Web

How data brokers profit off you without your (or the law’s) knowledge

a data broker’s world

“I’ll take the next in line over here.”

As I lumber to the lone open register of the CVS in Rhinebeck, New York, the middle-aged mom-type behind the counter gives me a kind smile. “Find everything you need OK?” she asks. “Yep, thanks,” I say, plopping down my armful of assorted products and pulling out my wallet.

“And do you have your CVS card with you today, sir?”

I fumble through my pocket, pulling out a jumbled tangle of keys and little plastic cards, each with its own unique bar code stamped on the back. Stop & Shop. PetSmart. Ace Hardware. I find the red one that says “ExtraCare CVS/Pharmacy.” It’s bent. I halfheartedly try to revive its original shape, thinking it might not scan.

These are the companies that “know more about you than you know about yourself.”

The nameless CVS clerk swipes my key-laden card across the infrared beam of her computerized register. My “guest number” appears on the screen. The woman begins to ring me up: a copy of Wired magazine, a box of CVS brand “Allergy Relief” medicine, a bottle of Aveeno Active Naturals Stress Relief Moisturizing Lotion, a box of Durex condoms, and four-pack of no-name AA batteries. Each one finds its way into a white plastic CVS bag.

“Your total comes to $20.14,” says the clerk. “And your savings today is $2.30”

 This scene may seem like a simple trip to the store, something each of us does countless times every week. What many of us may not realize, however, is that the use of CVS ExtraCare and other loyalty rewards cards is but one of many ways we toss precious details about ourselves into the grip of an impossibly complex shadow industry that has increasing control over our lives.

I’m talking, of course, about data brokers.

Those concerned with even minor violations of privacy have likely heard the term “data broker,” probably with a scowl on our faces. These are the companies that “know more about you than you know about yourself.” They collect information about the lives of nearly every adult in the U.S., from what we buy to who we love. And they use that data to make themselves, and countless other companies, bloody rich.

At least, that’s a common description that pops up when talking about the data broker industry. The reality is, we don’t really know what exactly defines a data broker.

“There’s no general agreement on the definition of a data broker,” says Tiffany George, an attorney in the Federal Trade Commission’s Division of Privacy and Identity Protection. And because we don’t even know what constitutes a data broker, it is currently impossible for the government to successfully regulate the industry.

… our offline activities and Facebook activities have become inexorably intertwined

Frustrated with the FTC’s answer to this basic question, I reached out to David Jacobs, consumer protection attorney for the Electronic Privacy Information Center (EPIC), to see if he could better pin this creature down.

“Typically, a data broker is a company whose primary business is to collect or maintain personal information, either itself or through contracts with other companies, and then regularly provides access to this information in exchange for some sort of consideration, like money or something else,” says Jacobs.

But that definition does not show the full picture, says Jacobs. For example, the companies or organizations that collect our data in the first place are not generally considered “data brokers.” This means Facebook, Google, Foursquare, or CVS are not actually data brokers – instead, they are rich sources for the data broker industry.

In recent years, however, the barriers between data broker and data source have become increasingly unstable. Facebook, which arguably “knows” more about us than any other consumer-facing company, currently partners with three of the largest data brokers in the U.S.: Datalogix, Acxiom, and Epsilon.

These partnerships mean our offline activities and Facebook activities have become inexorably intertwined. My purchase of Durex condoms may be compared against the number of Durex Facebook ads served to my demographic – 30, white, male, single – to discover their effectiveness, and better ensure that I continue to buy the product.

Defining the data brokers

Within their industry, there are two main types of companies: primary data brokers, and secondary data brokers. Primary data brokers gather your data straight from the sources: courthouses, police departments, consumer rewards card programs, trademark offices, and more.

“These are the ‘third-party partners’ that partner with companies like CVS, like Stop & Shop, to help them analyze their data,” says Sarah Downey, an attorney and privacy advocate for online privacy company Abine. “But they also sell that data.”

