Now Its Getting Personal

Opinion: Businesses must figure out who owns what information.

If you read this column regularly, you know a little bit about me. You should have a pretty good idea of where I stand on core technology issues, such as patents, security and software quality. If you desired, you could also figure out some other not-so-obvious things about me—like what TV shows and movies I watch, the type of music I listen to or which sports teams I root for.

But theres a lot of other information Im not planning to share any time soon.

There is, of course, the personally identifying information that I wont share, for fear that it will be used against me through fraud or identity theft. And then theres the information I want to keep private because it has value—information on how and when I shop, where I travel, or when and where I go for entertainment is highly sought after by businesses in these markets and the marketing firms that serve them.

After all, this is the information economy, and when my personal information has value, I like to think that I own that information and can choose how and when to share it.

/zimages/5/28571.gifRead more here about data privacy laws.

But it isnt that cut and dried. Despite the fact that President George W. Bush has said that America is an ownership society, there are battles going on over who actually owns a persons private information.

For example, firms that gather information on people—tracking their shopping habits and Web site usage—believe strongly that they own the information they collect. After all, theyve put in a lot of work and resources to gather it together.

The other argument that these firms put forth is that this isnt private information at all but is simply public observance of activity. They would compare it to walking by your house and noticing the cars parked in the driveway, the gardens in the yard and the shopping bags carried into the house.

Privacy advocates argue that the personal information these firms are gathering goes way beyond that, however, and is more akin to getting hold of someones library records, movie rental history and shopping receipts.

And back and forth the battle goes.

One of the major pushes going on now to help address this issue is the idea of putting control of personal information in the hands of individual users. The centralized ID movement called for doing just that, but technologies that put these ideas into action, like Microsofts Passport, never achieved their initial goals—mainly because people didnt want to leave their information on central servers in the hands of large companies.

The pendulum is swinging back now to the older ideas of electronic wallets or localized identity applications that put full control of identifying information in the hands of users. In a perfect world, these methodologies would give users total control of their personal information in almost a barter type of situation, letting users define what they are willing to share and then giving them the opportunity to find sites and merchants that are willing to accept those terms.

These ideas, while interesting, are still evolving, and there are many issues around mobility and security that need to be ironed out.

/zimages/5/28571.gifRead more here about how lawmakers are targeting consumer-data privacy.

But this isnt a bad time for companies and IT departments to start thinking about how they will deal with employees personal information in their companies. Typically, the law has fallen on the side of the company—saying that any information that is created or placed on company hardware or networks can be monitored or even owned by the company.

There are some who would argue that a business has no right to this information—that the situation is no different from a business owning an employees credit card number if he or she made an online purchase while at work.

The simplest solution would be to ban personal Internet use at work. In my Opinion, however, this tends to drive workers from their desks and cuts down on productivity.

Companies will need to step carefully here. Regulatory compliance requires a lot of activity monitoring and logging. But while its still up in the air as to who owns personal information, businesses have to be careful that they dont inadvertently become identity thieves.

Labs Director Jim Rapoza can be reached at

/zimages/5/28571.gifCheck out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.