The “Weaponization of Data” Threats Associated with Data Brokers

As readers of this blog know, I have written several blog posts diving deeply into data brokers. Topics covered include a look at the different types of data brokers that are out there; the sources from whence data brokers collect their data; how data brokers profile, segment, and score us, and proposed laws at the Federal level and state levels (e.g., California and Texas).

In this blog post, I want to drill down and look at the potential threats data brokers pose to individuals, our national security, and even our democracy. Some of this content is excerpted from my book Containing Big Tech which you can order here.

A Quick Primer on Data Brokers

Data brokers are defined as businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship. Unlike Big Tech firms like Meta and Google, which primarily collects our online activity, data brokers collect information about us from online and offline sources, thus surveilling us just as significantly. Their data sources include property records, purchase history, social media profiles, and online web and mobile app activity tracking. So, for example, data brokers know the websites you have visited (e.g., a website on depression), your credit card purchases (e.g., you purchased adult diapers), and the apps you have installed (e.g., a gay dating app or a Muslim prayer app). And their hooks in your mobile apps can even track all your locations (e.g., you visited a Planned Parenthood).[1]

Threat to our Online Safety

Identity theft is a big issue with consumers. The Federal Trade Commission recorded over 1.4 million identity theft cases in 2021, compared to 650,000 in 2019 — a doubling in two years. According to the Internet Theft Resource Center (ITRC), identity theft can “destroy a person's credit, make it difficult to get housing, and, in some cases, drive people to contemplate suicide.” A recent survey by ITRC found that 67% of respondents said they could not pay their bills because of identity theft.[2]

Hackers could use the vast amount of information available through data brokers to guess your account login security questions (e.g., “what high school did you attend?”). But, even more significant, getting your email address and data, such as who your relatives are, can be all hackers need to send impersonation emails from those trusted parties to “phish” (i.e., trick) you into revealing your passwords or credit card information.

If hackers don’t want to buy this information from data brokers, they can always steal it. Data brokers are highly sought-after targets, given the massive amounts of highly sensitive data they store. Equifax was hacked, affecting 145 million people. Acxiom was breached in 2003, with 1.6 billion records stolen. Epsilon was hacked in 2011. LexisNexis has been breached. And in 2015, Experian’s servers were hacked, with over 15 million records accessed. They were then breached again in 2020. And these are large corporations with substantial security budgets, so smaller data brokers have likely been targets too.[3]

Threats to our Physical Safety

We increasingly see heated disagreements with local public officials and employees — such as county health commissioners, school board members, police officers, and judges — resulting in disgruntled citizens “doxxing” these officials. Per The Atlantic, doxxing refers to the “uncovering and deliberate weaponization of private, personal information.” Doxxing takes its name from hacker culture in which the online posting of private data “documents” was used as a means of revenge. This personal data includes photos, home addresses, cell phone numbers, email addresses, and details about family members, including kids’ schools. For example, in 2020, the personal information of a San Jose police officer and his family was posted online with the note to “do with this information what you will.” Therefore, the leaking of personal data gathered and sold by data brokers can lead to the threat of bodily harm to public officials and law enforcement.[4]

The same applies to victims of stalkers. According to the letter sent to the FTC in 2021 by Senators Amy Klobuchar and Lisa Murkowski, “one in four women and one in nine men experience intimate partner violence and often are forced to relocate to a relative’s house to find safety.” However, in light that people-search data brokers make it easy to see names and addresses of relatives, it becomes “difficult or impossible for victims to safely relocate with relatives.”[5]

Threat of Exploitation

When such sensitive personal data is collected, sold, and shared, it can lead to exploitation through scams and even blackmail. A third party could, for example, buy a list of segmented consumers with a specific medical condition and then target those consumers with a fraudulent quack cure. Or say a person is gay but has not informed their friends, fellow employees, or family members of that fact. But the online tracking of the person in terms of web searches or website visits could identify that person as gay. So now, data brokers and whomever they sold that information to have intimate knowledge of something a person has elected to keep secret and could be used as leverage against that person.

