Feds Crack Down on Data Brokers

J. Elizabeth Hill, a nurse living in San Diego, recently received a Gmail message from her nephew. Pasted inside was an article about soldiers in Afghanistan and the discrepancies regarding the ammunition they use.

Nine days later, Hill received via snail mail at her home address a catalog for a company that sells magnum semi-automatic air pistol revolvers, border patrol survival knives, self-cocking crossbows, armor-piercing "performance ballistic alloy" ammunition rounds, Israeli-issue gas masks, plus lots of other survival gear and military surplus items.

"I have never owned, fired, or even handled any type of weapon," Hill says, "And I have never visited a website connected to the military, war, or weapons of any kind. In addition, this is the first and only email I have ever received that mentioned these types of keywords. Does this mean my name will start showing up on lists of potential terrorists?"

Hill has good reason to be concerned. There are nearly 200 companies out there that collect and sell your personal information. And there's very little you can do if that information is flat-out wrong or gives a false impression of who you are.

In fact, it's perfectly legal for online data brokers to collect information about you from any number of sources and then to aggregate and sell that information. The Interactive Advertising Bureau says personal information on Internet users is worth $31 billion a year, up 22% from last year.

However, there is a glimmer of hope.

Last month, for the first time ever, the Federal Trade Commission stepped in and spanked a data broker, in this case Spokeo, to the tune of an $800,000 fine for selling personal information to employers and job recruiters without taking steps to protect consumers under the Fair Credit Reporting Act.

The FTC also sent warning letters to six unidentified mobile app makers notifying them that their background screening apps may be violating federal statutes. The collecting of personal information is not at issue in these cases; it's the use of that information for employment screening, housing, credit or other purposes that fall under the Fair Credit Reporting Act.

Where Spokeo crossed the line, according to the FTC, is that it failed to maintain reasonable procedures to verify who its users are and that the information would be used for a permissible purpose; that it failed to ensure the accuracy of consumer reports; and that it failed to provide proper user notice. Also, Spokeo was posting endorsements of its service on news and tech websites, but those endorsements were written by Spokeo employees, according to the FTC.

Spokeo has agreed to change its practices and the FTC settlement should have a ripple effect throughout the industry. But the fact remains that these companies can legally gather whatever information they can about you, and there's not much you can do about it.

Who Are These People?

"Most of these broker sites are actually search engines that scatter little Pac Man bots through cyberspace collecting every scrap of data that's ever been recorded anywhere in the world. They justify this privacy intrusion by labeling it as a safety measure; that is, a way to check out your babysitters to ensure that no secret child corrupters are watching your children. Others claim it's a fast way to connect with old friends," says Jack Stratton, independent IT consultant and former Novell systems analyst.

For example, a Spokeo.com ad says, "Find a lost relative or contact an old school chum." USA People Search's marketing materials say, "Some people do people searches to try and reconnect with an old friend or family member. Others may be looking for criminal, marriage or other types of public records. Fortunately for users of USA-People-Search.com, information from bankruptcy records to divorce records, and everything in between, is easily accessible with a click of the mouse."

Alexandra Senoner, head of corporate communications & public affairs at 123people.com, puts it this way: "123people is a vertical search engine dedicated to people search. Based on a proprietary technology, it empowers users to find information on themselves, friends, relatives, or people of public interest by searching across more than 200 international, regional, and local data sources such as Facebook, LinkedIn, Twitter; news sites, blogs, company websites, local sources such as white pages, videos, email addresses, Wikipedia results, and many more."

According to Sarah A. Downey, an attorney at Abine, an online privacy company, "There are over 180 different data brokers and that doesn't include those companies that sell criminal records and employment history for employment background checks. Many of these brokers are co-owned or affiliated and share databases. For example, Intelius owns the information and controls the opt-out requests for about 70% of the data broker industry. And Confi-Chek owns Veromi.com, CriminalSearches.com, PrivateEye.com, Enformion, USA-People-Search.com, PublicBackgroundChecks.com, and PeopleFinders.com, among others."

Three of the largest data brokers are Acxiom (claims 32 billion data records), Lexis Nexis (boasts 500 million unique consumer identities), and Intelius (advertises millions of customers).

Where Do They Get This Information?

"Information comes from a variety of sources," Downey says. "Some are voluntary submissions such as warranties, rebates, sweepstakes, online accounts, and social networks; but some of these sources are unavoidable because they're part of everyday life; for example, voter registrations, marriage and business licenses, birth and death certificates, property and title records, bankruptcies, liens, judgments, criminal records, apartment leasing information, mortgages, and utility company bills. And then, some data brokers get your information from other data brokers, which just perpetuates the exploitation. It's like that game of gossip: one incorrect piece of information can end up on a lot of different websites."

Alan Webber, principal analyst and partner at Altimeter Group, LLC, says, "These sites simply use information that is already publicly available, but generally difficult to obtain from a logistics perspective. I would not call it exploitation, but these sites do expose the fact that there is a lack of control in how personal information is made available and used."

"We obtain our data from public sources, some online and some offline," says Jim Adler, chief privacy officer and general manager of data systems at Intelius. "Online data comes from data that's available to search engines, but the information is only as reliable as the public records."

"One of these sources is your email account," Downey adds. "Google has every email you've ever sent or received, every conversation you've had in Gchat, every video you've watched on YouTube, and every Google search you've ever done. Under Google's new privacy policy, this information is now stored in one common profile for you. It's a massive amount of personal information that's tough to put into perspective."
