Quick. What's your most valuable possession? Your house? Your car? An old family heirloom handed down to you by your grandfather? Your family photo album?
Whatever your answer to the question, it's most likely that you responded immediately with some physical object that you own. But what if I were to tell you that one of the most valuable things in your possession is not material at all? What if I were to say it was the bits and bytes representing data about your name, age, address, gender, marital status, sexual orientation, likes, dislikes, friends, income, political affiliations, shopping habits, location history, and a thousand other immaterial facts about you and your identity?
Sound absurd? To people of a certain age, the idea that the collection of such information would be possible, let alone salable, would be absurd. But as more and more of our life revolves around our second life in cyberspace, that cyber confessional that we entrust with our secretest secrets and most personal details, this information is not only increasingly available for collection, but actually being collected, gathered, and sold in a completely opaque data brokerage industry that is so secretive that no one even knows its precise size.
Acxiom. Datalogix. Epsilon. Although these are giants in the data brokerage industry, until quite recently few even knew there was such a thing as a “data brokerage industry.” The first big exposure came in November 2012, when a congressional inquiry forced a number of data broker companies to provide information about their operations. The most detailed response came from Acxiom, the Arkansas-based industry leader that boasts 23,000 servers selling dossiers containing 1500 data points per person on an estimated 700 million people worldwide with annual sales topping $1.13 billion. According to the document provided to the inquiry by Acxiom, their data comes from corporate (retail purchases, loyalty card data, other data brokers, etc.), government (real estate assessor records, motor vehicle records, licensing and voter records, court records, etc.) and unspecified “self-reported” sources (consumer surveys, product registration forms, etc.). Although going out of their way to deny that they collect anything illicit, like detailed financial information or protected health information (the company even boasts how it “screens all businesses and data compilers from which we receive data to ensure the data has been legally and ethically obtained”), they do admit collecting identifying and contact information, court records, financial “indicators,” demographic information, “lifestyle indicators,” health “interests,” and other dubious categories demanding judicious use of sneer quotes. What are health “interests,” for instance? According to Acxiom, this might include “interests in diabetes, arthritis, homeopathic, organic and senior needs.” But don't worry, there's no protected health information passing hands here, like whether you actually have diabetes or arthritis or are purchasing homeopathic medicine. 
And financial “indicators?” That includes “estimated net worth, estimated income, and type of credit card.” Even creepier is what falls under the very broad “lifestyle indicators” category:
“cooking, sports, reading, computers, fashion, travel, exercise, crafts, movies, online shopper, retail purchase frequency and type of retail purchase (e.g., electronics, groceries, gas travel), media channel usage (e.g., Internet, TV, yellow pages, radio), type of social media user (e.g., Twitter, Facebook, LinkedIn, YouTube), license and registration data (e.g. professional, hunting, fishing, boaters, firearms, ATV, snowmobiles, aircraft) and Acxiom’s life-stage cluster.”
Remember, this is just one data broker operating in an industry that is estimated to include thousands of similar companies. “Estimated” because, of course, the industry flies almost completely under the radar.
So what's the problem here? So what if some company collects or even sells information about my Scottish Terrier or my model airplane collection or my wife's birthday or what brand of batteries we tend to buy? Big deal.
One response to this skepticism comes from a New York Times story published two years ago. It revealed how Target used a “GuestID” system to link all interactions with their customers into a detailed personal profile of each customer's information, including “your age, whether you are married and have kids, which part of town you live in, how long it takes you to drive to the store, your estimated salary, whether you’ve moved recently, what credit cards you carry in your wallet and what Web sites you visit.” Using this information, they are able to use sophisticated data mining algorithms to determine your future buying needs. The program was specifically implemented to go after the “holy grail” of retail target demographics: new parents. The program was a stunning success. Within the first year of its operation, a man walked into his local Minneapolis Target branch to complain to the manager. He was furious that the company had sent his teenage daughter a mailer full of coupons for baby products, maternity clothing, and nursery furniture. The man called back later to confirm that his daughter was indeed pregnant. Target had known about it before her own father. In response to the complaints, Target didn't change their practices; they just made them more subtle. Now they'll slip the baby product coupons in with a mixture of other products to make it look randomized.
But aside from the creepiness of this information collection and data mining, it poses an even more immediate threat: that less scrupulous criminals will go to any length to access that data, including cyber robbery. Data theft is an increasingly common phenomenon, and perhaps it is only fitting that the greatest data theft story of last year involved Target. A team of hackers managed to steal the personal data (including the credit card numbers) of 40 million Target customers. Interestingly, a recently published, in-depth report on the attack from Business Week seems to point to inside help in the operation, or incompetence of such a stunning level that it beggars the imagination. As the report notes, the alarms triggered by the hackers as they implanted the (rather rudimentary) malware to steal the data should have been “impossible to miss” and were set off before the hackers had even begun transmitting the data from Target's internal network, meaning that “Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.” When personal information becomes a valuable commodity, retailers (or at least their criminal employees) become their own customers' potential enemies.
Even more worrying is the fact that the government is one of the customers for the data collected by some of the biggest data brokers. In this case, the word “customers” is no exaggeration. In 2009, the ACLU obtained a guide from the Tucson police department listing how much each of the major American telecoms providers charge for wiretaps (from $50 to $2000 depending on duration), data requests (around $50 for text messages and $150 for voicemails) and location data (as much as $100 per day per target). Just this past Thursday, the Syrian Electronic Army published a number of hacked Microsoft emails detailing how much they charge the FBI for access to their customers' data ($100 per request in December 2012, $200 per request in November 2013). The government literally buys up personal data from corporations under color of law. The government gets your info, the company gets some extra pocket money, and you never even know that the government is collecting information on you. Big Brother would be jealous.
Assuming you are outraged by stories like this (in other words, assuming you have a pulse), the question is what you can do about it. As the spotlight of scrutiny has started to chase the data broker cockroaches into the clear light of day, growing public ire has led to some half-hearted attempts at transparency and “data control” to stop a full-on pitchfork protest from running these data brokers out of town. Acxiom, for its part, launched a website, AboutTheData.com, to allow users to see and edit some of the information that they have stored in their data banks. Only some of the data, of course, as the rest is what they keep back in order to sell to their customers. It's their business, after all. The good news is that even this partial transparency has peeled back the curtain enough to show the frail little man hiding behind the Wizard of Oz pyrotechnics; a startling amount of their information on customers turns out to be wrong. The bad news is that a lot of incorrect information about you is floating around the world, often without your knowledge, and being used by everyone from advertisers to credit agencies to potential employers to make decisions about you and your future.
Such moves by Acxiom are transparent attempts at doing just enough to forestall the inevitable crackdown by Congress on the largely unregulated data brokerage industry. It should be no surprise to readers of the Forecaster, however, that the government is unlikely to be a savior in this case. A March 2012 report by the Federal Trade Commission on “Protecting Consumer Privacy in an Era of Rapid Change” came up with some less-than-useful suggestions: asking mobile service providers to strengthen privacy protections (although presumably not so strong that the NSA can't backdoor all of your data); creating a central website for data brokers to provide information about their businesses and access rights to their data; and creating an industry self-regulated Do Not Track list for web users. Admirable enough, but hardly earthshaking and doubtful to address the fundamental problems of how every detail of our personal life is being turned into a commodity for sale to the highest bidder.
Once again, the question is what we can do to take matters into our own hands rather than waiting for a toothless government agency to set up some regulatory framework to allow for the information pillaging to continue apace under cover of law. There are a number of sites out there that are offering people more information about the data brokers that exist and how to opt out of them on a one-by-one basis, but wouldn't it make more sense to stop giving these companies our information in the first place? It's a tough thing to change our surfing habits, or to forego the use of certain websites or loyalty cards or discount coupons or boxchain megastores in favor of customer-friendly non-dataselling mom and pop stores and user-respecting non-tracking independent websites, but in the end, the decision to stop feeding our data to these companies may be the best investment we can make for protecting what is fast becoming our most valuable commodity: our data.