BLOG - Data Privacy: We Are Solving the Wrong Problem

There is a national conversation about data privacy going on.

Some trace this to large-scale incidents at Yahoo, Equifax, and Facebook. Others see a pattern emerging from the constant news of not-quite-as-large ones. In the past couple of weeks, Saks, Lord & Taylor, Best Buy, Sears, Under Armour, and Delta Airlines all disclosed breaches. The Identity Theft Resource Center tracked 1,579 of them in 2017. That’s more than 30 per week.

Consumers are rightly concerned about identity theft and a loss of privacy. Congressional hearings, perp walks, and new regulations are coming.

In our rush to express outrage and “fix it”, we overlooked one important thing:

We are trying to solve the wrong problem.

Many assume that data privacy means data secrecy. It doesn’t. The really crazy thing is that we are now trying to treat data that has already become public as a secret. Think about that.

The Horse Has Left the Barn

Broadly known, widely shared information is being treated like nuclear launch codes. Securing information that’s already out there is like closing the barn door after the horses are out. Are we worried about the horses coming back in?

Take so-called Personally Identifiable Information. You are told to keep your Social Security Numbers (SSN) secret, like a password. If someone knows your SSN, they can steal your identity, open credit, file fake tax returns, and generally make your life miserable.

Don’t tell anyone this secret password. Except your employer. And your bank. And your stock broker. But that’s it. Oh, and every credit card company you have ever used. And of course, your physician, and your dentist. And every insurance company, ever. And the cable and electric companies. And your mortgage provider.

This is entropy in action. The more people that know and share your SSN, the more it will be known and shared over time. Wasn’t the first rule about secret passwords to not tell them to anyone?

Predictably, there is a sense of urgency to get angry and pass laws when someone who has a copy of your SSN leaks it. So many companies handle and share this data that leaking was inevitable. The crazy part is that SSNs are already widely shared and are already widely known. Some secret!

It’s not just SSNs. It’s true about lots of data. I get far too many automated “robocalls” and calls from telemarketers. Over the years, I’ve shared my phone number with enough people and companies that it’s impossible for me to think it’s a secret. I can pretend that nobody knows the number, ask the phone company for it to be “unlisted”, and complain about every ring, but that won’t stop the robocalls.

The truth is, I don’t really care if people know my phone number. I don’t care if they know my SSN. I don’t care if they know my name and my credit card number.

What I care about is that my information is never USED without my approval.

Consumers Need to Regain Control

Data privacy should be about me, as a consumer, regaining CONTROL of how my information is USED. Misuse is identity theft and fraud. Misuse is robo-calling me. Misuse is making unauthorized charges on my credit card. Misuse is filing a fake tax return. Misuse is creating new credit in my name. Misuse is draining my bank account.

Of course, you do have some data that is still legitimately private. That’s data that you would be uncomfortable sharing. Maybe your income, maybe a medical condition, maybe your voting record. There isn’t a lot of “uncomfortably private” data, and we need rules to protect it. Misuse of that data is sharing it without your specific approval each and every time.

We shouldn’t be angry that Facebook has a lot of consumer data or that they want to monetize it through targeted advertisements. That was the deal made when Facebook offered a free service to let us share posts with family and friends (after all, Facebook has to make money to pay for its data centers and employees).

But what is unacceptable, if true, is that a company named Cambridge Technica is alleged to have misused Facebook data to manipulate people’s votes. That’s unauthorized use of data.

Rather than focusing on penalizing those who legitimately hold data, we should penalize those who misuse it.

What do we really care about? In our rush to protect data from being known, have we lost sight of the fact that what we really care about is our data and identity being USED without our permission? Should we focus on what a Facebook did/didn’t do, or what a Cambridge Technica did/didn’t do?

The newest privacy regulations in Europe are called “GDPR.” Europe thinks they addressed the problem by further regulating data holders like Facebook, Google, and banks. A better approach would be to thoughtfully regulate data misuse, forcing those that receive and process consumer data to get explicit permission for every use-case. Not permission buried in a “terms of service” legal agreement, but real authorization to process our data after telling us what they want to do and why.

Focusing on misuse covers general cases like identity theft and fraud. It also covers misuse by sharing “uncomfortably private” data without specific permission. Regulating misuse means regulating any intentional action that someone took with our data.

If regulated correctly, you can have most of my data. My SSN, credit card, driver’s license, phone number, and all my other numbers. Legitimate businesses won’t allow you to misuse my data, and illegitimate ones will be held accountable if they try.

Lou Steinberg is a Managing Partner at The Authoriti Network,