Abstract
In today’s connected world, data has become an integral driver of innovation, shaping the way people interact with the digital world. However, concerns surrounding data privacy have emerged as a crucial challenge of the digital age. Data engineers, corporations, and governmental organizations must take responsibility for safeguarding data and protecting user privacy, especially as the exchange of personal information becomes more prevalent. Understanding the components of data ethics, the current legal and ethical frameworks for data sharing, and case studies such as the 2023 MGM Casino cyberattack is essential to identifying potential resolutions to this issue.
Introduction
Data is the backbone of the interconnected digital world. Although it has enabled innovation and convenience, it has also introduced new ethical challenges in engineering regarding the acquisition, usage, and protection of user data. This dilemma has created tension between the benefits of data-driven innovation and the necessity of protecting user privacy. In response, numerous questions have been raised about how much access corporations and governments should have to personal data, and under what circumstances [1]. With the significant rise in data breaches and illicit data acquisition, the ethical debate has intensified, leaving experts in a difficult position as they determine future guidelines for ethical data sharing.
The boundaries of privacy are blurring in the digital world; therefore, developing regulations that safeguard individual rights and establish accountability within the tech industry is crucial [2]. Ethical concerns surrounding data privacy and its effects on both individuals and the community underscore the need for an impartial equilibrium between corporations’ use of data and the rights of users, grounded in justice and fairness in data ethics.
Data Ethics
Data fuels innovation; therefore, it is critical to have a framework that focuses on regulating how organizations obtain, process, and use data. Data ethics provides this framework, instilling a moral obligation in data engineers to ethically utilize data to ensure privacy, security, transparency, justice, and fairness for all users.
Data sharing has become an integral part of the digital age and is required to access online resources such as websites and mobile applications. Generally, organizations ask for user data to identify individuals, which can range from an email address to more sensitive information like name, location, and age.
However, the sensitivity of user data raises significant concerns about its potential misuse and the consequences of it falling into the wrong hands. Cybercrimes such as identity theft and scams are prevalent when user data is mishandled or accessed by malicious entities. Therefore, organizations must prioritize data ethics and responsibly handle and protect user data.
Ethical Data-Sharing Guidelines
Ethical data-sharing guidelines are crucial in the digital landscape because they establish a framework for the responsible handling of user information. Four key components comprise the framework of data ethics: privacy, security, transparency, and justice. Although organizations are not strictly required to adhere to these principles, they serve as a moral compass for data engineers. These guidelines also give users a baseline against which to evaluate organizations’ data-sharing practices.
Privacy
Protecting privacy is a fundamental aspect of ethical data sharing. It ensures that individuals’ personal information is safeguarded and that they have control over how their data is collected, processed, and shared. Privacy involves more than just confidentiality; it also encompasses the idea of autonomy and control over one’s data. Respecting privacy means protecting individuals from unwarranted surveillance, exploitation, or intrusion into their personal lives. It involves responsibly handling sensitive data such as health, financial, and location information.
Security
Data security protects confidential and sensitive information from unauthorized access, acquisition, disclosure, or use by individuals, groups, or organizations. It is crucial to maintain the confidentiality and integrity of shared data to prevent potential harm to both individuals and organizations. In the case of a breach, personal and sensitive information may be exposed, leading to identity theft, financial fraud, and other forms of misuse. Data breaches not only put individuals at risk but also undermine trust in data-sharing practices, leading to potential legal consequences, financial losses, and reputational damage for the parties involved. Two commonly used security strategies that have been implemented to strengthen data security are strong encryption and two-factor authentication.
Encryption: Encryption is a process used to secure data by converting it into a code known as ciphertext. This process is used to prevent unauthorized access to sensitive information. The ciphertext can only be decrypted using a specific key that is known only to the authorized parties. Encryption is used in various applications, including online banking, email communication, and file sharing. Because the data is encrypted, the information remains secure even if unauthorized parties intercept it.
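As a minimal sketch of how symmetric encryption works in practice, the snippet below uses the third-party Python cryptography package (an assumption; the article does not name a specific tool) to encrypt and decrypt a short message with a shared key:

```python
# Minimal symmetric-encryption sketch using the third-party "cryptography"
# package (pip install cryptography). Illustrative only; not tied to any
# system described in this article.
from cryptography.fernet import Fernet

key = Fernet.generate_key()   # secret key shared only with authorized parties
cipher = Fernet(key)

ciphertext = cipher.encrypt(b"account number: 1234-5678")  # unreadable without the key
plaintext = cipher.decrypt(ciphertext)                      # recoverable only with the key

print(ciphertext)   # scrambled bytes an interceptor cannot read
print(plaintext)    # b'account number: 1234-5678'
```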
Two-Factor Authentication (2FA): Two-factor authentication, also known as 2FA, is a security protocol that adds a layer of security to online accounts. Users are required to provide two forms of identification to verify their identity and gain access to an account. The first form is usually a password, while the second is typically an SMS code or a push notification. With SMS, or text messaging, a temporary code is sent to the trusted number associated with the user’s account, and the user is prompted to enter the code to gain access. A push notification alerts the user’s mobile device that a login to their account was attempted, and the user is asked to approve or deny the sign-in. Two-factor authentication is especially useful for preventing credential-based attacks such as phishing, a tactic cybercriminals use to manipulate individuals into revealing their login information.
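As a rough sketch of the SMS-style flow described above, the snippet below generates a temporary code and verifies the user’s submission; delivering the code by SMS or push is outside the scope of the sketch, and the function names are hypothetical:

```python
# Hypothetical sketch of a one-time-code check for two-factor authentication.
# Standard library only; SMS/push delivery of the code is not shown.
import secrets
import hmac

def issue_code(digits: int = 6) -> str:
    """Generate a random temporary code to send to the user's trusted device."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def verify_code(expected: str, submitted: str) -> bool:
    """Compare in constant time so timing differences do not leak the code."""
    return hmac.compare_digest(expected, submitted)

code = issue_code()                   # e.g. "493027", delivered out of band
print(verify_code(code, code))        # True: second factor confirmed
print(verify_code(code, "000000"))    # False: access denied
```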
Transparency & Informed Consent
Transparency is the active and ongoing effort to educate individuals, build understanding, and ensure that data sharing aligns with ethical principles and individual rights. Creating easily understandable documents such as privacy policies and terms of service that cater to a diverse audience is required to achieve transparency. Transparent communication should be user-friendly and avoid overwhelming users with technical language that is difficult to understand.
Educating individuals about data privacy, their rights, and the broader implications of data sharing is key to ensuring that they are informed enough to make a decision. Establishing clear communication channels to keep individuals informed about any changes and updates creates a more trustworthy and secure experience for users. Transparency reports provide detailed insights into data-sharing activities and foster accountability and visibility into how collected data is used. This level of transparency serves as a valuable tool for identifying and addressing any potential privacy concerns.
Informed consent depends heavily on transparency. Obtaining legitimate consent requires ensuring that a person has a clear understanding of how individual data will be collected, processed, and utilized [3]. The use of overly complex or vague language should be avoided, and individuals should be informed of the possible risks associated with data sharing, such as data breaches. True consent involves individuals seeking and evaluating information about data practices and agreeing to terms with a complete understanding of the potential consequences.
Justice & Fairness
In the data-sharing dilemma, justice and fairness are crucial to ensuring that everyone affected by data collection and distribution is treated equitably and ethically. The Markkula Center for Applied Ethics describes the foundation of justice and fairness as making decisions that give each individual what they are due [4]. People do not deserve to have their data exploited, and they are entitled to know what will happen to their data upon agreeing to the terms and conditions. Every user should be entitled to privacy, security, and complete transparency from the data-collecting organization before giving their consent.
By prioritizing justice and fairness in data practices, organizations can build trust with their users and the public [5]. When individuals have control over their data and are aware of how it is being used, they can make informed decisions about whether or not to share it. Companies must leave it up to the user to decide whether data sharing is right for them without forcing them to give their consent.
Ethical Violations
At first glance, the ethical data-sharing guidelines that companies are expected to follow may seem reassuring to users, suggesting that companies do care about their safety and privacy. However, these guidelines are violated constantly without repercussions for the company, and even the most minimal data can be used to identify an individual. There is no concrete way for a user to determine whether a company is withholding information about how their data is used, so users cannot be sure whether to trust the company in question. Even if a company claims to stand for privacy, security, transparency, and justice, it can easily exploit loopholes to preserve its image and take advantage of the data it has collected.
Profiting From Private Information
Many organizations use data to improve their digital products and services, like wearable fitness trackers and websites. In the United States, however, capitalism also fosters the use of data for personalized and intrusive marketing. While it may seem convenient to receive recommendations for products and services that align with one’s interests, it is important to understand that this convenience comes at the cost of the user’s privacy. Companies collect extensive data on a user’s digital habits and patterns of behavior, including online communication, social media engagement, information consumption, and digital entertainment. Algorithms analyze these patterns to deliver targeted advertising built on personal details like name, location, personality traits, and behavioral patterns, effectively tracking the user’s entire digital life. It is akin to being under constant surveillance without knowing who is watching.
In addition to being used by companies to improve their digital products and services, user data is often sold to other parties for profit. A third party can now access a user’s personal information without their consent, often with malicious intent to use this information to commit identity theft or fraud [6]. Selling user data to a third party exhibits a company’s clear disregard for user privacy.
Illusory Transparency
Illusory transparency describes situations where organizations claim to be transparent about their data-handling practices but keep the inner workings of their data collection and distribution processes unknown. This creates a false sense of openness and leads to uninformed consent. Illusory transparency can take several forms, the most common of which is presenting users with lengthy, complex privacy policies that are difficult to comprehend fully. Unfortunately, agreeing to terms and conditions without reading or understanding them has become a norm in the digital age; few people have the time to sift through the information when they simply want access to the service.
This can be seen as coercion because users have no choice but to agree to data collection, regardless of their knowledge of the company’s data collection methods. If they refuse certain policies, they cannot negotiate with the organization and are turned away from the service altogether. This is the case with social media apps such as Instagram and Facebook, giving these companies unfettered access to user information and digital habits.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA), enacted in 2018, is the strictest data privacy law in the United States [7]. It addresses data privacy concerns, promotes ethical data regulations, and aims to give California residents more control over their data.
The CCPA provides California residents with specific rights regarding their personal information [7]. These rights include the ability to know what personal data is being collected, sold, or disclosed, as well as the right to request that their personal information be deleted. If a data breach occurs, consumers have the right to take legal action if their unencrypted personal information is accessed or stolen due to a business’s failure to implement proper security measures. The CCPA also has provisions regarding the sale of minors’ personal information, requiring firms to obtain opt-in consent for the sale of personal data for consumers under the age of 16.
Businesses that are subject to the CCPA regulations are obligated to reveal their data collection and sharing policies to their users. As per the CCPA, they must include a clear link on their website titled “Do Not Sell My Personal Information.” Users can opt out of the sale of their personal information by using this link [7]. The CCPA applies to businesses that satisfy certain criteria, such as having a gross annual revenue over $25 million, collecting or selling the personal information of 50,000 or more California consumers, households, or devices annually, or deriving 50% or more of their annual revenues from selling consumers’ data [8].
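Purely as an illustration of those applicability thresholds (the function and its parameter names are hypothetical, and the figures are the ones cited above from [8]), the criteria could be expressed as a simple check:

```python
# Hypothetical illustration of the CCPA applicability thresholds cited above [8].
# Illustrative only; actual applicability depends on the statute's full definitions.
def ccpa_applies(gross_annual_revenue_usd: float,
                 ca_consumers_households_or_devices_per_year: int,
                 revenue_share_from_selling_data: float) -> bool:
    return (gross_annual_revenue_usd > 25_000_000
            or ca_consumers_households_or_devices_per_year >= 50_000
            or revenue_share_from_selling_data >= 0.50)

print(ccpa_applies(30_000_000, 10_000, 0.10))   # True: revenue threshold met
print(ccpa_applies(5_000_000, 20_000, 0.20))    # False: no threshold met
```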
Other State Consumer Privacy Laws
In the absence of a comprehensive federal law on data privacy, there is a growing trend among states to enact their own consumer data privacy laws. These laws give American consumers greater control over how their data is obtained and used by companies. Currently, 12 states have implemented comprehensive data privacy laws, including California, Virginia, Texas, and Delaware.
Introducing laws like the CCPA is a vital measure in addressing the ethical issues surrounding data sharing. These laws establish consistent frameworks that reduce discrepancies and offer a comprehensive approach to protecting consumers’ privacy rights. Implementing such laws is crucial to creating a more transparent and ethical data-sharing environment while establishing a firm foundation for responsible data practices.
Case Study: 2023 MGM Cyberattack
The MGM casino cyberattack in September 2023 was a significant incident that drew attention to the vulnerabilities and security issues of large, reputable organizations. It was reported that MGM lost around $100 million due to the attack that was masterminded by a group of hackers known as Scattered Spider, who employed sophisticated techniques to access MGM’s systems and compromise its data [9]. The attackers used ransomware, specifically the ALPHV (BlackCat) ransomware-as-a-service operation, which allowed them to encrypt critical data and demand payment from MGM in exchange for its release.
The consequences of the cyberattack were severe: MGM confirmed that personal information, including names, contact information, gender, dates of birth, and sensitive documents such as driver’s licenses, passports, and Social Security numbers, was compromised. In the aftermath, MGM compensated its users with free identity protection and credit monitoring services. However, it is questionable whether this compensation was sufficient given the severity of the damage and the repercussions that could still follow. The situation was not handled ethically because MGM did not take sufficient steps to mitigate damages; it could have notified consumers earlier, rather than waiting to confirm the logistics of the attack, so that they could be more vigilant about potential phishing attempts or suspicious activity. The MGM cyberattack contributes to growing concerns about the security of personal data in the digital age, prompting a reevaluation of data-sharing practices and necessitating more robust protective measures to restore public trust.
Achieving Impartial Equilibrium
There are numerous approaches to achieving an impartial equilibrium in the realm of data ethics. Aside from implementing more general laws throughout the nation to help with the data-sharing dilemma, tailored data-sharing laws and data literacy empowerment are excellent methods to help address the ethical challenges associated with data sharing. These approaches protect individual privacy rights by redistributing some of the power currently held by businesses.
Tailored Data-Sharing Laws
As there is no simple solution to address all data ethics issues, it is crucial to develop some guidelines that can be used to evaluate whether data collection is necessary. One potential approach could be granting users the freedom to decide whether to share their data rather than requiring that they do so to access a paid digital resource. If the user agrees to share their data, the company must ensure that the user’s data is protected and secured. In the event of any cybercrime or data breach, the company should be held responsible for compensating the user for any compromised data. This is one way ethical and equitable data collection could be enforced.
Data Literacy & Education
Improving knowledge about data sharing begins with education and empowerment. Organizations must actively engage in transparent communication to educate users about the value of their data, the purposes of collection, and the protective measures in place. Users must understand that reading privacy policies is critical to ensuring they are not taken advantage of. Data engineers should be accountable for breaking down the concepts in privacy policies when individuals have questions, so that users reach a comprehensive understanding before deciding whether to share their data.
By Mary Karapetyan, Viterbi School of Engineering, University of Southern California
About the Author
At the time of writing this paper, Mary Karapetyan was a sophomore at the University of Southern California pursuing a degree in Computer Engineering and Computer Science. She enjoys exploring new destinations, playing the guitar, and keeping up with the latest technological innovations.
References
[1] J. Krämer, D. Schnurr, and M. Wohlfarth, “Trapped in the Data-Sharing Dilemma,” ProQuest, https://www.proquest.com/docview/2168848276?pq-origsite=gscholar&fromopenview=true.
[2] G. Biczók and P. Hui Chia, “Interdependent Privacy: Let Me Share Your Data,” SpringerLink, https://link.springer.com/chapter/10.1007/978-3-642-39884-1_29.
[3] F. D. Bellamy, “U.S. data privacy laws to enter new era in 2023,” Reuters, https://www.reuters.com/legal/legalindustry/us-data-privacy-laws-enter-new-era-2023-2023-01-12/.
[4] R. Guerrero, “A Fairness & Justice Approach to Engineering: Equitable Authorship & Contribution to the senior design thesis,” Santa Clara University, https://www.scu.edu/ethics/focus-areas/more-focus-areas/engineering-ethics/ethical-considerations-in-the-senior-design-project/a-fairness–justice-approach-to-engineering/.
[5] “Ethics of Artificial Intelligence,” UNESCO, https://www.unesco.org/en/artificial-intelligence/recommendation-ethics.
[6] “Your data is shared and sold… what’s being done about it?,” Knowledge at Wharton, https://knowledge.wharton.upenn.edu/article/data-shared-sold-whats-done/.
[7] “California Consumer Privacy Act (CCPA),” State of California Department of Justice – Office of the Attorney General, https://www.oag.ca.gov/privacy/ccpa.
[8] Mi T. Tran, “The Data Privacy Compromise: Reconciling State and Federal Regulatory Regimes on the Path to Preemption,” 55 Loy. L.A. L. Rev. 1133 (2022). Available: https://digitalcommons.lmu.edu/llr/vol55/iss4/6.
[9] Z. Siddiqui, “Casino giant MGM expects $100 million hit from Hack that led to Data Breach,” Reuters, https://www.reuters.com/business/mgm-expects-cybersecurity-issue-negatively-impact-third-quarter-earnings-2023-10-05/.
Links for further reading
What Is the Future of Data Sharing?
Looking into public opinion on data sharing and company trustworthiness
How to Overcome the Harms of Excessive Data Sharing
Companies are falling short in protecting consumer data, but there are ways to protect it
Five ways CISOs can solve the Data Sovereignty Dilemma
How to keep your data protected in an unruly cyber environment
U.S. Data Privacy Protection Laws: A Comprehensive Guide
Understanding your rights to privacy in the U.S.