Informational injury means harms that consumers may suffer from security and privacy incidents, according to Federal Trade Commission (FTC) Chair Maureen Ohlhausen. Opening a recent FTC workshop on the topic, she noted that the free market is a powerful institution, but that consumers do face injury from some business practices. The FTC needs to focus on actual tangible injury and usually needs to demonstrate harm before constraining business practices, she said. Informational injury is a key part of the FTC’s Section 5 unfairness standard; the workshop aimed to inform and guide the future implementation of that standard.

Actual harms may be the clearly direct financial damage from a data security breach, or the more mercurial “intrusion into seclusion.” Ohlhausen emphasized the need to understand key factors that matter in assessing informational injury, such as the type of data involved, magnitude of harm, and the relationship between risk and injury. We need to better understand how to quantify consumer info injury, the FTC chair said, referencing a Peter Drucker axiom: “What gets measured gets managed.”

Injuries 101

Pam Dixon, executive director of the activist group World Privacy Forum, told a harrowing story about a woman whose kids were taken away after an imposter stole her medical identification info. The thief sought painkillers from emergency rooms, then police came and arrested her and committed her kids to social services. Getting her kids back took three months, a DNA test, and an appeal to the state attorney general.

More broadly, Dixon discussed a new report on the geographical risk of medical ID theft, finding that it usually results from actions of organized professionals inside institutions, or organized crime. The data stolen is usually for procuring drugs or fake billing. The harm can also come from fictitious entries in a victim’s medical files (like cancer or Hep C, which lets a thief procure expensive drugs). Dixon noted a defect in the legal system, where there is no clear legal recourse to correct or delete medical info from a patient’s files. Medical ID theft is growing, Dixon said, but also “unique” in that it is growing in certain regions, especially areas where you find a lot of senior citizens.

How does this medical ID theft work? Frequently it involves biometric identification, where the thief steals a face photo, morphs it with a new face to create a morphed photo that will authenticate both the patient and the thief.

Dixon worried that people are afraid to opt out of financial transactions, even if they are scared of giving up their social security numbers, and consumers shouldn’t have to face harm from using technology. However, she posed a difficult question: with “information annoyances” belaboring everyone, where is the line drawn between an “informational problem” and an “informational annoyance?” There are some “everyday informational issues,” like the use of “financial tools and services.” These are lower-level issues, but consumers can learn how to shut down some of the financial data flows, and there are lots of opt outs a consumer can pursue. Unless a consumer wants to pay cash for everything, “which is not a really easy way to live.”

Damon McCoy, Assistant Professor of Computer Science & Engineering at the New York University Tandon School of Engineering, discussed some of the peculiar world of informational injury, such as ordering pizza to someone’s house, or sending emergency personnel to a person’s house (including SWAT). “How do we measure the harm from that?” He reported that there are online cookbooks, like the old Anarchist Cookbook, that exist to guide people through stealing information. Through the use of remote access trojan (RAT) malware, hackers trade in victims (called “slaves”) for whom they’ve gotten complete access to a victim’s computer, camera, files, etc.

Lauren Smith, policy counsel at the Future of Privacy Forum, discussed the high volume impact from algorithmic decisions, referencing a new report from the Forum. The report goes over a wide variety of informational harms, but none are quite as jarring to accept as “filter bubbles,” which Smith described as an informational injury where a person doesn’t get a wide enough swath of news.

Potential Factors in Assessing Injury

In order to examine the potential factors in assessing consumer injury and how and when government should respond, the second panel tackled some hypothetical scenarios.

HYPOTHETICAL #1:

  1. A pharmacy company uses geo retail tracking to determine aggregate consumer interest in greeting cards.
  2. The pharmacy also begins tracking aggregate consumer interest in over-the-counter (OTC) HIV tests.
  3. The pharmacy sells aggregate info to interested marketers.
  4. One marketing company uses its own algorithm to associate aggregate data with other data to estimate the probability that a specific consumer purchased a greeting card and an HIV test.
  5. The marketing company uses the data to target advertising to the identified consumer, Carl.
  6. The marketing company advertises HIV tests to friends and associates in Carl’s social network
  7. The advertisements mention that Carl recently purchased this product.
  8. A local insurance company gets this data and raises rates for Carl.
  9. Carl’s employer sees one of the advertisements and fires Carl.

Alessandro Acquisti, Professor of IT and Public Policy at Carnegie Mellon University’s Heinz College, responded that the hypotheticals bring no tangible harm at the beginning, but the informational injury builds quickly.

“Does the existence of any of these businesses in and of itself pose an informational injury,” asked Geoffrey Manne, executive director of the International Center for Law & Economics. “Is it an injury we want to stop if we’re sharing information to actually prevent harm,” such as alerting Carl’s social network that they should get tested for HIV too?

