Duke University’s Cyber Policy program has a new report that shows data brokers are openly and explicitly advertising sensitive information about US individuals for sale including demographic information, political preferences, even real-time GPS locations on current and former U.S. military personnel. The authors say such data brokerage is a virtually unregulated practice in the United States.
Guest: Justin Sherman directs data brokerage research for Duke’s Privacy & Democracy Project during his fellowship through Duke’s Technology Policy Lab.
Responses have been edited for clarity.
About data brokering
Data brokering is an industry whose entire business model is buying and selling our data. What a lot of people don’t know is that once you interact with a business directly, there’s an entire second layer of data sharing going on. Those companies are buying and selling and sharing and licensing all of that data around in this global multi-billion dollar, pretty unregulated, industry.
A lot of websites will tell you that they’re not selling your data. There’s no way to check that. There’s no way to enforce that. We see companies make all kinds of claims about cybersecurity or privacy that are exaggerated or not verifiable and end up being not true. The fact is, in the US, there are very few to virtually no restrictions on this industry, where all it’s about is buying and selling our information.
Also, this is a really important point, there are tons of third parties on those websites. When you go onto Amazon, there might be a number of other companies whose code, whose app services, Amazon is plugging into its website. [That other company] might also get information about you. Uber might use a bunch of plugins where advertisers or other companies are getting your GPS location data.
That’s a really important point — it’s not just the companies we interact with directly, but sometimes there’s a whole network of other code providers, advertisers, the third parties that are getting that information as well.
What did you find data brokers selling?
What I found was pretty disturbing. I found companies advertising sensitive demographic information, so things like your race, your gender, your income level, your marital status. I found data brokers advertising your political preferences and beliefs. There was one broker, for example, Affinity Answers, that has a whole list saying, “We can tell you if somebody likes Bill O’Reilly or Arianna Huffington or Anderson Cooper. We can tell you if they support the NAACP or the ACLU.”
There was also data on if people supported a party organization in their state. These companies, as I detail on the report, talk about knowing what you buy, where you buy it, when you bought it, how much you spent. Off of that, they can do all kinds of things like extrapolate your favorite stores and brands. They can perhaps make estimations about how much money’s coming into your household.
They also advertise real-time GPS location, quite literally your GPS location from your phone, which is obviously a very intimate piece of information.
On the danger of selling real-time location data
There are many cases of abusive individuals getting access to broker data and then using that to stalk, harass, hurt, even kill. People have quite literally been murdered, particularly women and members of the LGBTQ community.
Let’s say [someone who is concerned for their safety] moves to a different state. They change their address. [Using data brokers, the abuser can] find out where they live, where their kids go to school, and then hunt them down. There are lots of real cases of this.
Listeners may have seen that there was a Catholic website called The Pillar that bought real-time GPS location data from a data broker that got it from Grindr. [People used that data to stalk] this closeted priest, who was using Grindr. They followed him around, tracked him as he met up with men through the application, and then they outed him.
There’s a lot of real potential harms that can occur.
On the regulation status of data brokerage
When it comes to things like what do you buy, where do you travel, which political figures do you support, what’s your GPS location — as sensitive as that stuff is, as dangerous as that could be in the wrong hands, it’s not something that our policy makers have regulated.
Why the report authors think the unregulated sale of data is undemocratic
There are a bunch of controls in place around what federal law enforcement and security agencies can gather vis-a-vis data on Americans: warrants, Fourth Amendment controls, etc.
The reality is a lot of that can be circumvented by just buying data from a data broker. The FBI, Immigration and Customs Enforcement, Department of Homeland Security … a bunch of federal agencies have been reported (or caught really), buying phone location data, and buying data on smart thermostats and other devices in your home to be able to see is someone and living in a particular residence, for example. There’s all kinds of these cases, and that I think is an example of why [the ability to purchase such data from brokers] is undemocratic.
We, as a country, have spent years (very imperfectly and we’re still far behind right with privacy), trying to figure out, “Okay, we have these boundaries, we’ve set up between the government and citizens and spying on citizens, and we have these Fourth Amendment protections we need to keep updated.” And here comes the data brokerage industry offering a lot of these agencies away around it.
Take the FBI. There’s prohibitions in place where they can’t just go to a cell company and willy-nilly get data on let’s say a hundred million people’s phone records.
However, what they can do is they can go to a data broker that got it from the cell company and just buy the data. They don’t need a warrant, and they don’t need to disclose it, and there’s no oversight. So stuff like that I think is part of why this is really just an undemocratic sort of ecosystem.
- Any federal privacy law has to address data brokerage. If the privacy is only about the relationship between you and one app or you and one commerce platform, we’re missing that whole second layer of data sharing and buying that’s going on.
- Congress needs to give the executive branch the ability to put some export controls around data sales. For example, if you’re selling to an entity that has a tie to a foreign military organization or a foreign intelligence service, we’re going to block you from selling a hundred million Americans’ GPS locations.
- Give the Federal Trade Commission (FTC) more authority and more resources. It’s not just the ability to investigate data brokers themselves, it’s also making sure the FTC can investigate misuses and abuses of data broker data. (For example, there are brokers who advertise data on people with Alzheimer’s and dementia. This has actually happened: scammers have then bought that data, and used it to target Medicaid scams to people with brain health issues.)