Legal Questions Raised by the

Widespread Aggregation of Personal

Data

ADAM TANNER

INTRODUCTION

open my book What Stays in Vegas: The World of Personal DataLifeblood

of Big Businessand the End of Privacy as We Know It (What Stays in
Vegas)1 as ten agents of the Stasi secret police are following me around
on a single day in August 1988, a year before the collapse of the German
Democratic Republic. Communist East Germanys version of the KGB kept
a detailed, minute-by-minute log of my activities and took photographs as
they tried to fathom what motivated my visit to the great cultural capital of
Dresden. What exactly was I really up to? I was writing a travel guidebook,
the Frommers Eastern Europe and Yugoslavia on $25 a Day.
I tell this story to contrast how little Stasi agents understood about me
compared to what companies and commercial marketers know about
hundreds of millions of consumers today. Our personal data are gathered
at every turn in the Internet age, aggregated and used to produce
sophisticated profiles. We often have little choice whether and how our
data will be shared. With exceptions related to financial, medical, and
employment information, there are few legal restrictions on these practices
in the United States.2
My work seeks to illustrate the human face behind the zeros and ones
of digital data collected about our lives. Many of the corporate officials
gathering information about us are intelligent, well-meaning entrepreneurs

Fellow, Institute for Quantitative Social Science, Harvard University.

ADAM TANNER, WHAT STAYS IN VEGAS: THE WORLD OF PERSONAL DATALIFEBLOOD OF
BIG BUSINESSAND THE END OF PRIVACY AS WE KNOW IT (2014).
1

2 See Stephanie A. Kuhlmann, Do Not Track Me Online: The Logistical Struggles Over the Right
To Be Let Alone Online, 22 DEPAUL J. ART, TECH. & INTELL. PROP. L. 229, 230, 23840 (2011).

601

602

New England Law Review

v. 49 | 601

and executives doing their best to advance their businesses. Yet

collectively, they have created a system where individual privacy is under
assault.
Many marketers have told me they think it is great to have intimate
insights on their customers, yet they find it creepy that others know so
much about them.
There is a lot of stuff being done in the name of making money and in
the name of were going to provide a better user experience but yet if you
actually told the end user you were doing this stuff, they would be
aghast,3 says Jim Spanfeller, CEO and founder of the Spanfeller Media
Group, which operates sites including thedailymeal.com and
theactivetimes.com. The idea that we are hoodwinking the end user is
really a bad idea. I think it is shortsighted, although shortsighted might be
ten years or fifteen years, but I dont think it is going to help the industry as
a whole.4
The dangers to individuals, and thorny legal questions, are greatest
when advertisers use sensitive personal informationsuch as details about
a persons health or finances. As Spanfeller explains:
Lets say its just an ad for a cancer medicine, or its just an ad for
bankruptcy, or if its just an ad for your sexual orientation. All of
a sudden, that ad becomes completely transparent
to
people
around you or other marketers or other people who use the same
machine you use, or people who can easily look into your
browsing history when you go to someones site. . . . Now all of a
sudden you can, say, go to a bank site, I asked for a loan but they
looked in and saw that I was looking at bankruptcy ads or have
been targeted with a lot of bankruptcy ads so they didnt give me
a loan. None of which you are aware of. You are just totally
oblivious as to why that would happen.5

Surprisingly, the mysterious world of casinos presents far more clarity

when it comes to personal data than many businesses. One of the reasons
my book includes a major Las Vegas focus is that casinos offer customers a
straightforward model. Patrons can gamble anonymously if they prefer,
but most share personal information by signing up for loyalty cards. Such
programs allow casinos to track patrons in minute detail within the walls
of their establishments. In exchange, participants receive free food, rooms,
and other perks.
What Stays in Vegas looks at the worlds largest casino company,

Interview with Jim Spanfeller, CEO and Founder of the Spanfeller Media Group (2012).
Id.
5 Id.
4

