How corporate data brokers sell your life, and why you should be concerned
Mon 24 Aug 2015
Your economic status, your prospects for buying a house, your pregnancy, your illness…your rape; it’s all for sale in one of the biggest and most clandestine global marketplaces ever to lobby and influence government. But the data brokers let the NSA take the public punches while they just take – and sell – your most intimate information…
For nearly two years, media coverage of the NSA has been near-constant, over concerns about the extent of their data collection on people around the world. But there’s an even larger behemoth in the shadows gathering information about you. Unlike the NSA, they are subject to few laws, very little accountability, and no oversight, laughing off investigative inquiries at even the highest levels of government. This is a massive ecosystem, with an insatiable desire to learn every detail of your life and then sell it to those who would use it to persuade you. In effect, it’s a sprawling black market—and as one would expect with a black market, many of the purchasers of this information are criminals who are using it to steal the identities and valuables of many. We can only hope that they’re the worst of the buyers.
Who are the data brokers and where do they get your data?
According to the U.S. Federal Trade Commission’s report on the industry in 2014, these private companies, called data brokers, buy and sell data about individuals obtained from myriad sources including government records, financial transactions/purchases, online activities, some medical records, phone records, etc. This information includes address histories, criminal records, financial history, family ties, and religious/political identifications. Using this information, brokers make inferences about individuals and divide them into segments like ‘Expectant Parent’, ‘Bible Lifestyle’, ‘Financially Challenged’, ‘Allergy Sufferer’, ‘Discount Shopper’, ‘Diabetes Interest’, and ‘Thrifty Elders’.
Some extremely sensitive information can be sold very cheaply. World Privacy Forum Executive Director Pam Dixon’s testimony before the U.S. Senate included a screen cap showing that MEDbase 200 was selling lists of rape victims for 7.9 cents per name, as well as similarly-priced lists of those suffering from HIV/AIDS, genetic diseases, addictive behavior (conveniently broken down into sub-categories like gambling, sex, alcohol, and drugs) and dementia. The listings were taken down soon after Dixon’s testimony.
One might imagine that information like that could be easily abused. Indeed, as early as 2007, the New York Times reported that the data broker infoUSA was selling lists of 3.3 million ‘Elderly Opportunity Seekers’ of older people ‘looking for ways to make money’, 4.7 million ‘Suffering Seniors’ dealing with cancer or Alzheimer’s, and 500,000 ‘Oldies but Goodies’ of gamblers over 55. One list specifically noted that ‘These people are gullible. They want to believe that their luck can change.’ Naturally, telemarketing fraudsters snapped up these lists like maps to gold mines. The New York Times reported that thousands of banking documents and court filings show that the companies selling this information are constantly confronted by the fact that the information is being used in fraud, but even after U.S. government investigators warned infoUSA’s executives of the matter, the company did not stop dealing with criminals.
This is definitely not an isolated incident of criminals buying in bulk from data brokers, either. According to prosecution by the Federal Trade Commission, the company Ideal Financial Solutions purchased data on 2.2 million consumers from brokers and fraudulently siphoned millions of dollars directly from the victims’ bank accounts from 2009 to 2013. At least 16% of the records used in the scam were provided by broker LeapLab, who obtained victims’ bank information from loan applications, and resold 95% of these applications at $.50 each to ‘third parties who were not online lenders and had no legitimate need for this financial information’, including other brokers who then aggregated this information with other information and resold it yet again. This constant selling and reselling of data ensures that once information gets into the market, it can end up in anyone’s hands.
Acxiom: ‘Over 3,000 propensities for nearly every U.S. consumer’
The amount of information collected by the data brokers is truly massive. According to data broker Acxiom’s 2014 Annual Report and their 2013 Annual Report (the sections are identical), they have in their databases ‘Over 3,000 propensities for nearly every U.S. consumer’ and ‘Multi-sourced insight into approximately 700 million consumers worldwide.’ Individual dossiers are kept current through ‘nearly 11 trillion consumer record updates per year.’
While Acxiom is perhaps the most visible of the classic data brokers (there’s even a creepy song comparing them to an omniscient God), others are not far off in database size. An executive at rival data broker Experian told me, under conditions of anonymity, that their own databases contained over 1,000 propensities on nearly every U.S. consumer.
