Who Will Own Your Data If the Tech Bubble Bursts?

Corporations, data brokers, and even criminals might buy failed companies just for their users’ personal information.

Traders work on the floor of the New York Stock Exchange (Lucas Jackson / Reuters)

Imagine that Silicon Valley’s nightmare comes true: The bubble bursts. Unicorns fall to their knees. The tech giants that once fought to attract talented developers with mini-golf and craft beer scramble to put out fires.

This is the setting of a cyber-doomsday scenario developed by researchers at Berkeley’s Center for Long-Term Cybersecurity and published last month. They gamed out five different scenarios based on current trends in online security—and this one is by far the most alarming.

If stock prices plunge, the researchers ask, what will be left of the Facebooks and Twitters of the world? Like a broken-down car that can only be scrapped for parts, the only thing worth salvaging from the shells of former tech companies may be user data.

In their report, the researchers imagine a slow start to the tailspin that eventually leads to the collapse of our current Internet Age. It starts with a disillusionment with Silicon Valley (“When did we stop trying to change the world and instead just make indulgent products for rich 30-year-old singles?”) and subsequent developer exodus to Asia. Europe starts regulating technology even more aggressively, and investors start rolling their eyes at buzzwords like “innovation.” Finally, some outside event—a revolution overseas, a contentious election—shakes up markets, and the collapse begins. Stock prices soon fall by 90 percent.

Desperate companies will resort, if they can, to selling the detailed data they’ve meticulously collected about their users—whether it’s personally identifiable information, data about preferences, habits, and hobbies, or national-security files. That data, formerly walled-off and spoon-fed only to paying advertisers, would be attractive to both licit and criminal buyers. Easily searchable datasets could generate new innovations and investments—but it would be difficult to know who’s buying up sensitive datasets, and why.

If contracts and privacy policies prevent a floundering company from selling user data, there’s still another way to profit. Most privacy policies that promise not to sell user data include a caveat in case of bankruptcy or sale. In fact, a New York Times analysis of the top 100 websites in the U.S. last year found that 85 of them include clauses in their privacy policies like this one from Facebook:

If the ownership or control of all or part of our Services or their assets changes, we may transfer your information to the new owner.

This is the virtual equivalent of a beater getting hauled to the junkyard. If a Facebook-like social media company can’t legally sell off its data, then it may just sell itself in order to cut its losses. Among the post-crash rubble, the principal value that a potential buyer might see in snapping up the company is its data. It’s like an acquisition hire, but for a huge and detailed dataset.

But it’s not just social-networking, online shopping, and other technology companies that have to plan for this eventuality. Just about every company holds user data now, in one form or another. Even our own privacy policy here at The Atlantic says that a sale, merger, or bankruptcy may lead to a transfer of personally identifiable information. (To be sure, the data that a magazine maintains doesn’t measure up to the trove of private tidbits that people share with their social-networking apps—it’s mainly information about print subscribers.)

Even without doomsday scenarios, there’s already evidence of what the demise of a data-rich company would look like. When RadioShack filed for bankruptcy last year, one of the assets it put up for sale was its meticulously compiled database of information on millions of its customers. This set off a scramble of opposition from all sides: AT&T and Apple claimed to be the rightful owners of some of the data, and officials in a handful of states warned that the sale could violate state laws. The Federal Trade Commission stepped in, too, suggesting to a judge that RadioShack should only be able to sell the data to a company “substantially in the same line of business,” and that the buyer should be bound by the same privacy policy that was in place when consumers shared their personal data with RadioShack. If the buyer wanted to use the data differently, the FTC said, it should have to get the consent of the consumers.

This wasn’t the FTC’s first such intervention, either: In 2000, the commission sued a website called Toysmart.com for deceptive data practices. That case is what led many companies to add language about selling data to their privacy policies in the first place.

It’s one thing for federal regulators to keep an eye out for consumer data when a big retailer or tech company folds every few years. But in the event of a crash, it’s unlikely the FTC would be able to keep up with the sheer number of previously overvalued data-rich companies offering themselves up for sale. If that’s the case, the post-bubble technology industry will take your data down with it as it slips beneath the waves.