What's privacy worth?

The business of personal data is booming and the web giants will stoop pretty low to get hold of yours. If only they put half as much effort into showing they can be trusted with it, says Simon Caulkin.

by Simon Caulkin
Last Updated: 09 Oct 2013

When a mid-21st century son of 1980s oil-baron soap Dallas is made, it won't be about oil. It probably won't be broadcast on what we know as TV either, or indeed be broadcast at all.

That's because the next business to boom in the way that oil did looks set to be personal data and identity, and this weightless new asset class has the potential to do to broadcast media what the internet has already done to the press.

Like oil, as well as disrupting older industries, it will also fuel a whole range of new ones. And it is already throwing up a comparably colourful cast of heroes and villains - social media, Google, credit agencies, hopeful start-ups, trolls, regulators, security agencies and governments, among many other more shadowy ones that we've never heard of - even if it's often hard to tell which is which.

And although concerns about privacy online are almost as old as the internet itself, what's changing is the nature and extent of the personal data that can be culled, and the increasing ease with which all and sundry can get their hands on it.

Giving up your name, address and email in return for a personalised service from a retailer or bank is one thing. But the advent of mobile phones with GPS and always-on internet access has led to a plethora of apps that can track our movements and browsing and social media habits, and powerful new analytical software can join the dots in ways that are both controversial and potentially hugely lucrative.

When Google claimed that anyone who emails someone with a gmail account has 'no reasonable expectation' that those emails should be private, even the most laissez-faire of technophiles stopped to think about their privacy.

The revelation, made in a recent court filing connected with Google's alleged involvement in the US National Security Agency's online eavesdropping scandal, has sent ripples across the internet. Is a privacy backlash about to begin?

Everyone agrees that the stakes are colossal - on both up and downsides. The Boston Consulting Group suggests that the value created through digital identity could reach 1trn in Europe by 2020, equivalent to 8% of the combined GDP of the 27 EU nations.

Business and governments could benefit to the tune of EUR330bn and individuals by EUR670bn, reckons BCG, the latter largely through services such as Facebook, Google and others that they get free in return for their info. Governments would gain substantially through more efficient public services.

'The advantages of open data (for the public sector) are so great that we mustn't cock this up,' says Stephan Shakespeare, head of pollster YouGov and author of a report on public sector information.

More modestly, Cntrl-Shift, a UK analyst that tracks such things, puts the future value of volunteered information at EUR20bn for the UK at the same date. Look around to see the alchemy already at work. The market caps of Facebook ($92bn), Google ($288bn), Amazon ($130bn) and other major web companies are held aloft by the value placed on their hoard of private data, their most valuable asset.

As European Commissioner for Justice Viviane Reding puts it: 'Personal data is the currency of the digital market.'

But here's the catch. It's not just that this rich harvest is no foregone conclusion. Personal data isn't oil, waiting inertly to be sucked up by a drilling company and magically spewed out as cash. Handled crudely, data is more like a potent and hazardous chemical.

The downside to its misuse isn't just an information gusher that doesn't gush, but something potentially much more toxic: a suspicion-ridden internet that at best becomes a terrain for large companies to deploy ever more sophisticated means of keeping their customers captive, and at worst an instrument of surveillance and control rather than individual empowerment, as evangelists hope.

The clue is in Commissioner Reding's crucial rider - that 'like any currency, (personal data) has to be stable and it has to be trustworthy'. At the moment it is neither.

This is largely because of the way the web has grown up. Until relatively recently, people had little incentive to consider what they were giving away online. No one read website T&Cs; the utility and convenience of search and social media seemed well worth the price of filling in a few personal details.

As a result, web companies such as Google and Facebook have been operating in a window of unchallenged dominion, when data was effectively theirs to monetise as they could.

'We've had a 15-year aberration as ecommerce got going, and we're only now catching up,' says William Heath, chairman of social enterprise start-up Mydex, one of a new breed of personal data store providers (PDSs) that aims to help individuals manage and control their personal data.

The consequences of this aberration became clear when the net company geeks figured out how to monetise their businesses. The motherlode, they found, lay not in the 'official' identity of volunteered names and dates of birth, but the second, shadow identity that was given away as a by-product of transactions by the first: locations, likes, preferences, activities, family and friends.

It's the trading of this shadow identity data that's behind the burgeoning 'free' app economy. The users pay nothing up front, but data from their smartphones may be logged, segmented and used by marketers to sell their wares.

