Data Trade
Instaread Short Cuts bring you up to speed on the latest research, analysis, and
commentary on today’s hottest topics. In this Short Cut, we explain data
brokering, a practice in which private online data is collected, analyzed, and
sold to groups who hope to use the information to manipulate behavior. Do you
want to learn more about how companies gather so much information about
online users? Or are you curious how much companies and other organizations
can learn about you through your online interactions, and what you can do to
protect your privacy? Find out more in this Instaread original.
The market for data on individual consumers and users is red-hot. But several
companies have also been caught, red-faced and red-handed, using their
clients’ data in dubious ways. The most notorious of these potential abuses
came to light in the aftermath of the 2016 US presidential election—but it was
many years in the making.
Two years after myPersonality’s collection efforts ended, another app called
This is My Life was uploaded to Facebook. Although it was created by
Cambridge University researcher Aleksandr Kogan, the app wasn’t made
strictly for academic purposes. Inspired by myPersonality, Kogan originally
hoped that any data gathered by his app could be used in a partnership using
a model developed by fellow Cambridge colleague Michal Kosinski. Kogan
proposed that Kosinski license his analytical model to a United Kingdom
marketing company called SCL, where it would be applied to any data
collected by This is My Life. Kosinski refused Kogan’s proposal, however, so
Kogan took his app to SCL and created his own model for interpreting the
data. SCL later launched an American offshoot, funded by Renaissance
Technologies co-CEO Robert Mercer, called Cambridge Analytica, a data firm that has since become
synonymous with political scandal and the misuse of private data gathered
online. [2]
Between 2014 and 2018, Kogan’s app and analysis model helped Cambridge
Analytica collect data on more than 40 million Facebook users. [3] The
personal data was later used by the campaign for Donald Trump, which
deployed Facebook ads to influence voter behavior in the 2016 election. [4]
Cambridge Analytica has also since been accused of illegally participating in a
pro-Brexit campaign in the United Kingdom. [5]
Cambridge Analytica isn’t the only company to collect and distribute vast
amounts of information about people’s private lives. Data brokering, or the
practice of gathering and selling data to parties who hope to use it for their
own purposes, has become a lucrative industry in an era when many internet
users freely share personal details in exchange for online convenience. Every
time a user clicks a link, shops online, opens an app, or goes on a walk while
carrying a cell phone or smart device, information about that behavior is
added to a dossier that, in many cases, is sold to the highest bidder. [7]
Americans haven’t always been so complacent about their data privacy. In the
late 1980s, when the US Senate held confirmation hearings on the nomination
of Robert Bork to the Supreme Court, a journalist named Michael Dolan
learned that he and Bork used the same video rental company. On a whim,
Dolan decided to go ask a store clerk whether he could look over Bork’s rental
list. [9] The list contained nothing controversial—mostly Alfred Hitchcock and
James Bond movies, along with a few titles featuring Meryl Streep. [10]
However, the story Dolan wrote, which appeared in the Washington City
Paper, almost immediately sparked controversy. Before long, politicians were
introducing laws at the local, state, and federal levels to prevent anyone from
leaking another rental list. [11] The Video Privacy Protection Act (VPPA),
passed in 1988, has since served as one of the major pieces of legislation cited
whenever concerns about the distribution of private data are brought up. [12]
The VPPA is notable not only for being outdated, but also for being one of the few
laws the United States has passed to protect private data. Although federal
and state regulations limiting the type and amount of personal data that can
be shared do exist, there is no overarching, comprehensive law that protects
American consumers. [15] That lack of legislation has left the United States
behind other government efforts to protect private information, such as the
European Union’s General Data Protection Regulation, or GDPR. [16] Among
other protections, GDPR requires that companies offering services in the EU
provide clearer consent notices that alert users to whether and how their data
will be collected. It also prevents those companies from bundling together
permissions that have little to do with one another so that a user can be
induced to agree to multiple policies at once. The GDPR additionally requires
that companies gain permission from a parent or guardian before gathering
info on users under the age of 16. [17] Without stricter regulations, American
consumers who want to ensure that their data isn’t distributed either have to
rely on companies’ own internal ethical guidelines to keep the information
private, or they must forgo internet use altogether. The lack of
comprehensive legislation also means that even if companies promise not to
misuse the data they collect, they have no legal incentive for keeping their
word. For many, buying and selling data is too lucrative an opportunity to
pass up.
