The Asymmetry of Personal Data

There is an asymmetry between personal data held by companies and by the individual consumer. Companies know a lot about us; we don't know much at all -- even about what they know. What's the right balance, and are we on our way there? (June 2013)

Why do we care about Privacy?

Privacy is a relatively new notion in society. When we started living in our own houses, creating rooms, doors and locks, we got used to the notion of 'privacy'. In the last 50 years, we as individuals have become more private and isolated, with both 'good' and 'bad' outcomes.

The last 15 years have seen us reconnected in new ways. I might no longer talk to my neighbor in person, but I reveal all sorts of information to people I have never physically met. So we have new social models that we have never before encountered.

It is against this backdrop that we should be discussing the balance of data asymmetry between companies and consumers. Back in 2000 I had this notion that organizations would be custodians of our personal data. Over the last 12 years, my idealist perspective has not really changed, but I have been observing how business models have adapted not only to leverage personal data, but to capture more and more of it from us.

Five Questions on Privacy

Q1: As an individual, most 'transactions' you perform with or facilitated by an organization leave some sort of record behind. What are those records and where are they stored?

Q2: What value to the organization might that record provide? Another way of asking: how will that organization benefit from (maybe monetize) just that data?

Q3: What happens if that unit of data is aggregated either with other people's data or with other aspects of your own data? How would the organization benefit?

Q4: Going further, now think about your privacy - how would all of that data being used by organizations infringe upon or maybe even violate your privacy?

Q5: And further yet, your safety - think about if that data was to fall into the wrong hands, how might this be used to defraud you or put you in danger? If the regime you live under turned hostile, how could that data be used against you?

What is the right balance?

To figure this out, maybe ask first what is the 'wrong balance' - and do so at extreme ends of the spectrum.

So first see what happens if ALL the data ended up with the consumer. We'd have to construct a working model for how this would manifest in the real world.

Then what might happen if ALL the data ended up with the companies. This model is equally tricky, as each corporation would have a silo of your data unless it was joined up somehow.

I like to think that there are 3 classes of personal data an organization might have (using the example of a bank):

Class I: Personal facts: indisputable information (e.g. my name, mailing address, DOB, SSN etc.) - I like to think of this as my data that I should be able to authenticate.
Class II: Transactional facts: the data that is created as a result of the transactions that the organization manages on my behalf (e.g. payments in, payments out, interest earned, amounts loaned, amounts repaid, interest charged) - this data really belongs to the organization to create and authenticate.
Class III: Profile data: this is data that is derived from the transactions, the personal facts and perhaps by combining with other data from the entire population (e.g. the earnings segment that I am in, my propensity to pay back loans - i.e. credit score).

Scenario 1. Consumer gets to own all their data

A practical implementation where all the data ends up with the consumer: let's say that data is valued like money and, for argument's sake, let's say that our existing banking system also banks our data in addition to our money. Citibank will now be the bank for all of my data, all Classes as defined above. So simple things become easier: anytime I need to provide my address or personal details, I just point them to my data vault at the bank with the right level of permission and they can get my shipping address, or email if the goods are electronic. Nice, because when I change my address, I only need to make one change. Now for the airline loyalty program, the travel history needs to be housed with the bank. That is not insurmountable, but it does mean that the airline will have to continually send air-travel records to the bank for storage; it also means that the bank would be able to aggregate all of my travel across airlines. This would go into a profile computed by the bank. That profile would be 'shared' between myself and the bank, and if my profile was sold to an advertiser, they might see that I am a valuable air traveler and that I might be in the market for a new flight. The implications for making services easy for the individual are pretty horrible: companies that held no data about you would require some access to your data each time they tried to deal with you.

Scenario 2. Company gets to own all the customer data

This is sort of where it is now. Customers are giving up all the data in return for free use of services. We sign in to Google and search for things to the extent where Google knows our most intimate desires, problems and aspirations. We use Facebook for free and in return give up our conversations to them. We use the bank (not for free) but the bank is able to track every financial transaction. Credit cards, loyalty programs, membership schemes, healthcare - our data presently lives in the databases of companies. In fact we actually own very little - and all seems to be working fine.

Based on these two scenarios, it seems like we already have a working model where companies own our data and we're okay with that because of the free stuff, personalization and convenience we get in return.

Where are we today?

Let's fight the good fight for personal data being ours - maybe the ability to control it, manage who sees it and perhaps benefit from it for more than convenience - could we actually monetize our own data? If there was some sort of personal data tsunami event where a billion people's data was hijacked and people lost things, then maybe we'd get motivated to do something.

My view is that it's not really going to change much. Compare two businesses, one that controlled your data and advertised to you versus a second that made you pay a fee but did not advertise - right now, the model is that the first would win.

Back to the original question: what's the right balance?

Perhaps it's not so much a question of balance. Companies will know more about us than we know - because there is benefit to them knowing versus us knowing. They can deal with us in aggregate (to determine how to market to broad segments) and deal with us individually (which allows them to deal with us more conveniently). We already know ourselves, our preferences and our behaviors. Where we don't, services like Mint.com, Google, 23andme.com, Jawbone Up will tell us. For those of us that want to be introspective, there is nothing stopping us.

Let's acknowledge that companies do know more about us because of their very nature. Where I draw the line between wrong and right, in my opinion, is where the company might use that data dishonestly, or fail to take adequate precautions so that the data is at risk of being breached by a malevolent organization.

Companies were prevented from using data in an unfair manner - for example, I could not be denied health insurance based on certain ethnic criteria. Could I be denied insurance based on the fact that a large proportion of my Facebook friends had also been denied insurance?

However, using data about me to blackmail me, con me or fool me into doing something I did not intend: that is where I have a problem. The same goes for data held insecurely in a way that might cause my personal safety or security to be compromised.

Things that were written