NSA

Everything We Know About What Data Brokers Know About You

The following article, by Lois Beckett, is also posted at The Daily Banter today, but I wanted to cross-post it here because it augments what I wrote last week, and what I’ve occasionally covered in the context of the NSA story, about corporate data collection and privacy. Again, if you’re alarmed about what NSA is up to, you should be a hundred times more alarmed by what corporations know about you, mainly because, unlike NSA, there’s no oversight, no accountability and no limitations. –Bob

By Lois Beckett, ProPublica

Sept. 13: This story has been updated. It was originally published on March 7, 2013.

We’re continuing to learn new details about how the American government is collecting bulk records of citizens’ communications — from demanding that a telephone company hand over the daily records of “all telephone calls in its systems,” to collecting an unknown number of emails, instant messages and Facebook messages.

It’s not clear how much information about ordinary people’s conversations the National Security Agency has gathered. But we do know there’s a thriving public market for data on individual Americans — especially data about the things we buy and might want to buy.

Consumer data companies scoop up large amounts of consumer information about people around the world and sell it, providing marketers details about whether you’re pregnant or divorced or trying to lose weight, about how rich you are and what kinds of cars you drive. But many people still don’t know data brokers exist.

Regulators and some in Congress have been taking a closer look at this industry, and are beginning to push the companies to give consumers more information and control over what happens to their data. The prominent data broker Acxiom recently launched aboutthedata.com, a site that allows you to review some of the information the company has connected to your name — and, potentially, edit and update it as well.

Here’s a look (originally published in March) at what we know about the consumer data industry.

How much do these companies know about individual people?

They start with the basics, like names, addresses and contact information, and add on demographics, like age, race, occupation and “education level,” according to consumer data firm Acxiom’s overview of its various categories.

But that’s just the beginning: The companies collect lists of people experiencing “life-event triggers” like getting married, buying a home, sending a kid to college — or even getting divorced.

Credit reporting giant Experian has a separate marketing services division, which sells lists of “names of expectant parents and families with newborns” that are “updated weekly.”

The companies also collect data about your hobbies and many of the purchases you make. Want to buy a list of people who read romance novels? Epsilon can sell you that, as well as a list of people who donate to international aid charities.

A subsidiary of credit reporting company Equifax even collects detailed salary and paystub information for roughly 38 percent of employed Americans, as NBC news reported. As part of handling employee verification requests, the company gets the information directly from employers.

Equifax said in a statement that the information is only sold to customers “who have been verified through a detailed credentialing process.” It added that if a mortgage company or other lender wants to access information about your salary, they must obtain your permission to do so.

Of course, data companies typically don’t have all of this information on any one person. As Acxiom notes in its overview, “No individual record ever contains all the possible data.” And some of the data these companies sell is really just a guess about your background or preferences, based on the characteristics of your neighborhood, or other people in a similar age or demographic group.

Where are they getting all this info?

The stores where you shop sell it to them.

Datalogix, for instance, which collects information from store loyalty cards, says it has information on more than $1 trillion in consumer spending “across 1400+ leading brands.” It doesn’t say which ones. (Datalogix did not respond to our requests for comment.)

Data companies usually refuse to say exactly what companies sell them information, citing competitive reasons. And retailers also don’t make it easy for you to find out whether they’re selling your information.

But thanks to California’s “Shine the Light” law, researchers at U.C. Berkeley were able to get a small glimpse of how companies sell or share your data. The study recruited volunteers to ask more than 80 companies how the volunteers’ information was being shared.

Only two companies actually responded with details about how volunteers’ information had been shared. Upscale furniture store Restoration Hardware said that it had sent “your name, address and what you purchased” to seven other companies, including a data “cooperative” that allows retailers to pool data about customer transactions, and another company that later became part of Datalogix. (Restoration Hardware hasn’t responded to our request for comment.)

Walt Disney also responded and described sharing even more information: not just a person’s name and address and what they purchased, but their age, occupation, and the number, age and gender of their children. It listed companies that received data, among them companies owned by Disney, like ABC and ESPN, as well as others, including Honda, HarperCollins Publishing, Almay cosmetics, and yogurt company Dannon.

But Disney spokeswoman Zenia Mucha said that Disney’s letter, sent in 2007, “wasn’t clear” about how the data was actually shared with different companies on the list. Outside companies like Honda only received personal information as part of a contest, sweepstakes, or other joint promotion that they had done with Disney, Mucha said. The data was shared “for the fulfillment of that contest prize, not for their own marketing purposes.”

Where else do data brokers get information about me?

Government records and other publicly available information, including some sources that may surprise you. Your state Department of Motor Vehicles, for instance, may sell personal information — like your name, address, and the type of vehicles you own — to data companies, although only for certain permitted purposes, including identify verification.

Public voting records, which include information about your party registration and how often you vote, can also be bought and sold for commercial purposes in some states.

Are there limits to the kinds of data these companies can buy and sell?

Yes, certain kinds of sensitive data are protected — but much of your information can be bought and sold without any input from you.

Federal law protects the confidentiality of your medical records and your conversations with your doctor. There are also strict rules regarding the sale of information used to determine your credit-worthiness, or your eligibility for employment, insurance and housing. For instance, consumers have the right to view and correct their own credit reports, and potential employers have to ask for your consent before they buy a credit report about you.

Other than certain kinds of protected data — including medical records and data used for credit reports — consumers have no legal right to control or even monitor how information about them is bought and sold. As the FTC notes, “There are no current laws requiring data brokers to maintain the privacy of consumer data unless they use that data for credit, employment, insurance, housing, or other similar purposes.”

So they don’t sell information about my health?