Paul Ohm, a law professor at Georgetown University Law Center, asked if a consumer is “worse off than if the conduct had not occurred?” That is the question for informational injury, he said. “In every single one of these hypotheticals,” Ohm suggested, “we see informational injuries, though maybe not all ones that we want the legal system to respond to, but I think all of them could involve government intervention.” Since he insisted that “court house doors are closing left and right” to tort seekers, Ohm demanded that the FTC step in.

Manne retorted that the FTC should be “over-careful” about regulating new technology.

“The risk of surveillance… is higher for some populations than others,” commented Michelle De Mooy, director of privacy & data at the Center for Democracy & Technology. A consumer’s “particular place in the ecosystem may impact the seriousness of the harm,” which may be “subjective harm” or “objective harm.”

James C. Cooper, Associate Professor of Law and Director of the Program on Economics & Privacy at Antonin Scalia Law School, George Mason University, noted that individualized rules are impractical, “so we need to generalize.” Some people may be particularly sensitive about their greeting card buying patterns, but most probably won’t be, he said.

HYPOTHETICAL #2:

  1. Company A stores consumer social security numbers. A security researcher discovers that company A has a security vulnerability that exposes its entire computer network, but no unauthorized access has occurred.
  2. Unauthorized access occurred, but confirmation that no consumer data has been exfiltrated.
  3. Unauthorized access and it is possible that consumer data has been exfiltrated.
  4. Unauthorized access and consumer data from Company A has been found on the dark web, but no evidence that it has been used for fraudulent purposes.
  5. Unauthorized access and consumer data from Company A has been used for fraudulent purposes.

Cooper suggested that, by #4, “the risk of bad things is high enough,” and certainly by the time you reach number 5.

De Mooy commented that #2 was a privacy violation, because the consumer has not been made aware of it. While it may not trigger government intervention, the company is responsible for a violation.

Ohm shook his head, saying that, “the state of data security in this world is horrid.” Consumers’ “time wasted, anxiety… financial ruin.”

Acquisti was similarly concerned for the data security angle, turning to the Equifax breach. He felt that it was hard to economically model the informational injury from the breach, because the harm could come “many years down the road.”

“I hit somebody and they got hurt – that is easy causality,” commented Cooper. “Is it a matter of first-party cyber insurance, to help reduce the incentives for tort resolution?” Or does that insurance need to be tied into the FTC as a solid backstop?

Business and Consumer Perspectives

Jennifer Glasgow, former Chief Privacy Officer for Acxiom, stated that, “every piece of data collected has some benefit.”

Since industries like financial services are so big on compliance, “just from a straight regulatory perspective,” Bob Gourley, partner at Cognitio, said that we should figure out the best approach for each. In many industries, “data is usually publicly available and companies are just combining it.”

“It is tough for businesses to understand the risks to consumers,” said Glasgow. As a CPO, she suggested, “I’d have had trouble identifying at least half of the informational injury risks identified on the panel this morning.”

Katie McInnis, policy counsel for Consumers Union, lamented that nonidentifiable data “is now becoming personally identifiable,” thanks to inferences that can be made from disparate data points.

Glasgow emphasized the need to differentiate in resolution and mitigation between different kids of incidents. “Data breaches are different from just inappropriate data uses by a company… as data becomes part of every business practice, it has both opportunities and risks that need to be carefully evaluated.”

Data security needs to line up with consumer expectations, said McInnis, but so many companies have not sufficiently protected the data they’ve received from consumers, that expectations are not being fulfilled.

Do businesses think consumers are informed about data collection and use? Omri Ben-Shahar, Professor of Law at the University of Chicago Law School, shrugged in response. “Privacy policies are meaningless to consumers,” he said. People report in surveys that they are concerned about what is going on, that it “causes them concern.”

Big Data and analytics engines, said Glasgow, make it even harder for consumers to understand. Between notices and policies, industries need to set the right guidelines. “When consumers are given a choice, and don’t understand what they are being asked, they usually take no action at all.”

McInnis commented that consumers are trading information for free services, and they sort of understand that, but consumers are worried about third parties collecting that data, demonstrated by the increased use of adblock services. She worried that too much is happening “on the back end.”

Ben-Shahar dismissed the survey data in favor of what consumers do “when faced with choices and tradeoffs.” Consumer behavior is what matters in this equation, he insisted, which will help determine if there is any meaningful informational injury. Otherwise, Ben-Shahar suggested, you have privacy skeptics saying there is no problem, and activists screaming that everything is a problem.

“I take your point that survey data isn’t indicated of what consumers actually do,” responded McInnis, but “maybe consumers just don’t feel they have adequate tools to control their privacy. … Tech companies are moving much faster than regulators. That is just a fact of life, but we’re trying very hard to catch up.”