2015

Aggregation of Personal Data

603

Caesars, as a case study of personal data gathering. They are clear about
what they do with such information: they use it to market, not to share
with other companies. By contract, many businesses do not give customers
a choice about whether or not their data will be collected and stored and
they often share it without consent. To what extent customers have a legal
right to control the fate of their data invites future debate and scholarship.
The Total Rewards loyalty program has been one of the underpinnings
of Caesars growth. At the same time, the companys fate highlights the
limits of big data. Because such information seeks to predict the future
based on the past, it is blind to unexpected twists of events. Caesars passed
on the opportunity to invest in Macau because its projections did not seem
to justify a massive investment. In recent years, this special administrative
region of China has dramatically outstripped Las Vegas casino revenue,
even after a sharp downturn since 2014, boosting the fortunes of Steve
Wynn and Sheldon Adelson, Vegas visionaries who often take a more
instinctive approach and did invest in Macau.
Two big investment funds failed to foresee the sharp economic
downturn of 2008, so they took out massive debts to buy Caesars shortly
before the recession hit. Saddled with massive debt, the casino giant could
not afford the interest payments and filed for bankruptcy protection in
January 2015. The next month, CEO Gary Loveman, the former Harvard
Business School professor renowned for his mastery of data, announced he
would step down.6
I.

The Risks from Anonymized Data

Most businesses deal with personally identifiable information (PII)

which includes: details about customers such as name, address, phone
number, email, and other details. The law has typically looked at such
information differently than anonymized data. For example, U.S. HIPAA
regulations bar the exchange of identified medical information without
patient consent, but allow the commercial trade if certain standards of
anonymization are followed.7
It may be time to rethink this approach, as anonymous information is
increasingly at risk. It was once thought that removing obvious identifiers
such name, address, or Social Security number would preserve anonymity.
Yet studies over the past two decades have shown that crossing different

6 Press Release, Caesars Entertainment, Caesars Entertainment Announces Management

Transition (Feb. 4, 2015), available at http://investor.caesars.com/releasedetail.cfm?releaseid
=894821.
7

Privacy of Individually Identifiable Health Information, 45 C.F.R. 164.502(a)(d).

604

New England Law Review

v. 49 | 601

data sets makes identification possible, even easy at times.

In researching What Stays in Vegas I identified three anonymous
volunteers in the Personal Genome Project, which shares intimate medical
data on the Internet in hopes of advancing science. I also found and
learned a great deal about a woman who had posted saucy photos on the
Internet. She had tried to hide her tracks by using a stage name, but other
clues allowed me to piece together her identity and find her.
In 2011, researchers took photos of students on a university campus
and re-identified about a third of them by matching them with publicly
accessible Facebook images. They then built on their previous research to
show they could predict Social Security numbers for some they identified.8
Others have shown it is possible to identify people from aggregating
anonymous Internet searches or Netflix movie rental patterns.
People need assistance and even protection to aid in navigating what
is otherwise a very uneven playing field,9 Alessandro Acquisti, the
researcher on the 2011 experiment, wrote in Science magazine in February
along with Laura Brandimarte and George Loewenstein. 10 [A] goal of
public policy should be to achieve a more even equity of power between
individuals, consumers, and citizens on the one hand and, on the other, the
data holders such as governments and corporations that currently have the
upper hand.11
That same issue of Science included a study of credit card purchases
for 1.1 million people over three months.12 Researchers showed it was
possible to identify 90% of people just based on what they purchased.13
Yves-Alexandre de Montjoye and others who conducted the credit card reidentification study concluded:
Our results render the concept of PII, on which the applicability
of U.S. and European Union (EU) privacy laws depend,
inadequate for metadata data sets. . . . Our findings highlight the
need to reform our data protection mechanisms beyond PII and
anonymity and toward a more quantitative assessment of the

Alessandro Acquisti et al., Face Recognition StudyFAQ, HEINZ, www.heinz.cmu.edu/~

acquisti/face-recognition-study-FAQ/ (last visited Apr. 22, 2015).
9 Alessandro Acquisti et al., Privacy and Human Behavior in the Age of Information, 347 SCI.
MAG., Jan. 30, 2015, at 509, 514.
10

Id.
Id. at 514.
12 Yves-Alexandre de Montjoye et al., Unique in the Shopping Mall: On the Reidentifiability of
Credit Card Metadata, 347 SCI. MAG., Jan. 2015, at 536.
11

13

Id.

