Data Brokers Know Where You Areand Want to Sell That Intel
At the end of July, a Catholic priest resigned from the church, after Catholic news site The Pillar outed him by purchasing location data from a data broker on his usage of Grindr. The incident didnât just illustrate how people can wield Grindr data against members of the LGBTQ community. It also highlighted the dangers of the large, shadowy, and unregulated data brokerage industry selling Americansâ real-time locations to the highest bidder.
In a new report for the Cyber Policy Program at Duke Universityâs Sanford School of Public Policy, I surveyed 10 major data brokers and the sensitive data they advertise. They openly and explicitly promulgate data on individualsâ demographic characteristics (from race to gender to income level) and political preferences and beliefs (including support for the NAACP, ACLU, Planned Parenthood, and the National LGBTQ Task Force), and on current US government and military personnel. Several of these firms also market another disturbing product: Americansâ geo-locations.
Acxiom, one of the largest brokers with data on billions of people worldwide, advertises âlocation-based device dataâ on individuals. Need to know if someone has visited a location multiple times in the last 30 days, like a church, their therapistâs office, or their exâs house? Theyâve got you covered, according to a company marketing document. What about other insights based on individualsâ locations? Check out data from marketing firm NinthDecimal, according to a 2018 fact sheet, an Acxiom âpartnerâ that provides âmobile device location and location context insights.â Military personnel, Acxiom says, can be located too: it offers âverification and location of military servicemen (deployed but missing from base)â as part of commercial work for credit card issuers and retail banks.
LexisNexis, another behemoth, advertises the ability to âdetermine a personâs current whereaboutsâ using recent driver license records. Experian outright advertises mobile location data. Oracle, which took a notable turn towards data brokerage in the last decade, advertises marketing services based on a userâs real-time location. In 2019, Oracle partnered with location data provider Bluedot (one of many such partners), who claimed that its data would provide a twenty-fold improvement in pinpointing an individualâs location. Among other factors, Bluedot claimed to track the number of times an individual visited a location and how long they were there. A few years earlier, Oracle added PlaceIQ to its data marketplace, a company which then had data âfrom 475 million location points, 100 million unique users, and more than 10 billion daily location-enabled device movements.â
Then of course there are people-search or âwhite pagesâ sites, which allow internet users to search for data on anyone by entering their name. Scraping property records, tax filings, voting records, and more, these data brokers aggregate government and other publicly available documents and make them publicly searchable, for a small fee or at no cost whatsoever. While they donât advertise individualsâ real-time geo-locations, they do provide relatively up-to-date information on where people live.
Perhaps none of this is surprisingâ"data breach after data privacy scandal have spotlighted just how intimately private companies track Americansâ daily lives. However much these companies wish to normalize their surveillance, down to the exact sidewalk you stand on or restaurant you sit in, we canât forget that data brokers selling this location data threaten civil rights, national security, and democracy.
On the civil rights front, federal agencies from the FBI to US Immigration and Customs Enforcement purchase data from data brokersâ"without warrants, public disclosures, or robust oversightâ"to carry out everything from criminal investigations to deportations. In doing so, data brokers circumvent limits on companies directly handing data to law enforcement (e.g., a cellular company can sell user data to a data broker which can then sell the data to the FBI). The federal government agencies using the data may then also circumvent a variety of legal restrictions in place around searches and seizures as well as federal controls which arenât applied to âopen sourceâ or âcommercially obtainedâ data, even if the data is on US individuals.
In this context, real-time location data presents a real opportunity for abuse, particularly where law enforcement is conducting operations against individuals or groups from historically marginalized communities. In August 2020, four members of Congress penned a letter to the firm Mobilewalla for just this reason, after the company advertised that it identified characteristics of Black Lives Matter protesters using their phone location data.
Private companies buy such data all the time, and itâs likely all too tempting to hoover information to discriminately target ads: tracking an unwitting American as they leave a police station, an abortion clinic, or the office of a cash lender, for example. Individuals also use this kind of information to discriminate against others. The Pillarâs outing of a priest is hardly the first and won't be the last time an individualâs real-time location data will be acquired by a third party intent on inflicting harm. Research from my colleagues at Dukeâs Cyber Policy and Gender Violence Initiative has identified numerous ways in which abusive individuals can use people-search websites to obtain data broker data for stalking, harassment, and physical violence against intimate partnersâ"violence which is overwhelmingly directed at women and members of the LGBTQ community. Anyone with the means to buy this data could similarly obtain location data on activists, political organizers, and other people for violent or harmful ends.
On top of all this, foreign intelligence or security organizations could buy up data broker data, with virtually no restrictions, to conduct intelligence operations or identify the real-time locations of diplomats, government, or military personnel. (Think of how FitBit data exposed the real-time locations of service members on military basesâ"except where a foreign organization can buy the data, legally, directly from an American data broker.) All of this harms national security, as companies aggregate and sell highly sensitive data on US individuals with no public visibility into what kind of vetting, if any, is done of potential buyers.
The only way to mitigate these companiesâ threat to democracyâ"through their extraordinary and unchecked surveillance powerâ"is regulation. Congress must integrate the data brokerage ecosystem into a strong federal privacy law, restricting the constant buying and selling of Americansâ sensitive data. It must also consider giving the executive branch export control authorities to limit the sale of this kind of sensitive data to certain foreign entities, and it must consider giving the Federal Trade Commission greater authority to investigate data brokersâ many unfair and exploitative practices. While the country waits for that full-force policy response, meanwhile, Americansâ real-time locations are up for sale on the open market.
WIRED Opinion publishes articles by outside contributors representing a wide range of viewpoints. Read more opinions here, and see our submission guidelines here. Submit an op-ed at opinion@wired.com.
More Great WIRED Stories
0 Response to "Data Brokers Know Where You Areand Want to Sell That Intel"
Post a Comment