

When a Company Is Put Up for Sale, in Many Cases, Your Personal Data Is, Too - gk1
http://www.nytimes.com/2015/06/29/technology/when-a-company-goes-up-for-sale-in-many-cases-so-does-your-personal-data.html

======
bearwithclaws
This is one of the reasons I didn't put Hacker Monthly up for sale when I've
decided to shut it down.

Our subscribers (a little over 10k) trusted us enough to provide us their
contact information (and mailing address for print delivery). Turning them
over to 3rd party (even after due diligence) just didn't seem right.

------
RyanZAG
It hardly even matters if the company is put up for sale.

Assume a kitten-loving company that will rather die than let your data be
abused. They take VC funding, hit a bad turn, take more VC funding. Now the
board is controlled by VCs. You're now trusting the VCs with your data and not
the company itself.

Assume a second kitten-loving company that will rather die than let your data
be abused, and is run by only two co-founders. You give them all your data.
The two co-founders end up in a plane crash. Their company is transferred
to... who knows really? Your data is now sold off in liquidation to.. who
knows really?

~~~
JoshTriplett
> Assume a second kitten-loving company that will rather die than let your
> data be abused, and is run by only two co-founders. You give them all your
> data. The two co-founders end up in a plane crash. Their company is
> transferred to... who knows really? Your data is now sold off in liquidation
> to.. who knows really?

At least in theory, that's possible to avoid. If you accepted the data only
under a specific set of terms, and ensured either that the original terms
under which data was obtained are those that apply, or that specific privacy
and usage terms were required to survive into any successor agreement, then in
doing so you'd bind any future owner of the company by the same terms. You
can't sell (or liquidate) something you don't have the rights to yourself.

~~~
RyanZAG
Assume the only surviving beneficiary of the company is a Chinese nationalist.
All of the company and servers are transferred over to him. He quickly moves
all the data over to mainland China and uses it for.. who knows?

Even if you had laws, I'm not sure they would help in this case.

Besides, even if you have perfectly written self-binding contracts, there's
nothing stopping the next owner from being a scumbag and finding clever or
illegal ways around the deal. eg, he could 'find' a million dollars on the
pavement in the surprising position where he happened to 'lose' a hard drive
with all the data. Exaggeration obviously, but if the data is in someones
possession there are a lot of things that can be done with it without overtly
breaching any agreement. Eg, he could start a new company himself that
'leverages' the data to provide all previous customers with 'incredible deals
and benefits'.

~~~
JoshTriplett
You're now assuming the new owners are willing to commit illegal acts, or at
the very least breach a contract. (And the newly started company would be
breaching the contract as well, if it was written to exclude that.) That's at
least a significantly higher bar than "the highest bidder can do whatever they
want with the data", which is the current state of things.

But yes, even better protection would be never collecting data you don't need
in the first place.

~~~
pgeorgi
> But yes, even better protection would be never collecting data you don't
> need in the first place.

"Germans even have a word for it: Datensparsamkeit, the principle of only
collecting the bare minimum of data necessary."
([http://qz.com/390988/germans-are-paranoid-that-the-us-is-
spy...](http://qz.com/390988/germans-are-paranoid-that-the-us-is-spying-on-
their-data/))

Since the concept was established in 1983 by the constitutional court, there's
probably a body of knowledge around that, just in the 'wrong' language and
hence less known in the anglo-saxon culture.

~~~
Symbiote
Britain has similar laws, of a similar age. We don't have a word for it, but I
think there's an attitude that companies shouldn't be given more data than
needed, and a suspicion when they ask.

"Personal data shall be adequate, relevant and not excessive in relation to
the purpose or purposes for which they are processed." [2]

Which the guidance[1] explains as "So you should identify the minimum amount
of personal data you need to properly fulfil your purpose. You should hold
that much information, but no more. This is part of the practice known as
“data minimisation”."

[1] [https://ico.org.uk/for-organisations/guide-to-data-
protectio...](https://ico.org.uk/for-organisations/guide-to-data-
protection/principle-3-adequacy/)

[2]
[http://www.legislation.gov.uk/ukpga/1998/29/schedule/1/part/...](http://www.legislation.gov.uk/ukpga/1998/29/schedule/1/part/I?view=plain)

~~~
amelius
And how much data is google allowed to store about us?

And why isn't the user allowed to specify the amount of bits that google store
about us?

There are 7 billion people on this planet. If I allow google to store at most
32 bits about me, then at least that data cannot uniquely identify me (roughly
speaking).

------
globuous
I was talking about this with a friend of mine no earlier than yesterday. We
were discussing about how Facebook Messenger doesn't need an account anymore,
but only your phone number. For years I tried to not give my phone number to
Facebook (for various reasons, but I knew I'd someday "need" to give them my
number). Well turns out they've had my phone number associated with my name
ever since they bought Whatsapp. Along with all the conversations I've had on
this service probably. This article definitely points something that should be
kept in mind when uploading personal info online, althout this isn't anything
too new.

~~~
dunkelheit
Well the case of phone number information is even more devilish - it is in the
phonebooks of your (not so privacy-savvy) friends so you have almost no
control over it.

