STANFORD — We all live with a digital doppelgänger that resides in various computer databases — where major decisions about our lives are made on the basis of this digital other, a law professor warned.
“The FBI doesn’t need to break into my house and search it,” said Daniel Solove. “They can get everything they want to know from Amazon.com or my ISP.” Solove, a professor at the George Washington School of Law, spoke at the Center for Internet and Society at Stanford University on Monday.
“The information in databases increasingly has an effect on our lives in real spaces,” said Solove, author of The Digital Person: Technology and Privacy in the Information Age. “And the way we think about the problem has dramatic effects on how we go about solving the problem.”
Solove recommended new regulations for the ways companies do business, requiring them to do more to keep the personal information they store secure and to inform consumers when that information is compromised. He thinks there should be more limitations on what kinds of things companies can do with consumer information.
Solove also called for limiting the use of Social Security numbers, date of birth or other easily obtainable information as identification or authentication for accessing accounts. After recent data breach incidents in the news, members of Congress have called for hearings, investigations and new legislation to protect the information collected by private data brokers.
As they take part in modern society and commerce, Solove pointed out, consumers generate digital dossiers that are kept by insurance companies, banks, internet service providers and merchants. These records are increasingly being sold, consolidated, transferred and combined.
“Companies you may never have heard of have dossiers about you,” he said.
For example, Catalina Marketing adds over 250 million transactions a week to its database of supermarket discount card users, Solove said, while Aristotle maintains — and sells — a database of 150 million voters. Hippo Direct keeps information on consumer’s medical maladies. Marketers can buy a list of consumers with boils or bulimia. And Hippo Direct isn’t bound by the Health Insurance Portability and Accountability Act (HIPAA), a law that requires insurance companies and medical service providers to keep patient info secure and confidential.
Now, Solove said, “Government is becoming enamored by what Amazon.com can do. If you can look at patterns to see what consumers are likely to buy, maybe you can look at patterns to see whether or not I’m a terrorist,” he said.
Solove said the government’s controversial Total Information Awareness data mining program hasn’t gone away. (Congress cut funding for the program in 2003.)
“Government data mining and the actual crunching of the information is being outsourced to private sector businesses — including ChoicePoint,” he said. “ChoicePoint has a dossier about almost every American citizen and contracts with at least 35 federal agencies, including the IRS and the FBI.”
In February, ChoicePoint was forced to reveal that it had sold the personal information of around 145,000 consumers to crooks. The admission came months after the gaffe, and only because the State of California requires businesses to inform its citizens when their information has been compromised.
Solove said that neither the law of the land nor legal concepts had kept pace with the development of digital dossiers.
“We’re laboring under outmoded conceptions of privacy, and these conceptions are keeping courts from responding to real problems they’re causing.”
For example, while the law has a good grasp of situations that cause quantifiable harm, such as when someone’s credit card is stolen and used to make purchases, it has no way of assessing the harm to society from something like the ChoicePoint fiasco.
“When the ChoicePoint story broke, a lot of people felt harmed, even if their identities hadn’t been stolen,” Solove said. “Now they were more likely to be victimized in the future. Something was compromised by what this company was doing. We have to come up with a way to assess that harm without the traditional tort model.”
Another woeful lack in the law is the Third Party Doctrine, which holds that once a secret about a person has been revealed, that person has no more expectation of privacy about it.
“The problem with this view is that people will lose any ability to claim a privacy interest in any of their data, because we can’t live without having hundreds of records about us held by third parties,” he said.
In general, Solove wants to see the burden of monitoring security of the digital dossier taken from consumers and placed with the companies that profit from it. As it stands, he said, “Businesses have little incentive for preventing identity theft. The companies can easily write off any costs, while the consumer has to clean it up.”