As a database engineer, it's fairly intuitive to me what is an is not Joe Blog's data. But that just means I use the genitive case when describing the relation - it doesn't mean Joe has property rights. Joe's credit card number very much "belongs" to him informally, but the card company has more actual rights regarding it. Ownership is a bad model extroplated out of linguistic usage.
But privacy matters, so anyone who has Joe's credit card number (or home address or what-not) should risk penalties for mishandling it. And the risk should make them not want to hold such data casually.
Email and social-posting archives, etc, are different but again ownership of the data is not the point. These services are definitely contractual in character. Given user's reliance interest, governments (preferably courts) should declare that gMail, Facebook etc. are bound by implicit contracts. That would be a Hayekean articulation of the implicit understanding that grew up through practical interactions.
Keep in mind that 'anonymous data' is _very_ hard to create/maintain – effectively impossible in many cases. As Gwern says/writes "everything is correlated". See the saga of the "Netflix Prize" for a great example of this.
It also seems weird to give people ownership of data that is _almost entirely_ the same as MANY other similar 'datasets'. I think some crimes have been solved not by having the alleged perpetrator's DNA, but a relative of theirs. Given the extreme 'entanglement'/correlation of DNA data, any 'ownership' scheme would likely be either useless or extremely Baroque in its complexity (and thus probably useless too).
A set of rules to handle every specific might be futile, but one could imagine a different default legal position.
Currently, the default position is something like "if you use a company's computers, they can do as they please with the information they get".
An alternative would be something akin to the common carrier rule of "if you use a company's computers, they can't do much of anything based on the information they collect". Effectively, make the storage space a company provides be the intangible cognate of a self-storage locker.
I wonder how many of the rights we believe we have to our data now are legally enforceable vs enforced by reputation. For example, suppose Google decided to publicize the entire contents of my Gmail archive. Would I have grounds to sue them under existing law for violating an explicit or implicit contractual commitment they had made to me to keep my data private? Or am I protected "only" by Google's knowledge that such an act would cause a mass exodus from Gmail (not to mention causing a lot of Google engineers to quit) as customers realized Google could not be trusted to respect their privacy?
This is the sort of thing I expect people who write Terms of Service would know, and almost no one else would.
Nicholas, I am an attorney. I think your Google hypothetical would not be looked at contractually, but would instead be assessed under the right to privacy. That right varies from State to State (in California it is both constitional and statutory), but an egregious public disclosure of presumptively private information almost certainly would violate the right. And an attempted exculpation via oppressive Terms of Service would likely be unenforceable on public policy grounds.
Another attorney here. I concur but note that California has much more plaintiff-friendly privacy laws than most other states. That’s not unique to privacy, so it is one of the reasons that companies are leaving California. Most privacy laws look first to control dissemination, then use, then collection. Some look to control transferability — the right to get “your” data. None that I’m aware of — either proposed or enacted — require a holder of your data to continue holding it beyond the time specified in their policies for getting a copy of it.
Also note that there really isn’t such a thing as data ownership legally. If there was, you could sue for trespass if someone destroyed your property. Instead you have particular rights, mainly of privacy. It is even less than copyright, which does not extend to unorganized data like that about a single person. (Thank goodness. Copyright usually belongs to the author, which would probably be Google, not you.)
It's all about control - who gets to decide, who is in charge, who makes 'the rules'.
Data Ownership is just an extension of ordinary intellectual property concepts. People who put stuff online for other people to see want to be like authors, inventors, software developers, etc. in gettng to decide who sees what and under what terms. Or, at least, not being entirely subject to the whims of some other entity and without any capacity for recourse.
In more familiar contexts, this can be done with the legal system with copyrights and patents and the option to appeal to the court system for remedy for transgression.
But it can also be done with technology that is designed to be self-securing / self-enforcing, and new crypto tech opens up even more robust possibilities in this regard.
Unless you are under a contract that specifies otherwise, using a huge private company's centralized servers as a platform to convey one's content to the world is currently often fraught with a nearly complete abandonment of any possibility of exercise of this kind of control. For a while no one thought there was any feasible alternative to that practice, but now, there is.
Copyright is a good example of why information ownership is troublesome. Enforcing it requires intrusive efforts. To enforce copyright, your DVD player must be a servant of Sony and not you, and that needs to be backed up by the Digital Millenium Copyright Act preventing nerdy users from "tampering" with their own property. And even that wasn't enough until Netflix became more convenient than BitTorrent.
That's how much effort the giants need to enforce their legal rights against ordinary Joe. If legislation grants Joe similar rights over "his" data, how is he gong to enforce them against the giants?