~~~
robmcm
This is the worst part about your contact details, just think about the number
of times you get those spam emails when one of their accounts gets hacked, not
to mention address books mobile APIs.

Now think about how they often contain your home address, birthday, spouces,
photos etc...

------
beagle3
Yes. Which is why you should never trust a company with info you wouldn't
trust their competitor (or any other company for that matter), regardless of
how kitten-loving and un-evil they are today.

------
austenallred
Is this a surprise?

If a company buys yours, does anyone expect them to buy everything expect for
the information on their customers?

That gets nasty if a company is selling only the data, but the legalese that
allows companies to sell data to whomever may be buying the company shouldn't
come as a surprise.

~~~
QuantumRoar
It's not about it being a surprise that this happens as long as it is allowed.
It's a surprise that there are no laws in place to protect consumers.

Especially in times when most "tech savvy" people advice the use of cloud
services for backups, syncing, sharing and communication, a sale of a company
becomes a privacy nightmare for those who listened and tried out these
services. There should be more people that spell out that it is not safe to
upload your data to someone else's computer.

Would you upload a backup of your data to my computer? Of course not. Would
you do it if I made an over-designed one page website and offered an
iOS/Android app? There are a lot who do that every day. Once the deed is done,
I shouldn't be allowed to do whatever the hell I want with your data. Selling
or sharing data with third parties should be strictly opt-in, no matter the
circumstances.

Imagine your Dropbox, Password manager or backups being sold to the highest
bidder. A company which you previously trusted becomes greedy and sells you
out. There's nothing you can do about it because "you should have read the
small print 10 years ago, when you started using the service." It's not
surprising that there are people who'd sell you out. What is surprising is
that it is allowed.

------
jensen123
If I want to buy ebooks, games, music, movies etc. online, it's extremely
difficult to find a company that actually respects my privacy (as opposed to
just saying they respect my privacy - plenty of those). I wonder, if I bought
myself one of those Visa giftcards, and just made up a fake name and address,
would that be any problem? Would I be breaking any laws or anything?

~~~
__z
I've tried a few times to pay for stuff online using gift cards and the
transaction was always declined (n=3)

------
rwhitman
If you submit personal information to _any_ business you're putting yourself
at risk.

Social media companies have a lot of data, yes, but most of it is pretty
benign. The world should be far more concerned about the PII that gets
transmitted around less tech-savvy smaller businesses and non-profits.
Particularly for-profit education companies.

Education companies have gobs of very sensitive info like social security
numbers, previous addresses, family relationships with full contact info,
medical history etc and many of them are clueless when it comes to privacy and
data security. Not only are they at high risk for data breaches but their
lists can also get acquired and traded when the business changes hands.

------
rayiner
The bigger issue is bankruptcy. Creditors will look to sell any assets that
can be monetized, and given the nature of the proceeding, the court will have
a lot of discretion in allowing them to do so, much more so than a private
purchaser.

------
nocarrier
I'm guessing everyone who works at a big company and used Secret was hoping
that said big company didn't acquire Secret's assets when they folded.

It does always make me think twice before committing to using a startup's
product, you never know who is going to fail and sell assets to the highest
bidder, or who is going to get acquired by a big company whose ideals you
don't like.

The problem is that oftentimes, the data is one of a company's most valuable
assets, so you can't just make it off-limits since that would erase a lot of
the value. I just wish there was a better legal framework to handle these
kinds of situations.

------
amelius
I sure hope Google never goes up for sale.

------
dunkelheit
I wonder how much of the price of the big acquisitions of recent years (e.g.
instagram, whatsapp) is justified by the value of personal data.

~~~
LoSboccacc
well, outdated, but personal data and its quality has indeed a value:

[http://www.statista.com/statistics/289505/social-networks-
va...](http://www.statista.com/statistics/289505/social-networks-value-per-
active-user/)

also user generates revenue by themselves

[http://www.technologyreview.com/article/424650/how-much-
is-a...](http://www.technologyreview.com/article/424650/how-much-is-a-user-
worth/)

edit: updated link to more recent stats

------
VOYD
Considering so many companies whole business model is based on personal data,
this not a surprise. Seriously, how could Uber be valued so high without every
customers personal info being sold off to the highest bidder.

------
jacquesm
That's actually a good case. When a company goes bust your personal data could
end up _anywhere_.

------
DevPad
Some time ago I participated in some Startup Accelerator.

Was part of Startup with really fast growing user base, but small amount of
sales. What some investors really suggested to do with our database - is to
sell it!

So companies can sell personal data (and they do it) not only when put up for
sale, but at any time.

