BUS303: Strategic Information Technology

Who's Collecting Data about You?

There's a thriving industry collecting data about you. Buy from a catalog, fill out a warranty card, or have a baby, and there's a very good chance that this event will be recorded in a database somewhere, added to a growing digital dossier that's made available for sale to others. If you've ever gotten catalogs, coupons, or special offers from firms you've never dealt with before, this was almost certainly a direct result of a behind-the-scenes trafficking in the "digital you".

Firms that trawl for data and package them up for resale are known as data aggregators. They include Acxiom, a $1.3 billion a year business that combines public source data on real estate, criminal records, and census reports, with private information from credit card applications, warranty card surveys, and magazine subscriptions. The firm holds data profiling some two hundred million Americans.

Or maybe you've heard of Lexis-Nexis. Many large universities subscribe to the firm's electronic newspaper, journal, and magazine databases. But the firm's parent, Reed Elsevier, is a data sales giant, with divisions packaging criminal records, housing information, and additional data used to uncover corporate fraud and other risks. In February, 2008, the firm got even more data rich, acquiring Acxiom competitor ChoicePoint for $4.1 billion. With that kind of money involved, it's clear that data aggregation is very big business.

The Internet also allows for easy access to data that had been public but otherwise difficult to access. For one example, consider home sale prices and home value assessments. While technically in the public record, someone wanting this information previously had to traipse down to their Town Hall and speak to a clerk, who would hand over a printed log book. Not exactly a Google-speed query. Contrast this with a visit to Zillow.com. The free site lets you pull up a map of your town and instantly peek at how much your neighbors paid for their homes. And it lets them see how much you paid for yours, too.

Computerworld's Robert Mitchell uncovered a more disturbing issue when public record information is made available online. His New Hampshire municipality had digitized and made available some of his old public documents without obscuring that holy grail for identity thieves, his Social Security number.

Then there are accuracy concerns. A record incorrectly identifying you as a cat lover is one thing, but being incorrectly named to the terrorist watch list is quite another. During a five-week period airline agents tried to block a particularly high profile U.S. citizen from boarding airplanes on five separate occasions because his name resembled an alias used by a suspected terrorist. That citizen? The late Ted Kennedy, who at the time was the senior U.S. senator from Massachusetts.

For the data trade to continue, firms will have to treat customer data as the sacred asset it is. Step over that "creep-out" line, and customers will push back, increasingly pressing for tighter privacy laws. Data aggregator Intellius used to track cell phone customers, but backed off in the face of customer outrage and threatened legislation.

Another concern - sometimes data aggregators are just plain sloppy, committing errors that can be costly for the firm and potentially devastating for victimized users. For example, in 2005, ChoicePoint accidentally sold records on 145,000 individuals to a cybercrime identity theft ring. The ChoicePoint case resulted in a $15 million fine from the Federal Trade Commission. In 2011, hackers stole at least 60 million e-mail addresses from marketing firm Epsilon, prompting firms as diverse as Best Buy, Citi, Hilton, and the College Board to go through the time-consuming, costly, and potentially brand-damaging process of warning customers of the breach. Epsilon faces liabilities charges of almost a quarter of a billion dollars, but some estimate that the total price tag for the breach could top $4 billion. Just because you can gather data and traffic in bits doesn't mean that you should. Any data-centric effort should involve input not only from business and technical staff, but from the firm's legal team as well.

Privacy Regulation: A Moving Target

New methods for tracking and gathering user information appear daily, testing user comfort levels. For example, the firm Umbria uses software to analyze millions of blog and forum posts every day, using sentence structure, word choice, and quirks in punctuation to determine a blogger's gender, age, interests, and opinions. While Google refused to include facial recognition as an image search product ("too creepy," said its chairman), Facebook, with great controversy, turned on facial recognition by default. It's quite possible that in the future, someone will be able to upload a photo to a service and direct it to find all the accessible photos and video on the Internet that match that person's features. And while targeting is getting easier, a Carnegie Mellon study showed that it doesn't take much to find someone with a minimum of data. Simply by knowing gender, birth date, and postal zip code, 87 percent of people in the United States could be pinpointed by name. Another study showed that publicly available data on state and date of birth could be used to predict U.S. Social Security numbers - a potential gateway to identity theft.

Some feel that Moore's Law, the falling cost of storage, and the increasing reach of the Internet have us on the cusp of a privacy train wreck. And that may inevitably lead to more legislation that restricts data-use possibilities. Noting this, strategists and technologists need to be fully aware of the legal environment their systems face and consider how such environments may change in the future. Many industries have strict guidelines on what kind of information can be collected and shared.

For example, HIPAA (the U.S. Health Insurance Portability and Accountability Act) includes provisions governing data use and privacy among health care providers, insurers, and employers. The financial industry has strict requirements for recording and sharing communications between firm and client (among many other restrictions). There are laws limiting the kinds of information that can be gathered on younger Web surfers. And there are several laws operating at the state level as well.

International laws also differ from those in the United States. Europe, in particular, has a strict European Privacy Directive. The directive includes governing provisions that limit data collection, require notice and approval of many types of data collection, and require firms to make data available to customers with mechanisms for stopping collection efforts and correcting inaccuracies at customer request. Data-dependent efforts plotted for one region may not fully translate in another effort if the law limits key components of technology use. The constantly changing legal landscape also means that what works today might not be allowed in the future.

Firms beware - the public will almost certainly demand tighter controls if the industry is perceived as behaving recklessly or inappropriately with customer data.