Data brokers, who are they and how do they impact your privacy?
Data brokers work for companies that collect information about people from a wide range of sources in order to make a personal profile. These profiles are then sold to companies that desire personal information in order to market product.
Data brokers sell complied personal data to other companies (including other data brokers), organizations, government agencies, or other persons. In some cases, they exchange this information under cooperative arrangements rather than sell it. In other instances, they provide the information at no cost, making money through advertising or referrals.
The Federal Trade Commission (FTC) has defined data brokers as “companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.” Protecting Consumer Privacy in an Era of Rapid Change (March 2012) at page 68.
Where do data brokers get your personal information?
- Data brokers can get information from a wide range of public records such as court filings, real property and tax assessor records; mortgages, driver’s license records, motor vehicle records, voter registrations, telephone directories, real estate listings, birth, marriage, divorce and death records, professional license filings, recreational (hunting and fishing) licenses, and census demographic information.
- Self reported information such as contest entries, sweepstakes and warranty cards.
- Social media such as Facebook. Data brokers can use these sites to gain access to a user's name, gender, location, and level of education.
- Cooperative arrangements in which companies will exchange existing information about their customer for additional information gathered by data brokers.
- Buying information from other data brokers, retailer or financial institutions. This may include consumer's’ web browsing activities from online advertising networks, data about purchases from retailers, catalog companies and magazines and data from websites where consumers register or login to obtain services, such as retail, news, and travel sites
Privacy concerns
The general population is largely unaware that their data is being collected and stored. Data broker companies prefer it this way. Data brokers are largely unregulated. If the population had a better understanding of what was being done with their data, it is likely there would be more concern.
A good example a data brokers company is Ebureau. This is a company you may remember from a video by Professor Dryer. This company is one of the top data collecting companies. Before this class I had never heard of it. Ebureau knows everything about us. Ebureau creates what is called an Escore, an Escore is like a credit score, except a Escore contains a lot more information. This information is then sold to companies who use it to decide if someone will be a profitable customer.
Companies can use this information to discriminate against users. They don’t just use cold hard facts either. Data brokers are notorious for inferring details based on the information gathered. Here is an example: if a user belongs to a data segment called “Biker Enthusiasts” that offers motorcycle related coupons to its customers, an insurance company using that same segment might infer that the consumer engages in risky behavior. Thus, information compiled by data brokers can seriously affect someone's life yet only one of the major data broking companies allows users to correct inaccurate data that has been compiled about them.
There are benefits of data brokers. Data brokers help create targeted ads which are efficient to both the company and the consumer. Data brokers also help prevent fraud. Four of the major data broking companies sell risk mitigation products. These products help companies ensure that Jane Doe of 123 Main street who wants to buy a boat is actually Jane Doe.
What is being done to protect user privacy?
The FTC first became concerned with the inner workings of data brokers in 1990. After conducting a thorough investigation the FTC suggested to congress that something should be done to increase transparency in the data broking business. Despite this, no legislations was enacted.
In 2012 the FTC tried to redirect interest in data brokers by issuing a report. This report called for more transparency in the data broker business, this report suggested that data brokers create a centralized website that anyone could access. This website would identify data broker companies, detailing their data gathering methods, as well as how the data are being used. This website would also give users the opportunity to correct incorrect data on them or opt out of having their information used completely.
The FTC also issued administrative subpoenas to nine data broker companies: Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf, and Recorded Future. This subpoena requires these companies to respond to a detailed set of information requests. The Orders requested detailed information regarding the data brokers’ practices, including the nature and sources of consumer data they collect; how they use, maintain, and disseminate the data; and the extent to which the data brokers allow consumers to access and correct data about them or to opt out of having their personal information sold or shared. Their response has not yet been made public.
Congress has had a much more proactive responses to the FTC’s latest findings then it did in 1990. In 2014 a bill was introduced in an effort to protect consumer privacy. This bill did not make it through the Senate but a similar bill was introduced in 2015 by Edward Markey.
The “Data Broker Accountability and Transparency Act of 2015.”
