Q. Our firm collects private information about our customers. For instance, we have the measurements and style preferences of garment purchases. Can we sell this information to other vendors?
A. It’s true that giving information to other vendors has some advantages for the customer. Exactly because such information enables the seller to concentrate his ad budget on consumers who are likely to be interested in his message, the result is that the consumer is presented with more advertisements for products and services which interest him and with fewer messages which he finds annoying and irrelevant.
At the same time, such information collection presents immense privacy dilemmas. Most people would shudder to think that neighbors, creditors, competitors or even distant busybodies might have easy access to all of their buying and browsing habits.
The topic of disclosing private information has two aspects: consent andmodesty. Consent means that information should be disclosed only with the agreement of the subject; modesty means that some information should not be made public at all. This column will be devoted to the topic of consent; next week we will continue with the more subtle issue of modesty.
INFORMED CONSENT IN DATA SHARING
It is widely accepted that data should not be disclosed without the agreement of the subject, but there are many views regarding how much agreement is needed. Some are satisfied with an “opt-out” policy, in which all information is considered public unless the user explicitly expresses his desire to keep it private; others demand an “opt-in” policy in which service providers may collect information only when explicitly permitted by the user.
Many advocates are concerned that even an “opt-in” policy may lack adequate consent: Perhaps the consumer lacks enough information to give truly informed consent, or perhaps there is a degree of coercion because withholding consent has negative consequences, such as limited access to service.
Jewish tradition has a definite preference on the consent issue. The Talmud (1) points out that in the Torah, God explicitly tells Moshe when His words are to be transmitted to the people. Otherwise, Moshe understands that the prophecy is intended for him alone. From this we learn that in general it is proper to refrain from repeating what we hear to others unless the speaker consents. This source seems to support “opt-in” over “opt-out” — information should generally be considered private unless there is explicit consent to disclose.
The issue of informed consent is also prominent in Jewish sources. For instance, the Talmud states that if a person allows someone else use of his property without full understanding of the extent or value of his legal rights, his waiver is void. (2) We can extrapolate to the situation of Internet privacy, where the consumer may not fully understand the value of the information he is allowing the collector to use — a value which can easily reach hundreds of dollars.
A common phenomenon, which may undermine informed consent, is “data mining,” sophisticated analysis of seemingly innocent data. This practice can be likened to examining someone’s rubbish. If someone sees me throw out a can of soda, they have learned little about my lifestyle. But if someone were to carefully scrutinize every scrap of garbage that left my home, they would know practically everything about my private affairs! If I give someone permission to rummage through my rubbish bin for something useful, I don’t have in mind that he may prepare a detailed catalog of every item I discard! Likewise, a person who gives consent to reveal some particular bit of information may not have in mind that this data will be pooled with vast amounts of other private information.
We see that consent is unlikely to be truly informed and complete unless the subject has adequate knowledge of two facts:
1. What is the approximate value of the information he is giving up? 2. What is the scope of the use he is permitting, including the potential for pooling this information with other data?
The Jewish ethical tradition is particularly stringent regarding the preservation of private information, and simultaneously sets a particularly high standard of consent for valid agreements. While accepted custom does have a certain weight, these principles definitely favor an Internet privacy standard which involves only “opt-in” revelation, and which requires the information collector to provide adequate information regarding the value of the information being gathered and the full extent of the permitted use.
Sources: (1) Yoma 4b (2) Bava Metzia 66b.