Even these databases are eclipsed by the data collected and stored about individuals on social media sites. European requests for information disclosures suggest that Facebook permanently stores all activity on the site, no matter how minor. This includes indirect information like one’s physical location (apparently latitude and longitude down to the 8th decimal place) at the time of login.
Obtaining someone’s location at any given point in time is fairly easy, by the way. A typical smartphone has four ways that it can be physically tracked: triangulation from cell towers, GPS, Bluetooth, and Wi-Fi signal—each of which is individually identifiable with serial codes that are globally unique to each phone’s hardware. According to former Wall Street Journal technical consultant Ashkan Soltani, the network provider Verizon leverages this data to monitor the physical behavior of its users and provides these insights in aggregate to advertising clients. Retailers (as well as airports and other locations where lots of people congregate) are now collecting this information at their stores in order to better monitor customer behavior.
It’s important to understand that gathering the raw data is only the first step in peering into individuals’ lives. By digging into the huge reams of data they’ve amassed, analysts can create models that extrapolate even more. As a New York Times article made infamous, retailer Target’s algorithms could use the purchases of key products to not only determine if a customer is pregnant, but accurately estimate when she is due so that they could send coupons corresponding to each stage of pregnancy.
Data brokers know about your drug use, your personality and your pregnancy
It doesn’t even take a large variety of data to reliably extrapolate a great deal of personal information. A well-known Cambridge-Microsoft study showed that just using Facebook Likes (from 58,000 volunteers), researchers could infer traits like a user’s sexual orientation, political/religious beliefs, drug use, IQ, and personality with remarkable accuracy. Indeed, a follow-up study showed that when these models were applied to typical Facebook users they were more accurate in gauging the users’ personalities than even friends and family members. Just as importantly, this model was also reapplied to identify Bing search users’ political and religious beliefs with only a small loss in accuracy, suggesting that models like these are not tethered to their sources. Many other studies have shown countless other ways that seemingly private information can be extrapolated from apparently innocuous publicly available data. Data brokers have far more than just our Likes recorded, so their models could be vastly more precise.
As for how much information these brokers have collectively, that’s anyone’s guess. The head of the Federal Trade Commission, the U.S. agency that supposedly regulates the industry, has admitted that her agency doesn’t even know how many data brokers exist, let alone what they’re all doing. The industry is very intent on keeping its dealings in the shadows, defying even senior U.S. government investigations.
Even in the face of a Senate committee investigation the brokers refused to reveal their data sources and clients. The 2013 report notes ‘Three of the largest companies – Acxiom, Experian, and Epsilon – to date have been similarly secretive with the Committee with respect to their practices, refusing to identify the specific sources of their data or the customers who purchase it.’
The policy influence of the data brokers
A request by Senator Edward Markey for more specifics on the brokers’ clients was met with a general reply from Acxiom noting that though they would not divulge their clients’ identities (valuing their privacy very highly), their clients include ‘47 Fortune 100 clients’, ‘5 of the 13 largest U.S. federal government agencies’ and ‘Both major national political parties’. The reply also noted Acxiom’s ‘long history of proactively engaging with policy makers’, adding ‘We are in numerous policy groups, and in some cases, have been a driving force in their creation’.
The letter (no longer available on Markey’s site) hints at just how much power these companies wield over lawmakers. According to a 2013 report by the Interactive Advertising Bureau, U.S. politicians use the information from the brokers to micro-target their political campaigns, despite (as a 2012 study showed) the fact that the vast majority of Americans are very uncomfortable with politicians gathering information on them and using said information to tailor ads to them.
This may partly explain why there’s no real regulatory drive to bring the brokers’ activities into the light. The Data Broker Accountability and Transparency Act of 2015, for example, was proposed and then died in committee—as did the Data Broker Accountability and Transparency Act of 2015. It follows the noble tradition of the Data Security and Breach Notification Act (which would have been the first U.S. federal law requiring data brokers to inform consumers when hackers have stolen their data), which has been proposed and killed in committee every year from 2015 to 2009.
Lawmakers’ complicity in shielding data brokers from scrutiny does not protect them from the system’s horrific security issues.