“Prohibits data brokers from obtaining or causing to be disclosed personal information or any other information relating to any person by making a false, fictitious, or fraudulent statement or representation, including by providing any document that the broker knows or should know to: (1) be forged, counterfeit, lost, stolen, or fraudulently obtained; or (2) contain a false, fictitious, or fraudulent statement or representation.”
Senator Markey stats that the data broker industry is a "shadow industry of surreptitious data collection that has amassed covert dossiers on hundreds of millions of Americans, Data brokers seem to believe that there is no such thing as privacy." In addition, co-sponsoring Senator Richard Blumenthal (D - Conn) thinks that brokers are "insidious, invisible threats" to privacy.
The Direct Marketing Association, a trade group that represent data brokers, believes that brokers are taking steps on their own to improve transparency and that the industry should be self-regulating.
While the Data Broker Accountability and Transparency Act requires that the FTC set up a website for consumers to make some decisions regarding their personal data, it requires the FTC to proffer specific rules about how this is done. This is a standard method used by the Congress to get things done. The Congress lays out concepts and a plan of action and then requires a department of the executive branch to specify regulations through a public process.
There are two failings to this approach. The first is that the public process involved in rulemaking favors industry. In order for consumers to contribute to the making of rules and statutes through a public process, they must be involved and knowledgeable. This is difficult for individual consumers. On the other hand, industry has resources and can hire analysts and lobbyist to engage in these processes, follow process and influence the making of statutes.
The second failing is that industry self-regulation is an historic myth. The history of industry in the United States is that of aggressive marketing and innovation. This has led to centuries of economic growth. Occasionally however, government regulation is necessary. Information is a commodity and can be privately owned and traded on the market. But personal informations is naturally owned by individuals and should be traded at the behest of the owner and under conditions the owner specifies.
The Data Broker Accountability and Transparency Act, therefore is flawed in that it doesn’t specifically recognize that individuals own their own data. The act should require that data be kept by the individual unless contracted for otherwise.
I would say with any large storage of personal information is that there needs to be a highly secure security to prevent data breaches. From what Mary said in her post, it seems like the data brokers have access to a lot of sensitive data about millions of people. If one of these data brokers were hacked, then the potential damage would be huge.
ReplyDeleteDoing some further research, I found this website that lists ways/links to opt out of being tracked by data brokers. I think it's worth a look: http://www.stopdatamining.me/opt-out-list/
I agree with Junkang that there should definitely be a high threshold of security on this information. I think it's very strange that there are not very many regulations on this kind of business. They are profiting off selling people's personal information, and there are virtually no laws preventing or regulating this? Seems pretty sketchy to me. It is also crazy how many people don't know this kind of thing goes on. I know I wasn't aware before this class, and Mary also mentioned she had never heard of Ebureau. I don't like that. I realize it's in the best interest of the data brokers, but I think there should be legislation enacted that is in the best interest of the public and voters instead.
ReplyDeleteWhat I think is so interesting about the data broker business is that as Mary showed us, it is such a large industry, yet it remains virtually unregulated, and the general population knows very little about it. To me, this raises a bunch of problems. For example, as Junkang said, someone's data could be hacked, and a good deal of personal information could be leaked without them even knowing it was there in the first place. As we've talked about in class, there are certain questions that need to be answered about collecting this type of data like who holds onto it, what purposes is it used for, etc. Yeah, it may be nice to get a targeted ad to alert you on what you may be interested in buying, but in my opinion the cons far outweigh the pros. I see this almost in the same vein as giving up privacy rights in the name of combating terrorism.
ReplyDeleteThis is an interesting topic and one that I didn't know much about before this, other than that it happens. I think that regulation definitely needs to be instituted and that there needs to be a minimization of how much information and what type of information can be collected by the Data Brokers. While I understand the appeal, especially from a business perspective, of having information that can target advertising, I don't think this best suits the public's interests. I do not propose banning the collection of data, but I do see a blatant need for regulation enforced by the FTC as well as rights for individuals regarding the data that is collected.
