Thinking more about personal data

Relationships are everything.

Relationships are the reason we look after each other, the reason we reproduce, the reason we form groups and ultimately the reason we evolve. Relationships are simply one of the fundamental parts of being human.

These relationships with others – our family, our friends, our neighbours, our colleagues, our customers – are all based on different levels of trust. When we talk about ‘deep’ or ‘strong’ relationships, we just mean to say that we trust each other a lot, sometimes unconditionally. It’s obvious then – but worth making the point – that when we don’t trust each other we form weaker or perhaps shallower relationships. Trust and relationships are not only related, but symbiotic. They need and feed off each other.

Personal data is naturally one of those things we share with those we trust. Information about who we are, what we are doing, where we are, our physical and emotional selves and so on. But sometimes when we share personal data, trusting that what’s shared will be handled with care, there are unintended or unwanted outcomes. In this post I wanted to look at those unwanted outcomes from sharing personal data, and some of the steps we take to manage it.

Who said you could do that?

When we share our personal data, it’s sometimes used in ways we don’t agree with, in ways we didn’t sign up to. I think there are three of these outcomes…

  1. Being contacted without permission (or good reason)
  2. Being impersonated without permission
  3. Being exposed without permission (or good reason)

When we have a relationship, often implicitly or perhaps culturally we agree the rules of engagement – how often, when and where we are happy to contact each other. And because we have a relationship, we are able to set those boundaries (and reset them when they are crossed). But sometimes we are contacted by people without our permission or good reason, and by people or companies with whom we have no relationship. So the first of the unwanted outcomes is about spam, stalking and unsolicited advertising. In order to contact us, people either need to obtain our contact details (phone numbers, email address, Twitter handles etc.) or they need to track us so they can target their communication by knowing where we are, what we’re doing, or what device we’re carrying (here’s a great link to a recent New York Times article entitled That’s No Phone. That’s My Tracker).

The second is about identity theft. That is, someone we don’t know using our personal data in order to access our money, our government benefits or citizen rights (for example using our passport information to get into the country). Sometimes the data is obtained through phishing, and sometimes it’s hacked. Experian recently released a report showing that more than 12 million pieces of personal information were illegally traded online by identity fraudsters in the first four months of 2012 – outstripping the whole of 2010 (interestingly, about 90% of it was password/login combinations). Regardless of how our personal data is obtained, it’s often being used to impersonate us without our permission.

The third is more interesting – it’s about permitting, or seeking to have control over information about us which is shared with others. Naturally, we’re pretty good at doing this for our physical selves – we use clothes and curtains to keep private what we don’t want other people to see. But when it comes to personal information it’s different. What are the ‘clothes and curtains’ for our personal information? Is it even possible?

The thing is, information has some interesting characteristics. George Bernard Shaw once said (something like): “if you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas.” His point was that some things behave as if they’re abundant. It doesn’t matter how many times you copy them and share them, the original remains the same, as do the copies. These things are known as ‘non-rival’ goods. This idea of abundance is a powerful one, because it helps explain how we treat abundant things.

For a long time, sharing things was limited to people who were in the same place at the same time, or limited to those who could write things down, copy them and take the bit of paper or parchment away. In other words, there was a cost to sharing, a friction to sharing. And so sharing was contained, for better or for worse. But then the printing press came along, then later the telephone and more recently the Internet, and we’ve been able to copy information at an increasingly low cost. In fact today, the costs to copy are pretty much zero – as Kevin Kelly brilliantly puts it, “The internet is a copy machine”.

Anyway, sharing our digital information has now become so easy and so cheap that all day, every day we share things without thinking. And like Bernard Shaw’s ideas, we’re now sharing our personal data abundantly – perfect copies of this data can be made and shared widely at pretty much zero cost. And this abundance of sharing begins to scratch away at the idea that we’re losing the sense of relationship with whom we share our personal data. Where, how, why and when it is shared is often unclear to us. And with the loss of these relationships, we’ve lost the trust in how that data is handled; people started contacting us without permission, impersonating us without permission and sharing information about us without permission.

Protecting our privacy

Let’s take an example to bring this to life a bit. Earlier this year, much was written about how Target, a goods retailer in the US, figured out a teenage girl was pregnant before her father did.

Aside from the fact that there are some social and ethical issues to be explored here, the point is that whilst Target were correct in their analysis, they contacted the girl about the pregnancy without her permission, and they exposed her personal data without her permission. As we go about our daily lives we leave a digital exhaust – a digital footprint – and our personal data is often left behind like Hansel and Gretel’s breadcrumbs. Track enough of it (like what lotions and vitamin supplements you buy) and compare this with other known group behaviours (like those who you know are pregnant and who are buying baby clothes, nappies and pregnancy books) and of course it’s possible to make some accurate assumptions about an individual. I’ve previously called this your ‘inferred data’. So it’s understandable that we’re becoming more wary about what is being shared – both with and without our permission – and we’re seeking to protect our privacy to avoid these unwanted outcomes.

