For Sale: Practically All the Details of Your Personal Life

Linda Musthaler
By | June 09, 2014

Posted in: Network Security Trends

When documents released by Edward Snowden showed that the National Security Agency (NSA) is collecting various types of data on ordinary American citizens, a lot of people were quick to voice their opinion that this is just wrong. Many Americans don’t believe our federal government should be able to snoop on us to learn who we choose to call or exchange emails with. Many people argue this is against the law (although the NSA does get legal clearance to collect the data it wants). What if there were companies that collected all sorts of personal information about you – your social security number, your income level, your health issues, and much, much more – and used this data to profile you and sell the information to others to make a profit? Would that bother you? Would you expect this to be against the law?

Well, it happens every day, and it’s perfectly legal. In fact, it’s a very profitable business model.

The Federal Trade Commission (FTC) recently published the report Data Brokers: A Call for Transparency and Accountability. It’s an eye opener for anyone who thinks they lead a private life. Companies known as data brokers collect and sell just about every kind of data point about your life, and it goes far beyond what the NSA is doing with phone calls and emails.

A data broker is a company that legally collects data from a wide variety of sources and packages it for use by others. The most common uses of data broker services are for marketing, fraud detection, and finding people. (You know when you Google your college roommate’s name and a bunch of companies offer to sell you access to their full background check and arrest record? That’s a data broker at work.)

Data brokers do not need your permission to collect information about you, mostly because they usually get it from public sources or private sources where you’ve agreed that your information can be disclosed to “affiliates” of that company. This includes sources like government records (think marriage license, car registration, arrests, tax authorities, etc.); credit bureaus; websites, including computer cookies, social media and public forums; retailers; and just about anywhere else, online or offline, where you might leave a paper trail or digital record for your everyday activities and transactions. Data is even acquired from other brokers.

According to the FTC report, one data broker has 3,000 data segments for nearly every U.S. consumer. And of course, the data is not anonymized because it is tied to specific individuals. Some of the data that’s collected, stored and sold may be considered highly sensitive. What’s more, some of it might be obsolete or completely wrong—but you wouldn’t know this because people rarely have the opportunity to see the personal data that’s collected on them, or to correct or delete it. (Data brokers admit that they rarely delete data; they simply don’t make it available to their customers.)

In this era of Big Data, data brokers use data about us to make inferences; for example, what kind of products we are likely to buy, where we are likely to go on vacation, what kind of health issues we might have, and so on. Maybe actual data doesn’t give the answers to questions marketers have but by putting two and two together, the picture gets a little less fuzzy. For instance, if your browsing history shows you have looked up the treatments for diabetes and your shopping history indicates you’ve switched to buying sugar-free products, someone could infer that you or someone close to you has diabetes.

Such an inference could be used for good or for bad purposes. On the good side, you might start seeing online ads for diabetes treatment trials in your area. On the bad side, a potential employer might choose not to hire you for fear of high insurance claims if you really do have diabetes. These kinds of decisions are made, not based on factual data, but on suppositions stemming from the factual data.

Another thing that data brokers do is categorize us in many different ways—some of which can be sensitive or even offensive. The FTC report says brokers have categorized people according to age, ethnicity, income, educational level, household demographics, and much more. For example, people in the category of “Urban Scramble” are of a Latino or African American heritage and they have a low income level. A financial services company might purchase the data in the Urban Scramble category to market high interest payday loans.

By now you might be feeling a little creeped out that companies know so much about you and are willing to sell the information for a shekle or two. As consumers, we actually benefit in some ways from the work that data brokers do. For example, in my case, it’s no coincidence that my local banks are sending me information about low interest loans to pay for college. They know my household includes two recent high school graduates.

Credit card companies use this broad range of data to spot fraud. If your card issuer knows “you” (really your data) well enough, it can identify anomalous behavior that doesn’t fit your typical profile and slow down the transaction until it can confirm that you really are traveling in Eastern Europe this week.

Of course, there’s also tremendous potential for harmful use of the data. Suppose you want to rent an apartment and the landlord denies your application based on erroneous data in your profile; for instance, an arrest record that truly isn’t yours. You’ll never know why you didn’t get the apartment.

And what happens if your identity gets stolen and lots of bad stuff starts showing up in your data: unpaid credit card bills, forged checks, Social Security fraud, etc. While none of these things may be your fault, you have no idea that records of these activities are permanently associated with your identity maintained and resold many times over by data brokers.

Another huge risk is the prospect of a data broker experiencing a data breach. This is what happened to the background check data broker ChoicePoint in 2005. Scammers set up bogus companies and contracted with ChoicePoint to gain access to the personal information of 163,000 people. ChoicePoint was roundly criticized for not knowing that it was selling sensitive information to thieves. Data brokers also are susceptible to cyberattacks where data is siphoned out through computer systems. Since data is usually stored indefinitely, a cyberthief who gains access will have a real treasure trove at his disposal.

The whole purpose of the Federal Trade Commission’s report is to say that there is a lack of transparency in the data brokerage business. To be clear, the business of collecting and selling personal data is not illegal.The FTC is simply saying that brokerage firms should be more open with consumers about what data is collected and how it is used.

The FTC is calling on Congress to develop legislation that would allow consumers to have access to the data about themselves, and to be able to opt out of having data shared for marketing purposes. Consumers also should have the right to know the original source of the data.

The FTC recommends that brokers practice “privacy by design”—in other words, that they consider privacy issues at every stage of product development. The agency also recommends that they collect only what they need and properly dispose of data that is no longer useful; that they refrain from collecting data on children and teens; and that they take precautions on the downstream use of data. This latter recommendation puts the onus on data brokers to know how their customers plan to use the data and assure that it’s not for illegal purposes.

Now that you know a bit about the data brokerage business, do you still think the NSA is the biggest threat to your privacy when/if it happens to collect your phone and email information?

If you want an interesting read, take a look at the FTC’s report on data brokers and transparency (or lack thereof). It’s posted here.

You May Also Be Interested In: