Verizon is in the the news and under the gun for its use of supercookies to track mobile users.
The company uses the tracking technology — alphanumerical customer codes known as supercookies — to segment its subscribers into clusters and tailor advertising pitches to them.
Although Verizon allows subscribers some choices regarding the use of their information for marketing purposes, the company does not permit them to opt out of being tagged with the persistent tracking technology.
Within the first cluster proposed by Solove, the most relevant problem is surveillance. In the context of big data, it is useful to distinguish between active and passive surveillance. Installation of devices such as a GPS tracker is active surveillance. Active surveillance, where the activity is undertaken for the primary purpose of collecting data, is normally associated with law enforcement and espionage and is, for the most part, a “small data” problem. What is relevant in the context of big data is “data exhaust,” or passive surveillance in the form of data that are a by-product of some activity. Where systems are explicitly engineered to collect more data than are needed for normal operations, the line between passive and active is blurred.
The harms are the gathering of information about a person through active or passive surveillance. The former may be prohibited or constrained. But the latter is difficult to control without negative effects on the activity that generates the data as by-product. If the base activity is one that benefits the data subject and is one that he/she engages in willingly, there may be merit in not prohibiting collection, and instead focusing remediation on subsequent processing, as suggested by Mundie.
Harm may also be caused by over-engineering systems to collect data that are not needed for normal operations.
And here is what we proposed in our draft guidelines:
Mobile Network Operators (MNOs) will not engage in active surveillance of their customers, except as required by applicable law. MNOs will desist from collecting more data than are needed for the efficient operation of the networks and the supply of good service to customers. To the extent feasible, data collection practices will be transparent.