Who really owns data?

Spam texts promoting loans and nuisance calls about accident insurance claims are just some of the inevitable fruits of harvested personal data. In March this year, the Information Commissioner’s Office (ICO) issued one of its highest fines to a Hampshire company that had made over 22m nuisance calls. The company in question was fined(pdf) £270,000. In its defence, it claimed it purchased data from a number of different third party providers and that the data had been screened against the Telephone Preference Service and it was all “opt-in”.

While the ICO rightly took a dim view of this, it’s easy to see why it can happen. Just about everything we sign-up for now asks for names, numbers and email addresses and unless we read the terms and conditions (Ts and Cs) carefully, we have no idea where that data will end up. Free apps, free wifi, loyalty cards and even paid-for services such as mobile phone contracts harvest our data and either sell it or make it available via technology sharing deals. The real problem is not that companies want to use it, it’s that we as consumers don’t look after it enough, or know how to.

It’s hardly surprising, given the length and complexity of most business privacy statements. Australian advocacy group Choice recently highlighted the problem by getting an actor to read Amazon Kindle’s 73,198 word Ts and Cs. It took nine hours.

According to Stephanie Hankey, co-founder and executive director of the Tactical Technology Collective – whose Data Detox Kit helps concerned consumers clean-up online footprints – this is typical of the issues facing technology users who are consistently confronted with “meaningless and inaccessible” Ts and Cs, but it’s just the tip of the iceberg.

“Unlike service delivery data [such as location for Google Maps], sometimes metadata and content data is collected as part of the business model by the company and sold,” says Hankey. “There have been quite a few cases of ‘overreach’ here. For example, the flashlight app that was collecting your address book data. Clearly not needed to give you light.”

For Sir Tim Berners-Lee, data control is one of three key challenges facing the future of the internet. As we digitise all aspects of our lives and leave often incredibly detailed footprints online, how do we ensure our information is safe? Who can we trust? Facebook?

The social media site recently updated its privacy policy saying data can no longer be used by developers for surveillance tools. While on the surface this may seem like an honourable move, how will it be policed? Is it just a case of trusting Facebook with what is, according to Hankey, “a perfect tool for surveillance, with or without the collaboration of developers”?

Berners-Lee’s answer is to decouple data from websites, including social networks. Solid is an MIT project started in January this year and led by Berners-Lee, offering “a proposed set of conventions and tools for building decentralised social applications based on linked data principles,” according to the site. It’s too early to tell how successful this will be, but you get the feeling it’s going to be tough going.

Another site which is looking to redress the balance is Datacoup, a marketplace for people to sell their own data and make money. CEO and co-founder Matt Hogan says the site has “many users who’ve earned triple digits on selling their data,” although for the moment at least, this has been to Datacoup. The company is “lining up sustainable purchasers now,” says Hogan, whose real beef is with the third-party data brokers.

“These are B2B companies, yet they are selling consumer assets. Something is clearly askew there,” he says. “How could a company that I have no relationship, no touch-points with accumulate so much information about me? They’d have to have done so surreptitiously.”

For Martijn Verbree, partner at KPMG’s cyber security practice, efforts to return ownership to consumers are “noble but tough to do,”, adding that to a large extent, the horse has already bolted. He points instead to regulation and in particular the EU’s forthcoming General Data Protection Regulation (GDPR). The ICO is currently undergoing a consultation on the format and implementation of the regulation, to be applied in May 2018.

“GDPR brings a big stick,” says Verbree, “with fines up to 4% of group revenue or €20m, whichever is more. Under current Data Protection Act regulations, the maximum fine is £500,000.

While not everyone is totally enamoured with the regulation, or at least the UK’s ability to implement a sufficiently robust version post-Brexit, (see Amberhawk Training’s blog on transfers of personal data after a hard Brexit), for the foreseeable future, it is the biggest weapon against corporate misuse of personal data.

For Alan Duric, co-founder and CTO at Wire, not harvesting consumer data and selling it on has become a unique selling point. Based in Switzerland, the business which offers a video, voice, text and social sharing communications application prides itself on being open source, transparent and having “no ads, no profiling and full end-to-end encryption.” Wire apparently only stores user data for a maximum of 72-hours.

It goes against the grain, but doesn’t really undermine the idea that personal data is “the new gold”. There are too many apps and businesses with vested interests to change the course of data trading. Stiffer penalties will no doubt help but it is user education that will be most effective in the fight against lost data ownership.

Spare a thought for 7,500 online shoppers from 2010, when former games retailer Gamestation claimed to have gained their souls thanks to a clause inserted into its Ts and Cs for April Fool’s Day. If you don’t read the small print, who knows what you are giving away?