Former Oracle CEO Larry Ellison once famously said, “Privacy is Dead.” However, privacy has been resurrected and killed more times than a Tyrannosaurus Rex in a Spielberg sequel. A recent data breach https://www.wired.com/story/exactis-database-leak-340-million-records/ involving more than 340 million records of U.S. citizens demonstrates why privacy is dead. Again. It’s dead because you never heard of the Exactis data breach. It’s dead because you have become inured to reports of massive breaches of personal data. It’s dead because there’s little if anything you can do about a breach. It’s dead because, as long as you get a new credit card number or a credit freeze or credit watch, you long ago stopped caring about the breach. It’s dead because merchants and credit card companies find it cheaper not to go after those using stolen credit card numbers, and because these investigations are too costly or too difficult to pursue. But it will come back.
Privacy is dead because we can’t agree on what we mean by “privacy” generally, and “private information” in particular. We can’t agree on who “owns” that information, and what rights individuals and entities have to collect, store, process or use that information. On the flip side, we don’t agree on what is “public” information. You saunter to the local shopping mall and buy a pair of faded denim jeans at the local Gap — in full view of dozens of other customers and security cameras. Private? Public? When you parked in the mall lot, with your vanity license plate (GO CAPS) prominently displayed on the back of your car – public? The window stickers which advertise your life membership in the NRA or Sierra Club — private information?
With this ambiguity in mind, we turn to the Exactis data breach, first reported by Andy Greenberg at Wired. I know your first question. What the hell is Exactis and why do they have 340 million records? I’ve never heard of Exactis. I’ve never given them my information.
Exactis claims to be a Florida-based market research firm with “triple validated” information about consumers. What do they know about me? Turns out, quite a bit. And really intimate information. But is this information “private?”
The raison d’être for market research companies like Exactis is to provide sellers with information about purchasers so that the seller can target the correct market. The more the seller knows about the purchaser, the more precisely they can target. If you know the purchaser likes luxury brands — voilà. You either market a luxury brand to them, or make your ordinary brand seem like a luxury brand by — well, raising the price. So a market research firm wants to know your name, your address, your contact information. They want to layer over that your income, your politics, your brand preferences. Add to that a soupçon of politics, race, class, religion, sexual orientation. Mix in age, education, interests, hobbies, health and activities. It’s moneyball for marketing. Combine liberally (or conservatively — see what I did there?) with friends, relatives, contacts, acquaintances. Maybe a few physical characteristics added to the mixture — height, weight, hair and eye color. Languages? Tastes? Travel?
In simple terms, everything. A market research firm ideally wants to know everything about you, because any of it may be useful or predictive of future purchasing activity. You like bananas, and you like them green before they ripen? Statistics say that people who like green bananas are 16.4 percent more likely to purchase taupe panty-hose in the Northeast on rainy Thursdays after 4PM when the Red Sox are in town. Moneyball for people. The Wired article indicated that the insecure (and potentially breached) Exactis database included “entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel.” And yet, no public outrage.
Is this information “private?” Is any of it private? Is all of it private? Is it “private” as aggregated? Is it private as analyzed? Is it private as attributed?
Magic 8 ball says — situation murky. Ask again later.
Once More Into the (Data) Breach
The nation’s first “data breach disclosure” law was passed in California and was introduced by state senator Peace as SB 1386 in 2003. You know, when Bruce Almighty hit the box office. The law responded to a data breach at the California public employees retirement fund (which included state senators) which was not disclosed to the retirees. As a result, the thieves and hackers had access to these employees’ accounts and account information for months without the retirees’ knowledge. If the retirees had known, they could have monitored their own accounts for fraud, changed their passwords, or taken some other remedial efforts to prevent harm.
The California law https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82 — which has since been amended and expanded — has what is actually an extraordinarily narrow definition of the kinds of “personal information” about which a breach disclosure must be made. And it is the template upon which almost all US state breach disclosure laws have been crafted. It defines “personal information” as:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information.
(F) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
(i) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
Now compare that definition against the data which may have been in the Exactis database. According to Wired, the database did not include any credit card information, and there’s no indication that it included either driver’s license data or social security numbers. So the bulk of the marketing information I described above – what you eat, where you live, what you buy, who your friends are, your sexual orientation, etc., is not — at least under the data breach disclosure law — “personal information.” Even what is called “medical information” is ambiguous. Sure, the fact that you have been treated for AIDS, or the fact that you have diabetes is medical information, and deserves protection, either under a data breach law, or a law like HIPAA. But if you come to the movie theater in an arm brace or crutches — is that fact “private?” Or if I see you at the CVS buying glucose test strips — do I now have a duty not to disclose that as personal information (assuming I don’t work for or with CVS?) What if you post questions on a message board about treatments for cervical cancer or mental illness? What if I see you at the library taking out books about treatment for depression? What about your Google searches for medical information? Is that “information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional?”
By layering on a series of conditional phrases, the breach disclosure laws create ambiguity about what is private data. If this and that but not this, then it’s not a disclosable breach. If a list of social security numbers is stolen? Not personal information. A list of credit card numbers? Nope – not without access codes, PINs or passwords – and names of cardholders. A few million bank account numbers with account balances and names and addresses of customers? Not technically a reportable breach under the California law (but I pity the fool who did not report that to their customers.) A list of email addresses of people who were members of Adult Friend Finder or Ashley Madison? Not reportable unless it includes their passwords. Add to that their profiles, preferences and activity? Sorry – not “private” under the breach disclosure statute. Now recognize that data breach laws and data privacy laws may take different approaches to deciding what information is private and what is public, and other laws, like GLBA, the FTC Act, HIPAA, FCRA, and others may protect (or not protect) specific categories of information in specific contexts, but at best we have a Swiss-cheese approach to privacy. Maybe that’s why Salesforce’s CEO recently https://www.salesforce.com/company/news-press/stories/2018/5/051618/ called for the U.S. to adopt a comprehensive national privacy law rather than the crazy quilt of laws we have.
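The statute’s conditional phrases quoted above can be written out as a decision function and run over the scenarios listed in this paragraph, which makes the “if this and that but not this” structure concrete. This is an added example, not part of the article or the statute; the field names (ssn, account_number, security_qa and so on) and the mapping of fields to subsections are simplifying assumptions.

```python
"""California Civil Code 1798.82 "personal information" test, encoded as a
decision function. Constructed example; the field names are assumptions."""

# Elements under (1)(A),(B),(D),(E),(F) that count when paired with a name.
PAIRED_ELEMENTS = {"ssn", "drivers_license", "medical", "health_insurance", "alpr"}
# (1)(C): an account or card number counts only alongside something permitting access.
ACCESS_KEYS = {"security_code", "access_code", "pin", "password"}
NAME_KEYS = {"first_name", "first_initial", "last_name"}

def is_personal_information(fields, encrypted=frozenset(), public_record=False):
    """Return (is_personal_information, reason) for a record described by the set
    of field names it holds, the subset stored encrypted, and the (i)(1) carve-out."""
    f = set(fields)
    if public_record:                                  # (i)(1): public government records
        return False, "public government record"
    # (2): user name or email address plus password or security question/answer
    if {"user_name", "email"} & f and {"password", "security_qa"} & f:
        return True, "(2) credential pair"
    # (1): first name or first initial, in combination with last name
    if "last_name" not in f or not {"first_name", "first_initial"} & f:
        return False, "no name to combine elements with"
    elements = PAIRED_ELEMENTS & f
    if "account_number" in f and ACCESS_KEYS & f:
        elements.add("account_number")
    if not elements:
        return False, "name present, no (A)-(F) element"
    # "when either the name or the data elements are not encrypted"
    if (NAME_KEYS & f) <= encrypted and elements <= encrypted:
        return False, "name and elements all encrypted"
    return True, "(1) name + " + ",".join(sorted(elements))

def article_cases():
    """The scenarios the article walks through, as constructed field sets."""
    exactis = {"first_name", "last_name", "address", "email", "phone", "religion",
               "smoker", "pets", "interests", "income"}        # marketing variables
    name = {"first_name", "last_name"}
    cases = {
        "exactis_profile": (exactis, {}),
        "ssn_list_no_names": ({"ssn"}, {}),
        "card_numbers_with_names": (name | {"account_number"}, {}),
        "bank_accounts_with_balances": (name | {"address", "account_number", "balance"}, {}),
        "dating_site_emails": ({"email", "profile", "preferences"}, {}),
        "dating_site_emails_passwords": ({"email", "password", "profile"}, {}),
        "name_plus_ssn": ({"first_initial", "last_name", "ssn"}, {}),
        "name_plus_ssn_all_encrypted": ({"first_initial", "last_name", "ssn"},
                                        {"first_initial", "last_name", "ssn"}),
    }
    return {k: is_personal_information(f, set(enc))[0] for k, (f, enc) in cases.items()}
```

Only the credential pair and the name-plus-SSN record come out as “personal information”; the 400-variable marketing profile, the bare SSN list and the card and bank account lists all fall outside the definition exactly as the paragraph describes.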
We got here because US privacy laws are inherently reactive. We see a problem — a break-in at a retirement fund — and we craft a solution – tell people when their user accounts are potentially compromised. We see another problem — misuse of automated license plate reader information — we craft a solution – disclosure of such misuse. What we lack — particularly in the United States — is a comprehensive approach to defining what privacy is – and what it means.
Compare this to the EU approach as delineated in the GDPR. Article 4 of the GDPR https://gdpr-info.eu/art-4-gdpr/ defines personal information as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” In shorthand — stuff about you.
Privacy is dead because we don’t know what privacy is, and we don’t know what privacy means. The City of Orlando recently terminated (well, allowed to end) an agreement https://www.npr.org/2018/06/26/623545591/orlando-police-end-test-of-amazons-real-time-facial-rekognition-system with Amazon for the deployment (well, testing) of a sophisticated facial recognition software program called Rekognition (because privacy invading tools always sound better when vaguely Germanicized, right?). While the software was being tested in a closed system with police volunteers, it raises the specter of collecting, storing and analyzing information about tens of millions of people who are doing nothing more sinister than going about their lives. Before any such system is deployed or used (or even tested) there should be vigorous and public debate about the capabilities of the system, what data is collected, how it is stored, how it is used, and who has access to it. And even after such debate, we should err on the side of protecting privacy. Because once privacy is given up, it cannot be reacquired. I recall in 1993 watching the movie “A Bronx Tale” (yes, it was a movie before it was a play) in a movie theater in Manhattan, when a series of commercials appeared before the trailers. The audience actively booed the screen. It was unthinkable! Ah. Quainter times. Remember the frog in the pan?
Privacy is dead because we can’t protect what we can’t define. Privacy is dead because there’s more money to be made by using data than by protecting it. Privacy is dead because people act like they don’t care about privacy (although they say something different.) Privacy is dead because the political constituencies for privacy have to fight against the political constituencies for privacy invading technologies. Privacy is dead because it is assumed (incorrectly) to be a barrier to law enforcement. Privacy is dead because it is costly to implement. Privacy is dead because we want to share information with the world about who we are and what we do.
Privacy will be back. And soon, and in larger numbers. It will return because privacy defines who we are. It will return because its extinguishment contributes to the coarseness of society. Future Justice Louis Brandeis and Samuel Warren described http://www.cs.cornell.edu/~shmat/courses/cs5436/warren-brandeis.pdf “unseemly gossip” which, when harvested, “becomes the seed of more, and in direct proportion to its circulation, results in a lowering of social standards and of morality. Even gossip apparently harmless, when widely and persistently circulated, is potent for evil. It both belittles and perverts. It belittles by inverting the relative importance of things, thus dwarfing the thoughts and aspirations of a people.” And that was 128 years ago. Privacy will be back because it has to be back. Because we have a right to be left alone. Because it’s nobody’s business. Because we are more than a profile. Because democracy and freedom depend on it.
Privacy was never really dead. It was just resting. Pining for the fjords. Long live privacy.