The Optimal Data Policy Against Malicious Use of Data

Recent events surrounding digital businesses, hacking, scandals, and the protection of personal data such as Cambridge Analytica, Equifax, and Marriott, have highlighted the potential consequences of the ubiquitous availability of personal information. The malicious use of data should be the top concern for digital privacy, according to the latest research of three professors of economics, Itay P. Fainmesser (Johns Hopkins University), Andrea Galeotti (London Business School) and Ruslan Momot (HEC Paris).

The three researchers proposed a framework to analyze the interactions among digital firms, users, and adversaries and found that users have different preferences for the services offered. That is, for a given service, some value it more than the others. Customer preferences are personal information, which may be used by the firms to enhance their services. For example, Amazon recommends suitable products based on your preferences, and Uber allocates the closest taxies given your location. Firms get access to such information by tracking users’ activity and usage of the services. However, their storage of personal data could also be used maliciously by adversaries. The bigger the store of personal data storage attracts more significant attacks from adversaries or hackers.

The malicious use of data hurts users directly, as in the notorious example of Cambridge Analytica shows. However, as underscored by their research, users' total loss is over 100 percent more harmful than the direct loss of the users from the incidents because users reduce their online activity and personal data sharing. Knowing less about users, firms provide worse services, which harms users in return. Firms suffer as well, resulting in an even higher total welfare loss.

To fight against the malicious use of data, firms have two weapons-- data protection policy and data storage policy, both of which incur trade-offs. The research found that more robust data protection always reduces adversarial activity, increases user activity, and the information collection of firms; however, it also requires more investment.

Less data storage, on the other hand, does not necessarily reduce adversarial activity or increase total welfare. As firms choose to store less data, the level of adversarial activity, consumer activity, and the collected information first increase and then decrease. This non-monotonicity reflects a natural tension between the benefits and costs of personal data sharing to users.

The research distinguished two different revenue models of digital firms, that is, advertisement-driven firms (i.e., Facebook and Google) and transaction-driven firms (i.e., Amazon and Uber). They found that in typical situations when the cost of data protection is not too high, advertisement-driven firms might be motivated to collect and store more personal data than transaction-driven firms, which is consistent with public opinions. Firms driven by advertising rely more on selling personal information-related services. However, when the cost of data protection is too high, advertisement-driven firms cannot afford to safeguard their data storage to encourage users’ sharing of personal data. As a result, they choose to store less than transaction-driven firms.

Their analysis sheds light on the complexity of challenges facing data governance and privacy protection in data-driven economic development. Their findings call for more attention and effort against malicious use of data, instead of getting stuck in the bog of regulating data use that highlights potential conflicting interests.

    Related Frontiers