IT Compliance Advisor

May 17 2010   8:04PM GMT

Using personally identifiable information is gonna cost you

Linda Tucci Linda Tucci Profile: Linda Tucci

The era of businesses playing fast and loose with people’s personally identifiable information (PII) has passed — and not because of standards like PCI DSS or compliance mandates. The public at large is awakening to the reality that information is currency.

This is something that CIOs, of course, have known for a long time. IT executives owe their livelihoods to the fact that there is barely a company in the world that doesn’t do business in this material known as information.

Now the rest of us — from computer cave dwellers like me to the oversharing Facebook generation — are on to the fact that our PII comes at a price. And, one way or another, companies will pay up. The uproar over Facebook’s shape-shifting privacy “rules” and the anger in Europe over Google’s collection of private data are two current and noisy examples.

To get a sense of the change in public attitude in a few short years, consider the evolution of the Netflix Prize. Back in 2006, the company that changed the way people consume movies announced an open competition to improve Netflix’s algorithm for predicting which movies its customers might like to watch based on their past viewing habits. In September 2009, to breathless media reviews about tapping into the wisdom of the smart crowd, Netflix awarded the $1 million prize to BelKor’s Pragmatic Chaos, a seven-man (yes, man) multinational team of computer scientists and machine learning experts, and promptly announced a second contest. By March, the Netflix Prize 2 was called off. Netflix’s chief product officer, Neil Hunt, reported that that the company had decided not to pursue round 2 after reaching “an understanding” with FTC investigators and settling a class action suit on whether the contest violated customer privacy. The investigation and suit were prompted by a research study by two University of Texas at Austin scientists showing that the anonymity of the Netflix prize data set was not so anonymous.

Gabriel Helmer, an attorney and privacy expert at Boston firm Foley Hoag, said the reaction to the second contest points to two important issues related to data privacy: re-identification and a company’s data privacy policy. For the second contest, Netflix promised contestants access to “a lot more demographic information,” and that information would be hosted in the cloud.

“You can take somebody’s name off their personal data, but the more personal information you provide, the easier it is to re-identify that person. Anonymized is never truly anonymous,” Helmer said. The FTC started to investigate because it wanted to know what Netflix told its customers their personal data would be used for when they turned it over.

“Most likely, Netflix did not say they would take the name off and give that personal information to the entire world in order to create a better algorithm,” Helmer said.

Helmer finds the case a “fascinating example” of the strengths and weaknesses of cloud computing — of the enormous gains that that can be realized by making real data available for analysis to large groups of people, along with the obvious dangers of doing that. As a consumer, he said he likes that companies will do the work to tell you which media or products you might like to consume. But the people who brought the class action suit against Netflix are realizing that those services “come with a price.” They are demanding that the price for personally identifiable information be borne by the business, whether it means paying for personal information in exchange for a service, or guaranteeing the data will remain private, or cease and desisting. But the lawyer says it is still early days for knowing how such transactions will play out.

”The reason why it is such an exciting time is that people really have not decided what they will put up with, and what they like and don’t like about personally identifiable information,” he said.

His bet? Just as technology got us into this quandary, technology will quickly point us the way out. It will likely do so in the form of biometric scans or ways to identify people other than using a Social Security number, an address or your mother’s maiden name, much of which is already widely available on the Internet.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: