Data Brokers' Collection of Internet Activity Data Raises Privacy Issues

Some find the data collected on them amusing or even boring, but privacy advocates say there is good cause to worry.

Everybody who spends much time on the web knows their activities are tracked for marketing purposes. Do a little online shopping for hats, and you will quickly see ads for hats popping up on other websites you visit.

[Hack of major data brokers weakens bank authentication]

But, the collection of individual data by so-called Big Data brokers goes well beyond your online shopping. Those companies -- there were 253 of them as of this past March, according to a directory compiled by the Privacy Rights Clearinghouse -- collect and sell information to marketers on everything from your marital status, whether you might be pregnant or have a newborn, have cancer, are trying to lose weight, are gay or straight, how much you make, what credit cards you use, your lines of credit, where you live, what your house cost, what kind of car you drive or if you might be looking to buy a new one, your race, occupation, political leanings, education level, have one or more children in college, have pets to what your hobbies are and more -- much more.

The clichA(c) is that data brokers know more about you than you know about yourself.

But this, according to those brokers, is a very good thing for you, the consumer. One major broker, Acxiom, which has been very much in the news over the past month for allowing consumers to view a portion of the data it collects on them through a new portal -- AboutTheData.com -- is using that higher visibility to assure people that not only is this collection harmless, but it also brings them a host of economic and other benefits.

The company did not respond to a request for an interview, but Rochelle Sherman, writing on Acxiom's AboutTheData.com blog, contended that one major benefit is that online advertising is much less irritating -- free of "full-page pop ups and big flashing ads." When "responsible, data-driven marketers" use big data effectively, "the experience doesn't feel creepy or intrusive -- it fits into our lives," she wrote.

The results of more and more data, she said, include lower prices, free online content, advertising that is much more relevant to individuals, quicker and easier transactions, niche products you might not otherwise be able to find and "what you want when you want it."

[FTC's 'Reclaim Your Name' alone won't rein in data brokers, experts say]

Well, perhaps. Some of those who have taken Acxiom up on its offer to look at what the company has collected on them have come away both bemused and bored. Paul Rosenzweig, founder of Red Branch Law & Consulting and a former deputy assistant secretary for policy in the Department of Homeland Security, is one of them.

In a post for New Republic, Rosenzweig said he found Acxiom's information on him, "interesting, illuminating, and mundane." In some cases, he wrote, the data were wildly inaccurate -- it said he had spent only $1,898 in past two years. It got his ethnic heritage and a number of other things wrong.

[How to keep your real name and face out of Google's ads]

Rosenzweig concluded that nothing he found surprised him, "and the level of detail was only somewhat discomfiting. In fact, what struck me most forcefully was (to borrow a phrase from Hannah Arendt) the banality of it all."

In an interview, Rosenzweig said the depth of the data could become intrusive at some point, "but at the level I've seen, it's trivial," he said, adding that even if data brokers have incorrect information, there is little danger from it. "I think that the audit and oversight mechanisms we have in place -- seen in the IRS scandal -- make it (damage to individuals) unlikely to happen, and likely to be found out if it does," he said.

That, not surprisingly, is not how most privacy advocates see it. They point out that Acxiom collects 1,500 data points on hundreds of millions of people -- estimates range from 190 million to 700 million -- and consumers have very little control over limiting that collection or its use.

They also note that Acxiom is only one of hundreds -- perhaps thousands -- of firms that collect data on people. Pam Dixon, executive director of the World Privacy Forum (WPF), compliments Acxiom for, "a positive first step in opening this portal."

But, she said, the number of brokers is vastly more than 253. "Our estimate is approximately 4,000 industry members sector-wide," she said. "Not all of them are consumer-facing. We have a substantive report coming out about the policy issues associated with data brokers in the next month, as part of a series of reports. We are announcing this at the National Press Club next Tuesday."

And Jody Westby, CEO of Global Cyber Risk and a privacy expert, said most people don't view a flood of "relevant" ads as a favor. "Just because people browse on the Internet does not mean that they want to be bombarded with targeted information about whatever they were searching for," she said.

[Big Data can be a big headache for data defenders]

Besides that, the company requires anyone who wants to view their own data to provide identification through sensitive personal information including part of a Social Security number, a copy of their driver's license, a current utility bill or a check. And while it allows consumers to opt out of it from being used for marketing purposes, or to "opt out" entirely, that process is lengthy and doesn't erase the data or prevent Acxiom or any of hundreds of other data brokers from collecting it.

Westby said she didn't take Acxiom up on its offer to view her data because the authentication information the company requires is, "also used by criminals for identity theft." If the company had said it would delete the information once it had confirmed her identity, that might have helped, she said, but, "instead, they only say they will not use this information for marketing purposes -- whatever that means."

And Acxiom's move toward partial transparency -- AboutTheData.com only allows consumers to see "summary" information on them -- draws little praise and much criticism from an organization like the Electronic Frontier Foundation (EFF). Adi Kamdar, an activist at EFF, wrote recently on the EFF blog that he thinks Acxiom, "is trying to ward off federal privacy regulations by flaunting transparency -- a diluted term, in this case -- around user data."

