Who owns the information?
Daniel Hanson
http://www.securityfocus.com/print/columnists/338
Since the eighties, we've been told that we've begun an Information Revolution similar in scope to the great industrial revolution - in fact we've been told this so often that it now seems like little more than an overused cliché. At the same time, the growth of the personal computer has indeed revolutionized how we interact with our world. Many of us have moved from interacting primarily in a physical world to an electronic one, at first one where only a few pioneers were found, but then finally one that anyone can watch and experience. You no longer have to know how to play music by ear or from sheet music to enjoy the music. Your understanding of the world is no longer limited by the size of your "dead tree" library. Much more information is available from your easy chair, but what does this mean for the ownership of information?

From the music you purchase and download to your personal details stored online, it's all just bits of information. The ownership, availability and security of this information have vaulted to the forefront of importance in the so-called information revolution that we live in.

Setting the laws

The enforcement of both physical security and information security is built upon a scaffolding of social expectations and laws. These laws are built by society as the thinkers and commentators influence government and social policies. In our past, famous people like Dickens made a tremendous impact by identifying the injustices that social change was creating all around them, and his skill in crafting a message influenced many laws that were to come later. Where is the Dickens of the 21st century for our information revolution? Once this role model has been chosen, what is he saying about responsibility, privacy, and security of information? Ask your favorite luminary and you might be surprised by the answers.

Change during the industrial revolution was not technological; it was primarily a social change - the invention of a technology simply brought about the conditions for the societal shift. The same is true today. The technology is being refined, old ways of thinking are slowly being re-examined, and limits are being pushed. From your bank account to your iTunes music purchases, who owns the bits of data? It seems like such a simple concept, but it's really not, and the answer to this question proves to be elusive.

Digital rights management

The problem remains difficult when we consider the bits of information we can purchase that bear a close resemblance to some physical merchandise. Music, video, and other media are a flashpoint in this social change. If I buy a CD, what can I do with the music on it? The CD by itself is essentially worthless, a piece of plastic and pitted foil worth a couple of cents. Obviously what I have paid for is the information encoded on it. What can I do with the CD, however, and what can I do with the information on it? Can I listen to it anywhere? Can I 'take' it off the CD and listen to it on my MP3 player? What if I have it on my computer and my MP3 player and listen to the same CD in the car: does my wife legally get to listen to the MP3 on the computer if I am out for a run with the MP3 player? What if my 16 year old is in the car with her friends listening to the CD at the same time (as if a 16 year old would ever listen to the same music as her father, but let's pretend just for rhetorical purposes)?

Even with such a simple example, our technology has vastly outstripped the ability of our social contracts and our laws to deal with the resulting behavior. In some ways, these questions have largely been answered by laws created before the CD was even invented. Yet even with a fairly thorough understanding of what I paid for, and what I can do with it, I can still find myself in a legal and moral quagmire.

What responsibility do Internet Service Providers bear for violations of these laws, when they purely provide the medium to transfer files? How about the manufacturers of the various types of software that can share files? What do we do about those who manipulate the information itself for other purposes? Essentially we are asking what the moral and legal responsibilities of the individual are with regard to this information. If someone steals some content that I paid for, and misuses that information, do I have liability if I didn't take appropriate precautions? In the physical world, the answer is crystal clear, so why is it not as clear in the electronic world?

Privacy and control

The problem gets more difficult when we change the roles and deal with vague concepts like personal information. Suppose you fill out a form that contains your email address, your birthdate and some other information required for a legitimate reason, to obtain a particular service. What happens to that information once it is typed into a computer? Who has access to it, and does it now belong to the entity that collected it? What do we do about ensuring that the entities who collect, use and store personal information behave with appropriate responsibility? There have been so many massive security breaches in the last few months that it's clear this sense of responsibility is very often lacking.

As of late, some corporations have been aggressively pursuing legal options to ensure that the people who have bought access to their information behave responsibly within the existing legal framework. Who do we have ensuring that these same companies behave appropriately on behalf of the individuals who gave out the information in the first place? The recent and widespread theft of credit-card information from a major credit card clearing house highlights the problem of stored information. Most people are bothered by this, but few are bothered for the right reasons: why was the company storing the information in the first place?

Psychology talks about human behavior being determined by incentives and disincentives. It seems to me that the behavior of large groups of people known as corporations and governments is even simpler to understand, because this behavior is determined solely through economic incentive. If the penalties for security breaches are high enough, the corporate behavior will change - but until that happens, the security breaches will continue.

As more and more of our information is stored in databases, correlated with other information about us, and then made available through security breaches, we must continue to address the issue of who owns our information, who is allowed to store it, and what they are allowed to do with it. The current state of security (or lack thereof) among major stakeholders only serves to bring these issues ever more to the forefront of societal and legal change.
