Data Brokers and Privacy and Security Risks
I testified to Congress last week on the data brokerage ecosystem. Here's what to know about the industry and its risks to privacy, safety, and security.
Last week, I testified to the House Energy & Commerce: Subcommittee on Oversight & Investigations on “Who is Selling Your Data: A Critical Examination of the Role of Data Brokers in the Digital Economy.” I testified wearing my hat at Duke University’s Sanford School of Public Policy, where I run its data brokerage research project and lecture on cybersecurity, privacy, and technology policy.
The multi-hour hearing was strongly bipartisan and focused on everything from risks to consumers’ privacy and safety to the cybersecurity and national security risks associated with invasive, unregulated uses of individuals’ data. Here’s what to know about the hearing and data brokerage’s privacy and security risks. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
Data brokerage is a multi-billion-dollar, virtually unregulated industry of companies gathering, inferring, and aggregating and then selling and sharing individuals’ data — with substantial risks to personal privacy and safety as well as US national security.
Data Brokerage and Its Risks
The following is excerpted from my written testimony before the House.
Today, and for the past several decades, hundreds and thousands of companies have surreptitiously collected data from public and private sources about each and every American. Oftentimes, they will use tools and techniques to “infer,” or predict, additional data about Americans. These companies then repackage and resell that data on the open market, with very few controls. This is the data brokerage ecosystem, worth billions of dollars in the United States, and composed of everything from large, publicly traded companies like Experian and Oracle to smaller data brokers that hide from the public eye — and companies that quietly sell data on their customers on the side, just to make an additional profit.
Data brokerage is a virtually unregulated practice in the United States (except for a few, limited state laws and some narrowly targeted federal regulations discussed below). Brokered data is widely available; purchasable at low cost; often sold by brokers with little to no vetting; and can be used to profile, track, and target consumers, including people in marginalized communities, veterans, military servicemembers, government employees, first responders, elderly Americans, people with Alzheimer’s, students, and teenagers.
The customers for this data range from banks and other financial institutions, insurance and health insurance firms, companies doing market research and running advertisements, and law enforcement agencies buying data without warrants to predatory loan companies, criminal scammers, abusive and violent individuals, and, potentially, foreign actors. Because the data brokers selling this data appear to do very little customer vetting, the data they sell is often accessible to nearly anyone.
Military servicemembers — Data brokers gather, package, and advertise highly sensitive data on current and former members of the US military, which poses privacy and safety risks to servicemembers. In 2018, the Federal Trade Commission (FTC) successfully filed an injunction against a “lead generation” data broker that created websites falsely advertised to prospective servicemembers as military recruitment sites (such as army.com, armyreserves.com, armyenlist.com, navyenlist.com, and marinesenlist.com), when in reality the company was not doing military recruitment but collecting data on those prospective servicemembers and quietly selling it to post-secondary schools. In other cases, data brokers do not necessarily have to use that level of deception but can collect data legally, due to a lack of regulation. For instance, in 2007, the New York Times uncovered a mass-fraud scheme targeting World War II veterans, among others, such as a 92-year-old Army veteran whose name a list broker put in a dataset and sold to telemarketing criminals. Many other data brokers advertise data points on hundreds of thousands of current and former US military personnel.
Survivors of domestic and gendered violence — Data brokers known as “people search websites” aggregate millions of Americans’ public records and make them available for search and sale online. Abusive individuals have used this data — including highly sensitive information on individuals’ addresses, whereabouts, property filings, contact details, and family members — to hunt down and stalk, harass, intimidate, and even murder other individuals, predominantly women and members of the LGBTQ+ community. Although these brokers often point to opt-out functionalities on their websites, they still expose Americans’ data by default, usually without those Americans knowing — and for those who do attempt to remove their information from people search websites, the process is often onerous and ineffective.
Elderly Americans and people with Alzheimer’s — Data brokers sell data on elderly Americans and people with Alzheimer’s, dementia, and other brain health conditions. In 2020 and 2021, the Department of Justice charged three data brokers — Epsilon, Macromark, and KBM — with conspiracy to commit mail and wire fraud for knowingly selling, for roughly a decade each, lists of vulnerable Americans, including elderly Americans and people with Alzheimer’s, to criminal scammers. The criminal scammers then used that brokered data to steal millions of dollars from these people. Each data broker sold this data knowingly because they profited off the sale of the data. For instance, as the Justice Department described in its court filing against Epsilon, “the Employees were familiar with the clients’ practices, as well as their deceptive solicitations”; “worked to develop and increase business with clients engaged in fraud despite receiving notice that those and similar clients had been arrested, charged with crimes, convicted, and otherwise were subject to law enforcement actions”; and “engaged in this conduct, in part, to benefit Epsilon, to enrich themselves through sales-based compensation, and to enable the fraudulent clients to solicit new customers.”
Americans with mental health conditions — Data brokers collect and sell data on Americans’ mental health conditions, including data on people suffering from depression and anxiety and the prescriptions they take. A recent study from my team at Duke detailed a number of data brokers advertising both aggregated and individually linked data on Americans with depression, attention disorder, insomnia, anxiety, ADHD, bipolar disorder, panic disorder, Post-Traumatic Stress Disorder (PTSD), and more. In some cases, the advertised datasets also included data on individuals’ races, ethnicities, ages, genders, zip codes, religions, number of children in the home, marital statuses, net worth, credit scores, dates of birth, or whether the person was a single parent. One broker even advertised data on Americans with cancer and on people who had suffered strokes. This data could be used in predatory marketing activities or abused by scammers. But gaps in the Health Insurance Portability and Accountability Act (HIPAA) mean that numerous apps and websites outside the scope of HIPAA’s narrow “covered entities” are entirely free to legally collect, aggregate, and sell, license, and share Americans’ health information on the open market.
Congressional Solutions
In my written and oral testimony, wearing my hat as a senior fellow at Duke’s Sanford School of Public Policy, I made three recommendations to Congress:
First, strictly control the sale of Americans’ data to foreign companies, citizens, and governments — which currently can entirely legally buy millions of US citizens’ data directly or through front companies.
Second, ban the sale of data completely in sensitive categories, like health data and location data, which can be used to follow, stalk, and harm Americans.
Third, stop companies from circumventing those controls by “inferring” data — using algorithms and other techniques to make predictions about information they haven’t technically collected.
Subscribe for more public insights, and reach out on Global Cyber Strategies’ website for a range of custom-tailored research and advisory services.
—
© 2023 Global Cyber Strategies LLC.