The New York Times takes a look at privacy events over the last few weeks:
It was not a good week for those who guard their privacy. First, we learned that Apple and Google have been using our smartphones to collect location data. Then Sony acknowledged that its PlayStation network had been hacked — the latest in a string of troubling data breaches.
You’d have to be living off the grid not to realize that just about everything there is to know about you — what you buy, where you go — is worth something to someone. And the more we live online, the more companies learn about us.
But to what extent do others have a right to share and sell that information? That is the crux of a data-mining case that had arguments last Tuesday before the Supreme Court. The case, Sorrell v. IMS Health, is ostensibly about medical privacy: Vermont passed a law in 2007 that lets each doctor decide whether pharmacies can, for marketing purposes, sell prescription records linking him or her by name to the kinds and amounts of drugs prescribed. State legislators passed the law after the Vermont Medical Society said that such marketing intruded on doctors and could exert too much influence on prescriptions. […]
But with the recent headlines about privacy invasion — the PlayStation hack followed a recent breach at the online marketing company Epsilon that exposed e-mail addresses of customers of Citibank, Walgreens, Target and other companies — the Vermont case is tapping into a much broader conversation about consumer protection and informed consent.
The case raises questions about who is collecting, managing, storing, sharing and selling all that data. Just as important, privacy advocates say, it raises questions about whether data brokers are adequately safeguarding it. […]
There are a few laws, like the Video Privacy Protection Act, that prohibit businesses from releasing personally identifiable records, like video rental histories, without customer consent. The Digital Advertising Alliance, a coalition of online marketing groups,introduced a program last year that notifies consumers about online tracking and allows them to opt out of advertising tailored to them.
The Vermont law amounts to a kind of do-not-call option for doctors who may welcome visits from pharmaceutical sales reps but don’t want drug marketing based on their own prescription records. […]
The central concern is privacy — of both doctors and their patients. While pharmacies remove the names of patients before selling the records, those names are replaced with unique codes that track patients over time from doctor to doctor, according to the Vermont complaint. That means data firms could create a profile that includes a person’s prescriptions as well as the names of the pharmacies and dates at which the person picked up the medications, says Latanya Sweeney, a visiting professor of computer science at Harvard.