To look more closely at how we protect ourselves, I’ve broken down the lifecycle of personal data:

  1. Data is produced (or observed if it’s self-evident);
  2. Data is captured and stored;
  3. Data is analysed or processed; and then
  4. Data is used

Here’s an example of this in action…

  • I wear clothes that expose my Harley-Davidson tattoo
  • My tattoo is seen by the man serving me at the bar
  • The barman makes an assumption – that I’m into biking and believe in what Harley-Davidson stands for
  • The barman strikes up a conversation about bikes, and because he too is into bikes, we share information about each other. The result is that we start to trust each other. We form a relationship. He might even give me a beer on the house.

Now let’s take a more obvious digital example…

  • I browse the web using an internet browser
  • Using cookies, my browsing activity is tracked by the web sites I visit
  • My behaviours are analysed – both in real time and afterwards
  • My subsequent web browsing is targeted with ads to better ‘personalise’ the service. Importantly, the targeted ads are paid for by companies trying to build a relationship with me. But it’s not really a relationship. And there’s no trust. It’s really just a transaction at best, and I’m seen as a sales lead to be sold on

This use of my personal data means I get a better experience (like remembering my ‘shopping basket’) and sometimes I get a good deal on my purchases. But mostly it just makes my browsing experience a bit noisy because the ‘targeted’ ads are assumption-based and are often more miss than hit. These two examples highlight how it’s the context of sharing that determines the permissions to share – some are explicit, while others are implicit – and therefore the outcomes i.e. stronger relationships and lower prices or instead a loss of trust and shopping frustration. As we live more and more of our lives online these issues have become increasingly apparent, and there are now many groups and bodies who are looking at the social, ethical, economic and political issues surrounding personal data.

I see that these projects fall into two camps… The first are looking at who knows what about us – in other words, steps 1 and 2 above. For example there is lots of work going into making the public aware of exactly how much data is being captured about them, by whom and for what purpose. The second group are looking at how this data is handled once it’s captured; that’s steps 3 and 4.

Privacy in action

Now rather than delve into the ins and outs, rights and wrongs of digital privacy (not least because there are many more qualified people than I who have written credibly about it, and at length), I wanted to point to some of the main activities aiming to help us manage our personal data and avoid those unwanted outcomes I suggested at the start of this post.

Below is a list of some of the main things going on around personal data; I’ve broken them down into the stages of the personal data lifecycle, steps 1-4. (Note that some of these are links to specific projects, and others are just linked to sites that provide more information)…

   
1. Produce
2. Capture
3. Analysis
4. Use

Who’s in control?

A big part of sharing our personal data is the bargain we make with online services when we agree to give up a bunch of data in return for some utility – a better deal, access to my friends’ information, accurate search results and more. Cory Doctorow highlights one of the great underlying issues here when he points out that “…even if you read the fine print, human beings are awful at pricing out the net present value of a decision whose consequences are far in the future.”

So I would suggest that we’re sharing our data abundantly, and not really ‘pricing in’ the full cost of doing so. The thing is, culturally we’re so much more comfortable with scarcity. When things are scarce we value them more highly, and when things are abundant we treat them cheaply (in Clay Shirky’s words, abundance means ‘cheap enough to waste’ and therefore ultimately ‘cheap enough to experiment’). And so it is with our data – we value it and so want it to remain scarce. Our instinct is to hold on to it, restrict it, secure it and sometimes misdirect others around it (like when we give out a fake email address to avoid getting spammed). And yet we give so much of it away, not really fully aware of the T&Cs under which we agree to share it. This pretence of scarcity means we end up saying things like ‘who owns the data?’ or ‘who controls the data?’, something pretty much impossible once it’s been shared in this digital age.

In my view, we should instead reflect on the idea that our personal data is now in many ways a non-rival good, it’s abundant, and perhaps behave differently around it. That would mean we would instead say things like “who has access to the data” and “what are people doing with my data”. It would mean new terms and conditions for sharing, perhaps those under which we can feel more confident about how our data is being used, and under which we can benefit from the products and services exchanged. Sharing would be more transparent, and we’d have the right to take action if our data is incorrect, or there’s an abuse of the data. Once we get some degree of visibility of who has our data, in what format, why and how they are using it, I think something interesting will happen: trust will emerge. And with that trust, new relationships. Indeed, we may begin to actually share more – an idea already proposed by those looking at Volunteered Personal Information. And as we share more – under clear and transparent terms – everyone will win: new products and services will become available (think of patientslikeme.com but for everything), our existing services will get even better because they will matter to us (and not be based on guess work), and guess what, we’ll feel better about it all because there won’t be a sense of any hidden agenda with our personal data, which after all, is personal.

A couple of suggestions

So I’d say that we need two main changes to how we behave around our personal data:

  • We need to recognise that we can’t control data in every circumstance: instead let’s accept that and turn to ways to improve transparency: information sharing agreements, regulation for organisations to be clear about what data they gather and how they use it, and perhaps new ways to make us more aware of what we’re sharing in the first place so we can make informed decisions
  • We need to better understand personal data in context: what it is we really need to share, when and with whom (here’s a good example: to prove we are old enough to buy alcohol, we often use a document that proves we can drive. We can and should get better at using personal data in context – we only need to share what we need to share)

I’m hopeful that much of this is on the way. But there’s a lot more to do.
