Data has become the world’s most coveted commodity—more valuable than oil, lumber or the water drying up in the Colorado River.
And it’s prized even though it’s not rare or difficult to obtain. The dizzying growth of the digital economy over the last 15 years has fueled an explosion of data touchpoints linked to every American citizen.
On the surface, the volume of data may not seem like a reason for concern, but the ways it’s collected, assessed and “commoditized” can be frightening.
Data brokers—companies that collect, track and sell personal consumer data—set the stage for exploitation and manipulation by entities ranging from relatively benign consumer products companies to openly hostile foreign powers like China and Russia.
With mixed success, just two U.S. states have pushed back against data brokers and the risks created by their opaque business practices. It’s a daunting problem with potential roadblocks to reform, including questionable practices by the U.S. government.
DEFINING DATA BROKERS
Data brokers collect personal information about consumers from companies and other sources and then sell or license it for profit. The brokerage industry brings in big money, with most estimates north of $200 billion per year.
Although Google and Facebook are known for collecting data used to target advertising, data brokers operate differently. They collect very specific information that they can link directly to a person’s identity.
Look at websites like Spokeo. Data is readily available that includes a person’s name, address, phone numbers and location. But that’s just a taste of the public data that’s online. Brokers build profiles of people and then license or sell the information to third parties.
Who are these third parties? There’s no shortage of buyers.
Got a warehouse full of southpaw golf clubs and need to buy a list of left-handed retirees who are also “im-pulse buyers?” A data broker can identify potential customers based on their browsing history, demographics and data collected from a golfing app.
Running a Catholic news outlet and looking to identify a priest’s precise location to “out” him as a predatory homosexual? That’s what investigative journalists at The Pillar did when they obtained commercially available location data to determine priests had visited gay bars and private homes while using the dating app Grindr.
But this goes far beyond selling golf clubs or tracking clergymen. The national security implications are extraordinary. In December 2019, for example, New York Times writers Stuart Thompson and Charlie Warzel obtained data that tracked more than 50 billion pings from the cellular phones of more than 12 mil-lion Americans. Although it was a random dataset, the Times Privacy Project used additional public information to identify and track a Secret Service agent protecting then-President Donald Trump.
One can assume that if a handful of journalists can locate the president’s guards, the nation’s adversaries could also obtain that information. And if the president of the United States isn’t safe, who is?
SURVEILLANCE CAPITALISM
Data broker LiveRamp has collected information on more than 250 million Americans, according to its website. And it’s all for sale. Many data brokers feel no compunction about peddling information to foreign governments because it’s legal and lucrative.
Traversing the universe of these brokers and studying their capabilities can become downright exhausting. The rise of the digital economy and the adoption of mobile phones, which track location, browsing his-tory, personal preferences, shopping habits and much more, have led to an explosion in available personal data points.
Public policy governing data protection lags far behind the technology, according to Alan Butler, president and executive director of the Electronic Privacy Information Center, or EPIC, a nonprofit research center that strives to focus public attention on privacy litigation and policy.
The explosive expansion of technology and businesses has facilitated broader collection and tracking. And with artificial intelligence and big data now mainstream, the complexity and challenges will continue to accelerate, Butler said.
“A lot is changing when you think about the ubiquity of tracking technology and data analysis,” Butler noted. “It’s pretty daunting. We have to remember that the modern smartphone has only been around since 2008. It’s not only a supercomputer in your pocket, but it’s also a device with sensors and data analysis that is largely consumer-facing. These technologies provide features like GPS, cell phone tower data and more to tell me where I am.”
While users find that information valuable, the underlying technology also feeds the data to brokers who exploit it. In a 2014 book, Harvard professor emerita and EPIC board member Shoshana Zuboff coined the term “surveillance capitalism” to describe a system that commoditizes consumer data for profit.
“Data brokerage is one of the major proponents of surveillance capitalism,” Butler said. “In this case, data is taken away from its original context. It’s one thing for a company to identify and pinpoint where I am on a map. It’s another to sell it.”
REGULATORY REACH
The U.S. government’s focus on cybersecurity and data privacy has centered on preventing breaches and administering financial punishment to companies that are careless with consumer information.
But is that the right approach?
In May, the Biden administration issued an executive order for the government to “improve its efforts to identify, deter, protect against, detect, and respond to malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” Such attacks have become more common in recent years, with the Microsoft Exchange and SolarWinds hacks serving as two prominent examples.
Former President Trump’s emphasis on data security pitted his administration against China. The White House banned ByteDance and WeChat in the United States because data gathered on those sites could end up in the hands of the Chinese Communist Party. The party could then use the information for blackmail, intimidation and other threats to national security. Unfortunately, the reality was that the U.S. acted too late.
In August, Matthew Pottinger, a deputy national security advisor to Trump, told the Senate Intelligence Committee that China had stolen enough data to build a “dossier” on every American adult. Even more disturbing, it remains unclear whether U.S. policymakers understand that hacks and app store data policies are only part of the problem.
Hostile governments and other bad actors no longer have to steal information. They can simply buy it. Unfortunately, there’s a significant gap in understanding the role of data brokers. Only two states have passed laws to regulate data brokers and help customers protect their digital identities. California and Vermont require data brokers to register.
Although dozens of data companies have registered with Vermont, not many of them have supplied de-tails about their business practices, The Washington Post reports. Several missed registration deadlines and some didn’t register at all. Data broker Amerilist missed the state’s initial registration deadline by more than four months, The Post wrote in 2019.
How many established or new brokerages haven’t registered as required? And how would the state even know?
