March 8, 2011
"ePrivacy is all about money", I wrote three years ago. I can but rejoice the World Economic Forum, of Davos fame, and Bain & Company, a leading consulting firm, have now, if not formally endorsed, at least voiced my opinion (*). Calling personal data "a new asset class", it reaches many conclusions with which my readers have long been familiar.
Let us not confuse my role as a "romantic maximizer", in Yochai Benkler's words, and theirs, which is to give credence to ideas whose time has come. Neither original nor prophetic, they create value by adding weight to notions they pick up, validate and package for their influential clients.
And so their report presents two concepts. According to the first, "a person's data would be equivalent to their "money" [...] [handled] just like personal banking services operate today". The second recommends a user-centric approach to build "the personal data ecosystem".
From such premises, it is not surprising to see the authors of the report write at length about trust, without which banks cannot survive, and mentions "the structure of personal data markets" as a key factor, warning against the negative effects on the economy of any imbalance in such an ecosystem. In a revolutionary conclusion, they state "parties will be constrained on collecting data for free and will need to start paying for end user data".
It is not the first time I comment on a text I find constructive. Whether Jacques Zittrain on "tethered devices", Peter Swire and Cassandra Q. Butts on the "ID Divide" or Paul Ohm, who coined the phrase "database of ruin", I pull no punches when it comes to their shortcomings.
The first stems for asking at the same time to "innovate around user-centricity and trust" and to "focus on interoperability and open standards". While each goal is desirable, combining them is part wishful thinking . Take the W3C for instance. As it refuses to consider submissions unless donated for free, how can innovators be expected to contribute to open standards if not as a hobby? As for de facto standards, the fall back position, how can they be expected to be so open as to be interoperable? Rather information Age companies build a dominant position on proprietary strangleholds.
Internet and the Web, those two glorious exceptions, hark back to a time when big spending by Western public agencies was fashionable and no commercial interest was in play. More realistic would be to be ready to compensate those innovators whose work could advance open standards.
While the previous shortcoming is insidious, the next one is nothing but egregious. "The concept of property rights is not easily extended to data, creating challenges in establishing data rights". While "most people would intuitively assert that they own data about themselves", the authors insist "a cursory look [...] quickly reveals that the answers are much less clear". What the authors of the report do not realize is that, in the absence of clear property rights, their vision of banking on personal data assets is illusory. Banks do not thrive in plunder economies except to launder dirty gains.
In support of this position, the report lists two types of challenges. Who own one's criminal, credit and medical records? Do Google and Amazon own the algorithms they derived from analyzing their users' clickstreams? This is fair. If data rights are clear, simple questions call for simple answers.
Simple answers however often rest on deeper concepts. Possession should not be confused with ownership. When I give my car for valet parking, does the attendant think I transfer the title with the keys? When I hand over my credit card at the store, does the clerk imagine it is to be used at his whim? Similarly personal data ought to be exchanged only as part of a transaction freely agreed upon and strictly applied to enable its fulfillment.
Contrary to my car and, I hope, the piece of plastic which is my credit card, data can be easily duplicated and hence possessed by several persons at once. This however should not change the issue. What this does is simply to facilitate the fulfillment of long lasting transactions. But the same is true for money. My banker has possessed the balance on my savings account for more than ten years now. Yet she still does not own it.
To the distinction between possession and ownership, the previous example adds the concept of fiduciary duty. Since data is like money, it is normal to impose the same constraints as on a banker on those to whom one entrusts personal data as part of a transaction.
With these intuitive developments, the challenges of the first type vanish. Of course I own my medical records. However in order to fulfill their parts, it is necessary my physician and my insurer keep appropriate records during the length of my contractual relationship with them. Yet they should not own them and, at least in theory, US healthcare providers now need the patients' consent to share their personal information for any other use.
In the same way I should own and control my personal credit records. That I do not today is theft pure and simple, which credit report bureaus compounds by selling consumers ID theft watch services. What a pity since they could have a thriving business selling recommendation services.
Yet if I do not fulfill a transaction as agreed, the wronged party should be entitled to own this very fact as its part of the ill-fated transaction. Credit report bureaus should also be allowed to aggregate and resell my failures to pay on time, whether I like it or not. Without our consents, actual credit records go far beyond this list but criminal records are still indeed limited to personal failures, unilateral transactions which wronged society itself.
Finally do Google and Amazon own their own algorithms? Indeed and their own statistical records too. Witness Google Trends or the US Supreme Court historic decision, there is no need to keep personal records on users to know how many times people search a keyword or buy a book.
But if Google and Amazon actually reuse my personal clickstream as such without my explicit and unbundled consent, they should be considered liable of digital piracy. What is essentially some kind of market research should be a straightforward case of "paying for end user data". More generally simple rules could support remixing others' information into new productions fairly without stifling creativity.
Still linking privacy protection to transactions begs the question of what happens pre-transaction. Could targeted advertising for instance be efficient if each ad required a user contract? This is why my invention (1) enables a consumer to manage his own profile in his own personal data store and enjoy personalized interactions while delaying all personal data exchanges with absolutely anyone else until a transaction is mutually agreed upon.
Who would invest in Libyan oil fields today? Will Bain & Company take three more years to recommend data assets come out of property limbo?
- (*) . Personal Data: The Emergence of a New Asset Class, by
.............................. Professor Klaus Schwab, Alan Marcus, Justin Rico Oyola and William Hoffman (The World Economic Forum)
.............................. and Michele Luzi (Bain & Company) - February 7, 2011
- (1) see my US patent portfolio, US Patent Number 6,092,197 and US Patent Applications 2006/0053279 and 2009/0076914.