< Professionalism

Case study into professional ethics surrounding Data Ownership.

In Correspondence with STS 4600 at the University of Virginia.

Introduction

"Data ownership refers to both the possession of and responsibility for information. Ownership implies power as well as control. The control of information includes not just the ability to access, create, modify, package, derive benefit from, sell or remove data, but also the right to assign these access privileges to others."[1]

Data is fast becoming one of the most valuable resources on Earth.[2] With a resource so highly valued, it is generally the case that its source is also of value. However, unlike most valuable resources such as oil or gold which are sourced from the Earth, data is sourced from people, who cannot be owned. This brings up a host of ethical dilemmas regarding the ownership of personal data.

Unwittingly, people agree to terms that consent to the collection and sale of their own personal data every day. These terms are generally presented in the form of fine-print terms and conditions statements or unassuming notifications from mobile apps asking to access information from your device. Once a person's data is in the hands of a data broker, the majority of them do not allow the person any control over the data that was collected from them.[3] Additionally, California is currently the only US state with any legislation requiring these data brokers to provide people the option to opt-out of allowing the sale of their data.[4]

Legislation

California

In California, a new law called the California Consumer Privacy Act (CCPA) gives consumers rights over their data that companies use. The law went into effect on January 1, 2020 and gives Californian the rights to know what personal data is being collected about them, know whether their personal data is being sold or disclosed and to whom, say no to the sale of personal information, have access to their personal information, and to equal service and price.[5]

European Union

The General Data Protection Regulation (GDPR) is the EU’s data privacy and security law.[6] It was put into place in May 2018, and includes a provision for the right to be forgotten. The EU has been improving privacy policy since 1995 when it implemented the Data Protection Directive.[7]

Right to be forgotten

The Right to be forgotten is the idea that an individual has the right to control personal data that is available on the internet. There are laws in place in several countries that strive to make this right possible. The European Union has made efforts over the past several years in particular. Article 17 of the EU’s General Data protection Regulations gives this right and lists several conditions for when it applies.[8] There are two important court cases surrounding this right.

Court Cases

In 2014 the Google Spain case set precedent for the right to be forgotten in the EU. The case arose when a Spanish man complained about an old newspaper article selling his repossessed property. The man felt that because his debts had since been resolved it was unfair that this search result still appeared.[9] The EU court ruled that the info should be deleted. Some claim deleting information like in this example is a form of censorship. This idea prevailed when a similar court case was heard between google and a french privacy regulator in 2019. The case was about the jurisdiction of the Right to be forgotten. The EU court ruled that search results do not have to be deleted outside of the EU. Google does this using it’s Geoblocking tool which restricts access to search results based on the location that the search was performed. The U.S for instance, does not have a national right to be forgotten law in place, so the search result would not appear in the US.[10]

Country Comparison

There is no one approach to data ownership and data privacy. In the US, we don’t have a nation-wide right to be forgotten law like the EU, but in 2020 California put in place a new data privacy law similar to the EU’s which allows Californians to request access to their information, and to request it to be deleted.

Some see this as a step in the right direction, but there are still some issues. For example, in CA you often have to manually opt out of companies using your data which is different for most sites that you would use. Some companies have decided to roll out these changes across the whole US for consistency, while others have not.[11]

China has a privacy law similar to the EU’s GDPR called the Personal information security Specification that was enacted in March 2018.[12] But there is trade-off between privacy and surveillance. It is difficult to both maintain government access to citizen’s information while at the same time protecting citizens from their data being used by others.[13]

Handling issues of data ownership is often not straightforward and there are many uncertainties and trade-offs.

Data as a Commodity

General

In today's digital age, data has irreplaceable value. The largest consumers of user data include Google and Facebook, followed by Amazon, Apple, and Microsoft.[14] These big tech companies use data for obvious things such as tailored advertisements and understanding consumer behavior, but the primary application is providing data for input to artificial intelligence algorithms.[15] When data is such a valuable commodity, the question of whether data producers should be paid for their contribution arises. Currently, the only compensation an average user receives for providing data is the use of some free applications such as the Google search engine, Facebook, or Skype.

Data Brokers

Data brokers are entities that collect and sell data. Since the terrorist attacks of 9/11, there has been a high demand for highly accurate identification of individuals through data and data brokers such as LexisNexis, Axciom, and Experian have been able to fill this demand through the collection of highly personal information from millions of people.[16]

The ways in which data brokers collect data are numerous and include public records, internet scraping, as well as getting people to opt-in to their data collection schemes through terms and conditions statements.[17] Some of the data collected could be subject to federal law, but the lack of regulation of data brokers in the US allows data brokers to buy and sell the information anyway.[18]

Once a data broker has someone's information, it is nearly impossible for them to regain control of their data. As of April 2020, there is currently only legislation in the State of California that requires data brokers to provide people the option to disallow data brokers from selling their data.[19] However, this task of opting-opt of personal data usage is not a straight forward one. There is no consistency among data brokers in the processes that are set up for people to opt-out, and some cost money.[20] Additionally, it is often difficult for people to know exactly who is collecting their data, as many data collection schemes that data brokers use contain no mention of the broker's name.[21]

Case Studies

Data Collection Freedom for Data Brokers

The lack of legislation regulating data brokers means that there is little to dictate how data brokers go about collecting data. Some data is free to collect, such as public webpages or public records. Other, often times more personal, data is not however, and so data brokers have developed processes to getting users to unwittingly agree to terms.

