The Other Side of Consumer Data Collection

While I generally consider myself an advocate of strong consumer privacy protection, even I have to admit that there are generally two sides to every invasion of consumer privacy. For example, shopper loyalty programs are criticized for raising consumers' fraud risk, and for leading to a proliferation of annoying telemarketer and junk mail contacts (e.g., here). However, sometimes, the information gathered by grocery stores is used in ways which are unarguably beneficial to consumers. Case in point: product recalls. Before my fourth of July barbecue, I got a call from Kroger's. Apparently, the ground beef I'd purchased earlier in the week had been recalled, and should be thrown away rather than eaten. Of course, they knew who I was and what I'd purchased, because I used my Kroger card to buy the meat, which meant they were tracking my purchases and storing the data.

The bottom line is that the same data type of data collection which leads to annoying circulars and telemarketer calls led to Kroger being able to provide me with information that I really needed. Of course, consumer data collection isn't an unalloyed good, but it isn't an unalloyed evil either. The trick is to find ways to deal with (or regulate) the data collection that maximizes the good while minimizing the harm.

New Information Security Threats

Now, your network connection isn't the only point of attack for malware. According to this article from C|NET malware has been found preinstalled on USB enabled consumer devices, including an Mp3 player, and (something I didn't even know existed) a digital picture frame. This isn't a case like the Sears holding company fiasco (described here), where the company installed tracking software with arguably insufficient notice. Instead, the malware found on the USB devices is something about which consumers are given no warning whatsoever.

So what does all this mean legally? The first thing it means is that law abiding companies should make sure that they have effective programs in place to prevent unauthorized software from being run on their systems, because this new attack vector (which includes picture frames) could lead to security breaches, and their attendant legal consequences. The second thing it means is that we're likely to see a ton of litigation against device distributors. When Sony shipped CDs with malware pre-installed, they were sued, and eventually settled in class action litigation for (among other things) fraud, deceptive trade practices, and trespass to chattels. I envision many similar suits happening in the future, many of which will probably inculde device distributors who didn't know what their manufacturers put on the devices while they were being made. Finally, I have a distant hope that news like this will lead to more people recognizing the dangers of malware and identity theft. A great example of the lack of regard many people have for information security is this post from BoingBoing which describes an individual who sought to prove security concerns were unwarranted by publishing his bank account number (which, predictably, was used to set up an unauthorized direct debit in his name). Maybe the shock of learning that every day objects like a picture frame can be used to steal data will end up making people more aware of the importance of information, and the lengths criminals will go to to steal it.