This threat of exploitation is not theoretical. For example, the data broker InfoUSA sold a list of 19,000 elderly sweepstakes players to a group of experienced scam artists. The scam artists then stole over $100 million by calling the victims and impersonating government officials who needed the victims’ bank account information. Another example is the FTC fining the data broker firm Epsilon $150 million for helping to facilitate elder fraud scams. In the Deferred Prosecution Agreement (DPA) it signed with the FTC, Epsilon acknowledged it sold consumer lists to many mass-mailing fraud schemes. The fraudsters had sent false “sweepstakes” and “astrology” solicitations that “disproportionately affected the elderly and other vulnerable individuals.”[6]

Threat to our Civil Rights

The profiling, segmentation, and scoring of consumers by data brokers can lead to discrimination. Examples include The Markup finding dozens of cases where consumers were denied housing because screening services used incorrect data from data brokers. Fast Company also documented instances where consumers could not get jobs because of inaccurate data. In fact, reporting has shown that a significant portion of data brokers' data on us is incorrect. For example, NATO did a comprehensive analysis and found that “quantity overshadows quality in the data broker industry” and “that on average only 50–60% of data can be considered precise.” This means essential life decisions (getting a job, a loan, etc.) for consumers can be influenced or made by businesses based on scores and profiles that leverage inaccurate data.[7]

The sensitive nature of the collected and inferred data provides many opportunities for intentional discrimination. For example, potential employers may be influenced by political interests or affiliations (e.g., one data broker advertises consumers interested in the NAACP, National LGBTQ Task Force, and Planned Parenthood) or medical conditions such as pregnancy in their hiring decisions. Your inferred medical conditions, such as cancer, could also affect your insurance premiums. Or your financial score could be used by a college to turn you down as you may only be considered as likely to pay for part of the four years.[8]

The use of our location data raises further civil rights concerns. For example, four members of Congress wrote a letter in 2020 to the data broker firm MobileWalla expressing their concerns that the firm had “identified characteristics of American protestors at Black Lives Matter demonstrations using location data, including data on where protesters resided.” Another example is that various LGBTQ dating apps sold users' location data to a broker. And multiple data brokers were found to have been selling the personal data — including location data — of users of Muslim prayer apps to US military contractors.[9]

A big issue emerging in post-abortion rights America is to what extent will citizens or governments use data from data brokers to track people coming and going from abortion clinics. They could also buy data on who is doing internet searches for words such as “abortion” and who is using period tracking apps. For example, two firms offering location data made headlines in the Spring of 2022 when reporters could purchase data from them that could track phones going to and from Planned Parenthood — one firm had sold the data for $160. And in May of 2022, it was reported that another data broker was selling personal data regarding who has installed period tracking apps. The reporter had bought a sample of that data for $100.[10]

In all of these cases, the data brokers have said they only provide MAIDs associated with the data, ensuring anonymity. But researchers have found it is easy to correlate MAIDs with actual consumers when combining that data with other data sources. Or by simply tracing patterns of movement with the location data, it is possible to deduce who the individual is being tracked (e.g., a mobile device is traced returning to a single-family residence every evening). For example, data broker Fog Data Science, which claims it has billions of data points on 250 million devices, says it can provide a person’s “pattern of life,” which lets its customers track individuals to their “bed downs” (i.e., places where people sleep) and commonly visited “locations of interest.”[11]

Finally, data brokers directly help the government procure sensitive data about Americans' behavior and activities for which the government would typically need a warrant. For example, the Supreme Court held in 2018 that the government must obtain a warrant before getting cell phone location data from telecommunications carriers under the Fourth Amendment. But according to a Congressional probe, buying data from data brokers lets the government "buy its way around the Fourth Amendment" as restrictions do not apply to “commercially obtained data,” even for US Citizens.[12]

Government purchase of sensitive personal data — i.e., warrantless searches — from data brokers is, in fact, common. For example, Ars Technica reported in 2020 that the US Secret Service bought location history data from a data broker firm. The article further noted that “agencies under the Department of Homeland Security — including Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) — have purchased access to cellphone location activity for investigations.” Specific to ICE, it was also reported by CNet in 2022 that the agency skirted around state sanctuary laws that restricted its ability to get data from state and local enforcement. Instead, it utilized data brokers like LexisNexis to “provide real-time access to immigrants' personal data and whereabouts.”[13] 

Threat to our National Security and Democracy

Three major data brokers — Acxiom, LexisNexis, and Nielsen — advertise their ability to provide data on former, current, and active-duty US military personnel. This can be used to determine where both soldiers live and are deployed. There is no law restricting whom data brokers can sell personal data regarding military personnel. Hence it is conceivable that foreign entities or even front groups for terrorist groups could acquire this data for nefarious purposes.[14]

