Bringing Light to the Shadowy World of Data Brokers

This is the first of a three-part series covering, respectively, the current state of the data broker industry, the threat it poses to national security, and a novel proposal for resolving these issues while maintaining or increasing profitability for data brokers.

 

Experian’s new report predicting data breach trends in 2017 provides a glimpse into just how much information on every one of us is stored in private databases and how poorly managed that information is.

As early as 2014, a White House report stated that “we live in a world of near-ubiquitous data collection.” This data collection provides the backbone for the huge (and largely opaque) ecosystem of private and government groups that buy and sell personal information. On the one hand, this ecosystem provides enormous convenience and indeed makes our current economy possible. On the other, the systemic lack of transparency of any of these groups or their transactions poses numerous risks, not only of defrauding individuals but also to national security. To resolve these issues, I propose an alternative market-based framework intended to increase data security and accountability while enhancing the profitability of private stakeholders.

To begin grasping the issue’s scale, consider the example of one of the most visible data aggregators: Facebook. Facebook records a phenomenal amount of detail on the behaviors of its nearly 2 billion active users, which it uses to assign them over 52,000 unique attributes. When helping its customers (that is, advertisers) target their marketing, Facebook supplements its own data by partnering with nine different data broker firms around the world. Facebook also works with these brokers to match specific offline purchases with ad views by users to ensure that its ad targeting is effectively persuasive. Considering that Facebook Likes alone have proven sufficient for impressively reliable algorithmic extrapolations of users’ personal information such as sexual orientation, religion, relationship status, and alcohol use, one can only begin to imagine how much Facebook can infer about its users.

But even Facebook touches on only a portion of this opaque marketplace. Just one of its data suppliers, Acxiom, has multi-sourced information on over 700 million individuals, whose data it uses to conduct over 1 trillion transactions per week globally with over 3,000 clients, including over half of the Fortune 100, according to its 2016 annual report. Strangely, the 2016 report did not repeat the claim from the 2014 and 2013 reports that it has records of “Over 3,000 propensities for nearly every U.S. consumer”.

Such information can include categories such as social relationships, legal history, financial records, health information, Social Security number, ethnicity, address history, religion, political affiliation, purchase histories… Indeed, minute details on nearly every aspect of individuals’ lives are available for sale.

Some of the information being sold by these brokers is incredibly sensitive, such as the lists of rape victims, dementia sufferers, HIV/AIDS sufferers, or those with addictive behaviors (helpfully sub-categorized into “alcohol”, “drugs”, and “gambling”) being sold for 7.9 cents per name in 2013. Even six years prior, in 2007, federal agencies acknowledged that criminals were using data sources like these to target telemarketing scams, buying lists like “‘Elderly Opportunity Seekers,’ 3.3 million older people ‘looking for ways to make money,’ and ‘Suffering Seniors,’ 4.7 million people with cancer or Alzheimer’s disease. ‘Oldies but Goodies’ contained 500,000 gamblers over 55 years old, for 8.5 cents apiece. One list said: ‘These people are gullible. They want to believe that their luck can change.’” Nor is this merely sporadic: Experian, one of Facebook’s partners and a major player in the industry, was advertising marketing lists based on medical prescription use, among their many categories.

For an even more direct example of fraud: in a recently settled FTC case, criminals used information from re-sold payday loan applications purchased from a data broker to directly steal over $25 million from millions of bank accounts.

The current arrangement of the data broker industry also facilitates identity theft. Experian subsidiary Court Ventures was providing access to the financial records, SSNs and other information of 200 million Americans to online identity theft marketplace Superget.info—3.1 million of which were actually queried. When these identity theft sites can’t purchase the data from the brokers, they steal it, like ssndob[dot]ru, which sold records on four million Americans obtained by covertly piping them from the databases of several brokers. (And brokers have been found stealing from each other as well.) These identity theft sites are sufficiently comprehensive that in a 2014 experiment, Brian Krebs was able to obtain from just two sites the SSNs, phone numbers, and address histories for all 13 members of the Senate Subcommittee on Consumer Protection, Product Safety and Insurance, as well as the heads of the FTC and Consumer Financial Protection Bureau. However, due to a great deal of redundancy between data brokers’ databases, it’s typically impossible to determine from which brokers these data originate and thus identify any vulnerabilities or illicit sales in the overall industry.

