Ownership Rights in Data Pt2
Issue/Topic: Ownership Rights in Data Pt2 (F3E)
Conference: IIW-East September 9-10, 2010 in Washington DC Complete Set of Notes
Convener: Phil Wolf
Notes-taker(s): Joshua Gruenspecht
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Phil: Review of yesterday – Started with a discussion of the idea that “if data feels like it’s yours, it should be owned by you.” However, the ultimate resolution of that discussion was that property law was not the right frame in which to consider these issues. Instead, perhaps we want to consider something more similar to a European-style moral rights regime.
Heather: What about a “common pooled resource” model a la Scott Davis – water pools, fisheries – for identifying information? Guarantees levels of protection/control without regard to the nature of the information or its availability in non-pooled forums.
<Discussion of the problems of trying to put genies back in the bottle – if information is already available outside of such a regime, how would we get people to participate within the regime without the carrot of that information’s availability? Commercial regulations? Law? Something else?>
Heather: We do this kind of top-down control of commercial information transactions already – any transaction involving a user and an aggregator approved by the user is covered by the Fair Credit Reporting Act. Consider this precedential.
<Discussion of the de-identifying requirements within the Freedom of Information Act>
Phil: In our future, I’d like to have some sense of control over my own online identity. My problem with doing this under contract law is that it doesn’t give sufficient control to users.
Heather: No, contracts are really the only way to ensure, through law, that users can have individual control.
Steve: I do not believe that you can completely describe people’s preferences in a preexisting contract, and that contracts will be insufficient for those reasons.
Joshua: So if we don’t like property or contract, what’s in between the two?
Jay: Scott’s suggestion could be helpful. European privacy laws and the moral rights framework may also be helpful.
Phil/Heather: If we get people’s assumptions and beliefs about privacy online, that would serve as a useful basis for determining what the “rights floor” ought to be.
Phil: What we’re discussing here is all the information that constitutes people’s “onlife” – everything that you do and are online.
Jay: The key to any such regime is that policy is great, but you also need a mechanism with which to ensure that said policy is enforced.
<Lots of talk about the possibilities of/problems with an insurance model>
Steve: But the problem with that model is that insurance assumes an acceptable level of failure, and there may not be an acceptable level of failure in this case.
Heather: We can work that problem, and we can’t let the perfect be the enemy of the good.
Heather: The assorted FIPSs covering various different kinds of data distributions under US law demonstrate how much of a patchwork things currently are.
Mary Ann: I think there have been a lot of unstated assumptions about data which have gone into this conversation to this point – for example, the assumption that data needs to be protected.
<Discussion of the reasons to believe that some data might need to protected; general agreement about the lack of decided scope for such protections.>
Jay: One key information practice – making it clear to users what information you’re asking for because you need it to provide the service in question (including the financing of that service) vs. what you’re asking for with other uses in mind.
Phil: Assuming we want to take action on this, who should be in on the discussion?
<Discussion of possibilities: national congressional leaders in the case of privacy lawmaking, legal negotiators for various companies in the case of trustmarking (alongside marketers), privacy engineers in the case of privacy design policies.>