A ‘policy data leak’ in Colorado crosses up Airbnb’s privacy protections

By Robert Gilway
|
November 23, 2020
| No Comments

The spread of technology into every corner of the economy has a way of exposing issues that are ripe for renewed debate. Many privacy implications of a digital dollar, for example, spring from the impressive financial surveillance system our country has built up over 50 years. Now Telluride, Colorado may just rip the cover off of travel surveillance. It wants hosts of short-term rentals to report personal information about guests through an online portal, threatening the business licenses of hosts who do not. It’s an interesting story of digital overreach arising from policies that began well before the widespread use of computers.

Via REUTERS.

Airbnb may raise as much as $3 billion next month if its initial public offering goes as planned. The company updated its privacy policy at the end of October, possibly as part of tuning itself up for its debut as a publicly traded company. Airbnb’s privacy policy discusses necessary information-sharing among guests and hosts, and it has fairly standard terms restricting itself from other sharing of user information. Also standard (and characteristically ambiguous) are the company’s terms allowing disclosure “to courts, law enforcement, governmental or public authorities, tax authorities, or authorized third parties, if and to the extent we are required or permitted to do so by law.”

But those terms restrict what Airbnb does with personal information. What hosts and guests do with each other’s information is a different story.

Days after Airbnb issued its policy, the San Miguel County (Colorado) Lodging Oversight Committee distributed an email announcing to hosts of short-term rentals that it wants information about all guests staying in the Telluride area. A handy video depicts how to enter information into an online portal.

If you are normal, seeing this might make you wonder why on earth a lodging regulator wants to collect personal information about guests. You might be surprised to learn that many jurisdictions have required hoteliers to collect and maintain such information for decades on the chance that it may be useful to law enforcement. The US Supreme Court limited one dimension of this traveler surveillance in 2015 when it ruled that Los Angeles couldn’t require hoteliers to turn over guest records on demand. That case scrupulously avoided the question whether hoteliers and hosts could be required to maintain data for law enforcement’s benefit.

Mandatory record-keeping about travelers was quaint when information
was collected on paper and housed in dusty manila folders across the country.
The comings and goings of law-abiding travelers would be extraordinarily hard
to catalogue or exploit, so nobody did. But today’s era is different.
Collecting traveler information in digital databases primes it for sharing and
uses well beyond administering comfortable stays in a ski resort town.

Telluride’s policy is not a technical “data leak” of the kind that exposed data about 10 million travelers according to reports last week. It could be described as a “policy data leak,” in which people’s personal information is unnecessarily collected, their privacy is compromised, and their data is put at risk without strong justification.

I, at least, can perceive no good justification for Telluride
to collect traveler data like this. COVID-control and contact tracing can be
served by requiring hosts to maintain records themselves — unshared — and then
for only 14 or so days after a departure. If there are planning insights
available to San Miguel County from data like this, surely non-personal
information about visitors can do the trick.

This is not public welfare regulation causing hosts to abate
harms, nuisances, and risks. The email announcing this data-collection
requirement says it will “provide San Miguel County innovative analytics and
reporting.” So I believe that gathering such data cannot be justified as an
“administrative seizure” (the name you have to give seizure of records under
the “administrative search” doctrine). Perhaps a jurisdiction like this should
buy anonymized data from willing sellers rather than take it by threatening business
licenses.

Policies like this have had traction for decades because big hotels and similar businesses have multiple, ongoing interactions with government. It is unwise for such entities to fall on their ski poles for principle. Instead, they have quietly accepted small, routine accretion of regulatory burdens over decades, including privacy-invasive burdens. As Airbnb and other platforms have “democratized” the hotel industry, people with a stake in principle and the privacy of their guests may raise issues with this kind of data demand. It seems entirely appropriate that they do so.

Learn more: Should Congress do privacy legislation? | Should consumers choosing badly lose their authority over privacy? | The COVID-19 pandemic and privacy

The post A ‘policy data leak’ in Colorado crosses up Airbnb’s privacy protections appeared first on American Enterprise Institute – AEI.

Housing Finance, Housing Policy