Among their customers are secondary data brokers. This includes companies like eVerify and Intelius, which combine even more social-network and Web-analytics data with our offline profiles. Even further down the chain are companies like Spokeo, BeenVerified, and PeekYou, “people search” providers that aggregate data from other primary and secondary data brokers, as well as online profiles and other source material. According to Privacy Rights Clearinghouse, there are more than 200 online data brokers.

spokeo

It is this barrel-bottom group of data brokers, which allow anyone with as little as $15 to purchase personal information, that make the case for the kind of legislation that is currently not possible due to the industry’s squishy definitions.

Writing for Jezebel, an anonymous woman says her rapist was able to track her down, likely thanks to a Spokeo profile containing “incredibly detailed” information about where she lived, and many more details about her life.

“It listed everything from the types of pets I had to my profession, and included a street-view map showing our building,” she wrote. “I went to see if my profile appeared on any other directory sites (and there are quite a few out there), but none of them had anything nearly as comprehensive as the Spokeo listing.”

The services offered by BeenVerified, which advertises itself as a “background check company,” allegedly enabled a similarly horrifying tale.

“My husband was killed in March 1987. The person who killed him was tried, and convicted in 1992,” wrote an anonymous author from Poughkeepsie, NY, on RipOffReport, in 2011. “The defendant went to jail and was released last July after only serving 18 yrs out of a 25-life sentence. The defendant being savvy and enraged at being incarcerated has been using beenverified.com to try to find ‘me.’

… there’s little the law can do to stop it.

“I called, wrote, called and wrote over 500 times to not just beenverified.com but to dozens of other companies who, when you put my name in their data base my address pops up, this madman that killed my husband doesn’t need anything else to find me since these big companies are handing out my address like it was candy. Why isn’t the government or any other lesser government agency doing [anything] to protect the victims of violent crimes? Who looks out for us?”

While I was unable to verify this story, despite repeated attempts to contact the author, it illustrates an important fact: People-finder services like Spokeo and BeenVerified could very well be used for precisely these kinds of activities. And for now, there’s little the law can do to stop it.

What they know

The full extent of what data brokers have on us remains a tightly protected secret – we only know that it’s in the neighborhood of some 1,500 data points. Companies like Axiom argue (PDF) that unveiling this information would damage their business by eliminating a competitive edge. Even so, there exists a basic set of information that we know so far.

Data brokers acquire their data from two primary sources: public records, and voluntarily provided information. Here’s what they know from public records:

Name
Gender
Age
Ethnicity
Education level
All your phone numbers
Every address you’ve ever had
Who your relatives are
Who you’ve lived with
Social Security Number
Driver’s license number
Driving record
Real estate transactions (including appraisals)
Trademark filings
Marriage licenses and divorce decrees
Any unsealed lawsuits or legal actions
Birth certificates
Death certificates
Census statistics
Voter registrations (political affiliation)
Utility companies you’ve used
Government spending reports
Political campaign contributions
Sex offender registrations
Legislation minutes
Business and entity filings
Professional and business licenses
Criminal records

The second chunk of data is provided by all of us voluntarily, even if we’re not aware of the ways in which it will be used. It comes from publicly available information on your social media profiles, sweepstake cards, warranty cards, mail-in rebate forms, forum posts, Web browser cookies, loyalty rewards cards, mobile applications, and more. The information derived from these sources includes:

Employment history
Sexual preference
What you buy
Where you shop
Which websites you visit
Magazines your read
Books you buy
Who you connect with online
Your preferences (such as Facebook “likes”)
Your IP address
Your mobile device ID
Your current location (via GPS in your mobile devices)
Which ads you click
Your relationship status
Operating systems
Which browsers you use

Even a vast array of information about our health – data that is supposed to be protected under the Health Insurance Portability and Accountability Act (HIPAA) – can be derived from voluntary surveys, purchasing histories, website visits, and even fitness tracking devices, then packaged and sold to anonymous buyers.

Data brokers will often combine all the information outlined in these two lists to build complex profiles about each of us. These profiles are used for an increasing number of purposes, from serving targeted advertising to crafting insurance policies to providing background checks for employers. And the number of uses for this data is increasing by the day.

Credit-reporting agency Experian provides a prime example of our data in use. The marketing wing of the company mixes and matches our data to pinpoint “life-event triggers,” the moments when fundamental parts of our lives change – having a baby, buying a house, or moving to a new apartment. Retailers and other businesses then purchase these inferences in an attempt to win over the new you at your most volatile and vulnerable point.

