Bloomberg Law
Nov. 13, 2019, 9:01 AM

INSIGHT: Laws Protect My Physical Property, So Why Not My Electronic Data?

Sam Curry
Sam Curry
Joseph Moreno
Joseph Moreno
Cadwalader, Wickersham & Taft

The idea of a U.S. Digital Bill of Rights setting forth how our personal data may be used, sold, given away, stored, and disposed of has been debated for years. One thing is clear, though: personal data is your own property and not free to others.

We all know there is no limit to the appetite data brokers have for our personal information, and we have seen with Cambridge Analytica data scandal and the 2016 presidential election how even the supposedly legal use of data can still feel wrong. Yet coming up with a legal and technical framework for how this data should be handled seems to be getting even more elusive as the privacy waters get ever murkier.

A Real Property Rights Analogy

Let’s look at real property rights for an analogy. Once upon a time in the United States, any land that was not enclosed was unowned. People could always move out west and—via various degrees of legality—enclose land, farm it and own it. Today there is no more unowned land that someone does not ultimately have rights to. If someone wants to come along and use any piece of land, they have to find the owners and work out terms.

Whether through private sale or eminent domain by the government, there is a legal construct through which land is protected and conveyed, and this is true throughout the developed world. No one can just take your land.

Yet companies are behaving as if your personal data was free and not, in fact, your property. This cannot be more wrong. The information related to how we as human beings interact with one another, with the world around us and what we do in our lives is a class of data that is 100% owned by the participants. Your share in any one “piece” of privacy data could be go from 0% to as high as 100%, but every piece of data that we would call privacy-relevant is 100% owned by someone. So let’s be clear: there is no unowned privacy data.

And all this privacy data has a value depending on how up-to-date and useful it is to whomever is seeking to harvest and use it. Think of “graph theory” as a branch of mathematics that builds models that show pairwise relationships among objects such as people, machines, locations and just about anything else—in effect, a giant Tinkertoy-like structure.

This can illustrate the relationship among people and computers in a company or on a larger scale the social relationships among everyone who subscribes to a social network like Facebook or Instagram. In fact, this is exactly what social networks use to understand relationships and make a profit on them.

The physical world can be thought of as the ultimate graph—that is, that there is an ideal graph that could be built to map out how everything is connected to everything else. The race is on, by the way, for data brokers to develop the most up-to-date, sustainable and useful graphs that get closer to this universal, ultimate graph.

When you take part in a social network (and very often even when you don’t), you are helping to populate a model that seeks to get as close to possible to that ultimate graph. The problem is, all this value is for the benefit of others. The underlying potential of all these social media companies is that should they have the more complete and total graph, they will have endless ability to make money with your information.

Features of a Personal Data Property Framework

What would a personal data property framework look like? It would need to define what constitutes personal data and when ownership attaches. It would require a system of tracking where such information is located and what is done with it—possibly leveraging blockchain or similar technology.

And there would need to be a set of rules that apply across borders and regardless of citizenship. Anyone who wants to monetize and use any information about relationships among people and the world would have to enter into a commercial relationship to do so.

In the European Union, the General Data Protection Regulation (GDPR) and case law establishing a “right to be forgotten” recognize that individuals have rights in how their data is used and by whom. Here in the United States, in the absence of a national data privacy standard, states such as California and New York have stepped up with new laws on how consumer data is handled and how companies must respond in the event of a breach.

But what we are talking about is more ambitious: an electronic property rights system based on the fundamental premise that there is no unowned privacy data in the world. Creating or harvesting this data without informed consent from the real owners, without the further ability to report on its use, and without accountability for keeping it accurate and reporting on it is not only unethical but should also be illegal.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Sam Curry is the chief security officer for Cybereason. He previously held leadership positions at McAfee, Computer Associates, and other technology companies and startups. He holds more than 20 patents in cybersecurity and also sits on the board of the Cybersecurity Coalition.

Joseph Moreno is a former federal prosecutor with the Department of Justice, a former staff member with the 9/11 Review Commission of the Federal Bureau of Investigation, and a U.S. Army combat veteran. He is currently a litigation partner with Cadwalader Wickersham & Taft.