
RadioShack Sold Consumer Data to Pay Off Its Debts - wglb
http://www.slate.com/blogs/moneybox/2015/05/18/ftc_radioshack_consumer_privacy_letter_court_should_protect_people_s_data.html
======
mc32
I hope the FTC wins its case and establishes precedent that consumer data is
non-transferable and most importantly not a good to be bought and sold
unregulated. I understand there are circumstances when data has to be shared,
transferred etc. (health networks, but this is regulated). But consumer data needs
to be well regulated and not treated as a commodity and "asset", that's not a
desirable incentive.

Consumer data should be one of those things which most companies consider
something toxic but necessary so they handle it with care and use the least
amount possible rather than collect as much as possible and worry about things
later.

RadioShack may not have the reams of data an ISP has, but still need a
precedent for future data handling and ownership resolution. It'd be great to
see this kind of data devolve back to the consumer, i.e. destroyed, once its
original user is no longer there to use it in support of ongoing business
operations and should not be a mainline of business per se.

~~~
legohead
I thought user data was one of the most valuable assets of a business.

When I worked at Company X, one of our competitors was failing and offered us
to buy them out. The most expensive part of the buyout was calculated
basically by #users*<some price>. And really that's all we wanted, was their
userbase, since we already had the product they wanted. We could absorb their
users and immediately grow our business.

~~~
mc32
I think there's a difference between we'll sell you all this data we have on
our users, some of which is related to conducting business with them, and here
are our paying customers who you can acquire and continue to provide goods and
services to.

~~~
ploxiln
The second case is different, and less directly harmful, but still bad for the
"free market".

You end up in a situation where you have a few huge companies that have shitty
expensive products and huge amounts of money. If anyone ever does better, they
use some of the money to acquire _the customers_. No one ends up with
something better or more cost effective; the 800lb gorilla just pays a tax to
remain the only choice, and that cost is easily passed right back to the
customers.

~~~
stickfigure
"Acquiring the customers" seems to be a business strategy with a high failure
rate, else we'd be yahooing instead of googling or facebooking. It's hard to
predict what competitors are going to blow up, and as soon as they get
traction the price goes high - Facebook may have bought WhatsApp, but
apparently SnapChat is holding out for more.

I actually think the "free market" works pretty well at this, even if it's not
perfect. Nothing is.

~~~
ploxiln
That's a good point. I suppose this thing is a natural driver of the recent
focus on user-traction over profitability.

------
brudgers
Of all the things I'm supposed to be outraged about as a consumer of news,
this one rises to the _whoopdie fucking so what?_ level. Radio Shack was
collecting in their best ever year maybe half a dozen data points on me. It's
not like they had my DNS requests over the past ten years or my history of
cell tower signals or my click history following searches for "painful rectal
itch" or how long I typically watch dwarf porn before closing the browser...if
I were to do such a thing.

There are big privacy issues and little ones and this is definitely the
latter. How revealing the Radio Shack's data is of people's behavior should be
measured by the outcome of Radio Shack during the period in which it had
exclusive access...and here the context is a bankruptcy proceeding.

~~~
ascagnel_
This case can be used to test how binding a privacy statement can be. If Radio
Shack is allowed to sell the data to a third party over AT&T & Apple's
objections, basically every privacy policy is worthless. There are always
increasing amounts of data collected with increasingly invasive means, but
this can make bulk data collection less intrinsically valuable.

~~~
dm2
It's harming other businesses too because people are much more likely to put
in false data in order to avoid this situation.

~~~
Lawtonfogle
Other than violating social norms, would there be any problem with
purposefully making the data socially poisonous (not Bobby Tables, more like
saying your name is Mao or Stalin and you live on 101 Legalize Murder Avenue... and
this is a tame example compared to what the internet could come up with)?

~~~
jbigelow76
Since it would be nearly impossible to universally "poison" your footprint the
most likely scenario would end up being that Lawton Fogle is tied to an alias of
Hitler Manson that lives on Sodomy Lane and has a fake social security number
with strange biblical references. Not a good way to stay off somebody's
radar.

~~~
jpindar
Only if you choose that. Who's to say I'm not Sunshine McBunny who lives on
Unicorn Lane in Hobbiton?