The problem with this approach is the assumption that you would be treated as the author of data about you. When Google uses cookies to collect information about you, Google would almost certainly be the author of that data of data were subject to copyright. Only data that individuals type would be owned by them. And so, for example, all the emails that you received in your Gmail account would be owned by the senders, not by you. Analogies to copyright are generally a bad approach, which is why no jurisdiction has followed that approach. Instead, they come up with principles that track closer to privacy.
Enforcing copyright doesn't require DRM. It just requires registering the relevant copyright and filing a lawsuit in federal court. If anything, DRM'd devices are a middle ground that is supposed to obviate the need to go to court.
Big companies actually have zero problem suing individuals like this in terms of the cost, but they don't like the negative publicity, so they prefer using informal methods and backdoor licensing arrangements like Youtube Trueview. There are automated tools for detecting infringing torrent users, automated methods for doxxing users by requesting IP unmasking from the ISPs, and most users will default. Big companies love the DMCA because it gives them the option to quash posting or sharing without the need to get ugly headlines about how they are suing people into penury.
If legislation gave ordinary Joe more rights over their telemetry data (which federal law already does for purposes of email marketing -- many marketing practices which are illegal in email marketing are legal in social networking), Joe would enforce his rights by suing for breaches and/or reporting it to the government. Realistically, many of the services that are now free would not be feasible as free services anymore.
In law as in medicine, it is better to be preventative than reactive. In general, any approach which requires a typical individual of ordinary means and sophistication to appeal to the legal system to enforce their rights against giant, rich companies who get to dictate the terms in the TOS / EULA is doomed to failure.
So, instead of leaving your doors and windows wide open and calling the cops after you get burgled, how about locking the doors and putting some bars on the window, so you don't get robbed in the first place?
Any efforts to extend or reform existing legal institutions to address this issue are futile and hopeless.
If people really want to control 'their' data, they will have to use tools and methods and services into which the default capacity of individuals having such control is baked in to the very structure of the protocols and systems.
New crypto tech now makes that all technically possible. Some of it is out there and already in use. Will enough people care enough to switch? We'll see.
> If people really want to control 'their' data, they will have to use tools and methods and services into which the default capacity of individuals having such control is baked in to the very structure of the protocols and systems.
Law and regulation will have much to say on whether such tools are economically dominant, merely feasible, or even allowed at all.
I have DRM as an example of the intrusive machinery required to enforce data ownership. And your counter is to detail the other intrusive surveillance machinery used to enforce it.
How is average Joe to detect these breeches that he is supposed to be able to sue under?
As a database engineer, it's fairly intuitive to me what is an is not Joe Blog's data. But that just means I use the genitive case when describing the relation - it doesn't mean Joe has property rights. Joe's credit card number very much "belongs" to him informally, but the card company has more actual rights regarding it. Ownership is a bad model extroplated out of linguistic usage.
But privacy matters, so anyone who has Joe's credit card number (or home address or what-not) should risk penalties for mishandling it. And the risk should make them not want to hold such data casually.
Email and social-posting archives, etc, are different but again ownership of the data is not the point. These services are definitely contractual in character. Given user's reliance interest, governments (preferably courts) should declare that gMail, Facebook etc. are bound by implicit contracts. That would be a Hayekean articulation of the implicit understanding that grew up through practical interactions.
Keep in mind that 'anonymous data' is _very_ hard to create/maintain – effectively impossible in many cases. As Gwern says/writes "everything is correlated". See the saga of the "Netflix Prize" for a great example of this.
It also seems weird to give people ownership of data that is _almost entirely_ the same as MANY other similar 'datasets'. I think some crimes have been solved not by having the alleged perpetrator's DNA, but a relative of theirs. Given the extreme 'entanglement'/correlation of DNA data, any 'ownership' scheme would likely be either useless or extremely Baroque in its complexity (and thus probably useless too).
A set of rules to handle every specific might be futile, but one could imagine a different default legal position.
Currently, the default position is something like "if you use a company's computers, they can do as they please with the information they get".
An alternative would be something akin to the common carrier rule of "if you use a company's computers, they can't do much of anything based on the information they collect". Effectively, make the storage space a company provides be the intangible cognate of a self-storage locker.
But then how could they censor your posts!?
I wonder how many of the rights we believe we have to our data now are legally enforceable vs enforced by reputation. For example, suppose Google decided to publicize the entire contents of my Gmail archive. Would I have grounds to sue them under existing law for violating an explicit or implicit contractual commitment they had made to me to keep my data private? Or am I protected "only" by Google's knowledge that such an act would cause a mass exodus from Gmail (not to mention causing a lot of Google engineers to quit) as customers realized Google could not be trusted to respect their privacy?
This is the sort of thing I expect people who write Terms of Service would know, and almost no one else would.
Nicholas, I am an attorney. I think your Google hypothetical would not be looked at contractually, but would instead be assessed under the right to privacy. That right varies from State to State (in California it is both constitional and statutory), but an egregious public disclosure of presumptively private information almost certainly would violate the right. And an attempted exculpation via oppressive Terms of Service would likely be unenforceable on public policy grounds.