Another example of the threat to our National Security data brokers pose is that it is possible to surveil personnel associated with the Central Intelligence Agency (CIA) and National Security Agency (NSA). In April 2022, it was reported by The Intercept that a company called Anamoly 6 claimed it had purchased “reams” of location data from various data brokers and could now track roughly 3 billion devices in real time. The company was also able to demonstrate how it could track one individual “around the United States and abroad to a training center and airfield roughly an hour’s drive northwest of Muwaffaq Salti Air Base in Zarqa, Jordan, where the US reportedly maintains a fleet of drones.” Not surprisingly, Anamoly 6 pointed out this capability was enabled “by general ignorance of the ubiquity and invasiveness of smartphone software development kits, known as SDKs.”[15]

And as I discuss extensively in my book Containing Big Tech, the Cambridge Analytica scandal of 2016 showed how reams of personal data taken from Facebook could be misused for political manipulation. Similarly, Russia’s Internet Research Agency targeted black communities in 2016 to dampen voter participation. So, foreign entities could use data brokers' treasure trove of personal data such as email addresses, phone numbers, and demographic data to attempt to sway public opinion. For example, emails or texts could be sent to voters urging support or opposition to particular candidates. Or emails and texts could be sent impersonating candidates or purposely communicating false information regarding how and when to vote.[16]

Summary

Well, there is some hope. If consumers are able to gain control of their data and be able to easily delete it, it means less data that could be weaponized against us all.

As the person who proposed and co-drafted the California Delete Act (Senate Bill 362), I think this bill could mitigate some of the risks of data brokers vis a vis immigrant rights, domestic violence survivors, reproductive rights, and kids’ online safety. I think those blog posts provide a compelling case for why Californians should support California Senate Bill 362 or why at the federal level the DELETE Act would be incredibly helpful to mitigate these threats.

Footnotes

[1] NATO StratCom COE, “Data Brokers and Security,” 2021, https://stratcomcoe.org/cuploads/pfiles/data_brokers_and_security_20-01-2020.pdf. Federal Trade Commission, “Data Brokers: A Call for Transparency and Accountability,” 2014, https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.

[2] Tableau, “The Big View: All Sentinel Reports by Federal Trade Commission,” May 5, 2022, https://public.tableau.com/app/profile/federal.trade.commission/viz/TheBigViewAllSentinelReports/TrendsOverTime. Bree Fowler, “Your Digital Footprint: It's Bigger Than You Realize,” CNet, April 4, 2022, https://www.cnet.com/news/privacy/features/your-digital-footprint-its-bigger-than-you-realize/. ITRC, “2021 Consumer Aftermath Report,” https://www.idtheftcenter.org/wp-content/uploads/2021/09/ITRC_2021_Consumer_Aftermath_Report.pdf.

[3] Yael Grauer, “What Are 'Data Brokers,' and Why Are They Scooping Up Information About You?” Vice, March 27, 2018, https://www.vice.com/en/article/bjpx3w/what-are-data-brokers-and-how-to-stop-my-private-data-collection. Paul Boutin, “The Secretive World of Selling Data About You,” Newsweek, May 30, 2016.

[4] Kaitlyn Tiffany, “Doxxing Means Whatever You Want It To,” The Atlantic, April 22, 2022, https://www.theatlantic.com/technology/archive/2022/04/doxxing-meaning-libs-of-tiktok/629643/. Michael Balsamo and Colleen Long, “Report: Officers’ personal information leaked online,” San Jose Mercury News, June 10, 2020, https://www.mercurynews.com/2020/06/10/report-officers-personal-information-leaked-online/.

[5] Senator Amy Klobuchar, “Klobuchar, Murkowski Urge FTC to Protect Domestic Violence Victims’ Information Online,” March 4, 2021, https://www.klobuchar.senate.gov/public/index.cfm/2021/3/klobuchar-murkowski-urge-ftc-to-protect-domestic-violence-victims-information-online.

[6] Paul Boutin, “The Secretive World of Selling Data About You,” Newsweek, May 30, 2016. US Department of Justice, “Marketing Company Agrees to Pay $150 Million for Facilitating Elder Fraud Schemes,” January 27, 2021, https://www.justice.gov/opa/pr/marketing-company-agrees-pay-150-million-facilitating-elder-fraud-schemes.

