraudulent uses of the personal information.

As much as I am an advocate of privacy protection, I believe that, as far as the buying and selling of personal information are concerned, the genie is probably out of the bottle. Too many business decisions require access to some type of personal information. Examples are credit reports, medical information, and legal and security information. While there may be increased attempts to regulate the companies that trade in private information, ultimately I believe that there will need to be a balance struck between absolute access and absolute privacy.

Perhaps a change in intellectual property law could help the situation. Specifically, legal ownership rights of individuals could be spelled out concerning the credit, financial, employment, and medical information about them that is currently being collected, bought, and sold. Individuals could be legally recognized as the owners of information about them and their personal, legal, and financial relationships. On the basis of this ownership, individuals would then be in a position to control access to, and commercial exploitation of, their personal information.

Once the nature of this ownership is defined legally, systems and procedures could then be put in place to support management of access to this information by those who need it. Companies that make money from collecting, buying, and selling personal information would, in return for the individual’s willingness to release this information, pay that individual for the use of the information.

Here’s how I see this working. Legislation would be introduced to explicitly define the nature of ownership of certain types of information by individuals. Individuals should then be given the ability to define the level of access they wish to provide to their personal information.

Some may not wish to participate at all. That would be their right. Access to their personal information would be restricted and limited to certain governmental, national security, or public health uses, with appropriate safeguards to protect privacy.

For those individuals who wish to allow the commercial use of their personal information, they would register with an appropriate “access rights” organization. This would be their public declaration of their willingness to allow for the commercial exploitation of their personal information. Any organization desiring to buy and sell information about these individuals would then need to check the registry to see what access level is being defined by that individual, and pay accordingly.

Such a system would have the following types of benefits:

• It would explicitly recognize the desire of some people to prevent commercial exploitation of their personal information.
• It would provide for an incentive – payment – for others who wish to allow the commercial exploitation of their personal information.

Some companies will argue that adding a layer of extra payment over and above the current fees associated with collecting and managing personal information would be an onerous burden. On the other hand, paying for personal information might actually encourage more participation and potentially may provide access to more (and more valuable) information.

I believe in the rights of an author, composer, or performer to control exploitation of creative works. I also believe that if someone benefits financially from buying and selling information about me or my family’s financial transactions or medical history, I should be able to share in that money.

I’m under no illusion that such an arrangement would provide a financial windfall for any individuals. I do know that, as the sophistication of marketing and sales technology grows, there will continue to be a drive on the part of merchants, vendors, and service providers to “personalize” what they offer me. They do this by storing and manipulating information about my habits and financial status. Some of that information they get directly from me, some they buy from vendors such as ChoicePoint.

I say, let’s cut to the chase. If a vendor of, say, home appliances wants to know my age, sex, race, income, religion, ethnic origin, sexual orientation, hobbies, dreams, hopes, and fears, I say, let the vendor pay me by using the “licensing” or “permissions” organization I’ve authorized to serve as my agent. The vendor’sinformation will then come directly from the horse’s mouth, so to speak.

There are many questions unanswered about such an arrangement. What kind of dollars are we talking? How complex would systems have to be to support this? How many people would opt in – or opt out? What kinds of information would be “reserved” by the government as being both essential to be collected – and private? Is “intellectual property” law an appropriate model for such a system?

I don’t know the answers to these questions, but I would like to give people some options that balance privacy and commercial interests.

Copyright (c) 2005 by Dennis D. McDonald

Update

on 2007-09-05 20:08 by Dennis D. McDonald

I've gotten very useful comments from colleagues and friends and have also been doing some research on the topic.

Right now I'm concentrating on using web-based research tools and have downloaded reports from various university sources. I've also purchased an academic treatise on "ownership." I'm also making a list of companies that would be most affected by having to set up and maintain a system to manage transactions and payments for personal data.

There are many topics related here. My initial three-ring Venn diagram showing Ownership, Privacy, and Commerce is simplistic, as I know it would be. Other topics that touch on on protection and management of personal data on the concept of ownership include:

• Biometrics (how do you prove you're really you?)
• Digital rights (there's a lot on this and most seems associated with media conglomerates attempting to prevent use and copying)
• Privacy (this is much in the news given recent events. It also appears that European countries have a somewhat different approach to government involvement in enforcing privacy)
• Medical data ownership
• Alternate business models to support "free distribution" of scholarly information
• Voluntary cooperation with data gathering schemes such as supermarket frequent-purchaser discount cards.
• Emergence of alternative intellectual property rights management schema (e.g., Creative Commons)

I am not the first to suggest personal data ownership as a mechanism for managing privacy and access in support of societal and commercial transactions. However, it appears that much of the discussion along these lines is either of an academic or theoretical nature, especially as it pertains to intellectual property and entertainment. I think to make real progress here you really have to "follow the money."

A couple of things have emerged:

• The title of my paper starts with the words "Identity Theft" -- this is probably too narrow a focus. I'll need to come up with a better title. Any suggestions?
• The old saw "technology is outstripping the law" is heard nearly everywhere. This reminds me of my early days in consulting when I was doing research on copyright, photocopying, scholarly publishing, and bibliographic data ownership. "The more things change the more they stay the same."
• At least here in the United States, the basic concept of the Copyright Law having been established to actually promote "science and the useful arts" seems to have been swept aside. It now seems that Copyright is sometimes being used to maintain long-term media conglomerates so they can perpetually license music and other media they now own, often long after the death of the creator. This is one of the reasons the more flexible"Creative Commons" approach has gathered some interest, even to the point of including a beta version of a Creative Commons search engine with the Firefox web browser.
• Defining who owns "personal data" is going to be very tricky, especially if the concept of intellectual property is applied to it. If someone makes money by buying and selling information about my behavior that they have independently gathered without my knowledge, how can I claim that information as "my intellectual property"? (This is where the theoreticians and legal scholars come into play.)

Still, in my reading of the social and legal background of "private property," I do see that there could be an argument for treating "personal data" as "private property" from the perspective of maintaining a functioning society where individuals consciously balance their own self interest with the needs of society. Such arguments tend to get pretty esoteric but this may be why the academic sector and its various research institutes and think tanks are so vocal on issues of privacy.

Still, my next step will be to try to "get real" how such an approach might work, where individuals offer through an online registry open access to certain types of personal data --- for a price.