Too Much PII

Dave Schuler proposes a "radical idea" to safeguard individual privacy "in the wake of the hacking of Sony and the multiple credit card exploits over the last year or so."

Dave Schuler proposes a “radical idea” to safeguard individual privacy “in the wake of the hacking of Sony and the multiple credit card exploits over the last year or so.” It seems reasonable enough:

The personally identifiable information that’s being gathered and retained by businesses from your phone company to Google or Amazon doesn’t belong to them. It’s the property of the persons who are identified by it. That includes names, email addresses, phone numbers, IP addresses, and geolocation information. There should be restrictions placed on the information they retain, how long they retain it, and the manner in which it may be retained. Just as an example, these companies have no excuse for retaining your information indefinitely in unencrypted form.

I’d settle for an even less radical idea: business who collect PII should be prohibited from selling or otherwise sharing said information with other companies, to include companies who acquire them, without express permission from the persons who are identified by it. When I trust Google or Amazon with my information, I’m trusting Google and Amazon—not unspecified companies with whom they might at some point chose to do business.

FILED UNDER: Economics and Business, , , ,
James Joyner
About James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College and a nonresident senior fellow at the Scowcroft Center for Strategy and Security at the Atlantic Council. He's a former Army officer and Desert Storm vet. Views expressed here are his own. Follow James on Twitter @DrJJoyner.

Comments

  1. Dave Schuler says:

    I was being a bit facetious but just a bit. What I proposed was consistent with OECD privacy guidelines.

  2. ernieyeball says:

    Don’t know the current situation but when I worked in the land line telephone industry the local exchange number (NXX) and the subscribers address (XXXX) belonged to the telephone company. When telephone exchanges were added to an area we would change subscribers numbers all the time. It would piss them off, especially business lines who had all kinds of advertising that had to be changed. But there was nothing they could do about it.

  3. Gustopher says:

    So, stricter standards than Europe?

  4. MarkedMan says:

    James, re: trusting google
    What google gets in return for hosting your email for free is the right to read your email (via bot, but as far as I know, via human if they want) and sell any marketable tidbits to others. Mention you are looking at buying a new SUV in a note to a friend and you and they may find the ads of the sites you visit for the next couple of weeks full of SUV ads.

    It’s not really a violation of trust, since that is their business plan. It’s not exactly hidden, although they don’t talk about it much.

  5. PJ says:

    @James Joyner:

    When I trust Google or Amazon with my information, I’m trusting Google and Amazon—not unspecified companies with whom they might at some point chose to do business.

    But Google and Amazon aren’t selling your information to other companies, that would be like selling the cow instead of the milk.

    What one should be worried about aren’t the huge companies that have the capacities to analyze the information collected and profit from that, it’s the small companies that can’t.

    Anyone installing Android apps should make a habit to check the full set of permissions that you grant that app. For example, a note-taking app shouldn’t need access to your location, contacts, etc. It’s a lot more likely that the company/person behind such an app is going to sell that information than Google or Amazon.

  6. Franklin says:

    The personally identifiable information that’s being gathered and retained by businesses from your phone company to Google or Amazon doesn’t belong to them. It’s the property of the persons who are identified by it.

    I’ve always thought that this should be the case. But suspect it never will be.