“Marriage, birth of a baby, and purchase of a new home are all joyous occasions, yet they are also triggers for when consumers have specific needs for products and services,” writes Experian on its “Life-event Triggers” product page. “Empower your organization with the knowledge to reach these customers right when they’re ready to purchase.”

 What we don’t know (Hint: A lot)

The most pressing concern for citizens and lawmakers is that the above list is likely far from complete. We don’t really know what these companies know about us. Fortunately for us consumers, that may soon change.

Last November, a group of lawmakers headed by U.S. Rep. Edward Markey (D-MA) sent letters to nine companies – Acxiom, Epsilon, Equifax, Experian, Harte-Hanks, Intelius, Fair Isaac, Merkle, and Meredith Corp  – in an attempt to find out more about the data broker industry. While all companies responded to the inquiry, the Members were still left scratching their heads.

Personal Information form

“The data brokers’ responses offer only a glimpse of the practices of an industry that has operated in the shadows for years,” said the lawmakers in a joint statement. “Many questions about how these data brokers operate have been left unanswered, particularly how they analyze personal information to categorize and rate consumers.”

The FTC, which launched the charge last year with its “Privacy by Design” initiative, followed up Markey’s inquiry last December with what may be the most powerful effort to date to crack the nut that is the data broker industry: an investigation into nine data brokers – Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, Peekyou, Rapleaf, and Recorded Future – all of which must turn over thousands of records for analysis.

“There are lots of different business models; there are a variety of different types of information being collected by businesses in the industry, and different levels of access and protections being afforded to consumers,” says George. “So what we are trying to do is shed more light on those issues; learn about different business models, different types of data that are being collected … and see if there are any recommendations that we can make to increase transparency for consumers.”

The FTC will begin analyzing the data soon. According to an FTC spokesman, the Commission has not yet decided it when it will announce its findings, or any hint at what they might be.

FCRA: The most important (flawed) law we have

One of the things the FTC aims to pin down through its study of data brokers is which companies are acting like credit reporting companies or background check companies, which must abide by the Fair Credit Reporting Act (FCRA), among other laws.

… if we don’t know what they are doing, there’s no way to judge whether their activities break the law.

The FCRA, which is designed to protect our most sensitive information, is perhaps the most applicable federal law on the books when it comes to data brokers, and provides consumers with some important rights (PDF): the right to free credit reports, the right to correct false or incorrect information, the right to know whether an organization has requested a background check or credit report, and more.

Because so little is known about many of these data brokers’ business practices, however, it is nearly impossible for the government to figure out how to pin them down – if we don’t know what they are doing, there’s no way to judge whether their activities break the law.

Many of the primary data brokers, like LexisNexis and Acxiom, must comply with the FCRA, as parts of their businesses deal with things like financial records or insurance “risk” scores. For many other data brokers, the situation is more opaque – plus, according to the FTC, our laws are currently inadequate to provide consumer protections.

“There are no current laws requiring data brokers to maintain the privacy of consumer data unless they use that data for credit, employment, insurance, housing, or other similar purposes,” wrote the FTC in a statement. All other uses are fair game – and many of them, especially marketing, will almost certainly remain legal, no matter what the FTC uncovers. The death of data collection for marketing purposes is not on the table.

Keeping background checks in check

As creepy and invasive as targeted marketing may be to many people, the consequences of receiving well-timed coupons or browser history-based ads fall fairly low on the serious scale. Background checks, another major product offered by the data broker industry, are a different beast entirely.

… InfoTrack Information Services revealed that he was a rapist. Problem? He was no such thing.

According to an April 2012 study (PDF) from the National Consumer Law Center (NCLC), background checks are one of the most common ways data brokers are used – and also one of the most problematic. Even FCRA-compliant checks often contain confusing, incomplete, or straight-up incorrect data, the NCLC found. And this often leads to qualified candidates being disqualified for entirely bogus reasons.

In 2011, Kathleen Casey was offered a job as a pharmacy technician, after two years of unemployment. All she needed to do was pass a background check, and the position was hers. But when her report came back, it indicated that she had a 14-count criminal indictment, which included scamming an old man, and writing bad checks, reports the AP. Thing is, the report was for an entirely different Kathleen Casey, one who lived nearby but was 18 years younger than our hopeful job applicant. The background check provider, First Advantage, had mixed them up.

