Law in the Internet Society

The Bio-Data Commons (edited)

-- By AnnaShifflet - 15 Oct 2014


The store of information about the public's activity levels, heart rates, sleep patterns, and more has grown exponentially with the advent of the FitBit, Jawbone, and Azumio. The companies that own and operate these biofeedback products have structured their collection of this information broadly and in a way that has the potential to become a modern commons. A prime example of the modern commons is the knowledge commons. The knowledge commons stems from content creation and distribution over the internet that is widely available to, and for the benefit of, the public. The content was created by the contribution of some, but not all, of that public. For a discrete example, consider Wikipedia. (See also the "cooking-pot" market.) Data collection has the potential to become a commons, but whether it becomes a commons or is fully privatized depends on the future use of the data. Consequently, regulation of bio-data collection should follow the model of knowledge commons governance, which looks to historical efforts to regulate the commons.

Building the Bio-Data Commons

In simple terms, a commons is a resource accessible to all members of society. While commons are most often associated with collective ownership, the concept does not preclude private ownership that is then shared freely. The modern cultural commons is an example of a commons in which private ownership exists, by statute in the intellectual property system, but is shared freely through the voluntary use of licensing mechanisms like the CopyLeft license. In contrast, historical commons often required contribution from all potential beneficiaries, whereas knowledge commons participation is voluntary. In the context of bio-data, contribution is involuntary once an individual uses a biofeedback product, but the choice to use one is voluntary. Furthermore, ownership depends on one's temporal perspective and the legal treatment of bio-data. Prior to using a biofeedback product, any individual has control over his or her bio-data. This control does not constitute ownership, however, because the bio-data is not property. Once an individual becomes a user, the company that operates the product has control over the bio-data, and, through the contractual provisions of the companies' privacy policies, certain rights to determine the future use of the data.

The quotation marks actually mean she doesn't own, because it isn't property. You might want to take that into account. This is also why the cultural commons, which are directly interwoven with a statutory monopoly scheme creating property where none would otherwise exist, are distinct from this situation.

Once a user, the company that operates the product "owns" the bio-data.

Here the quote marks mean, no they don't, but there are some contractual provisions somewhere that determine the relative rights of the two parties in the event of particular occurrences. That's not the same thing, and doesn't necessarily lead to the same conclusions, particularly with respect to third parties, including regulators.

The use of the biofeedback product can thus be construed either as a contribution by an individual of his or her data to the common pool managed by the product's company, or as the involuntary contractual privatization of a good. The view one chooses between these two alternatives largely depends on the company's later use of the data. If the data is used for the benefit of the public at large, the transaction will likely be viewed as a contribution to the commons, or at worst expropriation in the public interest, but if it is used for the benefit of the product's company, the transaction will look more like stealing.

As it stands, bio-data is on the cusp of becoming a commons, and equally at risk of being held hostage through contract by the data collection companies for their private benefit and profit. Data collection has reached the first stage of commons creation, the collection of a private good into a collective pool, but has yet to complete the second stage, the use of that pool. Like historical commons, which often mandated contribution or restricted private ownership of a certain type of good, bio-data requires contribution by all users of biofeedback products and restricts privacy regarding the data by refusing to offer users a collection opt-out right. The knowledge commons model is different, in that it is generated through the voluntary participation of users who post or edit content or publish information publicly. However, like the knowledge commons, data collection can be used by the broader public. While traditional commons only directly served the community that participated in them (although they served the broader public insofar as they protected natural resources from privatization and consumption, for example), the knowledge commons is provided for the benefit of any individual, regardless of his or her contribution. Similarly, bio-data can be used by and for the benefit of the public at large, not just by users of the products that perform the collection.

The Pivotal Moment

As stated above, whether bio-data becomes a commons depends on future use, and more importantly, the nature of restrictions on use. By formulating these restrictions sooner rather than later, the public can push data towards the commons model and preemptively address foreseeable externalities. Alistair Croll wrote "You decide what data is about the moment you define its schema." In the context of bio-data and commons formulation, this statement means that restrictions and permissions formulated now (or ideally, long ago) can define the "schema" of bio-data as a commons that works in the public interest.