An example of this is X-Mode, which is a data broker that collects location data from people's smartphones through software embedded into mobile apps.[22] when a user downloads an app running X-Mode's software, the app prompts the user to allow it to use the device's location data without any further information. Many users will allow the app to use the data because they want to be able to in-app features. However, what is unknown to the user is that their location is now being tracked, and that data sold by X-Mode. This lack of transparency in the X-Mode process can be contrasted with that of 23andMe. Where X-Mode's approach doesn't informs user about their data usage, 23andMe tells used exactly who wants to use their data, and how and why they want to use it.

Facebook and Cambridge Analytica Scandal

In 2014, 250,000 users were paid to take a personality survey through an app which scrapes their Facebook profiles. They consented to the collection given it was for academic use by Cambridge University’s Psychometrics Center. Aleksander Kogan, a professor at the University, used the app to gather data about 87M Facebook users, and sold this information to Cambridge Analytica.[23] The acquired data included identities, friend networks, likes, and location information.[24]

Within the next year Facebook learned that the data was being used by Cambridge Analytica. They removed Dr. Kogan's app from the site and demanded that Cambridge Analytica delete the data.[25] Cambridge Analytica confirmed that the data was deleted. However, in 2016 the company was hired by the Trump 2016 Presidential Campaign to provide tools for identifying personalities of American voters and targeting advertisements to influence their behavior.[26]

The scandal exploded in 2018 when Whistleblower Christopher Wylie exposed Cambridge Analytica’s misuse of Facebook data, including that it was not in fact deleted. In the words of Mark Zuckerburg when he testified to congress: “When we heard back from Cambridge Analytica that they had told us that they weren’t using the data and deleted it, we considered it a closed case. In retrospect, that was clearly a mistake.”[27] Facebook also suspended Cambridge Analytica from the site at this time.

Interestingly, Facebook claimed this was not a data breach. Facebook VP and Deputy General Counsel Paul Grewal stated in 2018: "The claim that this is a data breach is completely false ... People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked."[28] Facebook routinely allows researchers to collect user data for academic purposes, as Dr. Kogan's app did. However, Kogan broke the rules when he sold the data to Cambridge Analytica, a commercial third party.

For more information, see Facebook-Cambridge Analytica data scandal.

Ethical Implications and Further Work

In any study that uses participants to gather data, the participants must give informed consent. For a participant to give informed consent, they must be informed of all relevant information including how the data will be used, they must understand that information, they must participate voluntarily, and they must have the capacity to make a decision about whether to participate.[29] The EU's GDPR is the most comprehensive regulator of online data in that whenever a company collects personal data from a citizen, it requires explicit and informed consent by that person in the form of opting in to the data collection.[30]

However, the case studies presented above exemplify that this practice is nowhere near ubiquitous. Data collection policies hidden inside terms and conditions and apps that do not disclose the true uses of collected data do not satisfy the requirements for informed consent. The US and the rest of the world would need stronger regulation on data harvesting in order to protect the individual rights of online users.

Ethical Dilemmas

Data Privacy vs. Data Availability

Easy access to large amounts of data could be used to improve human condition and help us to make advancements, but this could easily be misused. An example of this is the Cambridge Analytica Scandal in which data was shared without consent. This data was then used to influence the 2016 election. However, there's no reason that data like this could not be used for benevolent reasons.

Personal Rights vs. The Common Good

At what point should personal freedoms be limited to benefit the common good. A good example of this is medical data. Medical data collected could produce advancements in science and medicine, but how is that balanced with an individual’s right to privacy of personal information? We’ve seen this recently surrounding the COVID19 crisis.[31]

Transparency vs. Accessibility

Should companies be able to sell user data collected without being transparent about it's collection? In the section above, this is discussed in relationship to the company x-mode. Companies are able to keep cost of their services low or free by selling user data (location data in the case of x-mode) without really being clear about doing so. Should users have a choice in this? Should I be able to chose to pay for an app rather than sharing my location or other data?

At the end of the day there are good arguments for handling data ownership problems a variety of different ways. These questions are important to consider, especially as new legislation begins to arise around data ownership and privacy.

Further Work

There are many other cases in which data ownership is an ethical dilemma, some of which already have chapters in this casebook. One such example would be the data privacy case with Apple, the FBI, and Personal Data. Extensions of this chapter could explore more cases that provide additional evidence or considerations for ethical data ownership, or they could dive deeper into an investigation of data ownership legislation and regulation.

