There is an age-old question of whether change is always a good thing. We are told that progress can only ever be made by changing what we currently perceive, and that unless changes are made, something will go wrong and we will be left wallowing where we are.
On the other hand, there is the age-old adage of ‘if it’s not broken, don’t fix it’. Changing something for the sake of change may not always have the desired consequences. There are numerous examples where changing part of an equation has damaged the outcome, from Apple changing from Google Maps to an in-house model that was spectacularly bad to Coke’s new formula in the 1980s.
So when we talk about Big Data in law, how necessary is it for changes to be made? What benefits are we likely to see and where are the changes needed the most?
The most important element of data that new laws need to concentrate on is how companies and governments are storing it.
We are seeing records being set for ‘biggest hack’ every year, from Target’s hack in 2013 to the recent hack of eBay. These are not small-time breaches; they are the full-blown mining of millions of individuals’ information. Both companies hold individual credit cards, meaning that personal wealth could be affected, that banks could need to deal with millions of fraudulent card transactions, and that law enforcement would then also need to be involved. As we can see from this chain, hacks of this magnitude do not just affect the company’s reputation; their impact goes well beyond that.
By setting a global mandate for data protection from companies, the overall industry will benefit even if there are teething problems, as you would expect with something of that scale. By forcing companies that hold more than a certain amount of data to adhere to data auditing, there is a much better chance of having improved data security. Without regular assessment of security infrastructures, holding data effectively just makes it easier for those who want it to find it, whether they get it by legal or illegal means.
The collection of data has never been more prevalent than today and it will continue to grow in the future. The idea that people’s every move is being monitored is either reassuring or terrifying, depending on their viewpoint. In reality, as long as the data is used responsibly, i.e. for targeted marketing or suggestion engines, the issues are few and far between. After all, most of us would much rather see an ad for something we are actually interested in than a generic banner that bears no relevance to us.
Issues arise when the collection of information is done in more underhand ways. For instance, the idea of list buying has been around for a few years and this represents a dark side to data collection. I have received hundreds of emails wanting to sell me their ‘opt-in’ lists. The idea is that these people are ‘opted in’ because they have expressed an interest in a subject or have a specific job title. With the rising complexity of data sets, we could see these lists being sold with considerably more information, and in reality the practice needs to be stamped out.
Some moves have been made in this area, with websites now being required to have an opt-in for cookies, meaning that people will be made aware when their information and actions are being mined. However, in reality, this simply adds a layer of transparency to a process that anybody with a tertiary knowledge of the internet already knows is happening.
This is perhaps the most difficult aspect to control, as analysis is conducted in a wide variety of ways. This means that a general evaluation and code of conduct around it would be difficult to police: unless all analysis was done in the public domain, tracking what is actually found would be almost impossible. It would be easy to simply say that analysis is being done in a certain way but then conduct it in another.
Examples of how this could be used to the detriment of individuals can be found in areas like insurance or financial institutions. If a previously unseen correlation is found and companies can utilise it to maximise profits at the expense of certain customers, this would pose a considerable moral question.
Controls are already in place for some industries, especially those who tend to deal in more personal information, but there are almost constant rumours about these same industries analysing data in improper ways. Whether these rumours are true is purely conjecture, but perhaps there is no smoke without fire.
With work along these lines, though, the difficulty will not be in the formulation of any new laws, but in the upholding of them. Purely by its nature, data is stored and analyzed out of the public eye, making the identification of those in breach of the rules difficult. It is similar to financial crime, where it is often only through whistleblowers or audits that anomalies are found.
What we can see, though, is that following the series of high-level data breaches, this kind of work is not only timely, but absolutely necessary. The issue is not going to be whether it can be done, but how quickly it can be.