Another attorney here. I concur but note that California has much more plaintiff-friendly privacy laws than most other states. That’s not unique to privacy, so it is one of the reasons that companies are leaving California. Most privacy laws look first to control dissemination, then use, then collection. Some look to control transferability — the right to get “your” data. None that I’m aware of — either proposed or enacted — require a holder of your data to continue holding it beyond the time specified in their policies for getting a copy of it.
Also note that there really isn’t such a thing as data ownership legally. If there was, you could sue for trespass if someone destroyed your property. Instead you have particular rights, mainly of privacy. It is even less than copyright, which does not extend to unorganized data like that about a single person. (Thank goodness. Copyright usually belongs to the author, which would probably be Google, not you.)
It's all about control - who gets to decide, who is in charge, who makes 'the rules'.
Data Ownership is just an extension of ordinary intellectual property concepts. People who put stuff online for other people to see want to be like authors, inventors, software developers, etc. in gettng to decide who sees what and under what terms. Or, at least, not being entirely subject to the whims of some other entity and without any capacity for recourse.
In more familiar contexts, this can be done with the legal system with copyrights and patents and the option to appeal to the court system for remedy for transgression.
But it can also be done with technology that is designed to be self-securing / self-enforcing, and new crypto tech opens up even more robust possibilities in this regard.
Unless you are under a contract that specifies otherwise, using a huge private company's centralized servers as a platform to convey one's content to the world is currently often fraught with a nearly complete abandonment of any possibility of exercise of this kind of control. For a while no one thought there was any feasible alternative to that practice, but now, there is.
Copyright is a good example of why information ownership is troublesome. Enforcing it requires intrusive efforts. To enforce copyright, your DVD player must be a servant of Sony and not you, and that needs to be backed up by the Digital Millenium Copyright Act preventing nerdy users from "tampering" with their own property. And even that wasn't enough until Netflix became more convenient than BitTorrent.
That's how much effort the giants need to enforce their legal rights against ordinary Joe. If legislation grants Joe similar rights over "his" data, how is he gong to enforce them against the giants?
The problem with this approach is the assumption that you would be treated as the author of data about you. When Google uses cookies to collect information about you, Google would almost certainly be the author of that data of data were subject to copyright. Only data that individuals type would be owned by them. And so, for example, all the emails that you received in your Gmail account would be owned by the senders, not by you. Analogies to copyright are generally a bad approach, which is why no jurisdiction has followed that approach. Instead, they come up with principles that track closer to privacy.
Indeed "principles that track closer to privacy" is what we want, which is not in any meaningful way "ownership" of the data.
Enforcing copyright doesn't require DRM. It just requires registering the relevant copyright and filing a lawsuit in federal court. If anything, DRM'd devices are a middle ground that is supposed to obviate the need to go to court.
Big companies actually have zero problem suing individuals like this in terms of the cost, but they don't like the negative publicity, so they prefer using informal methods and backdoor licensing arrangements like Youtube Trueview. There are automated tools for detecting infringing torrent users, automated methods for doxxing users by requesting IP unmasking from the ISPs, and most users will default. Big companies love the DMCA because it gives them the option to quash posting or sharing without the need to get ugly headlines about how they are suing people into penury.
If legislation gave ordinary Joe more rights over their telemetry data (which federal law already does for purposes of email marketing -- many marketing practices which are illegal in email marketing are legal in social networking), Joe would enforce his rights by suing for breaches and/or reporting it to the government. Realistically, many of the services that are now free would not be feasible as free services anymore.
In law as in medicine, it is better to be preventative than reactive. In general, any approach which requires a typical individual of ordinary means and sophistication to appeal to the legal system to enforce their rights against giant, rich companies who get to dictate the terms in the TOS / EULA is doomed to failure.
So, instead of leaving your doors and windows wide open and calling the cops after you get burgled, how about locking the doors and putting some bars on the window, so you don't get robbed in the first place?
Any efforts to extend or reform existing legal institutions to address this issue are futile and hopeless.
If people really want to control 'their' data, they will have to use tools and methods and services into which the default capacity of individuals having such control is baked in to the very structure of the protocols and systems.
New crypto tech now makes that all technically possible. Some of it is out there and already in use. Will enough people care enough to switch? We'll see.
> If people really want to control 'their' data, they will have to use tools and methods and services into which the default capacity of individuals having such control is baked in to the very structure of the protocols and systems.
Law and regulation will have much to say on whether such tools are economically dominant, merely feasible, or even allowed at all.
I have DRM as an example of the intrusive machinery required to enforce data ownership. And your counter is to detail the other intrusive surveillance machinery used to enforce it.
How is average Joe to detect these breeches that he is supposed to be able to sue under?