New England Law Review: Volume 49, Number 4 - Summer 2015

Legal Questions Raised by the Widespread Aggregation of Personal Data

ADAM TANNER*

[49 NEW ENG. L. REV. 601 (2015)]

INTRODUCTION

Iopen my book What Stays in Vegas: The World of Personal Data—Lifeblood of Big Business—and the End of Privacy as We Know It ("What Stays in Vegas")¹ as ten agents of the Stasi secret police are following me around on a single day in August 1988, a year before the collapse of the German Democratic Republic. Communist East Germany’s version of the KGB kept a detailed, minute-by-minute log of my activities and took photographs as they tried to fathom what motivated my visit to the great cultural capital of Dresden. What exactly was I really up to? I was writing a travel guidebook, the Frommer’s Eastern Europe and Yugoslavia on $25 a Day.

I tell this story to contrast how little Stasi agents understood about me compared to what companies and commercial marketers know about hundreds of millions of consumers today. Our personal data are gathered at every turn in the Internet age, aggregated and used to produce sophisticated profiles. We often have little choice whether and how our data will be shared. With exceptions related to financial, medical, and employment information, there are few legal restrictions on these practices in the United States.²

My work seeks to illustrate the human face behind the zeros and ones of digital data collected about our lives. Many of the corporate officials gathering information about us are intelligent, well-meaning entrepreneurs and executives doing their best to advance their businesses. Yet collectively, they have created a system where individual privacy is under assault.

Many marketers have told me they think it is great to have intimate insights on their customers, yet they find it creepy that others know so much about them.

There is a lot of stuff being done in the name of making money and in the name of ‘we’re going to provide a better user experience’ but yet if you actually told the end user you were doing this stuff, they would be aghast,³ says Jim Spanfeller, CEO and founder of the Spanfeller Media Group, which operates sites including thedailymeal.com and theactivetimes.com. The idea that we are hoodwinking the end user is really a bad idea. I think it is shortsighted, although shortsighted might be ten years or fifteen years, but I don’t think it is going to help the industry as a whole.⁴

The dangers to individuals, and thorny legal questions, are greatest when advertisers use sensitive personal information—such as details about a person’s health or finances. As Spanfeller explains:

Let’s say it’s just an ad for a cancer medicine, or it’s just an ad for bankruptcy, or if it’s just an ad for your sexual orientation. All of a sudden, that ad becomes completely transparent to people around you or other marketers or other people who use the same machine you use, or people who can easily look into your browsing history when you go to someone’s site. . . . Now all of a sudden you can, say, go to a bank site, I asked for a loan but they looked in and saw that I was looking at bankruptcy ads or have been targeted with a lot of bankruptcy ads so they didn’t give me a loan. None of which you are aware of. You are just totally oblivious as to why that would happen.⁵

Surprisingly, the mysterious world of casinos presents far more clarity when it comes to personal data than many businesses. One of the reasons my book includes a major Las Vegas focus is that casinos offer customers a straightforward model. Patrons can gamble anonymously if they prefer, but most share personal information by signing up for loyalty cards. Such programs allow casinos to track patrons in minute detail within the walls of their establishments. In exchange, participants receive free food, rooms, and other perks.

What Stays in Vegas looks at the world’s largest casino company, Caesars, as a case study of personal data gathering. They are clear about what they do with such information: they use it to market, not to share with other companies. By contract, many businesses do not give customers a choice about whether or not their data will be collected and stored and they often share it without consent. To what extent customers have a legal right to control the fate of their data invites future debate and scholarship.

The Total Rewards loyalty program has been one of the underpinnings of Caesars’ growth. At the same time, the company’s fate highlights the limits of big data. Because such information seeks to predict the future based on the past, it is blind to unexpected twists of events. Caesars passed on the opportunity to invest in Macau because its projections did not seem to justify a massive investment. In recent years, this special administrative region of China has dramatically outstripped Las Vegas casino revenue, even after a sharp downturn since 2014, boosting the fortunes of Steve Wynn and Sheldon Adelson, Vegas visionaries who often take a more instinctive approach and did invest in Macau.

Two big investment funds failed to foresee the sharp economic downturn of 2008, so they took out massive debts to buy Caesars shortly before the recession hit. Saddled with massive debt, the casino giant could not afford the interest payments and filed for bankruptcy protection in January 2015. The next month, CEO Gary Loveman, the former Harvard Business School professor renowned for his mastery of data, announced he would step down.⁶

I. The Risks from Anonymized Data

Most businesses deal with personally identifiable information (PII) which includes: details about customers such as name, address, phone number, email, and other details. The law has typically looked at such information differently than anonymized data. For example, U.S. HIPAA regulations bar the exchange of identified medical information without patient consent, but allow the commercial trade if certain standards of anonymization are followed.⁷

It may be time to rethink this approach, as anonymous information is increasingly at risk. It was once thought that removing obvious identifiers such name, address, or Social Security number would preserve anonymity. Yet studies over the past two decades have shown that crossing different data sets makes identification possible, even easy at times.

