But that distinction is important. The latter case involves data that is not actually "yours"; it's generated by observations made from counterparties you do business with, and concerns only the details of those transactions, not the purpose to which those transactions are put.
And yet it's the latter case that represents the most outrageous transgression by NSA (the Verizon call records database). Which suggests to me that the "my data" / "your data" divide is actually not all that useful in the policy debate about where NSA's limits need to be.
It's clear that there are some forms of metadata (call records, packet destinations, etc) that are useful and perhaps necessary for service providers to observe and log, in the course of providing their services. But insofar as the privacy implications of releasing that data fall almost entirely on consumers, not on the service provider, it makes sense to give consumers some say over what happens to it. In this view, metadata really is "my data" in the sense that a service provider should have an obligation to protect it, analogous to medical records (which are records of 'business transactions' with my doctor that they nonetheless have an obligation to protect) or documents provided to an attorney under attorney-client privilege.
The only way to give individuals this choice is by enabling non-techies to encrypt and anonymize their data, freely, easily and in a way that respects the UX. It isn't up to a politician or Comcast.
Increasingly, people are going to make a binary choice with every new technology decision: do I opt _out_ of suspicionless blanket surveillance of entire populations, or do I use something else that gives me no choice in the matter?
Ceteris paribus, apps enabling you to opt out of it all are just plain more valuable.
In the case of call records (well, any records regarding an individual), this could be a 4th Amendment issue, but it's also a 1st Amendment freedom of association issue. If the government is perusing call records, that puts pressure on your sense of whether you are free to associate with someone. If you know the government is looking at call records, then you may be reluctant to call your brother, or a journalist, or someone in Ferguson MO.
So I agree, we need to be diligent about cabining the surveillance powers of the state as an intrinsic policy goal, and not as a side-effect of who generated what bits and where they put them.
We already have a type of data that's treated like that, medical information, protected historically by patient/doctor confidentiality and formalized in HIPAA in the US. A lot of the medical data about you is essentially the doctor's or industry's data, not yours. It can be difficult to impossible to get everything about you disclosed to you; it is for all intents and purposes data about you but not owned by you. And yet, doctors and the industry are prohibited from sharing that data beyond business and medical purposes, and (I think) the government has laws prohibiting itself from having access to that data.
It's a good start.
> A lot of the medical data about you is essentially the doctor's or industry's data, not yours. It can be difficult to impossible to get everything about you disclosed to you; it is for all intents and purposes data about you but not owned by you.
Quite the opposite - a large portion of HIPAA is about the rights of the patient to access their medical data. Actually going through this formal process has a number of steps, but some of the first lawsuits regarding HIPAA were actually about this, not about the safeguards on sharing or security.
In fact, under HIPAA, doctors and insurance companies are allowed to share your data with other entities ('associates') without consulting you first, as long as they sign another agreement with that entity promising that they'll abide by certain rules. Those associates are allowed to share it with other associates, and so on, etc. - all of it is legal as long as there's a trail of these agreements going all the way back to the doctor, hospital, or insurance company.
Anytime that you sign a document authorizing release of your information to a third party, that's generally referring to releasing data that they can't legally share under HIPAA via the above means.
There are some caveats, but this is more or less what is already happening to your medical data - you just don't know about it.
(I am a lawyer, but this is not legal advice!) I would just add that HIPAA does limit what constitutes a permissible disclosure. Without a written authorization, PHI sharing is usually limited to disclosures necessary to provide treatment, seek payment, or operate the healthcare business.
The best reform we could probably see is to say that your health and medical data belongs to you, full stop, and consider it a work-for-hire. Then, a national regulation on how to represent that data (normalizing what is pulled in) and interoperability specs, as well as a public option for warehousing your data if you choose not to go free-market.
There are a lot of issues even with the simple data-representation part (terminology and whatnot, for example), and getting that straightened out is exactly the sort of boring work that, in the long run, yields extravagant dividends.
The issue is how the government learns it.
The 4th amendment only protects against information within a reasonable expectation of privacy.
The Supreme Court has found that information turned over to a third party (like the phone company) no longer has a reasonable expectation of privacy.
The general idea is that if you turn over data for a third party to read, it is not private data.
Things like email and text messages are private because they are kept private from even the business.
However, there will be major issues in the future because of some of the practices that tech companies have engaged in. Google, Facebook, etc. do not keep your private email and messages actually private. They data mine the shit out of it.
There will eventually be a case that argues Gmail falls under the third-party doctrine. The tech community will be outraged at the government overstep. But the real problem is the tech corporate community's total disrespect of their users' privacy.
Perhaps just like there are strict requirements around credit card data, personal data is treated the same way. Maybe a 30-day limit for storage on some types of information, and a 90-day limit on others?
Allowing the collection but forbidding the persistence of the data (by both corporate and government interests) would allow commerce to continue but would cut back on privacy violations.
Don't know. Just thinking aloud.
My point is that the rubric of intellectual property is unhelpful in defending privacy. To the extent that society demands privacy, privacy must be an intrinsic goal, orthogonal to IP. And yet right now it isn't; significant privacy rights seem to fall out of happenstances about who "owns" what data.
Which is my critique of this article about Wyden.
Property is property, and my data should be my property. Right?
Maybe as a society, we're coming to terms with the limits on ideas such as ownership as a whole when we have to create rules (an intangible in and of itself) around things that are mostly intangible (bits) to the everyday person, and then flail in retrospect to see how such constructs don't hold water, and maybe that no one "truly" can own anything?
There can't possibly be any other ways to live/deal with such other than the way we do now in face of these realities…
As a Senator, he holds one of the most powerful positions in the US. If he wanted to, he could cause real trouble; as an example, by putting a hold on all appointments by the Obama administration. (I'm sure there are more ways to make a point in the Senate).
But he doesn't. Yes, he does bring some of the problems to light; but I wish he'd lace up and actually do something drastic to make the administration change its ways.