It's Data Privacy Day. Do you know where your data is?

As you're reading this, companies are collecting everything they can about you. Some groups want to do something about it.

Laura Hautala Former Senior Writer

January 28 is Data Privacy Day. Do you know who is buying and selling your data?


You already know companies track your behavior in Web browsers and mobile apps, and soon they'll monitor you through your smart refrigerator and fitness band.

Yep, you're a walking, talking data source.

Despite the nagging sense that your information is constantly collected, few people know exactly what gets scooped up or what happens to it.

Harvard's Data Privacy Lab and software maker ForgeRock are among the groups and companies hoping to change that. Today, on Data Privacy Day, which is devoted to your right to control your data, they seek to point a way out of a seemingly sinister forest.

Could there be a sunny spot where we're not forced to choose between sacrificing our info or going without a desirable service? Yes, but apparently it will take a lot of effort to get there.

Data Privacy Lab director Latanya Sweeney said that right now the average person has no idea just how much personal data is bought and sold. That particularly applies to health care data, which gets anonymized -- supposedly -- and sold to a network that remains obscure.

"The purpose is kind of mysterious," said Sweeney, who is a former chief technology officer for the Federal Trade Commission.

Sweeney and her research team want to reveal who is sharing your info. Their project, "All the Places Personal Data Goes," aims to illustrate the path your personal info takes from one place to another. On Tuesday, the Knight Foundation awarded the project $440,000 to expand its efforts.

This means Sweeney's group will continue using public-records requests and other methods to gather information on data buyers and sellers and make it available to journalists and others. The project will also soon host a data-visualization competition to bring the issue to life.

The Data Privacy Lab has already proved that some "anonymous" health care data can actually be pieced together to identify patients. In 2013, the lab published an unsettling discovery, which drew on hospital discharge records collected by Washington state that detailed everything from a patient's age and gender to diagnoses and treatments.

Sweeney's team then found news stories about car accidents and other emergencies and used them to put names to the records. After the team released its findings, Washington state changed its anonymization process.

That's the effect Sweeney hopes to have on a larger scale: shine a light on data and promote changes to protect privacy. Though the project started with health care, it has since expanded to cover data from mobile phones.

"What we really want to be able to do is cover the full waterfront," Sweeney said.

Power to the people

Eve Maler, ForgeRock's vice president of innovation and emerging technology, said companies can decide to take the lead and actually help customers decide how their information gets shared.

In the 1990s, Maler co-invented XML, a popular coding system that lets software and online services exchange data automatically. Now she's pushing another system, one that lets Internet users control their personal data.

Called User-Managed Access (UMA), the protocol forms a backbone that programmers can build on to give us more choice when we use services. After helping develop the protocol, Maler joined ForgeRock to create a UMA-based product that companies can use in everyday services.

On Wednesday, San Francisco-based ForgeRock launched that product, Identity Platform. Philips, for one, is using it in health care products to help patients share health data with doctors and others on a limited and revocable basis.

ForgeRock has also worked with New Zealand's government to test a system that lets citizens safely choose to share with caregivers digitized records that help them obtain benefits.

The most important part of ForgeRock's system, Maler said, is the ability to opt in to, rather than out of, sharing data. If you want to send workout information from your smartwatch, for example, you should be able to hit a button that says "share," rather than wonder to whom your watch is relaying your health stats.

Other companies are also looking at using the UMA protocol to create tools for letting people decide what and when to share.

Of course, companies will continue mining and selling our personal data. Market researcher IDC predicts the Big Data industry, which collects all kinds of info including yours, will be worth $48.6 billion by 2019. But Maler said some companies actually want to give customers choice. There is some evidence to support this. Google, for instance, has introduced more-customizable privacy options for apps on phones that run its widespread Android operating system.

A sunny land where people control their own data? Sweeney, Maler and others have made that their cause. Too often, people must either accept that devices, services and apps are collecting data or just not use them.

"They're over a barrel," Maler said, "and that's not right."