In researching What Stays in Vegas I identified three anonymous volunteers in the Personal Genome Project, which shares intimate medical data on the Internet in hopes of advancing science. I also found and learned a great deal about a woman who had posted saucy photos on the Internet. She had tried to hide her tracks by using a stage name, but other clues allowed me to piece together her identity and find her.

In 2011, researchers took photos of students on a university campus and re-identified about a third of them by matching them with publicly accessible Facebook images. They then built on their previous research to show they could predict Social Security numbers for some they identified.⁸ Others have shown it is possible to identify people from aggregating anonymous Internet searches or Netflix movie rental patterns.

People need assistance and even protection to aid in navigating what is otherwise a very uneven playing field,⁹ Alessandro Acquisti, the researcher on the 2011 experiment, wrote in Science magazine in February along with Laura Brandimarte and George Loewenstein.¹⁰ [A] goal of public policy should be to achieve a more even equity of power between individuals, consumers, and citizens on the one hand and, on the other, the data holders such as governments and corporations that currently have the upper hand.¹¹

That same issue of Science included a study of credit card purchases for 1.1 million people over three months.¹² Researchers showed it was possible to identify 90% of people just based on what they purchased.¹³ Yves-Alexandre de Montjoye and others who conducted the credit card re-identification study concluded:

Our results render the concept of PII, on which the applicability of U.S. and European Union (EU) privacy laws depend, inadequate for metadata data sets. . . . Our findings highlight the need to reform our data protection mechanisms beyond PII and anonymity and toward a more quantitative assessment of the likelihood of reidentification.¹⁴

Another area that bears scrutiny is the legal liability of companies whose inadequate security enables malicious hackers to steal personal information. Target, Adobe, Home Depot, and JPMorgan Chase are among the many companies that have announced significant security breaches in the last year or two.¹⁵ Last year, after JPMorgan Chase said that data on seventy-six million American homes¹⁶—two-thirds of all households—had been hacked from its systems, I called their customer service and asked how I might be impacted. What breach are you referring to? the telephone agent asked me. I could not tell if the agent was being coy or just confused amid numerous breaches.

In one of the latest incidents, Anthem, one of the largest U.S. health insurers, said in February that external hackers accessed personal information about current and former customers, including Social Security numbers, employment information, and income details¹⁷ impacting 78.8 million people.¹⁸ Lawsuits have typically followed such major breaches. Should such a firm be subject to sanction for leaving vulnerabilities in their systems, or sympathy because they are the victim of crime?

[I] know you expect us to protect your information,¹⁹ Joseph Swedish, president and CEO of Anthem told his members in an open letter. We will continue to do everything in our power to make our systems and security processes better and more secure.²⁰ Are such pledges enough when surely the same fate will befall another unfortunate company in the months ahead?

II. Differing Perspectives on Data

On the legal front, another interesting privacy debate revolves around the right to be forgotten. A European court has ruled that when it comes to Google searches, citizens have the right to have certain search links to web pages removed.²¹ During a recent trip to Europe, I learned how tangled such cases can be thanks to Michael Persson, a journalist at the Volkskrant newspaper in the Netherlands. He asked his readers to share what happened when they tried to have information removed from Google.

One reader told Persson that his newspaper had photographed him in 1994 while he was relaxing in a park playing a didgeridoo, the elongated wind instrument. All these years later, people searching for his name in Google quickly find an image of a man with a beard and scruffy appearance. Now a financial advisor, the reader would prefer that potential clients see other information instead. Upon his request, Volkskrant agreed to remove the image from the web; however, it still remains in the newspaper archives.²²

Another reader said that when he was sixty years old in the 1990s, he made a single pornographic film, acting out the fantasy of the older man getting lucky with a younger woman. The man, who used his real name in the credits, knew that someone might come across the performance in an adult video store, but thought his escapade would otherwise attract little attention. Yet the Internet today allows someone searching for his name to find the old video in just a few clicks, as well as an IMDB movie website entry. Google removed some links but not all, judging that anyone trying to learn about the man had a right to know about the appearance. Persson stated:

As a journalist, I used to follow Google’s line: erasing anything is tampering with history. But from these cases I learned that people have a right to have different personalities in different times of their lives. Googling someone can obfuscate these distinctions. You cannot reduce a person to the search results on his or her name.²³

How the United States handles personal data has ramifications for other regions. Ronald Leenes, the director of Tilburg Institute for Law, Technology, and Society at Tilburg University explored this problem at a recent event he moderated in Amsterdam.

