Who Owns Data?

The Data as Property Debate in the Gen AI and Surveillance Capitalism Era

The Federal Trade Commission (FTC) is debating dramatic new rules on how data is collected and shared about consumers (FTC Data Rules).? This follows new legislation across multiple States on privacy and, in general, how data is to be handled by companies across almost all markets.

Two major factors are driving this focus on data.? Artificial Intelligence (AI) and data brokering/surveillance.?? Generative AI engines are crawling the internet and other systems collecting massive data sets to create large language models (LLMs) to generate intelligent systems that can do everything from prescribing medicine to driving cars.? Simultaneously, the explosion of surveillance capitalism is creating models that predict everything from what each person is going to buy to how they are going to vote.? This surveillance is incorporated into almost every website, email and text.

With all of this focus on data, there is a fundamental question that has be asked:

Who owns data?

This is a question most people think they know the answer.? After a few more questions, however, it becomes much more complicated.? For example, do you own your social security number (SSN)?? Most people answer “yes”.? Except the Social Security Administration gave that number to you, so don’t they own it?? If you share your SSN with an employer, do they now own it or are they just borrowing it??

For most of the last 40 years of technology advancement, there has been a general concept of “my hardware, my data”.? In other words, if data is on your servers, laptops, etc. then you own that data.? It is what has made Google, Facebook, Microsoft, Amazon and others multi, multi billion dollar companies.? If you post something on their servers, they can use that to sell advertising and generate other monetary gains with that data.?

The “my hardware, my data” concept began crumbling with the advancement of limitless and remote internet.? Though an employee might log into his bank account on his office computer, nobody would expect that the company now owns his bank account.? Likewise, when you connect to the internet in a Starbucks and use their routers, they do not have the right to see everything you do across that internet connection.?

The Generative AI and brokering/surveillance explosion is now bringing this topic of data ownership to a battle frenzy.? A bill was submitted in Congress on January 10, 2024 (H.R. 6943)? titled? the No AI Fraud Act.? In that bill, it states “(1)?IN GENERAL.—Every individual has a property right in their own likeness and voice.”? The bill goes on to say that creating an image or voice replication of a person’s likeness and voice is equivalent to the theft of property.? Under this bill, my image and voice is property.? What other data about me is my property?? My medical records?? My location?

Data as property is not a completely new subject.? Obviously, cryptocurrency and Non-Fungible Tokens (NFT) have the basic concept of ownership of data.? We have the concepts of intellectual property and copyrights as well.? These items are declarative statements of ownership around very specific pieces of data.? House Bill 6943 mentioned above brings in the element that there is data that, by it’s very nature, has property value.

Why is the concept of data as property so critical?? Think about all the laws and regulations that come into play if data has property values?? How about insurance?? ?If data is property, then data has value, which can be insured.? Similarly, the punishment for cyber and privacy violations could be tied to the value of the data taken, just as the punishment for stealing jewelry is higher than stealing a candy bar.? The implications of data as property are quite broad.

The Technological Challenge of Data As Property

When you pick up a diamond necklace, it is easy to see that as property.? It has a physical form, has a degree of uniqueness, has a location and can easily be seen.? ?Data, at its heart, is nothing more than a series of ones and zeros.?? From a physical perspective, it is a bunch of microscopic pieces of matter set in either a one or zero state.?? Unlike the diamond necklace, you can’t simply pick it up and put it in a shoebox.

So how can something without clearly defined physical form be treated as property?? The cryptocurrency and NFT world found a method for this challenge.? If the data can be proven to have not been altered, then there is a mechanism for holding value, and property, to data.? For cryptocurrency and NFTs, this was done through the blockchain approach.? ??Blockchain uses the concept of secured ledgers and validated transactions that assure that integrity of the data has not been altered or disturbed.? The approach works very well for financial data.

