Following close on the heels of the news about ChoicePoint, another “I’m a large corporation and I just exposed the personal data of lots of Americans, and ho ho ho I’m just going to apologize.”
“Bank of America Corp. has lost computer data tapes containing personal information on 1.2 million federal employees, including some members of the U.S. Senate.”
Oops.
There are a whole bunch of problems here.
These companies have very little liability and regulation for aggregating personal data. So, Bank of America has financial information on 1.2 million customers. That’s to be expected. They are, after all, a bank and need access to your financial information. But once you step past that – what else is legal for them to do with the data? Are they liable if they expose it by accident? They have a privacy policy that says they’re careful with your data, but what happens if they break it? Are there actually any consequences?
Bank of America actually has quite a detailed privacy policy, but what’s hidden here is important – it doesn’t say anything about the risks. “Remember that Bank of America does not sell or share any Customer Information with marketers outside Bank of America who may want to offer you their own products and services. No action is required for this benefit.” But also remember that Bank of America is a target, and your recourse is largely limited to “telling them your preferences”.
I’ve been reading “The Digital Person” by Daniel J. Solove, and it’s been an eye-opener about the problems associated with the construction, storage, and use of digital dossiers. It’s possible that I haven’t gotten to the main point yet, but even in the beginning, he makes some good observations – the problems we’re facing here aren’t necessarily malicious, but they are impersonal and uncaring. The fact that an individual piece of data doesn’t really matter if it’s revealed doesn’t mean that lots of pieces all revealed together aren’t a problem.
There are synergistic network effects at play here. It needs to be recognized that the “simple” collection and aggregation of large amounts of data has side effects in and of itself.