------
SloopJon
Slate puts rather a different spin on this than other articles I've read.
Slate:

> The FTC is so displeased that Jessica Rich, its consumer protection
> director, has written to the bankruptcy court handling RadioShack’s case,
> asking that consumers' personal data be protected.

Ars Technica:

> The Federal Trade Commission (FTC) sent a letter to the bankruptcy court
> presiding over RadioShack's supervised asset sell-off suggesting a
> compromise that would allow RadioShack to sell its database of information
> from 117 million customers.

Previous coverage portrayed Apple as intervening to protect customers
(although it seems to have more to do with enforcing their reseller
agreement):

[http://www.imore.com/apple-wades-radioshack-sale-protect-customer-data](http://www.imore.com/apple-wades-radioshack-sale-protect-customer-data)

[http://daringfireball.net/linked/2015/05/14/apple-radioshack-privacy](http://daringfireball.net/linked/2015/05/14/apple-radioshack-privacy)

[http://arstechnica.com/tech-policy/2015/05/apple-asks-court-to-block-the-sale-of-some-radioshack-data/](http://arstechnica.com/tech-policy/2015/05/apple-asks-court-to-block-the-sale-of-some-radioshack-data/)

------
joelgrus
Wow, this really sucks for whoever has the phone number that I had in 1991.

~~~
ja27
And for whatever numbers they typed in when I refused to even make up one
myself.

~~~
imglorp
When I visit the hair cutting place, they refuse to serve you without a phone
number. So I always give them the standard TV placeholder: xxx-555-1212.

The stylist is often confused why there are 20 people with that phone number.

~~~
minikites
If the other person is young enough, you can almost always get away with
867-5309.

~~~
slayed0
I used to use this at the grocery store/kmart/wherever and just tell them to
pick the top name off the list of 50 or so that came up per area code, (woohoo
key constraints!) but eventually they caught on.

Poor Jenny can't get a rewards card anywhere these days.

~~~
toast0
Jenny's doing just fine at CVS; she's earned a bunch of rewards

------
carlmcqueen
I can't say this is a big surprise. My first job was at a chicagoland
radioshack so I have followed their news and watched their fall with mixed
feelings.

It felt very odd in 2001 to try and sell electricians that would come in the
store at opening to buy 10-11 fuses if they wanted a cell phone, and bother
people just getting batteries for their first and last name so they could
'return their item'. We got dinged for each person who refused us. So there is
potentially a LOT of data this company is getting.

~~~
JoeAltmaier
The last CEO cancelled that policy as their first act. So for some years, that
data was not collected. I wonder what data they had to sell?

Anyway, this is a warning to all of us. No matter what promises that honest
startup gives you, the minute they are sold (and most sell in the end) the new
owners are free to do whatever they like with your 'private' information. In
fact it will be hawked in the marketplace like a chicken.

~~~
mikeash
That raises an important question: why aren't those promises legally binding?

~~~
VLM
Where's the consideration (money changing hands). It's not a contract.

From

[http://comingsoon.radioshack.com/privacy-policy/privacy.html](http://comingsoon.radioshack.com/privacy-policy/privacy.html)

"If we decide to change our Privacy Policy, we will post those changes to this
privacy statement, the homepage, and other places we deem appropriate so our
users are always aware of what information we collect, how we use it, and
under what circumstances, if any, we disclose it. If however, we are going to
use users' personally identifiable information in a manner different from that
stated at the time of collection we will notify users by posting a notice on
our web site for 30 days."

It appears they've done none of this; then again it amounts to accomplishing
nothing other than a PR show, so not much has been lost.

Their policy doesn't seem to have considered in its design, "what if we go
bankrupt, fire everyone and someone else buys us".