The limitations of blockchain are that there requires a significant coordination across a full blockchain to validate every piece of data.? This is powerful for financial transactions because it is exactly what is needed.? But what if you just want to secure the picture you put on Facebook, or an article like this one, with no real understanding of where and how it might move?? ????And what if you want to get rid of this data, you don’t want to have to go through a complicated process that could invalidate or corrupt other data.?

?

The technological challenge is to encapsulate data in a way that gives the owner control and visibility into the data they own.?

The Only Viable Option – Encryption at the Micro Level

?As mentioned earlier, for the last 40 years the basic concept of handling data has been intrinsically tied to the systems, networks and devices that store, move and process the data.? This played directly to the “my hardware, my data” mindset.? Likewise, when discussing encryption, the general thought has been the encryption of these same systems, networks and devices.? People often think about their laptop, server or storage drive as being encrypted, which then protects the data residing on these locations.

But the demise of the “my hardware, my data” concept defeats this approach because data is constantly moving.? Being encrypted at one location is quickly lost when moved to third party applications, shared over social media or stored in a Google Drive and Amazon Web Services S3 buckets.? ?This lack of security has been borne out in massive data breaches over the past few years.? The MoveIT data transfer application lost millions of records for over 2500 companies and impacting over sixty thousand people.? The Microsoft email breaches of 2023 and 2024 impacted government and commercial companies across numerous sectors.? These are just a few of the third party cloud applications that have been compromised over the last two years.

The only viable option is that the data is encrypted independent of where it is stored, moved or shared.? For this to work, however, the data has to be encrypted at a micro level, such as file by file.? Additionally, the control of the encryption has to be managed by the data owner.? As the author of this article, I should control who sees, and does not see, the article regardless of where it moves and how it is stored and shared. ??Additionally, I should be able to determine how long that data should exist, where it goes geographically and who can process or just view the data.? Lastly, I should determine if this article should, or should not, be consumed by Generative AI engines.

This approach of data independent of networks, applications and devices exists today.? Galaxkey Ltd of the United Kingdom has a commercial product that does most of these concepts today.? Tim Berners-Lee, the inventor of the World Wide Web, has been pursuing concepts in this space through his Solid project with the Massachusetts Institute of Technology (MIT).? ?More companies are starting to develop products around this concept.

The Economic Upheaval of Data Ownership

As mentioned above, fundamental to this concept is that the data owner controls where data is stored, moved and processed.? To get to this approach, however, the issue of “who owns data?” has to be resolved.? ?The internet economy is built around the ability of companies to monetize the data of others.? Google, Facebook, X and thousands of others make money off the posting of information from others.? The data brokers are leveraging captured data to identify consumers and sell advertising.? More recently, companies are scanning massive locations to create datasets that are sold to the artificial intelligence companies.?

Moving data control to the owners would dramatically upset this economic model.? Data owners could either restrict who can access data or gain monetary value from it.? If a user on Facebook posts a picture but encrypts it so that only their friends can see it, then Facebook cannot post an advertisement around the topic of that picture or recommend new friends to connect based on the topic.

In a recent landmark ruling in the case X Corp. v. Bright Data Ltd., No. 23 Civ. 3698 (N.D. Cal. May 9, 2024) the court stated “…whereas?X?owns the technology that provides the basis for X’s access-based claims, X’s?users?hold the rights in the content that provides the basis for X’s scraping/selling claims…”.? This clearly implies that the ownership of the data is with the users, not the platform.?

The concept of data ownership goes much further than just social media and the general internet.? How about medical records?? If the patient owns the record and controls the movement through encryption, then the patient knows exactly which doctors, insurance companies and administrators can see their data.? Likewise, the patient could choose to have all of their data removed from the hospital by simply killing the encryption key.? This might be good for privacy but not necessarily for patient safety.?

Every thing from intellectual property to insurance to national security can be impacted by the concept of data having an owner.? Which comes back to basic question:? Who Owns Data?

?

*Image provided by Vectezzy