They are constantly testing the limits and export the U.S. model to Europe and elsewhere . . . Given their dominance of US companies in cyberspace, we can ask ourselves whether the practices you discuss in your book and presentation display our common future. . . . We do have stricter regulation. Is this adequate to keep data brokers at bay? Color me skeptical here.²⁴

III. The Business of Humiliation

Another important area for legal review has to do with the business of humiliation, which uses true facts or photos to shame people, often for profit. One chapter in What Stays in Vegas describes one business that started out by posting millions of criminal mug shots on the Internet.²⁵ People horrified that others could so easily find these images would then pay to remove them. Such practices are changing. In January, a new California law took effect that bans websites from taking money for removing mug shots.²⁶ Other states, including Utah, Illinois, Oregon, Georgia, Texas, Colorado, Wyoming, and Missouri have passed similar legislation.²⁷ Still, variants of the practice continue.

One area where the law is evolving involves revenge porn, the posting of intimate images to scorn a former lover. Those who grew up before the era of smartphones may find the practice hard to understand, but such devices have made many couples into amateur pornographers, spicing up love lives by filming themselves solo and together. In my research, I have met several people whose lives have been turned upside down by such activity.

Holli Thometz started sending explicit images and videos to her boyfriend when she moved to a different part of Florida for graduate school. You are having these interactions with somebody that you’re in an intimate relationship through the phone, the way that you would have an interaction with them in person, she says. Technology has allowed us to do that.²⁸

After three and a half years, the pair broke up. All of a sudden the erotica that spiced up their long-distance love lives became a weapon. Some of her videos appeared on revenge porn sites. One, tagged as Masturbation 201 by Professor Holli Thometz went viral, causing deep humiliation and anger.

In a different part of Florida, Bekah Wells started dating a bodybuilder. He encouraged her to take erotic photos. She had just gotten a smartphone and agreed. Eventually they filmed an erotic video together. When I looked at it with him I said, you know, this is really lame, she says. It was not at all like you think a video like that would be.

The relationship ended in 2010. Later, she was horrified when a Google search of her name turned up some of her photos on revenge porn sites. It is such a violent form of betrayal. If you can just imagine your most private intimate moment you’ve ever had, this was essentially that, just broadcast to everybody, she says. My heart raced, I hyperventilated probably for 10 minutes, I couldn’t think straight, I started just crying hysterically.²⁹

Seeking a new start, Thometz legally changed her name. But soon the images were linked to her new name Holly Jacobs. She decided the stigma was too great, so she left academia and became a leading anti-revenge porn advocate with her group the Cyber Civil Rights Initiative. Wells also fought back by forming a women against revenge porn website. Both have advocated making revenge porn a crime. Wells asks, Why should it be fair that I be punished and not him?³⁰

Publicity around such cases has led to change. Since 2014, a growing number of states have passed laws against revenge porn and authorities have stepped up enforcement. In January 2014, the FBI arrested Hunter Moore, 27, whom Rolling Stone Magazine called The Most Hated Man on the Internet.³¹ Moore had brazenly promoted revenge porn on isanyoneup.com. He and another were charged with hacking into email accounts to steal erotic images. In April 2015, Kevin Bollaert, 27, of San Diego was sentenced to 18 years in prison for operating a revenge porn website³²—a sign of shifting social and legal mores against such incidents. Sitting behind a computer, committing what is essentially a cowardly and criminal act will not shield predators from the law or jail, said California Attorney General Kamela Harris.³³

Another legal question is raised by sites that seek to intimidate rather than profit. For example, one radical anti-abortion activist set up a website on which he posted photographs of people entering abortion clinics, committing various crimes to which they should answer.³⁴ It also called on supporters to photograph and videotape people who work at clinics, including at their houses and near their cars. Furthermore, it asked for home addresses, Social Security numbers, and other personal details.

CONCLUSION

Although my book does not specifically look at the business of personal data through a legal framework, it, in effect, asks whether U.S. laws need to offer more privacy protections. Overall, I think that the evolution of electronic personal data parallels the development of past technologies such as automobiles or factories. The development and evolution of the horseless buggy or factories producing goods for the masses helped advance societies and transform the way we live. Yet they also brought unexpected negative consequences, such as injuries and pollution. Over time, governments mandated protections including seat belts, airbags, and pollution controls.

Many companies have failed to provide proper transparency into their