In similar case, detailed in the NCLC study, one Samuel M. Jackson of Illinois was denied a job after a background check requested by his prospective employer from data broker InfoTrack Information Services revealed that he was a rapist. Problem? He was no such thing.

The actual rapist was one Samuel L. Jackson (no, not that bad motherf**ker), who was convicted of rape back in 1987 – when Samuel M. Jackson was 4-years-old. The other Jackson was also incarcerated in a Virginia prison at the time M. Jackson submitted his job application, and M. Jackson is white, while L. Jackson is black. Aside from having similar names, the two men could not have been less similar on paper.

According to the NCLC, these kinds of mix-ups are happening constantly. And while it may be possible for people to correct errors in their background files – a right under the FCRA – most still miss out on landing the job.

Background-Check

“Even applicants who successfully remove errors from their background check reports are frequently denied employment,” reads the report. “In fact, when surveyed, several advocates indicated that they had never seen applicants get the job after correcting the report.”

In short, says the NCLC, “the reality is that the FCRA, as currently interpreted, fails to adequately protect consumers when it comes to employment screening.”

A fleeting dash of hope

Flawed though the FCRA may be, it is the main weapon the FTC has against data brokers who play loose and fast with our information – and the Commission is pulling the legislation from its holster more and more often.

Last June, Spokeo settled with the Federal Trade Commission to the tune of $800,000 for advertising its services to human resources departments and recruiting agents looking for cheap background checks – a service the company is not allowed to provide because it does not comply with the FCRA. And in January, mobile app publisher Filiquarian Publishing, its subsidiary Choice Level LLC, and the companies’ CEO Joshua Linsk also settled with the FTC for violating the FCRA by providing noncompliant criminal background checks through their mobile apps. The respondents could face civil fines of up to $16,000 per violation if they continue to provide companies with background checks.

As a result, Spokeo and other companies have littered their websites with notices they are only for use by individuals who want to learn more about, say, a new fling, not businesses doing background checks. But some privacy advocates believe these notices are mostly for show – think head shops that adorn their counters with signs that say bongs are “for tobacco use only,” says Downey. “That’s how these sites are.”

Look on the bright side

While the data broker industry is often vilified, it also provides society with a slew of benefits – upsides that a company like Acxiom uses to justify what many believe to be egregious invasions of privacy.

“In many ways, these data flows benefit consumers and the economy.”

“Through the provision of information products, ‘data brokers’ help businesses, non-profit organizations, government agencies and political organizations and candidates understand and connect with people in an effective fashion,” the company wrote in its letter to Rep. Markey (PDF). “Data brokers save their clients millions of dollars by more effectively coordinating the marketing and fundraising communications and utilizing channels the consumer prefers.”

Acxiom is not alone in this assessment. “In many ways, these data flows benefit consumers and the economy; for example, having this information about consumers enables companies to prevent fraud,” wrote the FTC in December. “Data brokers also provide data to enable their customers to better market their products and services.”

So on one side, we have the murky, troublesome privacy implications data collection and dissemination present; on the other, the ability for companies to make better decisions and take fewer risks, which in translates into better profits, more jobs, and better marketing for consumers looking for a good deal.

The road ahead

While many data brokers allow users to “opt-out” of having their data collected, the process for doing so alone is nearly impossible. “To actually opt-out effectively, you need to know about all the different data brokers and where to find their opt-outs,” writes Lois Beckett in ProPublica. “Most consumers, of course, don’t have that information.” Because of this, companies like SafeShepherd and Abine offer expensive services that promise to wipe your personal information off the data brokers’ map. And until the government figures out what a data broker is, what these companies know, and a way to stop them from secretly swapping our information, that’s as good as it’s going to get.

Of course, that process could take years, maybe more – if it happens at all. Some believe empowering users with the ability to control their own data is the next big thing in tech, that the market will correct itself in our favor. Others say data collection will only increase, as our cars, appliances, and homes gather even more details about our lives. Given the way things have gone so far, I’m betting that $2.30 I saved at CVS on the latter.

Editors' Recommendations