In an interview, Kamdar said while the Fair Credit Reporting Act (FCRA) restricts the sale of such information, "for purposes of employment, insurance, etc., which include notice requirements, data brokers usually get around this by stating in their terms of service that their customers cannot use such information for the purposes protected by the FCRA, or they offer specific employment background check services."

David Jacobs, consumer protection counsel at the Electronic Privacy Information Center (EPIC), called Acxiom's new portal, "a step in the right direction, but it's important to understand how limited it is. Acxiom is only one data broker out of hundreds, and data brokers are only one class of businesses that track consumers."

[Facebook legal skirmish highlights user privacy risks]

Jacobs said some people may be amused or relieved at how inaccurate their profile data is, but, "as profiles become increasingly integrated into decision making, those inaccuracies will impact more than simply the type of ads you receive."

Susan Grant, director of consumer protection at the Consumer Federation of America (CFA) agrees. She said her profile on Acxiom was wrong about a number of things, "but worst of all, they think I am a plus-size woman's apparel buyer. I am a petite size. Who knows what kind of assumptions can be made about me if they think I may be overweight?"

Grant said the point is that this information, especially when it is acquired by organizations like health care providers, government and law enforcement, can be used for much more than marketing.

"Even if it was accurate information it would be scary, because none of it directly indicates that you are up to no good," she said. "Just as with stopping and frisking black people with no probable cause, it is unfair to tag people as potentially bad actors with no evidence, based on profiling."

Dixon agrees, saying her organization is much less concerned about ads than about, "eligibility issues and changes in offers and opportunities -- or the lack thereof -- that impact quality of life and/or life opportunities. Will I get luxury car-level kinds of opportunities based on my habits, or will I get a clunker car level of opportunity presented to me based on my habits -- as perceived by a data broker?" she said.

And, other than the limits imposed by the FCRA, which Kamdar argues is somewhat easy to circumvent, there are few legal controls on data brokers. Kamdar said that while the Federal Trade Commission (FTC) has been looking into data brokers' practices, "they don't have to be licensed by the government."

Justin Brookman, director of consumer privacy at the Center for Democracy and Technology (CDT), said it would be difficult to impossible to license data brokers. "Are newspapers data brokers? Is Google.com a data broker? Data brokers by and large collect and sell truthful information about people, so any law is going to have to be fairly narrowly construed to avoid interference with the First Amendment," he said.

[Negligence by security camera vendor harms customers' privacy, FTC says]

This, he added, does not make it impossible to curb egregious behavior by brokers. "We filed a complaint with the FTC a couple of years ago against Spokeo.com," he said. They had really detailed information about ethnicity, religion, and creditworthiness that was based on really sketchy data. The FTC eventually got an $800,000 settlement out of them for not complying with the Fair Credit Reporting Act."

Still, as is the case in anything facing the Internet, restrictions are only as good as those doing the restricting. Security blogger Brian Krebs reported this past week that a company bought by Experian, one of the nation's three major credit bureaus, was tricked into selling bank account and credit card data plus Social Security and drivers license numbers of at least a half-million Americans to an identity theft service.

Meanwhile, the prospects for consumers who want to control, block or delete the accumulating, micro-detailed dossiers of their lives are dim.

Julie Brill, a member of the U.S. Federal Trade Commission, proposed what she called the "Reclaim Your Name" initiative in an address at the 23rd Computers Freedom and Privacy Conference this past June. Brill, in an op-ed in the Washington Post in August, said the idea is to demand voluntary transparency from data brokers, "that know much more about us than we do about them."

The danger, she wrote, is that mountains of data are compiled into, "sophisticated algorithms that...may fuel more than just what ads we are served. They may also determine what offers we receive, what rates we pay, even what jobs we get."

Reclaim Your Name, she said, would have four components: Let people find out how brokers are collecting and using their data; give people access to the data collected about them; allow people to opt out of the use of their data; and to correct errors in information used for "decisions about substantive benefits."

Susan Grant calls Reclaim Your Name, "a great concept," but said it ought to be turned into legislation. And she argued that opting out should be the default for consumers. "Marketers talk about how much consumers want these benefits, but if that is the case, why not ask them to affirmatively agree to provide their data?" she said.

Pam Dixon said the WPF has, "requested a single opt-out portal from the FTC for many years. We are particularly interested in a portal for FCRA-covered entities and specialty credit bureaus. Consumers have a very hard time finding them and asserting their rights under the FCRA."

Westby is dubious that the initiative will do much to improve privacy. Taking Acxiom up on its offer to suppress information for marketing purposes, "will not reduce the number of ads and offers you receive -- it just means that some of them may be less relevant to you," she said. "That's ridiculous. In fact, to opt-out may actually result in more ads because they will not be targeted."

Still, there are a few things consumers can do to stay under the radar. Justin Brookman said he uses "loyalty" cards, which are another way retailers and data brokers track consumer buying habits, "but I fill them out with false information."

This story, "Data Brokers' Collection of Internet Activity Data Raises Privacy Issues" was originally published by CSO .

Join the discussion
Be the first to comment on this article. Our Commenting Policies