References

  1. U. (n.d.). Office of Research Integrity. Retrieved April 29, 2020, from https://ori.hhs.gov/education/products/n_illinois_u/datamanagement/dotopic.html
  2. The world's most valuable resource is no longer oil, but data. (n.d.). Retrieved April 29, 2020, from https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
  3. Pasternack, A. (2019, May 28). Here are the data brokers quietly buying and selling your personal information. Retrieved April 29, 2020, from https://www.fastcompany.com/90310803/here-are-the-data-brokers-quietly-buying-and-selling-your-personal-information
  4. Whittaker, Z. (2020, January 02). Here's where Californians can stop companies selling their data. Retrieved April 29, 2020, from https://techcrunch.com/2020/01/02/california-privacy-opt-out-data/
  5. AB-375 Privacy: personal information: businesses. (2018, June 29). Retrieved April 29, 2020, from http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
  6. General Data Protection Regulation (GDPR) Compliance Guidelines. (2020). Retrieved April 29, 2020, from https://gdpr.eu/
  7. The History of the General Data Protection Regulation. (2017, March 29). Retrieved April 29, 2020, from https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en
  8. Everything you need to know about the "Right to be forgotten". (2020, April 24). Retrieved April 29, 2020, from https://gdpr.eu/right-to-be-forgotten/
  9. Cellan-Jones, R. (2014, May 13). EU court backs 'right to be forgotten' in Google case. Retrieved May 3, 2020, from https://www.bbc.com/news/world-europe-27388289
  10. Kelion, L. (2019, September 24). Google wins landmark right to be forgotten case. Retrieved May 3, 2020, from https://www.bbc.com/news/technology-49808208
  11. Morrison, S. (2019, December 30). California's new privacy law, explained. Retrieved April 29, 2020, from https://www.vox.com/recode/2019/12/30/21030754/ccpa-2020-california-privacy-law-rights-explained
  12. Sheng, W. (2020, March 16). One year after GDPR, China strengthens personal data regulations, welcoming dedicated law · TechNode. Retrieved April 29, 2020, from https://technode.com/2019/06/19/china-data-protections-law/
  13. Feng, E. (2020, January 5). In China, A New Call To Protect Data Privacy. Retrieved May 3, 2020, from https://www.npr.org/2020/01/05/793014617/in-china-a-new-call-to-protect-data-privacy
  14. Porter, Eduardo (2018). Your Data Is Crucial to a Robotic Age. Shouldn't You Be Paid for It? The New York Times. Retrieved 30 Apr 2020.
  15. Ayala, Manuel (2018). Should tech companies pay us for our data? World Economic Forum. Retrieved 30 Apr 2020.
  16. Data Brokers: Background and Industry Overview. (2007, May 03). Retrieved April 29, 2020, from https://www.everycrsreport.com/reports/RS22137.html
  17. Data Brokers: Background and Industry Overview. (2007, May 03). Retrieved April 29, 2020, from https://www.everycrsreport.com/reports/RS22137.html
  18. Data Brokers: Background and Industry Overview. (2007, May 03). Retrieved April 29, 2020, from https://www.everycrsreport.com/reports/RS22137.html
  19. U. (n.d.). Office of Research Integrity. Retrieved April 29, 2020, from https://ori.hhs.gov/education/products/n_illinois_u/datamanagement/dotopic.html
  20. Nield, D. (n.d.). How to Opt Out of the Sites That Sell Your Personal Data. Retrieved April 29, 2020, from https://www.wired.com/story/opt-out-data-broker-sites-privacy/
  21. Grauer, Y. (2018, March 27). What Are 'Data Brokers,' and Why Are They Scooping Up Information About You? Retrieved April 29, 2020, from https://www.vice.com/en_us/article/bjpx3w/what-are-data-brokers-and-how-to-stop-my-private-data-collection
  22. App Publishers: X-Mode. (2020, April 23). Retrieved May 29, 2020, from https://xmode.io/app-publishers/
  23. Kozlowska, Hanna (2018). The Cambridge Analytica scandal affected nearly 40 million more people than we thought. Retrieved 30 Apr 2020.
  24. Granville, Kevin (2018). Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens. The New York Times. Retrieved 30 Apr 2020.
  25. Granville, Kevin (2018). Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens. The New York Times. Retrieved 30 Apr 2020.
  26. Rosenburg, M., Confessore, N., & Cadwalladre, C. (2018). How Trump Consultants Exploited the Facebook Data of Millions. The New York Times. Retrieved 30 Apr 2020.
  27. Watson, Chloe (2018). The key moments from Mark Zuckerberg's testimony to Congress. The Guardian. Retrieved 30 Apr 2020.
  28. Grewal, Paul (2018). Suspending Cambridge Analytica and SCL Group From Facebook. Facebook. Retrieved 30 Apr 2020.
  29. Garcia, Christine (2018). Everything You Need to Know About Informed Consent. Retrieved 30 Apr 2020.
  30. Garcia, Christine (2018). Everything You Need to Know About Informed Consent. Retrieved 30 Apr 2020.
  31. O'Neill, P. H. (2020, April 28). How Apple and Google are tackling their covid privacy problem. Retrieved May 3, 2020, from https://www.technologyreview.com/2020/04/14/999472/how-apple-and-google-are-tackling-their-covid-privacy-problem/
This article is issued from Wikibooks. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.