For example, Azumio has partnered with research scientists, including academic scientists from Stanford University, to use bio-data in scientific study. Results that advance scientific understanding of biological processes and patterns represent both the use of bio-data as a commons for the public good and a positive externality of the commons. (See Jawbone's earthquake sleep study.)

On the other hand, Azumio could decide to take advantage of this line in its privacy policy -- "Azumio reserves the right to use Anonymous Data for any purpose and disclose Anonymous Data to third parties, including but not limited to our research partners, in its sole discretion" -- to sell bio-data to health insurance companies, who then connect that data to individuals due to ineffective anonymizing techniques. Insurance companies may then discriminate based on activity levels or resting heart rates. This outcome would indicate that bio-data is not a commons, because data is used by a private party for private gain. (It would not be an externality because it affects users of the biofeedback product and not the public.) While this right stems from a contract between the data collection company and the individual user, because it gives the right to sell the data, it seems to create a property right in the data collector. A third party or regulation could find this contract unenforceable or unconscionable; however, does the right to sell not mean the right to convert to property? Does this mean that an individual with a desire to sell his or her bio-data, rather than contribute it freely, creates a property right in the data?

It is also possible that individuals could be required by statute or regulation to provide bio-data publicly. This would force a bio-data commons on a large scale, but would only provide snap-shot data. This could be achieved through adding public health data questions to the census or creating a new, legally required, census-like survey about public health data. Despite the likely political fallout and public pushback, this could be achieved by using the census requirement as precedent.


Ultimately, just as the knowledge commons' governance efforts stem in some part from an understanding of commons governance more generally, regulation of bio-data should reflect the aim of making bio-data a commons that serves the public interest. The view is complicated by the fact that bio-data is not property, and therefore views on ownership and privatization in the commons are not perfectly analogous to a bio-data commons. Despite this, people generally feel a right of privacy with regard to their personal information. This sense should be protected legally, by creating a consumer right to personal data. With this right, concepts of ownership and the commons map more closely to the bio-data situation.

From a consumer right to personal data flows a requirement to follow one of two mandated models. The first, the commons model, restricts unconsented sale to or access by third parties of any data and requires collaboration with research scientists to use the information for the public good. The second, the private good model, requires a collection opt-out for product users. If a company reserves the right to use collected data for its own gain, users must also retain the right to use the product for their own benefit, without the collection of that data in the common pool. Another option is to force a bio-data commons through a census-like survey. This may be difficult from a logistical perspective, and certainly creates negative externalities, but would provide the most information to scientists for the public good. However, this would not resolve the issue of the use of individual data through biofeedback products, which would remain valuable both for its regular updates and for its connection with specific people, and therefore should still be protected by a user right to his or her personal data.

An "understanding of common governance generally" might be too general, for the reasons provided above. Nor is it clear what you believe are the differences between "anonymous" and aggregate data, or why contract provisions that are obviously subject to an infinite number of public regulatory interventions should be treated as property or "property." You're right that one possible outcome of all this analysis would be a consumer right to the "small data," concerning only his- or herself. Another way of looking at that is that there's a design flaw in the machines, which could be rectified by changing their software. But the "anonymous" (actually just badly pseudo-anonymized) or aggregate data is another question. You might ask it slightly more generally, by asking about public health data in general. And then, if you want to be bold about it, you can ask yourself whether people could be required to produce such data for aggregation, if not, why not, and where that leads you.

I am not sure what the difference between anonymous and aggregate data really is. Initially I wrote, "Anonymous data, unlike aggregate data, is individual and possibly still packaged data that has been scrubbed of its identifying features. In contrast, aggregate data is data that has been collected, anonymously, from such a volume of individuals that it represents trends and statistics rather than the health of an individual." However, in trying to articulate this distinction it seems to me that the difference may be merely the strength of data analysis software required to repackage and identify the data.



r6 - 24 Jan 2015 - 20:02:14 - AnnaShifflet
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.