I wonder how far back the records go. Could they give me a copy of my Dad's
purchase receipt from 1980 for our TRS-80 model III? For 16K of 4116 dram for
about $300 or whatever it was back in '81 or '82? On the other hand, given the
decline of the company in recent years, if they only have records going back 5
years I probably don't even show up in them.

~~~
mikeash
In the case of Radio Shack, you typically handed over information as part of a
purchase, so money definitely changed hands. For startups following the model
of "we'll give the product away for free and make it up in volume" it's less
clear, but giving info in exchange for access to a service seems like it could
be consideration.

------
matwood
Apple and AT&T tried/is trying to stop them:

[http://gizmodo.com/apple-sues-to-prevent-radioshack-selling-customer-data-1704644494](http://gizmodo.com/apple-sues-to-prevent-radioshack-selling-customer-data-1704644494)

~~~
devcpp
Apple "I-want-all-your-data" and AT&T "you-have-to-opt-out-of-tracking". Of
all companies. We have to count on our enemies to protect us because we are
powerless. Let's just hope they start privacy wars.

~~~
CountSessine
That's really a lazy mischaracterization of Apple. They've never been
especially interested in your personal data. The only service they have where
they maintain any sizeable, persistent consumer information seems to be the
iTunes store, and as far as I can tell, they've never tried to monetize/share
that information with anyone. I'm more curious why you would think of Apple
this way - "I-want-all-your-data"? Maybe Apple "you-didn't-really-buy-your-
hardware", but "I-want-all-your-data"?

If anything, I would liken Apple to a jealous and abusive boyfriend - they'll
beat and abuse their customers with sometimes arbitrary controls over what
they can do with their hardware, but God help you if you try to do the same to
their customers. Whether you're a third-party developer, an accessory
manufacturer, or anyone with a relationship with those customers, Apple will
come down on you HARD if they think that you're harming their platform or
exploiting their customers. From that point of view, Apple's action here -
trying to interfere with RS' sale of Apple customers' personal data - is
typical of Apple.

------
jhallenworld
I'm sure they have no choice but to sell assets with value.

But is the original privacy policy equivalent to a license (that we consumers
grant Radio Shack)? If it isn't, maybe this will be a chance to set a
precedent for this to be the case.

------
madaxe_again
I see this kind of thing all too frequently. Our clients are retailers. From
time to time, one goes pop, and goes into administration. The liquidators look
at all of their assets - initially, at things like stock and other physical
assets - but then look at their other less tangible assets, like user data, as
selling it can be the difference between settling with creditors or not.

Typically, when you license your data to a company you accept that they can
sell that data as part of the sale of the business, in the event of
administration or liquidation, and a variety of other situations in which you
don't want to have to ask the permission of your N million users to go ahead
with a merger or other essential business activity.

Further to this, we've also seen client service agencies who are processors of
data seizing user data as an asset if a client goes into administration and
leaves their service providers as unsecured creditors (i.e. "you're up the
creek, we'll pay you £0.000001 for every £ we owe, your £80,000 is now
£0.80"), as they also have a responsibility to mitigate their own losses, and
again, contracts usually allow for the seizing of assets in the case of
default.

So, long story short, this is not even slightly abnormal, and something
consumers should consider before providing their data to _anyone_.

~~~
dm2
The "we will never sell your data to anyone" in a Privacy Policy effectively
means nothing at all.

Why are there not consumer protection laws in place to prevent this? In my
opinion, in order to sell customer data you should have to go to court and
have a judge look over the data to determine what can be sold.

~~~
madaxe_again
I've little faith that any judge would do anything other than "ah. This is
something... computer. don't know. Yes?". It's the same "shutters coming down
with a bang!" phenomenon as one sees with most non-technical folks the moment
they _think_ something technical might be coming their way.

Either way, this is a very grey area, as if you tie up corporate affairs with
every single one of your customers, it would make your business unsaleable,
and make liquidation impossible, so while consumer protection is desirable,
there also have to be measures that allow businesses to operate without the
explicit consent of each and every one of their customers for any action.

~~~
dm2
I see your point about businesses being unsellable.

What's the difference in Facebook acquiring WhatsApp's customer database via
purchasing the entire company and it being sold numerous times during a
hypothetical WhatsApp liquidation sale? None really, and whatever WhatsApp's
(and all other companies') Privacy Policy said about protecting user data is
somewhat meaningless.

~~~
madaxe_again
Yup, nail on head.

Increasingly the value in a business _is_ the customer base, and therefore
their data - this will only continue as the service economy grows and brand
continues to be king.

------
bhartzer
Luckily, I've ditched my landline since I bought stuff at Radio Shack. So any
calls to my old landline phone number won't get through.

Is there any indication that what you bought there, along with your contact
info was sold? Or just your contact info?