ReplyDeleteHas anyone bought shoes off of Amazon lately? The last time I did, the recommendations made to me were in colors I liked and only results in my size showed. While I agree with the above comments that this pro is far outweighed but the cons, I believe that with the progression of technology data aggregation can make industrialized societies massively more efficient. To be clear, I do believe that there needs to be stringent regulation against the abuse of aggregated information. Best efforts should be made to protect this information; it should be anonymized as much as possible, kept from human eyes to the highest degree possible, etc. I also agree that the negatives weigh far more than the small benefit gleaned for most people - today. In the decades to come, however, I believe this is the type of practice that will be so useful it will seem commonsense.
ReplyDeleteI agree. To give another example, I was flying out of LAX recently and opened up Google Maps to get directions. As soon as I opened the app I was presented with LAX as a destination with my appropriate terminal and flight information listed. This was simultaneously horrifying and awesome. I use Google for email, so thats probably where maps got the information. I think that it raises the questions “Should companies be regulated differently if they are using data internally?”, “How should companies like Alphabet (parent company of Google) which have a wide offering of services transfer data internally?” (They serve ads as their primary business model), and “Does Google have an unfair competitive advantage if they are allowed to transfer information internally?” I think the best approach is simple clear legislation that requires some transparency on the part of information brokers such as what information is stored and a process for updating invalid or unjust information. I would like to be able to delete tracking information about me, but I’m not sure that this should be considered a legal right.
DeleteI agree largely with what Michael said. The pros of targeted ads far outweigh the cons. For me, I don't even like targeted ads that much. Sure, I mean it's nice to see a sweater I'd like to buy while I'm surfing around on Facebook or Amazon but the fact that my online movements and purchases are being tracked makes me more uncomfortable than it persuades me to buy more sweaters. Like Anne said, prior to Mary's post I had never heard of any of the data broker agencies which also makes me wary. The other concern I have is the potential for inaccurate information. It's bad enough that data brokers are profiting off of my personal information but the potential for that information to be incorrect and impact my life, like in the insurance example Mary gave, makes me think that there should be stringent restrictions. I agree with Mary's conclusion that data should be kept by individuals.
ReplyDeleteOne more thought I just had is that maybe the data that the data brokers own could reset every 5 or so years. For example, if they had a file on me, 5 years from the day it was collected the data would disappear. That may be hard to regulate but it might assuage some privacy concerns. It certainly would make me a little more comfortable with idea of "big data" if I knew my information wasn't floating out there indefinitely.
DeleteDid you mean to say "The pros of targeted ads far outweigh the cons"?
DeleteOops, no, sorry, I tried to type too fast there. I meant to say "The cons of targeted ads far outweigh the pros". Thanks for catching that for me, Sheyne. Mixed up my words there.
DeleteThis comment has been removed by the author.
DeleteI do agree with the idea that a person owns all the data that they create, and I really like the concept of creating a central site where data brokers have to disclose their data collection methods and allow for corrections. However, I disagree with Mary's assertion that the FTC is unfit to enact regulations on data brokers. While there is the danger of the regulations being influenced by data broker lobbyists, the danger is overblown. Even if the general population in any way directly contributed to the regulations (they don't, they merely comment), there are plenty of privacy advocates out there to protect public privacy. As for everyone else's worry about data breaches, I see this as a minor issue. Most of the data broker information is all publicly accessible anyway, its power comes in the methods used to combine and analyze it. A dedicated person could likely come up with a comparable dataset through the same means that the broker came upon it. Obviously there are potential issues surrounding big data, but my concerns lie mostly surrounding the potential use of this data (for example, the discriminatory uses outlined in the NY Times article), rather than the collection and storage of it. I think that this is where regulation should be focused.
ReplyDeleteI agree with the sentiment that regulation is needed for data brokers. With this data collection, huge amounts of personal information are being stored. With this amount of information, protections for the consumer are needed, such as secure storage and the opportunity to opt out of this data collection. Consumer education should also be implemented. Opt outs and being able to ask that data is destroyed are useless if consumers don’t know these rights. Data brokers need to be regulated and consumers should be given power over their personal information.
ReplyDeletehttp://www.creepypasta.com/psychosis/
ReplyDelete