Not Just the NSA: Data Brokers Amass Detailed Profiles on Everyone Online

This month, a strongly worded Washington Post op-ed by Federal Trade Commissioner Julie Brill calling for transparency in the business practices of the online data broker industry provoked a heated response. While the ACLU and other privacy advocates have long had their suspicions about how and why data brokers were tracking individuals, as the commissioner stated in her op-ed:

It took the NSA revelations to make concrete what this exchange means: that firms, governments or individuals, without our knowledge or consent, can amass large amounts of private information about people to use for purposes we don’t expect or understand.

Clearly displeased with the link to the NSA scandal, Linda Woolley—CEO and president of the Direct Marketing Association—fired back with an open letter to the commissioner. In the letter Woolley attacks the commissioner, claiming she disregards the benefits of data collection and unfairly demonizes the entire industry. But the commissioner is right to focus on the data broker industry’s troubling practices.

Interestingly, that massive, secret databases of individuals are being created and sold is not the issue under debate. That’s a simple and open matter of fact. For example:

• One aggregator, PeekYou, boasts, “Our patented technology analyzes content from over sixty social sites, news sources, homepages and blog platforms and identifies the actual people behind it, combining their scattered digital footprints into a comprehensive record of their online identity.”
• RapLeaf advertises as having “Real-Time Data on 80% of U.S. Emails.”
• Brill points out that one of the largest such aggregators, Acxiom, reportedly has information on about 700 million active consumers worldwide, with some 1,500 data points per person.

The excellent Wall Street Journal series, What They Know, provides a feel for what these databases can mean for people. One story was about Linda Twombly, a 67-year-old woman who, when surfing the Internet, was flooded with ads for Republican candidates leading up to the 2010 primary elections. The Journal revealed that RapLeaf Inc had a profile on her that included her full name and identified her as a conservative who was interested in Republican politics and the Bible, and donated to political and environmental causes. “Holy smokes,” she said. “It is like a watchdog is watching me, and it is not good.” The Journal found that RapLeaf’s profiles included such sensitive information as a person’s household income range, age range, and political leaning; the gender and age of children in the household; and personal interests in topics including religion, the Bible, gambling, tobacco, adult entertainment, and “get rich quick” offers. In all, RapLeaf segmented people into more than 400 categories.

But Wooley seems to want to focus on what she characterizes as a lack of harm caused by the existence of these databases. Ok, then, let’s talk about harm. Commissioner Brill wrote (and the ACLU has also pointed out) that data brokers are running their data through advanced algorithms that can make “alarmingly personal predictions about our health, financial status, interests, sexual orientation, religious beliefs, politics and habits.” Brill explained that while this may seem benign to some, this data could be used to determine “what offers we receive, what rates we pay, even what jobs we get.”

In 2006, for example, the New York Times reported on a man whose job offer was rescinded after a mistake by Acxiom. He lost a job that would have doubled his salary. Another New York Times report told the story of a 92-year-old veteran who was bilked out of more than $100,000 by criminals who identified him from marketing lists.

While Woolley repeatedly stressed that this kind of data collection is harmless, she still pushed back on granting individuals access to their personal profiles. She even defended secretly sharing the data with third parties the individual has no relationship with and has disclosed no information to. She claims the exchange is “essential for business success” and that these “behind the scenes” deals will enrich people’s experience in the marketplace. Essentially, she’s just asking us to trust them.

Unfortunately, we are not dealing with companies that inspire a lot of trust. While RapLeaf never meant to sell Twombly’s real name with her profile information, the Journal reported they had sold personally identifiable information—such as a unique Facebook ID number, which can be traced back to a person’s real name—to at least 12 companies. While RapLeaf has reportedly cleaned up its act, we can’t just assume such mistakes will always be caught and fixed, considering the lack of transparency these companies enjoy, and the rapid development of these new technologies.

Brill wrote that as we discuss the need for transparency surrounding government surveillance, Americans should also have the right to know what commercial data brokers know (or claim to know) about them. To help consumers regain such control, Brill has put forth her “Reclaim Your Name” initiative, which would establish a simple one-stop shop for consumers to see what data aggregators have collected about them, and delete or edit data as they see fit.

While we believe “Reclaim Your Name” is a great first step, ultimately Congress must act to regulate the industry and restore Americans’ robust privacy protections. We applaud the Commissioner for her hard-hitting op-ed, and her initiative.