This may be only the tip of the iceberg of the abuse. Industry oversight in the U.S. is minimal, so all of the problems in these examples have been picked up largely by chance. In 2014, FTC Chair Edith Ramirez, whose agency theoretically has jurisdiction over data brokers, admitted that her agency didn’t even know how many data brokers were active, let alone details of their activities.

What the FTC can report is “a fundamental lack of transparency about data broker industry practices.” Indeed, the brokers are so resistant to sharing information about themselves that they refused to provide specifics on their data sources and customers to even a 2013 Congressional inquiry.

Their confidence in refusing such high-level inquiries may originate from the identities of a few of their customers in particular. Jeffrey Chester, executive director of the Center for Digital Democracy, notes that political campaigns frequently use data from brokers to target their advertisements, so “There’s no political pressure on Congress, really, to act. The data-broker lobby is incredibly powerful.”

Politicians may have good reason to worry about unveiling their relationships with data brokers, as a 2012 survey found that the majority of Americans are deeply uncomfortable with the idea of political ads tailored to them by their personal information, which is more or less the standard practice.

Unfortunately, the resultant lack of industry transparency raises not just a criminal threat to individuals, but several national security threats. Not only does it create several espionage risks, but it could facilitate foreign manipulation of U.S. public opinion.

But we’ll get into that next week.

Unsafe Harbor?

This week heralded some very big news: the European Court of Justice (ECJ) ruled that the EU-US Safe Harbor was invalid for failing to satisfy EU privacy laws. Suffice it to say, this is a big deal. I’ve discussed the Safe Harbor briefly in the past, but in short, it was a compromise between EU and US privacy laws that helped keep our international system running smoothly, at least for major multinational corporations like Facebook and Google. Invalidating the Safe Harbor certainly will upset the apple cart, and the ECJ opinion may have serious lasting consequences, so let’s dive in.

What’s the Deal with Ireland?

If you read my last article on the Microsoft Ireland case, you’ll recall that Microsoft operates one of its major cloud storage facilities in Ireland. While not itself eyebrow-raising, Microsoft is not the only corporation making headlines in Ireland. Recently Twitter announced that it would be processing all non-US Twitter users, some 300 million people, in Ireland. Eyebrows elevated yet? Or what about the fact that the top 10 US tech firms all have their international headquarters in Ireland? So what’s the deal with Ireland? Tech companies are flocking to the Emerald Isle, and presumably not just because they are after its Lucky Charms. Ireland appears to be offering a pot of gold for tech companies, so I thought I’d expand upon my discussion of the Microsoft Ireland case to discuss the role Ireland is playing in the US-EU divide over privacy.

Facebook Threats: What’s Not to Like

I finally got around to listening to the oral argument for the Supreme Court case Elonis v. United States, which attempts to determine when threatening language online can be proscribed under the First Amendment, and I’d like to talk about it. The case involves a man who wrote threatening rap lyrics on his Facebook page about killing his ex-wife. I always find First Amendment debates fascinating, and the application of old First Amendment law to modern technologies seems right up my alley.

At its core, the case is very simple. “True threats” are one of the categories of speech that are exceptions to the First Amendment, and therefore not subject to “strict scrutiny,” the highest legal standard. The question is two-fold: what mens rea requirement do we apply to true threats, and does communicating a threat through social media implicate the defendant’s mens rea?

Gamergate and E-Harassment

I’ve wanted to talk about Gamergate for quite some time now. As a self-proclaimed casual gamer, seeing the ugly underbelly of the video game world exposed is both harrowing and eye opening, and necessarily provokes a lot of thoughts. For those who don’t know, Gamergate is a social media phenomenon (see also #gamergate) wherein a critique of video game journalism rapidly descended into a misogynistic free-for-all involving widespread harassment of female game designers and game critics. While discussions about sexism and misogyny in gaming did not originate with Gamergate, the extremity of the backlash in this instance does seem to be unique, and has led to numerous discussions about gamer culture, internet culture, and the host of problems they present. I don’t want to oversimplify what is inevitably a complicated issue, but it’s hard to deny that the reason #gamergate became such a big deal is because of its implications for gender politics.