And, although it is 'anonymised', that data can be extremely personal - a recent survey of the top 20 health and wellness apps by data consultancy Evidon revealed that everything from diet and diseases to bicycle trip distances and even menstrual cycles has become fair game in the data market.

In one study, researchers found they could identify people's sex, IQ and political, religious, sexual and behavioural orientations from Facebook likes alone. In another, so-called metadata was successfully used to establish actual identity. In other words, individuals weren't the customer: they were the product.

And we're just at the beginning. In the forthcoming 'internet of things', almost anything can become a tracking and communication device. A recent news item revealed that City of London waste bins had been equipped with sensors to track footfall and potentially target ads.

Verizon has a camera-equipped set-top box that delivers targeted ads to viewers; Google has patented a means of targeting ads according to the background noise on mobile phones, and there are its (in)famous webcam-toting Google Glass specs.

And that's all existing technology. Some of the UK's 5-6 million CCTV cameras (90% of them private) now have HD capability, enabling face recognition at half a mile. A whole city could become a tracking or surveillance device, experts believe.

'We never don't know anything about someone,' the chief executive of the opaquely named x+1 'enterprise search' outfit told the Wall Street Journal in an investigative series the paper ran in 2010, entitled 'What They Know'. 'We know more about you than you would care for us to know,' confirmed Dave Webb, CIO of credit agency Equifax, in an interview last year.

On mining the data, he added: 'The morality question is another dimension, but if it's legal we should do it.'

Yet for all the petabytes of data collected, today's information economy works poorly. Information in corporate CRM systems is notoriously incomplete or out of date. While individuals are better placed to supply accurate information, few do.

One survey found that 92% of respondents lied online to circumvent intrusive questions. When they told the truth, many Facebook users turned out to be kids who were too young to have accounts.

Unease over privacy issues and one-sided terms and conditions of service is growing. 'There's no doubt that a lot of people worry that they are losing control of their information,' says deputy information commissioner David Smith. 'Technology has shifted the balance towards organisations by making it so easy to collect so much information.'

In one small sign of revolt, an angry Russian modified his credit card agreement and laughed his way to the courts when the bank admitted it hadn't read his small print. Fraud and data theft, arbitrary changes to terms, apparently cavalier attitudes to privacy and data use and, above all, recent revelations of mass surveillance of internet traffic by US and UK national security agencies have all shaken trust in online services.

But without engagement of willing individuals confident that their data will be used with respect and for the purpose it was intended for, none of the potential benefits of the next era in the information age will be realised. That would leave a market potentially worth billions stillborn.

'Trust has to be the key,' says Heath. But there is precious little sign of it. According to Pew Internet, 86% of web users have taken steps to remove or mask their digital footprints, and 85% have acted to avoid observation by people, organisations or the government. Hackers and criminals were named the biggest threat - but advertisers came a close second at 28%.

With database and analytic technology, driven by Moore's Law, powering relentlessly ahead, where do we go from here?

Two scenarios suggest themselves. Optimists see the outlines of a new online economy that would exploit the internet's peer-to-peer capability to put individuals at its centre. Reversing current flows, they would use simple tools to manage vendors, advertising intent to buy and running vendor loyalty programmes.

They would be part of a broad 'personal data ecosystem' in which personal data stores or other 'trust frameworks' would connect individuals and organisations, with robust technical and legal standards governing data flow and usage, under the individual's control.

This could yield massive efficiency gains for business, public services and the third sector, champions believe. And, they add, the value of data used responsibly like this is likely to be much greater than its sale price.

'The economic point is that organisation-centric data feels good for organisations - as in, "we own it",' notes Heath. 'But what they own is a degraded and polluted commodity to which they don't have a moral right. Making data person-centric, and introducing trust and individual curation, increases the value of personal data by a good order of magnitude. The paradox is that relinquishing control to individuals creates something far more valuable. And smart organisations can benefit from that.'

Some promising early moves in this direction are emerging from the public sector. As YouGov's Shakespeare underlined in his report, the UK is ahead of the pack in realising the value of public sector information. The size of the public sector, together with the government's keenness not to hang about, are a major advantage and opportunity, he believes.

As well as opening up its data, ministers are also trying a new approach to identity. To escape the toxic legacy of the identity card debacle, they have wisely started at the other end.

Later this year, Britons will be able to access government websites using log-ons from assured ID providers such as Mydex, PayPal, the Post Office and Verizon, but not the government itself - so no centralised databases with the fears of potential abuse that these can generate. Providers have to sign up to exemplary principles of individual control, keeping data to a minimum, and portability.