2015

Aggregation of Personal Data

605

likelihood of reidentification.14

Another area that bears scrutiny is the legal liability of companies

whose inadequate security enables malicious hackers to steal personal
information. Target, Adobe, Home Depot, and JPMorgan Chase are among
the many companies that have announced significant security breaches in
the last year or two.15 Last year, after JPMorgan Chase said that data on
seventy-six million American homes16two-thirds of all householdshad
been hacked from its systems, I called their customer service and asked
how I might be impacted. What breach are you referring to? the
telephone agent asked me. I could not tell if the agent was being coy or just
confused amid numerous breaches.
In one of the latest incidents, Anthem, one of the largest U.S. health
insurers, said in February that external hackers accessed personal
information about current and former customers, including Social Security
numbers, employment information, and income details17 impacting 78.8
million people.18 Lawsuits have typically followed such major breaches.
Should such a firm be subject to sanction for leaving vulnerabilities in their
systems, or sympathy because they are the victim of crime?
[I] know you expect us to protect your information,19 Joseph
Swedish, president and CEO of Anthem told his members in an open letter.
We will continue to do everything in our power to make our systems and
security processes better and more secure.20 Are such pledges enough
when surely the same fate will befall another unfortunate company in the
months ahead?

14

Id. at 539.
Data Breach Lawsuit Legal News and Information, LAWS & SETTLEMENTS,
http://www.lawyersandsettlements.com/lawsuit/data-breach.html# (last visited May 8, 2015);
Heidi Turner, More Lawsuits Filed in Home Depot Data Breach, LAWS & SETTLEMENTS (Dec. 18,
2014, 8:00 AM), http://www.lawyersandsettlements.com/articles/data-breach/home-depotgreater-chautauqua-federal-credit-union-20325.html#.
15

16 The details were provided in JPMorgan Chases Oct. 2, 2014 filing to the U.S. Securities
and Exchange Commission. JPMORGAN CHASE & CO., CURRENT REPORT (Oct. 2, 2014), available
at http://www.sec.gov/Archives/edgar/data/19617/000119312514362173/d799478d8k.htm.
17 Letter from Joseph R. Swedish, President and CEO of Anthem, Inc. to Anthem Members
(Feb. 2015), available at https://www.anthemfacts.com/ceo.
18 Email from Jill Becher, Anthem Spokeswoman, to Adam Tanner (Apr. 2, 2015) (on file
with author).
19
20

Swedish, supra note 17.

Id.

606

New England Law Review

v. 49 | 601

II. Differing Perspectives on Data

On the legal front, another interesting privacy debate revolves around
the right to be forgotten. A European court has ruled that when it comes to
Google searches, citizens have the right to have certain search links to web
pages removed.21 During a recent trip to Europe, I learned how tangled
such cases can be thanks to Michael Persson, a journalist at the Volkskrant
newspaper in the Netherlands. He asked his readers to share what
happened when they tried to have information removed from Google.
One reader told Persson that his newspaper had photographed him in
1994 while he was relaxing in a park playing a didgeridoo, the elongated
wind instrument. All these years later, people searching for his name in
Google quickly find an image of a man with a beard and scruffy
appearance. Now a financial advisor, the reader would prefer that
potential clients see other information instead. Upon his request,
Volkskrant agreed to remove the image from the web; however, it still
remains in the newspaper archives. 22
Another reader said that when he was sixty years old in the 1990s, he
made a single pornographic film, acting out the fantasy of the older man
getting lucky with a younger woman. The man, who used his real name in
the credits, knew that someone might come across the performance in an
adult video store, but thought his escapade would otherwise attract little
attention. Yet the Internet today allows someone searching for his name to
find the old video in just a few clicks, as well as an IMDB movie website
entry. Google removed some links but not all, judging that anyone trying
to learn about the man had a right to know about the appearance.
Persson stated:
As a journalist, I used to follow Googles line: erasing anything is
tampering with history. But from these cases I learned that
people have a right to have different personalities in different
times of their lives. Googling someone can obfuscate these
distinctions. You cannot reduce a person to the search results on
his or her name.23

