Today’s US news hounds are aflutter about the US government collecting CDR’s (call-detail records) from several telephone companies. This database, amounting to "billions" of calls, will — according to the National Security Agency — reveal calling patterns that will help unmask those involved in terrorist activities.
This is a big story because nobody who made or received the phone calls was aware that the data would be preserved and published to the government for any reason. This leads to the core question:
Who owns the data?
A telephone call is a transaction. The parties to the transaction are: the person making the call; the person receiving the call; and the telephone service. It would make sense that these 3 are the involved parties in the transaction, therefore these 3 are the owners of the data about the transaction.
But that is not the case. As we see, neither the caller nor the recipient of the call have any claim to ownership. The data about the transaction was collected, preserved and distributed by the telephone service. There was no attempt to get the explicit permission of anyone else before the data was put to use for an unforeseen purpose.
This is no different from any other transaction that takes place in our daily lives. When we purchase goods from a store, the transaction data is captured and used by the store and the credit card company. When we see a doctor, the transaction data is captured and used by the doctor and the insurance company. And one telephone provider (AT&T) is reported to have declared that they exclusively own the data. In all cases, that data is widely distributed to credit bureaus, marketing firms, health care organizations, even the governments. Invariably, that data comes back around in the form of aggregate data, consumer profiles, loan rate factor, and other factors that impact our lives in large and small ways.
And in every case, we — who initiated and consummated the transaction — have no say in how that data is used.
When I put on my "data architect" hat, should I remove my "citizen consumer" hat? There is no need to do that. Yet we often do. As a technologist, I can take the position that "I’m not responsible for how the data is used. I just build the system to do what the client wants."
That’s a cop-out. That’s not good enough.
We who are technologists can’t abandon the larger questions — like "Who owns the data?" — because we empower the clients to do what they do. We bring about the technology to make it easy to misuse or abuse data. We have a responsibility to protect against that misuse.
A search through Google for "Who owns the data?" reveals an IT focus on the data as a corporate asset. The discussions — and they are numerous — are about finding the person or organization within the corporation that has the responsibility or authority to change the data. That’s an important business process question, one which resides within the corporation and outside IT.
But that focus presumes that the data is a wholly-owned corporate asset. The question I’m raising calls that presumption into question (in fact, I’m challenging that presumption). In my view, the data does not belong to the corporation, because it is data created by persons outside of the corporation — customers, browsers, competitors. Although the corporation may have participated in the creation of the data, that is not sufficient to grant the corporation ownership of the data.
Share the Wealth
It’s reasonable to share ownership of the data among all who created the data. In the case of the CDR, the data about that call is owned by the calling party, the called party and the telephone service provider.
So why not share the wealth gained from the data by splitting the proceeds (profits) with all of the data owners?
Sounds fair to me, I think. Whenever Axiom or Equifax sells my credit report, I should get a royalty.
Whenever Visa sends my transaction info to TransUnion, I should get a royalty.
This actually makes sense to me. Although, I have to admit, the finance industry would not stand for it. But after all, I made the transaction (and, in fact, paid the credit card company for the privilege), so I should be able to reap some of the profits from it.
Interesting question, I think.