~~~
kw71
Those calls may not get through to you, but they'll get through to a bloke
like me, who happened to get your old number, hates marketing calls and will
play games with the callers (Billy speaking, Yes your ridiculous offer is
relevant to my interests, I'll take it) and extracting data from them bit by
bit (My address? I still live in Pratville and haven't moved. OK, Fine, I'll
confirm the details you read to me.)

If I had fewer scruples I'd actually use the data for criminal acts, but I
simply amuse myself by seeing how far I can get with callers.

------
kevando
This is why Google's "Don't be evil" mantra freaks me out. Yeah they're not
evil now, but who knows in 15 years? That mantra is gonna be like a slap in
the face.

~~~
jcadam
> Yeah they're not evil now

Oh come on, I was drinking coffee when I read that :(

~~~
iamcurious
They can always redefine evil...

Merriam-Webster defines evil[1] as:

    : morally bad
    : causing harm or injury to someone
    : marked by bad luck or bad events

Google defines evil[2] as:

    profoundly immoral and malevolent.

Surely Google isn't _profoundly_ immoral and when they happen to be I'm sure
they can add a few hyperbolic adjectives to their definition.

[1] [http://www.merriam-webster.com/dictionary/evil](http://www.merriam-webster.com/dictionary/evil)

[2] [http://google.com/search?hl=en&q=evil](http://google.com/search?hl=en&q=evil)

------
strathmeyer
It's pretty hilarious this is being 'reported' on a site that won't let you
read the article unless you give them your personal information.

------
fiatmoney
It is standard in bankruptcies to dissolve existing contracts (after all, the
point of bankruptcy is that you can't fulfil all of your existing contractual
obligations). So it's not surprising on face that privacy policies would be
included in this.

(This is distinct from "selling / buying the company" which usually means
assuming all obligations).

For a class of contractual obligation to be "special" in the context of
bankruptcy you typically need some kind of legislative protection (some states
have rules about "outstanding payroll gets paid first", student loans are
nondischargeable, etc). Or some kind of bankruptcy court ruling that liquidating
the assets in this way would be somehow inefficient or against the public
interest, which looks like how the FTC is approaching it. But in a
circumstance where a huge portion of the business's assets were "private
information", I could see a bankruptcy court ruling the other way - this
doesn't necessarily establish binding precedent.

------
dredmorbius
Maciej Cegłowski "The Internet With a Human Face"

[http://idlewords.com/bt14.htm](http://idlewords.com/bt14.htm)

 _As a wise man once said, if you have something that you don’t want anyone to
know, maybe you shouldn’t be doing it in the first place._

 _But there are also dangerous scenarios that don't involve government at
all, and that we don't talk enough about._

 _I'll use Facebook as my example. To make the argument stronger, let's
assume that everyone currently at Facebook is committed to user privacy and
doing their utmost to protect the data they've collected._

 _What happens if Facebook goes out of business, like so many of the social
networks that came before it? Or if Facebook gets acquired by a credit agency?
How about if it gets acquired by Rupert Murdoch, or taken private by a hedge
fund?_

 _What happens to all that data?_

------
JackFr
The question comes down to is the private equity group a successor
organization.

If Best Buy had swooped in and bought Radio Shack, maintaining it as an
ongoing concern I don't think anyone would have objected to them getting the
data and honoring Radio Shack's original agreement. That is, they are not a
third party, they are the successor to the party of the first part, viz Radio
Shack.

Also had a private equity group come in and bought Radio Shack and taken them
private, few would have objected to the now private Radio Shack under new
management, maintaining the data and the agreements they held.

But by dragging Radio Shack through bankruptcy, they begin to lose the
appearance of a successor organization, and begin to look more like a third
party.

------
chris_wot
In Australia, we have a set of clear privacy principles outlined in law. These
are called the Australian Privacy Principles, and there are 13 of them.

The first principle is "Australian Privacy Principle 1 — open and transparent
management of personal information", and it states that every organisation
must publish a privacy policy and it _must_ state "the purposes for which the
entity collects, holds, uses and discloses personal information".

That's legally binding. If the company violates it, there are massive fines
and the Privacy Commissioner can investigate.

