As Duhigg demonstrated, crossing into a zone where privacy is expected is a recipe for trouble. Target should have anticipated that projecting the reproductive status of a woman would be invasive. Yet privacy intrusions span the full range from highly offensive to inane. President Clinton was once asked the question, "Is it boxers or briefs?" regarding his choices in underwear. Today, one might simply purchase such information.

One might expect that Target and other firms will argue that by choosing to engage in commerce with them, one waives any expectation of privacy regarding either purchases or profiling. Yet such an argument implies that one must shop with cash while wearing a mask to preserve some semblance of privacy in essential transactions. Certainly not a satisfactory answer.

Another premise presented is that by yielding privacy, consumers gain some advantage. Yet as I recall the creation of many customer membership or loyalty card programs in the 1990s, the consumer benefits appear questionable. In shopping for groceries at Safeway for example, one day a customer could purchase special promotional items. The next, one needed a "Safeway Club" card to make purchases at the sale price. As a mischievous graduate student I'd shop with friends and we would purchase beer using one card, fresh fruits and vegetables on a second, and staples on another. Then contemplate what analysts would do with that information. Yet such consumer evasion is hardly a practical strategy for maintaining privacy. Soon we may see facial recognition software used to identify customers -- obviating the need for even carrying such a card. I wish I had confidence that wasn't the next logical step. But I think we know better than that. This is certainly not the vision of an "empowered consumer."

***

Rapidly expanding and interconnected data thus raise the risk of adverse impacts arising from discrimination, posing the challenge of how to realize the benefits of technology while minimizing harm -- and applications involving personal health data present some of the greatest hazards. While considerable risk reduction can be achieved by simply securing health data in accordance with the ancient Hippocratic Oath, the creation of health data surrogates threatens to undermine that.

At the same time, it is important to note that even in the absence of the use of surrogate measures, the Recovery Act left significant gaps in the protection of health data. The Act did not address many internet health applications, nor is there even sufficient consumer warning regarding the risks associated with divulging health data in social networking. Individuals must recognize that what one shares regarding health online is often not protected.

Despite the hazards posed by both actual and surrogate health data, an examination of what has been said about not only health IT, but information sharing more generally, yields an overwhelmingly positive view. An on-line inquiry will generate results dominated by tech luminaries who lead firms that have created such products as search engines, social networks, and marketing and communications applications -- but relatively few from legal or ethical authorities. It is significant that those search results ranked highest reflect glowing depictions of a world with an unimpeded flow of data -- yet these typically emanate from those who profit by the sale of personal data, including many uses that may not be in an individual's best interest. Ironically, many such luminaries are themselves not so trusting in terms of sharing their own information. This brings to mind the answer of Mark Zuckerberg of Facebook, to the question of why users would entrust their private data to him. His reply characterized his view of those who would do so: "Dumb f***s."

That underscores the problem. As many seek to mine the health data of Americans, either directly or via surrogate measures, it has become the Wild West out there. And millions are just beginning to recognize that they are not the customers in such endeavors, but the product. Should we fail to better address the use of medical information and its surrogates, millions may find themselves not only product, but victim as well.

It may be time for the second civil rights bill of the 21st century.
