Published on October 06, 2021

Widespread surveillance has been normalized. To access our sensitive data, companies routinely scrape the internet, tap IoT devices, and monitor our phones around the clock. Unfortunately, we have virtually zero visibility into the shadowy ecosystem that is the data brokerage industry.

However, every so often, a data breach occurs, showcasing the disreputability of so many of these businesses. For example, a data breach from last summer revealed that a now-defunct broker, DeepSocial, had been aggregating and packaging data from 235 million social media profiles. Although such activity is against the terms of service of Facebook and Instagram, it is not technically illegal, assuming it’s publicly-facing information and none of the data belong to minors, which would likely be a COPPA violation.

DeepSocial may be gone, but the data brokerage ecosystem is thriving. As individuals, we neither have insight into the transactional process of these brokers, nor do we have any federal rights to change any of our personal information that is incorrect. Perhaps more importantly, as it currently stands, the FTC doesn’t have a strong federal data privacy law that would enable the agency to investigate unscrupulous data brokers.

Put simply, the data brokerage industry is in dire need of regulation. As Duke University cyber policy fellow Justin Sherman notes in his recent report,

“The data brokerage ecosystem represents the unrestrained aggregation of surveillance power as a service.”

The data brokerage world: “surveillance power as a service”

Seeing as all outsourced services seem to eventually morph into an “-aaS” acronym, let’s run with Sherman’s “surveillance power as a service” (SPaaS) designation; after all, it is certainly an apt description of the data brokers’ business model.

Data brokers gather information on individuals via many different methods. They crawl government records, use applications to pull data, and purchase or license data from a bevy of third parties. After successfully tracking and aggregating users’ locations, life events, purchases, financial data, political affiliations, and lifestyle interests, these brokers turn around and sell it to the highest bidders—be it insurance companies, super PACs, corporations, asset management firms, or intelligence agencies.

Moreover, as it currently stands, there is virtually nothing in U.S. federal law that limits the selling of this data. In fact, there is not even a shared definition of a “data broker” in federal law. At the state level, Vermont and California do require brokers to register with their respective state; however, the states’ narrow legal definition of “broker” allows most companies who buy and sell data to operate without any need to disclose their actions.

For the most part, data brokers are operating with impunity, and the industry is unregulated.

The major brokers’ unsavory activity

Sherman’s report, entitled “Data brokers and sensitive data on U.S. individuals: Threats to American civil rights, national security, and democracy”, looks at the public-facing advertising from nine behemoths in the data brokerage world: Experian, Equifax, CoreLogic, Verisk, Oracle, Epsilon, Acxiom, LexisNexis, and Nielsen. He also examines the advertising of people-search (“white pages”) websites.

What quickly becomes apparent is that much of the data collection is quite unsettling. To cite a few examples, Equifax, and others, buy payroll data from thousands of U.S. organizations; LexisNexis offers to identify relatives, neighbors, and associates who appear in social media posts and online photographs; and Verisk’s ISO ClaimSearch, the world’s largest database of property and casualty claims, pulls data from IoT devices from inside the home.

To substantiate his claim that data brokers undermine national security, Sherman notes that Acxiom, LexisNexis, and Nielsen all openly offer to provide data on U.S. military personnel. Acxiom, through its partner NinthDecimal, sells individuals’ geo-locations, and it should be noted that many of these entities work with dozens of other data brokers as well; for example, Oracle owns and works with over 80 data brokers.

Threats to civil liberties

Whether data brokers’ activities undermine national security is up for debate; however, it certainly does appear that the rampant surveillance by these players is a threat to basic civil liberties. Sherman argues that the aggregation of data from across the web exacerbates existing algorithmic biases that disproportionately affect marginalized groups. Additionally, data brokers arguably help facilitate doxing efforts; they put victims of domestic violence in danger by exposing victims’ locations, and they allegedly place some politically active people in harm’s way by exposing their political affiliations. This last point—data brokers’ propensity to expose individuals’ political preferences—has not gone unnoticed.

As an example, data broker Mobilewalla allegedly collected information on Black Lives Matter protesters surreptitiously via their mobile devices. The information included location data, home addresses, and other sensitive information, which prompted four U.S. senators to issue a press release, as well as a letter to the Mobilewalla CEO.

An excerpt from the letter reads,

“We are deeply concerned that Mobilewalla’s report advertises that the company can target thousands of Americans on the basis of their exercise of First Amendment rights. This use could include political targeting based on personal or religious beliefs, which Mobilewalla has previously facilitated. More concerning, once profiled on the basis of their location data or other information collected about them, people can be targeted not only for marketing or political purposes, but for law or immigration enforcement.”

In addition to Mobilewalla, Senators Elizabeth Warren (D-MA) and Ron Wyden (D-OR) have also looked into Dulles, VA-based Venntel, Inc. (Gravy Analytics), a broker that sells sensitive data to U.S. government agencies. Rather than enduring the hassle of getting warrants and dealing with cell phone companies, government agencies can get individuals’ sensitive information directly from data brokers. So, in essence, these data brokers allow agencies to “buy their way around the Fourth Amendment.”