In an experiment, Brian Krebs of Krebs on Security sought to see how easy it would be to obtain the full address histories and social security numbers of all 13 members of the U.S. Senate Commerce Committee Subcommittee on Consumer Protection, Product Safety and Insurance. He only needed to go to two identity theft service sites to obtain them all, as well as the same information about the head of the Federal Trade Commission and the Consumer Financial Protection Bureau. If their information is up for purchase by criminals, how could we possibly imagine that any of the rest of ours is safe? Despite issues like this, the industry has been consistently adamant that they don’t need any further oversight or transparency.
When the Federal Trade Commission proposed a centralized list of data brokers that consumers might look over to better understand the market, Experian replied that this would ‘have the unintended effect of confusing consumers and eroding trust in e-commerce.’ One has to wonder why Experian believes that giving consumers more information about the industry’s practices would harm public trust of the means of data collection. Personally, I can’t ever recall losing trust in someone when I found out that they were acting honestly and benevolently. Indeed, the company even acknowledges in the same statement that there are ‘literally dozens and dozens of smaller data providers with long histories of questionable practices’, which is where Experian says the FTC needs to focus its efforts.
Experian’s purchase of Court Ventures
Experian is very well versed in smaller data providers with questionable practices. After all, they bought one.
Specifically, they had acquired Court Ventures, a court records broker who had been providing direct access to sensitive personal data (including social security numbers and bank information) on over 200 million Americans to the identity theft marketplace Superget.info. Experian VP of Government Affairs and Public Policy Tony Hadley testified to Congress in 2014 that the Secret Service notified the company of its subsidiary’s criminal activities nine months after Experian acquired them, and apparently Experian’s due diligence had failed to scrutinize the monthly wire transfers Court Ventures was receiving from Singapore. Regarding Court Ventures, Hadley testified ‘We were a victim, and scammed by this person.’
Just a few months earlier Hadley had testified before the same committee that ‘Experian shares data responsibly—by carefully safeguarding compliance with all privacy and consumer protection laws and industry self-regulatory standards, advancing and observing industry best practices, and establishing and monitoring adherence to our own corporate policies and practices.’
Despite the clear failure of these safeguards, Experian and the rest of the data broker industry continue to argue that they are sufficient, resisting all calls for further transparency and accountability.
The national security implications of the information that data brokers retain
The current lack of oversight not only allows criminals and arguably private companies to abuse personal data, but it may pose a national security threat. The recently revealed Chinese breach of a U.S. government database of 4.1 million employees is just part of a series of cyber-breaches (originating in China) of personal information databases, including the theft of 80 million Social Security records and the breach of United Airlines’ travel records database. U.S. officials and analysts conclude that the breaches are part of a Chinese campaign to build a massive database on U.S. citizens, the most obvious application being for espionage.
The current opaque data broker market could allow China and other governments to simply buy the information they want without having to steal it, particularly as the models for extrapolating data become ever more accurate.
Before we start rounding up angry mobs to storm the databases where our records are kept, however, let’s acknowledge that data brokers provide tangible benefits to all of us.
While I might find it slightly unsettling that Google Maps tells me the locations of where I live, work, and am about to go to a party, without my having to ask, it is convenient. While tailored advertising might sound manipulative, Amazon’s ‘You May Also Like’ has led me to many great books that I would have overlooked. Beyond clear examples of personal data analysis providing conveniences like this, we all indirectly benefit from it making institutions more efficient and keeping costs down.
Unfortunately, data brokers have learned that becoming more transparent opens them up to backlash by a public that still isn’t particularly aware of how much data is available about them and what’s being done with it, and so reacts to any such revelations with shock, confusion, and panic. Fear of such a backlash encourages these companies to remain in the shadows. Naturally, this only further fosters public ignorance and mistrust, which only makes it worse when the public gets a glimpse of what’s going on.
The cycle of mistrust keeps brokers operating what amounts to a black market for personal data. Black markets aren’t known for the integrity of their participants. They aren’t known for their efficiency or reliability either, so even the data brokers are suffering from the current state of affairs.
If we are to break the cycle, we need an open dialogue about how data is to be used.