From: Kenneth Canfield <ksc2103@columbia.edu>
  To  : <cpc@emoglen.law.columbia.edu>
  Date: Sun, 05 Feb 2006 17:20:20 -0500

Paper: Can We Stop Data Mining With Trade Secret Law?

Can We Stop Data Mining With Trade Secret Law?

The Google subpoena fiasco has allowed many more to discover the
transparency of the fishbowl we live in, and care about whether the law
offers protection against massive data mining.  I ask whether trade
secret law may provide a solution, and unfortunately, I do not believe
it does.

Useful (to the data miner) data mining requires a series of steps:
collecting, aggregating, and analyzing.  Yet the biggest concern is not
when Amazon alone collects, aggregates, and analyzes, but when Amazon,
Google, Visa, ShopRite, and Verizon together collect, aggregate (share),
analyze, and even possibly disclose the results to others.

To stop data mining we must break the chain—but where?  It is hard to
attack collection by single entities, at least under current
technological conditions.  Cash plus avoiding bonus clubs might work at
ShopRite, but not at Amazon and other online merchants.  For online
orders of physical goods, we have to give physical addresses.  For
Verizon, we have to provide the numbers we dial.  While technological
solutions may exist to limit collection, I am interested in a legal
solution under current law and today's conditions.  Once data is mined
by a single miner, preventing aggregation and analysis seems impossible.
 Thus, I will concede for now the ability to prevent independent mining,
and focus on the sharing of data and disclosure of results from mining.

The immediate reaction to attacking data mining at the point of sharing
among data miners and disclosure is that a solution may violate the
first amendment.  However, there already exists a body of law to protect
the disclosure of "secrets"—trade secret law, which prevents the
disclosure of certain confidential business information.  I will
consider how trade secret law might be extended to protect us from
collaborative dining mining.  Trade secret protection protects
confidential business information satisfying three requirements:  (1)
the information is secret; (2) the information provides an economic
benefit by virtue of being secret; and (3) the secret holder makes
reasonable efforts to keep the information secret.  How would our
personal information fit under this rubric?  I will focus on the third
element, which I find the most interesting, and conclude that trade
secrets are not the solution, even if the other elements are satisfied.

We voluntarily give information to Amazon when making purchases, make
non-anonymous searches on Google (though anonymous browsing is
possible), and pay with credit cards.  We let Amazon know what we order,
and ShopRite too if we join their club.  If we view our secrets at this
fine level—the books we order, searches we perform, and groceries we
buy—it would be hard to say we make an effort to keep the information
secret.  While one could argue that we give information to Amazon
without intending it to go any further, and we make efforts to keep it
secret in that we only disclose it as required, such logic would appear
to trivialize the requirement.  We willingly part with the information,
and take no active steps to conceal it (in contrast to not sharing it
more, which I consider more passive).  We do not even try to inform
Amazon how much we value the secrecy of our purchases and preferences.

Can we view our secrets not as the fine data we willingly part with, but
the results of aggregation and analysis?  For actions of a single data
miner, it would be hard to say we gave them information while keeping
secret anything they conclude from it.  But I have already put aside the
case of a single data miner, and the more dangerous results of data
mining occur when Amazon shares with Google and others.  A terrorist
might let Amazon know he wants a book on bomb making, let Verizon know
he makes phone calls to the middle east, and let Google know he searches
for bridge designs, while attempting to conceal from all three that he
is a terrorist.

While it is more promising this view can meet the attempt to keep secret
criteria, the "attempt" is an artifact of the services provided by each
company, rather than true efforts.  If the terrorist were to use Google
Talk instead of a Verizon cell phone, then Google can combine the bridge
design search with the calls to the middle east.  I believe that when
most people use separate entities for different purposes, they do so for
convenience and out of habit, not out of an effort to prevent the
discovery of secrets that can only be uncovered if the various entities
share data.  Gmail has taken off despite being owned by the search
engine giant.

If one were to disagree with my analysis and argue that we do make
sufficient efforts to keep certain information secret, assuming the
other elements are also met, how much protection would trade secret
protection provide?  In order for trade secret law to provide useful
protection, the secrets would have to be the information at the finest
level, i.e., the Amazon book order, the Google search, and the Verizon
cell phone call—the information we most willingly give away.  If our
secrets were only the conclusions gleamed from shared data mining, that
is, if the Amazon book order is not a secret, but the fact that the
orderer is a terrorist is a secret, then it appears that Amazon, Google,
and Verizon can data share with impunity—and each can separately analyze
and conclude that the orderer-searcher-caller is a terrorist.  Perhaps
they cannot share the conclusion, but everyone already knows.  An
attempt to limit the earlier disclosure to prevent the later discovery,
where the earlier disclosure does not concern secrets, does not seem to
fit within the bounds of trade secret law.

The necessity to disclose information to make purchases, perform
searches, or make phone calls is at odds with trade secret law's
requirement to make efforts to keep information secret.  Thus, trade
secret law is not the solution to data mining.


-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list