If recent privacy scandals have taught us anything, it’s that industries reliant on monetizing user data have little or no enforcement procedures in place for preventing the abuse of that data. Nor do they risk any substantial penalties for such abuse.
The most recent example of this comes from a large report from Motherboard concerning how telecom companies resell user location data. The abridged version of it is that unscrupulous people with access to prized telecom location data are reselling that access to other, unauthorized people, such as bounty hunters. For just $300, Motherboard was able to geolocate a target’s phone.
It’s the same basic concept that formed the core of the Cambridge Analytica scandal that Facebook got swept up in last year: data acquired from consenting users is resold to other parties without users’ knowledge. Except that in the recent example from Motherboard, the privacy implications are even worse. Telecom companies are constantly triangulating your position in order to know how to route signals to your device. If Facebook is the Eye of Sauron, then your cell phone service provider is like … I dunno, a hundred Eyes of Sauron? (I have not seen The Lord of the Rings since it came out in theaters.) They constantly have your location and, when you’re not on Wi-Fi, route all data to and from your device.
In addition to the fee that you pay your service provider every month, cell phone companies are also selling access to your information, and they have little recourse to stop such abuse. In Motherboard’s demonstration, T-Mobile sold data to a firm called Zumigo, which sold data to another firm, Microbilt, which offered access to a company in the bail industry. There is plenty of space for weak links in a chain like that.
Another provider, AT&T, told Motherboard, “The allegation here would violate our contract and Privacy Policy.” This is the standard reply when stuff like this happens: that such practices violate the labyrinthian service policies that data harvesters supposedly enforce. Microbilt had its access to Zumigo’s data revoked, but that seems to be the extent of the penalty.
There are no substantial government regulations of the data market — nothing requiring things like financial penalties or restitution. This is despite the fact that industries reliant on vast stores of granular data are clearly not equipped to police themselves. Because data and information is an infinitely reusable resource and not a finite, physical one, it can’t really be stolen, in the standard sense of the word. The firm whose data is misused still holds that data, which makes it tricky to determine harm.
In addition to not having comprehensive measures in place to address what happens when companies get hacked, the United States also doesn’t have many ways of discouraging intentional misuse of data. Still, there are other examples of how to police data. There are penalties for insider trading, for instance. Maybe there should be, like, any sort of financial penalty for this type of mismanagement, instead of just allowing private companies to give each other slaps on the wrist.