Another important issue: individuals are unable to revise incorrect data

Data brokers compile profiles on us by scraping data from mobile applications, social media, government websites, and the internet at large; then, they turn around and sell, share, or license these datasets to other brokers, who in turn, pass the data along to others. In this dystopian version of the game of “Telephone,” the information is not always going to be accurate by the time it reaches its final destination. That being the case, it is definitely worth highlighting the fact that individuals usually lack the ability to correct missing or erroneous information about themselves and their families. Such incorrect data can lead to a home loan refusal, job loss, or worse. As a caveat, we do have the right to correct some data, including rights related to credit reporting, clinical health data, and children’s data.

Sherman suggests that individuals should have the right to revise any incorrect data that brokers are selling and licensing. This seems appropriate. In a similar vein, the FTC should be empowered to investigate unfair broker practices.

Additionally, Sherman suggests that brokers should not be able to sell, license, or share sensitive data on U.S. citizens to non-state actors, foreign governments, or international security agencies, as this could jeopardize national security.

Counterargument: data brokers aren’t doing anything wrong

Jim Harper, a senior fellow at the right-leaning think tank the American Enterprise Institute for Public Policy Research, takes umbrage at much of Sherman’s assessment of the data brokerage landscape. In a recent blog post entitled “What if data brokers aren’t doing anything wrong?”, Harper refutes much of Sherman’s report.

Harper does acknowledge that data brokerage is a “shadowy” industry; however, he compares it to credit reporting, which was disreputable decades ago but has since gained legitimacy. Recognizing that apps collect information on us and sell it to the highest bidder, Harper contends that this is merely a form of efficiency. He posits, quite correctly, that data brokerage activities allow companies to reach customers more efficiently. With detailed dossiers on individuals’ personal preferences, companies can spend less money on marketing costs—which in turn, Harper argues, ultimately lowers costs for consumers and returns value to shareholders. This is true, but at what cost? At no point does Harper try to make the case that data brokers are not violating civil liberties.

That said, he does make a persuasive case that Sherman’s fears about national security implications may be overblown. Harper writes,

“It is doubtful that generic information about present or past military service is terribly useful to foreign enemies. If information about particular dimensions of military service is both useful and routinely brokered, one wonders why it is available to the data brokers in the first place. And if data brokering allows foreign governments to microtarget election disinformation, our fragile democracy might need shoring up irrespective of the role data brokerage may have in disseminating information more efficiently.”

Harper believes that the data brokerage industry can gain legitimacy, and he fears that empowering the FTC, passing a federal data privacy law, and giving individuals more rights may come at the expense of business efficiency.

Harper suggests that Sherman’s argument is flawed, as he highlights the fact that Sherman’s report states that data brokers are “open and explicit” about what they are selling. Harper goes so far as to point out that Sherman uses this “open and explicit” phrase eight times in 16 pages. Harper asks, if this industry is so sketchy, then how are they open and explicit about what they’re selling? This is a false equivalency, and Harper is missing the point. Data brokers may, indeed, be open and explicit about what information they’re selling; however, they are most certainly not transparent about where it came from and how it got there. The bulk of the broker ecosystem is in the shadows, and there is currently no federal law to provide insight into this process.

As Sherman points out—and Harper willfully ignores—it is the limited visibility into the mechanisms within the data brokerage process that is the issue at hand.

It’s time for regulation

As it stands, the FTC lacks a strong federal data privacy law that could embolden the agency to go after unscrupulous brokers; additionally, there is virtually no federal law preventing brokers from selling most individuals’ personal data to foreign actors, insurance firms, law enforcement, or government agencies. That said, there has been some recent regulation in the world of finance.

Last week, the SEC issued a $10 million fine on private analytics firm App Annie, Inc., signaling that the SEC is taking a harder look at data brokers. According to the SEC, App Annie sold nonpublic, confidential user data through its “Intelligence” product, which was marketed to and purchased by trading firms. The user data was neither anonymized nor aggregated, making it more valuable to asset managers—and also in violation of securities laws. This SEC enforcement is the first of its kind against a third-party data broker, and many see it as a harbinger of things to come. It’s a step in the right direction, but whether this type of enforcement becomes more commonplace remains to be seen.

Nevertheless, a few things are certain: there is limited visibility into the shadowy ecosystem of data brokering, and we need more insight into the inner workings of this world. Additionally, individuals should have the right to change their information if it is incorrect, and the FTC needs more power to go after brokers. Whether this should come under the umbrella of a strong federal data privacy law is up for debate; however, data brokers’ unfettered surveillance absolutely needs to be addressed, even if Harper is right and such regulation makes businesses’ targeted advertising initiatives slightly less efficient.

John Donegan

Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.