Actually, they do.

Data companies can capture information about your “interests” in certain health conditions based on what you buy — or what you search for online. Datalogix has lists of people classified as “allergy sufferers” and “dieters.” Acxiom sells data on whether an individual has an “online search propensity” for a certain “ailment or prescription.”

Consumer data is also beginning to be used to evaluate whether you’re making healthy choices.

One health insurance company recently bought data on more than three million people’s consumer purchases in order to flag health-related actions, like purchasing plus-sized clothing, the Wall Street Journal reported. (The company bought purchasing information for current plan members, not as part of screening people for potential coverage.)

Spokeswoman Michelle Douglas said that Blue Cross and Blue Shield of North Carolina would use the data to target free programming offers to their customers.

Douglas suggested that it might be more valuable for companies to use consumer data “to determine ways to help me improve my health” rather than “to buy my data to send me pre-paid credit card applications or catalogs full of stuff they want me to buy.”

Do companies collect information about my social media profiles and what I do online?

Yes.

As we highlighted last year, some data companies record — and then resell — all kinds of information you post online, including your screen names, website addresses, interests, hometown and professional history, and how many friends or followers you have.

Acxiom said it collects information about which social media sites individual people use, and “whether they are a heavy or a light user,” but that they do not collect information about “individual postings” or your “lists of friends.”

More traditional consumer data can also be connected with information about what you do online. Datalogix, the company that collects loyalty card data, has partnered with Facebook to track whether Facebook users who see ads for certain products actually end up buying them at local stores, as the Financial Times reported last year.

Is there a way to find out exactly what these data companies know about me? (Updated 9/5/2013)

Not really — although that’s beginning to change.

You have the right to review and correct your credit report. But with marketing data, there’s often no way to know exactly what information is attached to your name — or whether it’s accurate.

Most companies offer, at best, a partial picture.

In September, Acxiom debuted aboutthedata.com, which allows to you review and edit some of the company’s marketing data on you, by entering your name, address, birth date and the last four digits of your social security number.

The Federal Trade Commission’s Julie Brill tweeted that “more data brokers should follow” Acxiom’s example. But the effort received mixed reviews from users, privacy advocates and government regulators, the New York Times reported.

Previously, Acxiom only let customers review a smaller slice of the information the company sells about them, including criminal history, as New York Times reporter Natasha Singer described last year. When Singer requested and finally received her report in 2012, all it included was a record of her residential addresses.

Other companies also offer some access. A spokeswoman for Epsilon said it allows consumers to review “high level information” about their data — like whether or not you’ve purchased “home furnishings” merchandise. (Requests to review this information cost $5 and can only be made by postal mail.)

RapLeaf, a company that advertises that it has “real-time data” on 80 percent of U.S. email addresses, says it gives customers “total control over the data we have on you,” and allows them to review and edit the categories it associates with them (like “estimated household income” and “Likely Political Contributor to Republicans”).

How do I know when someone has purchased data about me?

Most of the time, you don’t.

When you’re checking out at a store and a cashier asks you for your Zip code, the store isn’t just getting that single piece of information. Acxiom and other data companies offer services that allow stores to use your Zip code and the name on your credit card to pinpoint your home address — without asking you for it directly.

Is there any way to stop the companies from collecting and sharing information about me?

Yes, but it would require a whole lot of work.

Many data brokers offer consumers the chance to “opt out” of being included in their databases, or at least from receiving advertising enabled by that company. Rapleaf, for instance, has a “Permanent opt-out” that “deletes information associated with your email address from the Rapleaf database.”

But to actually opt-out effectively, you need to know about all the different data brokers and where to find their opt-outs. Most consumers, of course, don’t have that information.

In their privacy report last year, the FTC suggested that data brokers should create a centralized website that would make it easier for consumers to learn about the existence of these companies and their rights regarding the data they collect.

How many people do these companies have information on?

Basically everyone in the U.S. and many beyond it. Acxiom, recently profiled by the New York Times, says it has information on 500 million people worldwide, including “nearly every U.S. consumer.”

After the 9/11 attacks, CNN reported, Acxiom was able to locate 11 of the 19 hijackers in its database.

How is all of this data actually used?

Mostly to sell you stuff. Companies want to buy lists of people who might be interested in what they’re selling — and also want to learn more about their current customers.

They also sell their information for other purposes, including identity verification, fraud prevention and background checks.

If new privacy laws are passed, will they include the right to see what data these companies have collected about me?

Unlikely.

In a report on privacy last year, the Federal Trade Commission recommended that Congress pass legislation “that would provide consumers with access to information about them held by a data broker.” President Barack Obama has also proposed a Consumer Privacy Bill of Rights that would give consumers the right to access and correct certain information about them.

But this probably won’t include access to marketing data, which the Federal Trade Commission considers less sensitive than data used for credit reports or identity verification.

In terms of marketing data, “we think at the very least consumers should have access to the general categories of data the companies have about consumers,” said Maneesha Mithal of the FTC’s Division of Privacy and Identity Protection.

Data companies have also pushed back against the idea of opening up marketing profiles for individual consumers’ inspection.

Even if there were errors in your marketing data profile, “the worst thing that could happen is that you get an advertising offer that isn’t relevant to you,” said Rachel Thomas, the vice president of government affairs at the Direct Marketing Association.

“The fraud and security risks that you run by opening up those files is higher than any potential harm that could happen to the consumer,” Thomas said.

How do data brokers impact you? Join Lois and other tech reporters for a discussion of data brokers and privacy this Friday at 1 p.m. ET. You can tweet us your questions with #MyDataChat.


(Originally posted at Pro Publica)