Lack of transparency remains a severe problem. Most Americans don’t know where the estimated 4,000 or so data brokerages are operating. The brokers rarely discuss business practices or models in public. In 2019, the Senate Committee on Banking, Housing and Urban Affairs convened a hearing to explore the data brokerage industry and potential regulation, but the data brokers invited to participate didn’t bother to show up. The Senate moved on.
Meanwhile, the Freedom of Information Act offers consumers access to their personal data, but that feels like a bust. Even if a consumer tracks down the data broker and requests personal data, the amount of in-formation would be overwhelming.
“If you contacted LiveRamp and ask them for all of your historical data, you’re going to receive a data dump that will be unbelievable,” Butler says.
THE REGULATORY EFFORT
Sens. Ron Wyden (D-Ore.) and Rand Paul (R-Ky.) have been outspoken critics of the data brokering business. In May, Wyden’s office released a draft of the Protecting Americans’ Data from Foreign Surveillance Act of 2021. Wyden said in a statement that “shady data brokers shouldn’t get rich selling Americans’ private data to foreign countries that could use it to threaten our national security.”
The bill would establish rules on how foreign nations or other entities gain access to sensitive data. In addition, Wyden and Paul have introduced The Fourth Amendment is Not For Sale Act, which bars governments from purchasing Americans’ geolocation data.
Legislators have proposed other bills, but selling data to foreign nations isn’t the only problem. Timing is an issue. A slow-moving bureaucracy provides only a weak defense against a powerful and agile data brokerage industry.
The Federal Trade Commission, for example, is empowered to regulate data brokers under Section 5 of the FTC Act if the agency can prove the companies engage in unfair or deceptive practices. Meanwhile, the FTC and the Consumer Financial Protection Bureau can both wield powers laid out in the Fair Credit Re-porting Act. But it’s not clear that the leadership at either agency is interested in regulating the industry.
Butler doesn’t believe that the FTC has enough reach. Moreover, the agency lacks an understanding of brokerages’ business practices, which have been transformed by algorithmic tracking, artificial intelligence and advances in data collection, he said.
Consumer privacy requires far greater oversight, according to Butler. So EPIC has pushed for creation of a data protection authority or agency with a regulatory mandate—something similar to the Securities & Ex-change Commission or Human Health & Services but for data and privacy management.
THE LOBBYING ASSAULT
Even if broad support emerges for regulatory oversight, two key factors may continue to stymie reform. First, the data brokerage industry is casting aside its naturally secretive nature to spend prodigious amounts very publicly in its effort to influence regulation and legislation. Second, the U.S. government remains a large customer of the data brokerage industry.
Last year, the size of the data brokerage industry’s lobbying budget rivaled those of two gargantuan companies—Facebook and Google—according to The Markup, a nonprofit investigative newsroom. Twenty-five registered data brokers in Vermont and California spent a combined $29 million on lobbying last year, the organization says. Oracle, which owns several data collection companies, reportedly shelled out $9.57 mil-lion for lobbying efforts last year, while the three major credit bureaus, Experian, Equifax and TransUnion, each spent more than $1.35 million.
The Markup contacted all 25 of the registered data brokers to ask about their lobbying activities, but a few companies—including LiveRamp and Inmar Intelligence—denied that they were data brokerages despite self-identifying as such in Vermont or California. In reality, LiveRamp, the industry’s biggest spender on lobbying, lavished $630,000 on such activities last year.
Meanwhile, the fact that data brokerages have found reliable customers in the U.S. government makes it more difficult to put the genie back in the bottle through regulation. Government purchases of cell phone data and other information on Americans circumvent the Fourth Amendment, Vox and other media have reported.
Although a federal judge noted in a ruling in Carpenter v. United States (2017) that the government must obtain a warrant to compel companies to hand over sensitive personal data, agencies can instead incentivize a data broker to obtain data. As the Washington Post notes, the government doesn’t need to force wireless companies like Verizon to produce geolocation data. A wealth of apps that track cell tower pings collect that information to sell.
Agencies that have purchased data include the FBI, Internal Revenue Service, Department of Homeland Security and Drug Enforcement Administration, The Washington Post reported. Immigration and Customs Enforcement paid more than $1 million to data firm Venntel for mobile location data, while the Defense Department purchased location data derived from a Muslim prayer application and a Muslim dating app.
Meanwhile, the government remains far behind the times when it comes to protecting data privacy, as evidenced by the fact that the 1986 Electronic Communications Privacy Act remains the most important effort to govern the sector. In the 25 years since the bill became law, cellular phones, mobile networks and digital devices have proliferated—not to mention the explosion of data.
Each day that governments fail to act provides another opportunity for a new problem with da-ta privacy to emerge. George Orwell put it this way: “If you want a picture of the future, imagine a boot stamping on a human face—forever.”
An Invasion of Privacy?
Credit bureaus like Transunion, Equifax, Experian and their smaller competitors might soon begin incorporating data from browsers, searches and shopping histories into more accurate credit scores, according to a new report from the International Monetary Fund.
That’s a terrible plan for two reasons, says Alan Butler, President and Executive Director of the Electronic Privacy Information Center.
“First, this creates new problems that arise in the traditional credit reporting system,” Butler told Luckbox. “These include improperly limiting access to credit, misidentifying people and various biases (social, political and financial). It creates possible barriers that aren’t justified.”
The second issue is the specter of an authoritarian using data surveillance to control the populace, he continued. Already, the Chinese Communist Party uses a social credit system to track citizens’ activities. It awards points for what it considers good behavior and subtracts them for supposedly bad behavior. Positive scores earn benefits, like the right to fly on commercial airlines, while those with negative scores could find themselves excluded from the financial system.
Butler describes the system in China as “dystopian and terrifying.”
Originally published In Luckbox Magazine. Subscribe for free at getluckbox.com/dailyfx
Be the first to comment