Usage Creep Featured Pattern: P1285 December 2018

Author: Christian Feest (Send us feedback.)

As data become increasingly easy to gather and use, companies sometimes do more with those data than users bargained for.

Abstracts in this Pattern:

Companies are finding more ways to leverage users' personal information to improve existing services and develop new ones; however, companies sometimes engage in usage creep—gathering and leveraging this information in ways that go beyond what users expect or intended to permit. For example, reports suggest that third-party developers regularly access the email inboxes of users of Google's (Alphabet; Mountain View, California) Gmail and develop software products and services on the basis of individuals' data. Although Google announced in mid-2017 that it would stop scanning Gmail inboxes, the company still allows third parties to access Gmail for development purposes.

Examples of usage creep also appear in the consumer-genetics industry, where companies may use customer-provided genetic information in ways customers did not expect or agree to. People submit their DNA to companies such as Ancestry.com (Lehi, Utah) and 23andMe (Mountain View, California) to obtain health or genealogical information, and these companies establish large DNA databases. Parabon NanoLabs (Reston, Virginia) has used such databases to solve years-old cold cases by comparing DNA evidence from a crime scene with DNA samples in the databases. Many people who submit their DNA to consumer-genetics companies were unaware that their genetic information would see use in law-enforcement applications. And GlaxoSmithKline (GSK; London, England) and 23andMe recently announced a partnership that gives GSK access to 23andMe's genome database for use in researching diseases and developing new cures. This application goes beyond what many customers agreed to when they provided their genetic information. Though customers can opt out of their genetic information's seeing use in research, customers who consent may be unaware of the specifics of how companies use their data.

Concerns about overstepping in the collection of data also exist. A group of Naperville, Illinois, citizens recently brought a case against the City of Naperville, arguing that new smart electricity meters performed unreasonable search by recording electricity consumption in homes every 15 minutes. The court ruled that although the actions did constitute search, the search was not unreasonable in the context of measuring power consumption. Likely, follow-up cases will have to define with greater clarity when search exists and when it is unreasonable.