Oracle facing data backlash for violating the privacy of billions

Data privacy and protection are prevalent topics in the US and European tech world, and software giant Oracle has just reinforced why they’re such important subjects. The company has been implicated in collecting detailed information profiles on five billion people, shining a harsh light on the lack of comprehensive privacy legislation at the federal level in the US, akin to Europe’s General Data Protection Regulation (GDPR).

The US District Court for the Northern District of California will be hearing from plaintiffs Michael Katz-Lacabe, Dr Jennifer Golbeck, and Dr Johnny Ryan, privacy activists from the US and Ireland who claim they are “acting on behalf of worldwide internet users who have been subject to Oracle’s privacy violations,” bringing to light how a Fortune 500 company is actively structuring dossiers of information on users based on ad tracking and targeting data, through what the Oracle complainants are alleging amounts to a “surveillance machine.”

Data Profile Sales

Given the murky nature of data protection laws in the US, the representatives of the class action lawsuit on behalf of 5 billion users are alleging violations of a wide array of federal, California state, and constitutional laws, including the Federal Electronic Communications Privacy Act, the Constitution of the State of California, the California Invasion of Privacy Act, competition law, and the common law.

Among other things, the suit accuses Oracle of compiling and selling user data in violation of California’s state constitution. That’s undoubtedly why the suit is being brought in California’s state courts, which have clearer, better defined acts protecting the privacy rights of users’ personal data, in contrast with many other US states and indeed, with federal level rulings as well.

The suit is asking to be certified as a class action ruling to represent up to 5 billion individuals, and is demanding that Oracle stop its data gathering activities, which include the use of web browser cookies and other tracking technologies to follow user behavior around the internet. The data can indicate which web platforms have been visited, which emails have been opened, which kind of links get clicked most, and much more.

Marketers use this valuable tracking information to build individualized profiles on users, including education levels, income data, political leanings, and various interests, so that they can be targeted with ads that align with their supposed individual preferences. By itself, a lot of this data is innocuous – but when gathered and crafted into purposeful biodata, they become invaluable to advertisers looking to make more targeted approaches to individuals.

And ‘invaluable’ this information is, because data collectors sell these personal data for large sums, and almost always without the end-users’ knowledge or consent. This forms the basis for the allegations against Oracle, one of the most widely used software providers globally, which is functioning in this regard as a data broker – selling compiled user profiles ostensibly to the highest bidder.

The Power of Data

To that end, the  plaintiffs are seeking unspecified damages from the lucrative sale of their personal data by Oracle. “As a data broker, Oracle effectuates ongoing, comprehensive surveillance of the Plaintiffs and Class members which grievously intrudes upon their privacy,” the California filing reads. “Ordinary people, such as the Class members, do not and cannot possess an appropriate level of knowledge about the substantial threats that Oracle’s surveillance poses to their own autonomy.”

These legal proceedings might come as a shock to some, but the comprehensive data gathering by Oracle for ad revenue generation is by no means new. In fact, Larry Ellison, Oracle’s rockstar founder and chairman, proudly announced as much in his keynote address at Oracle OpenWorld 2016, saying that among other things, his company accumulates “information about consumers, and you combine that with their demographic profile, and their past purchasing behavior. We can do a pretty good job of predicting what they’re going to buy next.

“Now, where does this demographic data come from? Where does this past purchasing stuff come from? Well, Oracle Data Cloud is the largest database. There are two big databases that keep track of consumers, if you will, and have a lot of information about consumers.”

Two Billion To Go

One of those two databases has become internationally renowned for its data grabbing and selling practices such as in the Cambridge Analytica scandal, and that is social media juggernaut Facebook. The other, Ellison admitted in 2016, is “less well known. It’s Oracle’s Data Cloud. We actually have more consumers in our data cloud than they have in theirs. They have great data, don’t get me wrong, Facebook has incredible data assets, but so do we.”

“And in our data cloud, marketers are able to target consumers and do a much better job of predicting what they’re going to buy next. I believe five billion consumers are in our identity graph – five billion. How many people are on earth? Seven billion – only two billion to go.”

But even though these details are freely admitted, observers feel that the US class action will face an uphill struggle that might take years to resolve, due in large part to the opaque legal standing of the suit in the US, which does not have a holistic federal law that covers the expanse of these relatively groundbreaking allegations.

The European Cases

Oracle, along with fellow titan Salesforce, faced a similar legal challenge in the UK and Netherlands a couple of years ago, which cited the continent-wide GDPR legislation to question whether it was legal to track users around the web without their permission. Unfortunately, both the Dutch ruling (the suit was found inadmissible after the class action was stated to have no legal standing) and the UK ruling (action suspended pending a similar privacy case against Google, which ultimately failed) experienced dead ends.

The UK and Dutch decisions, even with a well-established region-wide data protection policy in the GDPR, along with the abstract structure of similar legislation in the US, illustrate both how powerful Big Tech lobbying can be, as well how the data privacy rights of individuals continue to be divisive and unresolved.

To what extent are consumer’s rights protected, and how much control is permissible for the data gatherers? The debate goes on, in courtrooms and online forums, but the resolutions are unlikely to be forthcoming anytime soon.