[7] Justin Sherman, “Data Brokers are a Threat to Democracy,” Wired, April 13, 2021, https://www.wired.com/story/opinion-data-brokers-are-a-threat-to-democracy/. Lauren Kirchner, “When Zombie Data Costs You a Home,” The Markup, October 6, 2020, https://themarkup.org/locked-out/2020/10/06/zombie-criminal-records-housing-background-checks. Steven Melendez, “When Background Checks Go Wrong,” Fast Company, November 17, 2016, https://www.fastcompany.com/3065577/when-background-checks-go-wrong. NATO StratCom COE, “Data Brokers and Security,” 2021, https://stratcomcoe.org/publications/data-brokers-and-security/17.

[8] Justin Sherman, “Data Brokers and Sensitive Data on US Individuals,” Duke University, Sanford Cyber Policy Program, 2021, https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2021/08/Data-Brokers-and-Sensitive-Data-on-US-Individuals-Sherman-2021.pdf. Paul Boutin, “The Secretive World of Selling Data About You,” Newsweek, May 30, 2016.

[9] House Committee on Oversight and Reform, “Warren, Maloney, Wyden, DeSaulnier Probe Data Broker's Collection of Data on Black Lives Matter Demonstrators,” August 4, 2020, https://oversight.house.gov/news/press-releases/warren-maloney-wyden-desaulnier-probe-data-brokers-collection-of-data-on-black. Jon Keegan and Alfred Ng, “Gay/Bi Dating App, Muslim Prayer Apps Sold Data on People’s Location to a Controversial Data Broker,” The Markup, January 27, 2020, https://themarkup.org/privacy/2022/01/27/gay-bi-dating-app-muslim-prayer-apps-sold-data-on-peoples-location-to-a-controversial-data-broker. Joseph Cox, “More Muslim Apps Worked with X-Mode, Which Sold Data to Military Contractors,” Vice, January 28, 2021, https://www.vice.com/en/article/epdkze/muslim-apps-location-data-military-xmode.

[10] Joseph Cox, “Data Marketplace Selling Info About Who Users Period Tracking Apps,” Vice, May 17, 2022, https://www.vice.com/en/article/v7d9zd/data-marketplace-selling-clue-period-tracking-data.

[11] Bennett Cyphers, “Inside Fog Data Science, the Secretive Company Selling Mass Surveillance to Local Police,” Electronic Frontier Foundation, August 31, 2022, https://www.eff.org/deeplinks/2022/08/inside-fog-data-science-secretive-company-selling-mass-surveillance-local-police.

[12] House Committee on Oversight and Reform, “Warren, Maloney, Wyden, DeSaulnier Probe Data Broker's Collection of Data on Black Lives Matter Demonstrators,” August 4, 2020, https://www.warren.senate.gov/oversight/letters/warren-maloney-wyden-desaulnier-probe-data-brokers-collection-of-data-on-black-lives-matter-demonstrators.

[13] Kate Cox, “Secret Service buys location data that would otherwise need a warrant,” Ars Technica, August 17, 2020, https://arstechnica.com/tech-policy/2020/08/secret-service-other-agencies-buy-access-to-mobile-phone-location-data/. Rae Hodge, “ICE Uses Private Data Brokers to Circumvent Immigrant Sanctuary Laws, Report Says,” CNet, April 22, 2022, https://www.cnet.com/news/politics/ice-uses-private-data-brokers-to-circumvent-immigrant-sanctuary-laws-report-says/.

[14] Justin Sherman, “Data Brokers Are Advertising Data on US Military Personnel,” Lawfare Blog, August 23, 2021, https://www.lawfareblog.com/data-brokers-are-advertising-data-us-military-personnel.

[15] Sam Biddle and Jack Poulson, “American Phone-Tracking Firm Demo’d Surveillance Powers by Spying on CIA and NSA,” The Intercept, April 22, 2022, https://theintercept.com/2022/04/22/anomaly-six-phone-tracking-zignal-surveillance-cia-nsa/.

[16] Justin Sherman, “Data Brokers and Sensitive Data on US Individuals,” Duke University, Sanford Cyber Policy Program, 2021.