How the United States handles personal data has ramifications for

21 European Commission, Factsheet on the Right to Be Forgotten Ruling (C-131/12), available

at http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf.
22

Adam Tanner, These Embarrassing Cases Test The Internets Right To Be Forgotten, FORBES
(Nov. 18, 2014, 7:57 AM), http://www.forbes.com/sites/adamtanner/2014/11/18/theseembarrassing-cases-test-the-internets-right-to-be-forgotten/ (quoting journalist Michael
Persson).
23

Id.

2015

Aggregation of Personal Data

607

other regions. Ronald Leenes, the director of Tilburg Institute for Law,
Technology, and Society at Tilburg University explored this problem at a
recent event he moderated in Amsterdam.
They are constantly testing the limits and export the U.S. model
to Europe and elsewhere . . . Given their dominance of US
companies in cyberspace, we can ask ourselves
whether
the
practices you discuss in your book and presentation display our
common future. . . . We do have stricter regulation. Is this
adequate to keep data brokers at bay? Color me skeptical here.24

III. The Business of Humiliation

Another important area for legal review has to do with the business of
humiliation, which uses true facts or photos to shame people, often for
profit. One chapter in What Stays in Vegas describes one business that
started out by posting millions of criminal mug shots on the Internet. 25
People horrified that others could so easily find these images would then
pay to remove them. Such practices are changing. In January, a new
California law took effect that bans websites from taking money for
removing mug shots.26 Other states, including Utah, Illinois, Oregon,
Georgia, Texas, Colorado, Wyoming, and Missouri have passed similar
legislation.27 Still, variants of the practice continue.
One area where the law is evolving involves revenge porn, the posting
of intimate images to scorn a former lover. Those who grew up before the
era of smartphones may find the practice hard to understand, but such
devices have made many couples into amateur pornographers, spicing up
love lives by filming themselves solo and together. In my research, I have
met several people whose lives have been turned upside down by such
activity.
Holli Thometz started sending explicit images and videos to her
boyfriend when she moved to a different part of Florida for graduate
school. You are having these interactions with somebody that youre in an
intimate relationship through the phone, the way that you would have an

24 Adam Tanner, Why The World Watches Americas Lead On Privacy Issues, FORBES (Nov. 13,
2014, 8:29 AM), http://www.forbes.com/sites/adamtanner/2014/11/13/why-the-world-watchesamericas-lead-on-privacy-issues/ (quoting Ronald Leenes).
25

TANNER, supra note 1, at 137, 142.

Booking Photographs: Commercial Use, S.B. 1027, Reg. Sess. (Cal. 2014).
27 Mug
Shots
and
Booking
Photo
Websites,
NCSL
(Nov.
19,
2014),
http://www.ncsl.org/research/telecommunications-and-information-technology/mug-shotsand-booking-photo-websites.aspx (listing legislation introduced, pending, and enacted in
2014).
26

