Think Your CRM Files Are Invasive? You Ain’t Seen Nothing Yet—And Neither Has Your Lawyer
Written by Mark RaschAttorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
Technology is now enabling retailers to capture data from their customers that those customers never envisioned sharing—such as the sound of their voice or the shape of their face, or using their directory assistance inquiries to determine book pitches. From a legal perspective, these interesting efforts may be inviting lawsuits and other legal challenges.
Consider a service that Google offered where you could call a toll-free number (GOOG 411) for directory assistance. Although you got a telephone number and directions, Google got information about not only what people in general were searching for (people in Piscataway picked pizza) but also what a specific person was looking for (John Smith—or John’s telephone—searched for the number for an AIDS clinic, then a drug store, then life insurance). Again, because Google isn’t a phone company or particularly regulated in any way, it could use or sell this information in any way consistent with whatever privacy policy it wrote. But Google got much more than that.
It could use the information to create a database of voices for use in voice-recognition software. It could also have used individual voices to create a profile of a specific person’s voice and then—like the potential facial-recognition program in the retail store—sell that data. Who would buy it?
A bank, for example, wouldn’t pay to authenticate its customers, because the bank could simply ask those customers to directly give them voice samples for free. But a bank very well might pay to identify the voice of the fraudster on the phone. There is little if any law preventing this.
Consider a restaurant selling a soda. The customer pays with a credit card and the restaurant now knows the person’s name and what he looks like. On the soda glass is that person’s fingerprint and DNA. Pretty cool. Should or could a retailer make a lucrative side business (in addition to selling soda) out of collecting and selling this information?
Most state laws on DNA relate to the creation of a DNA database by the government, and federal law prohibits discrimination in healthcare and insurance based on DNA profiling. But no law would prevent, say, your local Starbucks from creating such a database.
September 8th, 2011 at 2:22 pm
This data is open to manipulation then use for nefarious means. The data is also stored probably unencrypted in various locations that are subject to hack hence theft and the worse case of identity theft every.
“1988” may be just a little late but it is here never the less.
What of my self do I really own and have the right to protect? My DNA is no longer mine! Obviously someone else believes that they own my finger, voice and retinal prints. What next human organs?
Not good, not good at all.