------
driverdan
This is exactly why you should never give your data to someone unless it's
absolutely necessary. If someone asks for your contact info just so you can
buy batteries just say no.

~~~
Lawtonfogle
Maybe with new AR devices coming out soon, maybe you can quickly do a picture
to social media lookup, and then use that to see if the employee has their
address/phone number online. The look on their face as you give them their own
personal info would be priceless.

The investigation for stalking, not so much.

------
lazyjones
I don't know the case's specifics, but doesn't typically the bankruptcy court
decide what assets are to be sold? The former management and staff (what we
are thinking of when slate.com writes "RadioShack Sold...") has no influence
over this and should not be blamed. The bankruptcy court is the new
management, they can do what they want and must according to law to satisfy
creditors, blame them.

~~~
agwa
They collected and stored data unnecessarily, so former management absolutely
shares blame.

------
jmkni
I have worked at a company where this has happened, and it wasn't even the
company themselves really.

They went into administration, and the administrators came in and wanted to
see if they had anything of value.

Data is of value, so they sold it to a rival company. Not a lot you can do
about it really, apart from not store the data in the first place.

------
oldmanjay
well, "your" data in perhaps some rhetorical sense. "data about you" would be
more intellectually honest, but slate is nothing if not manipulative. it's
okay, they know they're promoting correct opinions so little tiny
manipulations in service of that is okay.

~~~
deong
> well, "your" data in perhaps some rhetorical sense.

In this context, "your data" is 100% of the time used to indicate data you've
provided to someone else about you. Have you ever seen an article saying
"Facebook to target ads based on their photos" or "Google using their data to
make money"?

~~~
oldmanjay
Well yes, as I indicated, the author is using a phrase in a rhetorical sense
to frame the narrative emotionally. I'm sorry if I wasn't clear that I
understand what the technique is accomplishing. I am merely pointing out the
essential dishonesty in its use.

~~~
deong
But if _everyone_ uses the phrase that way, then it's not dishonest for this
person to do it too. That's how language works. If I tell my student, "the
early bird gets the worm", it's idiotic to call me stupid because I confused a
human with a bird. I _didn't_ in fact do that. I used a common idiom in the
language that we all understand. The fact that you can recognize there's a
literal meaning that wasn't accurate is pointless. I'm not dishonest or a liar
either. I used language in a non-literal way, just like all of us do hundreds
of times every day.

When someone says "company X is using your data", there's a common
understanding in play. We all know what they mean. They mean "data they've
collected about you". If you want to call everyone names because, taken
literally, it's incorrect, then go ahead, but you're beating a dead horse
here. And I'm not actually accusing you of pummeling the carcass of an equine.
I'm saying you're spending your energy on a pointless task, but doing so in a
way that relies on you understanding that the meaning of a sentence isn't
strictly determined by the meaning and order of the individual words in it.

------
anigbrowl
And people wonder why I am less exercised about government snooping than most,
when it arguably has much less impact on most people's lives. (This is not the
same as saying that it's OK; I just don't think it's the #1 tech-social
problem).

------
ck2
It is one thing for a private corporation to sell their sales data.

Some people don't have a problem with that, though I think they should.

You might be outraged however to discover that your state DMV will happily
sell your license/cartag data to corporations.

------
bcheung
Did they sell the data or the company? I'd be curious to know if the new owner
is still obligated to follow the same privacy statement? In either case, I'm
not going to lose any sleep over this.

------
kefka
The answer is: Do not have a privacy policy.

If you have a privacy policy and you violate it, the FTC comes after you. No
policy? No harassment from FTC.

Aside from that fact, it's not like they really matter. Right?

~~~
matthewmcg
The laws of many jurisdictions require you to have a privacy policy if you are
going to collect personally identifiable information from residents of that
jurisdiction. See, for example, the California Online Privacy Protection Act.

------
cmdrfred
Never gave them a fucking scrap of data, in fact I actively gave them bad but
valid enough looking information so they (and now whoever they sold it to)
will waste time and money.

------
tsieling
Battery Card Club, you've turned against me.

------
rglover
So that's why I just got a random call from Michigan selling me a security
system.

------
gcb0
Just makes you wonder, what if Google, Apple or Facebook go broke tomorrow?

------
antidaily
Oh fuck. Someone knows I bought some RJ45 connectors!?!

------
jms703
Isn't everyone doing this in some form?