608

New England Law Review

v. 49 | 601

interaction with them in person, she says. Technology has allowed us to

do that.28
After three and a half years, the pair broke up. All of a sudden the
erotica that spiced up their long-distance love lives became a weapon.
Some of her videos appeared on revenge porn sites. One, tagged as
Masturbation 201 by Professor Holli Thometz went viral, causing deep
humiliation and anger.
In a different part of Florida, Bekah Wells started dating a bodybuilder.
He encouraged her to take erotic photos. She had just gotten a smartphone
and agreed. Eventually they filmed an erotic video together. When I
looked at it with him I said, you know, this is really lame, she says. It
was not at all like you think a video like that would be.
The relationship ended in 2010. Later, she was horrified when a Google
search of her name turned up some of her photos on revenge porn sites. It
is such a violent form of betrayal. If you can just imagine your most private
intimate moment youve ever had, this was essentially that, just broadcast
to everybody, she says. My heart raced, I hyperventilated probably for 10
minutes, I couldnt think straight, I started just crying hysterically.29
Seeking a new start, Thometz legally changed her name. But soon the
images were linked to her new name Holly Jacobs. She decided the stigma
was too great, so she left academia and became a leading anti-revenge porn
advocate with her group the Cyber Civil Rights Initiative. Wells also
fought back by forming a women against revenge porn website. Both have
advocated making revenge porn a crime. Wells asks, Why should it be fair
that I be punished and not him?30
Publicity around such cases has led to change. Since 2014, a growing
number of states have passed laws against revenge porn and authorities
have stepped up enforcement. In January 2014, the FBI arrested Hunter
Moore, 27, whom Rolling Stone Magazine called The Most Hated Man on
the Internet.31 Moore had brazenly promoted revenge porn on
isanyoneup.com. He and another were charged with hacking into email
accounts to steal erotic images. In April 2015, Kevin Bollaert, 27, of San
Diego was sentenced to 18 years in prison for operating a revenge porn
website32a sign of shifting social and legal mores against such incidents.

28

Interview with Holli Thometz (on file with author).

Interview with Bekah Wells (on file with author).
30 Id.
31 See Alex Morris, Hunter Moore: The Most Hated Man on the Internet, ROLLING STONE (Nov.
13, 2012), http://www.rollingstone.com/culture/news/the-most-hated-man-on-the-internet20121113.
29

32

Press Release, California Attorney Generals Office, Attorney General Kamala D. Harris

2015

Aggregation of Personal Data

609

Sitting behind a computer, committing what is essentially a cowardly and

criminal act will not shield predators from the law or jail, said California
Attorney General Kamela Harris.33
Another legal question is raised by sites that seek to intimidate rather
than profit. For example, one radical anti-abortion activist set up a website
on which he posted photographs of people entering abortion clinics,
committing various crimes to which they should answer.34 It also called
on supporters to photograph and videotape people who work at clinics,
including at their houses and near their cars. Furthermore, it asked for
home addresses, Social Security numbers, and other personal details.

CONCLUSION
Although my book does not specifically look at the business of
personal data through a legal framework, it, in effect, asks whether U.S.
laws need to offer more privacy protections. Overall, I think that the
evolution of electronic personal data parallels the development of past
technologies such as automobiles or factories. The development and
evolution of the horseless buggy or factories producing goods for the
masses helped advance societies and transform the way we live. Yet they
also brought unexpected negative consequences, such as injuries and
pollution. Over time, governments mandated protections including seat
belts, airbags, and pollution controls.
Many companies have failed to provide proper transparency into their
practices regarding what kind of personal information they gather and
how they use and share that information. Even with the best of intentions,
assembling extremely detailed consumer dossiers on hundreds of millions
of Americans impacts us in unforeseen ways. We as a society need to have
an open, informed public debate regarding these issues, and we may well
need to implement new safeguards and regulations against possible abuses
and adverse consequences.

Announces 18 Year Prison Sentence for Cyber-Exploitation Website Operator (Apr. 3, 2015),
available
at
https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harrisannounces-18-year-prison-sentence-cyber.
33

Id.
The Nuremberg Files, CHRISTIAN GALLERY, www.christiangallery.com/atrocity (last visited
Apr. 21, 2015).
34