The inescapable bulk collection and analysis of personal data by private-sector data brokers is often discussed in terms of privacy rights or economic benefits, but in a very real sense the current lack of oversight and transparency in the personal data market poses a national security threat. Not only might it provide an espionage advantage (the reason officials have put forward for the apparent Chinese cyber-campaign to breach databases on millions of U.S. citizens in order to build their own database), but coupled with advances in quantitative sociological modeling it could allow our adversaries new avenues to reliably (and perhaps deniably) influence the American public. To resolve this threat and ensure that the U.S. and other democracies are not vulnerable to refined forms of sociological attack, we must reform the private data-broker sector, making it both more secure and more efficient in supporting the research needed to survive in this rapidly-evolving theater of warfare.
As laid out here, data brokers are the many private companies that collect, aggregate, buy, analyze, and sell information on individuals. More narrowly defined, the data brokers are companies like Experian and Acxiom, whose 2013 and 2014 Annual Reports indicate that the company’s databases include “3,000 propensities on nearly every U.S. consumer” and “Multi-sourced insight into approximately 700 million consumers worldwide,” which are kept current through “nearly 11 trillion consumer record updates per year.” “Propensities” is not defined in the document, but presumably it refers to some of the diverse categories of data that brokers collect, as specified in the 2014 Federal Trade Commission report on the industry, such as “Address History,” “Race & Ethnicity,” “Religion,” “Family Ties,” “State Licenses and Registrations,” “Uploaded Pictures,” “Bankruptcies,” “Political Leanings,” “Gambling,” “Net Worth Indicator,” “Guns and Ammunition,” “Ailment and Prescription Online Search Propensity,” and many, many others.
Brokers acquire data from many sources, including government records, online browsing information, and purchase records. They acquire this information either directly or from anyone who will sell it to them, including other data brokers. The data are often quite cheap. As of 2013, one company, MEDbase 200, was selling (for 7.9 cents per name) lists of rape victims, dementia sufferers, HIV/AIDS sufferers, and people with histories of addiction (helpfully divided into categories like drugs, alcohol, and sex), among many others.
Several instances suggest a very spotty record on data brokers’ professional responsibility when it comes to selling data.
As early as 2007, broker infoUSA was found by the New York Times to be selling lists of millions of “Elderly Opportunity Seekers” (older people “looking for way to make money”), “Suffering Seniors” (seniors dealing with Alzheimer’s and cancer), and another list whose selling document specifically noted “These people are gullible. They want to believe that their luck can change.” Even after executives were informed by government investigators (as well as banking documents and court filings reviewed by the Times) that these lists were being used extensively for telemarketing fraud (a multi-hundred million dollar criminal industry at the time), infoUSA did not halt the criminal transactions.
Another data broker, Ideal Financial Solutions, has been charged by the FTC as being something of the tip of the iceberg in layers of consumer fraud. First, Ideal was charged with directly stealing over $25 million via fraudulent charges on consumers’ debit cards (about $30 each). The rabbit hole went deeper when further FTC investigation led the agency to allege that of the 2.2 million records that Ideal had purchased, at least 16% were obtained from broker LeapLabs, which had purchased financial information from payday loan applications and resold 95% of them “for approximately $.50 each to third parties who were not online lenders and had no legitimate need for this financial information.” This August, the FTC announced that it had reached a multi-million dollar settlement with several executives at other data brokering firms, which the FTC alleges not only sold consumer financial data to Ideal while knowing that the information would be used for fraud, but actively helped Ideal conceal the fraud.
There would seem to be no honor among data brokers, either. Executive e-mails revealed in the AshleyMadison leak speak of that company’s CTO hacking into the customer database for the dating service of the magazine Nerve.com. He allegedly gained access not only to all customer information (sending a link to AshleyMadison’s CEO with an extracted sample), but also to the ability to compose messages between users.
Defrauding 2.2 million customers or breaking into a dating site’s database is just a drop in the bucket, however. Court Ventures, a broker of court records and a subsidiary of larger broker/credit bureau Experian, had been providing access to the financial records of 200 million Americans to the online identity theft market Superget.info (both before and for 10 months after Ventures’ acquisition by Experian). The incident has descended into an almost comical flurry of lawsuits, with Experian and Court Ventures’ former owners suing each other, and Experian the subject of a class-action lawsuit by the victims of the theft, who according to the Justice Department have already been victimized for $65 million in fraudulent income tax returns (which does not count other types of fraud not yet quantified).
Online black markets for data usable in identity theft are very extensive. In a 2014 experiment, KrebsOnSecurity looked into two of the most popular sites to see whether it could obtain the Social Security numbers, address histories, and phone numbers for all 13 members of the Senate Commerce Committee Subcommittee on Consumer Protection, Product Safety and Insurance. Not only were those up for sale on the sites, so was the same information for the heads of the FTC and the Consumer Financial Protection Bureau.