Common Threads Connecting Data Brokers and Privacy & Security Risks
As readers of this blog know, data brokers are entities that knowingly collect, sell, and share the personal information of a consumer with whom the business does not have a direct relationship. In past blogs, I have discussed the different types of data brokers, the sources from whence data brokers collect their data, the risks associated with data brokers (as narrated by John Oliver), and proposed laws at the Federal level and state levels (e.g., California and Texas). In this blog post, I will discuss the common threads that connect these risks together.
Quick Review of Data Brokers and Privacy and Security Risks
As noted by the California Department of Justice (DoJ), the unauthorized or harmful acquisition and misuse of consumer information can introduce risks to consumers. Recent headlines highlighting this include a Gay/Bi dating app and a Muslim Prayer app selling data on people’s location to a data broker, millions of workers’ paystubs being sold to data brokers, data brokers advertising that they can sell real-time location data of active military personnel, and an antiabortion group based in Wisconsin using location data bought from data brokers to target ads to Planned Parenthood visitors.
Furthermore, in past blogs, I have looked at the risks of data brokers to immigrant rights, domestic violence survivors, reproductive rights, and kids’ online safety as reasons to support California Senate Bill 362 (aka the California Delete Act). And in chapter 2 of my book Containing Big Tech, I cover in detail the various threats to our online and physical safety, civil rights, and to our national security and democracy. Finally, Justin Sherman, a former researcher at Duke University’s Sanford School of Public Policy, has also done a great job of documenting some of these risks in detail in this document.
The point is that there are a lot of privacy and security risks that emanate from data brokers with a lot of documented real-world examples as shown by the links above.
Five Common Threads Connecting These Threats
I see five common denominators across all these threats.
First, as it relates to data brokers, most consumers don’t even know that their data is being collected by data brokers, who is collecting it, which third parties are buying that collected data, and for what purposes the third parties are using it. This means the shadowy nature of the data broker industry compounds many threats.
Second, a lot of the data that data brokers have is inaccurate. For example, in exercising my California “right to know” privacy rights with two of the largest data broker firms, one broker’s data said I was unmarried, and the other stated my religion is Catholic — both of which are inaccurate. Other examples include one person reporting that a large data broker was only 50% accurate with their data and another finding that a data broker’s data on him “was laughably inaccurate” with only 27% accuracy.[1] Furthermore, NATO did a comprehensive analysis and found that “quantity overshadows quality in the data broker industry” and “that on average only 50–60% of data can be considered precise.”[2] This means essential life decisions (getting a job, a loan, etc.) for consumers can be influenced or made by businesses based on scores and profiles that leverage inaccurate data.
Third, data brokers will claim that they will often anonymize sensitive data when they sell it to third parties. Still, it is possible to reidentify consumers when combining data from multiple sources. For example, in the case of location data, analysis of frequently visited locations (e.g., someone’s home) can lead to quick identification. For example, one study found that “researchers could uniquely characterize 50% of people using only two randomly chosen time and location data points.”[3] In another example, journalists with the New York Times were able to identify individuals belonging to the President’s Secret Service detail and described the process “as easy as combining home and work locations with public information.”[4] This means that data brokers cannot honestly promise anonymity for consumers.
Fourth, it is “virtually impossible” to track data origination and destinations. Data brokers often share or sell their data with other data brokers who may share or sell that data to another. This means that highly sensitive or inaccurate data can promulgate across hundreds or even thousands of data brokers and their customers, meaning a consumer may never be able to get their “zombie” data entirely deleted or corrected. It also means there are now more targets for hackers to be able to steal your sensitive data.
Fifth, because the United States does not have a comprehensive federal privacy law, most consumers in the United States don’t have any rights vis a vis data brokers to request access, correction, or deletion of their data. Furthermore, if you have these rights, data brokers often make it difficult to exercise them. For example, Consumer Reports did a comprehensive study in which 543 California residents made “Do Not Sell” requests to 234 data brokers listed in the California Attorney General’s data broker registry. The survey found that “consumers struggled to locate the required links to opt-out of the sale of their information” and “many data brokers’ opt-out processes are so onerous that they have substantially impaired consumers’ ability to opt-out.”[5]
Summary
These threats associated with data brokers seem to have reached critical awareness and have become a bipartisan concern. Luckily for Californians, there is a bill that it is winding through the California State legislature that can help — SB 362 aka the California Delete Act.
This bill would create an online portal for consumers to request that data brokers delete any data they have on the consumer and no longer track them. One can think of this bill as the equivalent of legislation that gave us the incredibly popular “Do Not Call” registry (operated by the Federal Trade Commission with over 240 million registrants). In this case, this bill applies to Californians’ data stored and collected by data brokers. By giving Californians the ability to hit the delete button, many of the risks associated with data brokers go away, as one cannot weaponize data they don’t have.
Footnotes
[1] Paul Boutin, “The Secretive World of Selling Data About You,” Newsweek, May 30, 2016, https://www.newsweek.com/secretive-world-selling-data-about-you-464789. Kalev Lateru, Forbes, “The Data Brokers So Powerful Even Facebook Bought Their Data - But They Got Me Wildly Wrong,” Forbes, April 5, 2018, https://www.forbes.com/sites/kalevleetaru/2018/04/05/the-data-brokers-so-powerful-even-facebook-bought-their-data-but-they-got-me-wildly-wrong/?sh=250ca7c93107.
[2] NATO StratCom COE, “Data Brokers and Security,” 2021, https://stratcomcoe.org/publications/data-brokers-and-security/17.
[3] Bennett Cyphers and Gennie Gebhart, “SafeGraph’s Disingenuous Claims About Location Data Mask a Dangerous Industry,” Electronic Frontier Foundation (EFF), May 6, 2022, https://www.eff.org/deeplinks/2022/05/safegraphs-disingenuous-claims-about-location-data-mask-dangerous-industry.
[4] Stuart Thompson and Charlie Warzel, “How to Track President Trump,” New York Times, December 20, 2019, https://www.nytimes.com/interactive/2019/12/20/opinion/location-data-national-security.html.
[5] Consumer Reports, “California Consumer Privacy Act: Are Consumers’ Digital Rights Protected?” October 1, 2020, https://advocacy.consumerreports.org/wp-content/uploads/2021/05/CR_CCPA-Are-Consumers-Digital-Rights-Protected_092020_vf2.pdf.