People have strong notions about ownership of their personal data. After all, nothing feels like it belongs to you more than your personal identity and information. As a result, people feel they own their personal data and can expect to control it, making “privacy settings” that can be abided and respected.
Consider your mobile phone number — digits that can uniquely identify you and connect to your digital accounts. Many people would consider their phone number to be personal information that companies should get their permission to sell, buy or otherwise distribute. However, what if your friend has your number in their contacts and uploads their contact list into a social network to help find more friends. Is that your data or their data?
Today’s user can no longer expect personal data to be user-controlled and owned. Privacy settings at most can govern what a single company can do with a user as far as consent, but they simply cannot keep up with the reality of all the parties involved in our digital lives. It’s either private data no one else was given access to, or it’s public data. Personal data is no longer private once it’s shared with another person.
Facebook has even argued this in court with U.S. District Judge Vince Chhabria. They debated what has become a quintessential question of digital privacy: Does posting, even to a select group of friends, on social media mean that a person is forfeiting all expectation of privacy?
Facebook lawyers points out: “There is no privacy interest, because by sharing with a hundred friends on a social media platform, which is an affirmative social act to publish, to disclose, to share ostensibly private information with a hundred people, you have just, under centuries of common law, under the judgment of Congress, under the SCA, negated any reasonable expectation of privacy.”
Once you’ve shared, you cannot control who else will see and repost it or use the data. Consider tweets about your political interests or hobbies. This “personal data” can be observed by anyone and, consequently, your activities can be profiled even by parties you never interacted with before. Even one-to-one communication cannot expect privacy in the sense of controlling who sees your information once you let it out. What is personal is not private and is no longer under your control.
Maybe in the past it was different. Historically, without computers and low-cost data storage, it’d be impossible for information you shared with even a limited set of people to stay out there forever or spread far. There was a data half-life whereby over time, information would fall off. Your phone number or address could change, and nobody would be the wiser when you got a new one unless you told them.
Now, all data continues to compound exponentially and stay connected. When users switch phones, all their contacts go with them as well — stored all in the cloud. When users write anonymous blog posts that information is indexed and stored by search engines and digital archives forever. That information will live on and over time can be corresponded to other data that may ultimately reveal who the anonymous user is — as was the case with Netflix user reviewers being de-anonymized in the past.
For personal data to remain private, it must not be shared with anyone in today’s digital world. Users and regulators will increasingly need to confront this new reality and adjust behavior and laws accordingly. We cannot continue to expect control over data we’re giving away freely and publicly in exchange for likes, convenience and other benefits.
Ka Mo Lau is chief operating officer of Thunder Experience Cloud. Prior to Thunder, he spent time as an investment banker at Credit Suisse and as a management consultant at IBM.