If, as seems possible, enough government departments sign up, the hope is that the venture will appeal to the private sector too. The idea of being able to open a new bank account in minutes is said to be switching on lightbulbs at the banks, for instance. So is the promise of reducing fraud.

'It's about rebuilding trust relations between government and the citizen,' says Chris Ferguson, deputy director of the Government Digital Service, a Cabinet Office unit in charge of pushing things forward. 'We want to provide simple, reliable access to government services - and if that gives industry the confidence to use it, so much the better.'

These then are the sunlit uplands that some are predicting. But a more pessimistic vision is also doing the rounds. In this worst-case scenario, we have already sleepwalked into digital serfdom. In this version, the big web companies see no reason to surrender the perceived advantages of holding 'captive' customer information, and the market rewards their lucrative exploitation of Big Data, constantly fuelled by ever smarter analytic software.

Governments are eager to use the same technology for surveillance as well as commercial purposes, raising the spectre of a latter-day military-industrial (or spooko-industrial) complex that combines forces to block Europe's bid to tighten data protection legislation.

Paranoia? Maybe - but there's a lot of it about. A search for 'surveillance state' turns up 352,000,000 internet hits, while, at the other end of the scale, this writer found his email correspondence on privacy accompanied by a contextual ad for 'Degrees for CIA agents' (courses on clandestine communications or advanced surveillance techniques, anyone?).

Few doubt that the dark narrative is technically possible. John Naughton, Open University professor of public understanding of technology, argues that the days of the internet as a seamless global network are numbered, and with it of course its potential to power the peer-to-peer economy that advocates hanker after.

Even if you put it down to caution rather than conspiracy, it's hard not to notice the big companies' protectiveness of their own privacy: none of those approached could field anyone for on-the-record comment for this article.

Small wonder that privacy organisations fear for the fate of measures to modernise data protection law now wending their way through the European Parliament, in the face of industry lobbying that privacy advocates describe as unprecedented. 'There's no good story that can come out of this,' concludes Naughton gloomily.

The larger-than-life CEO of Sun Microsystems, Scott McNealy, famously once advised: 'You have zero privacy anyway, so get over it.'

More thoughtful was Vint Cerf, 'the godfather of the internet', who told MT in a recent interview: 'If you've ever lived in a small town, the notion of privacy doesn't exist. Privacy is something that has emerged out of the urban boom coming from the Industrial Revolution. I'm not saying that we shouldn't be interested in privacy, but I am saying that it's an accident of the Industrial Revolution.'

But others think there's plenty to play for. Anna Fielder, chair of Privacy International, predicts the digital generation will lead a fightback using the net companies' own armoury. Until now, there hasn't been much money in counter-invasive technology, but she points out that 'privacy- enhancing technology' is now the hottest category in Silicon Valley venture capital circles. And some big net companies are cautiously beginning to talk up privacy to differentiate themselves from rivals.

YouGov's Shakespeare insists that inevitable risk shouldn't be used as an excuse for doing nothing. We've come a long way in realising the value of open public sector information, he argues, and now is no time to be throttling back.

He's right that a couple of quick wins would stiffen political will. It would also do wonders for the optimists' cause. That makes the launch of the ID assurance scheme this winter and the fate of European data protection legislation important short-term test cases.

But the key, as ever, will be the side governments (wearing their all-powerful national security hat) and the web giants choose to come down on.

Despite soothing noises in private, it's not clear that either shares the net-democratic, fair-trade data tendencies of the new digital generation, or indeed of many of those web companies' own college-dorm origins - even if, as Heath points out, the prize is 'an online economy several times more valuable than the one we've seen built since 1996, because it's trusted'.

So hang on to your hats: whatever happens, it will surely be a script that makes Dallas look like Blue Peter.




March 2013 - Fined $7m in US for logging personal data without permission in 38 states, via Streetview cars.

August 2012 - Fined a record $22.5m by the US Federal Trade Commission for tracking users of Apple's Safari browser.


August 2013 - Agrees to pay $20m compensation to 614,000 users whose personal details appeared in ads without their consent.

December 2012 - Tries to change T&Cs at its Instagram photo-sharing subsidiary so that it can sell users' images. Mass outrage prompts a hasty climbdown.


February 2012 - Admits to downloading and storing iPhone app users' entire address books when they hit 'find friends' function.

June 2010 - Following a series of security breaches, the US FTC imposes biannual data security audits until 2020.


Find this article useful?

Get more great articles like this in your inbox every lunchtime