Data can also be harvested through extensions that are downloaded onto
internet browsers. These extensions usually help users improve their online
experience by offering services like password storage, the ability to block
certain websites, or the ability to quickly search for discounts on online
shopping. When the extensions are downloaded, however, users often
unknowingly agree to let the developer collect and sell information about anything
they do through the browser while the extension is installed. The companies
behind the extension can then use the data themselves, or sell it to data
brokers. In a 2019 episode of NPR’s Fresh Air, Washington Post tech columnist
Geoffrey Fowler explained how he worked with an independent researcher to
identify a website called Nacho Analytics, which sells access to information
that can reveal which sites individual users go to, down to web addresses.
Fowler was able to use this information to find tax returns and medical
documents that had been uploaded to online storage services. Fowler even
found out that an extension used by a colleague had gathered that coworker’s
work username, information that was then available for sale on
NachoAnalytics.com. When Fowler reached out to Nacho Analytics for
comment, they pointed out, truthfully, that their business model was not
illegal. As Fowler said of the incident, “I think it’s really telling about the state
of the economy, the internet economy, that what they’re doing is actually
considered pretty common.” [23]
What’s in a Name?
For avid users of Facebook, Twitter, and other social media websites, the
collection and sale of personal data may not seem like a big deal. After all,
people reveal plenty of personal details about themselves directly through
their profile pages. Being unconcerned about data privacy is unwise, however,
if only because the monetization and distribution of personal information by
private companies could increase someone’s risk of identity theft. Add the fact
that many dossiers constructed by data brokers aren’t even accurate, and the
practice of selling data becomes even more alarming. [24]
Opting Out
At the moment, there’s little that individual users can do to correct inaccurate
dossiers created by data brokers. The data is hard to find and is distributed in
such a manner that incorrect copies might proliferate even if the data broker
makes every effort to remove inaccuracies from a profile. In some states,
consumers have filed lawsuits to force data collectors to correct inaccurate
information. A Virginia resident named Thomas Robins, for example, sued the
website Spokeo after he discovered that the site listed him as a 50-year-old
married man with children who was working in a technical field, a description
that didn’t match him at all. Spokeo is a people search engine, a website that
uses publicly available data from courts and local governments to list people’s
names, phone numbers, addresses, and other personal information in a
manner similar to a phone book. Robins’s case was initially escalated to the
Supreme Court, which found that Robins had provided insufficient evidence
for his claim that Spokeo’s inaccuracies had harmed his ability to get a job.
The US Court of Appeals for the Ninth Circuit eventually ruled in Robins’s
favor, but since his case was not taken up again by the Supreme Court, it
hasn’t resulted in any broader changes in how companies collect, list, and
verify information online. [28] [29]
Limiting the amount of information data brokers can gather, and opting out of
services like Spokeo that collect and display information from public records,
can provide internet users with some amount of protection. However, users
who decide to actively opt out of data broker services should know that they
may have to repeat the process every few months, as some companies use
automatic collection methods to grow their lists. Using ad blockers, deleting
unnecessary smartphone apps, and opting out of pre-approved credit cards
can also limit the amount of information that third parties can track.
Ultimately, however, the most effective method for limiting data collection is
to never go online in the first place. Even then, personal information can still
end up in the hands of data brokers through the activity of friends and family.
Individual responses cannot address the wider privacy concerns caused by
data brokering. Comprehensive legislation could provide users with more
online protections, and allow them to opt out of any service that might make
nefarious use of personal information. [30] But so far that legislation has not
been enacted. For now, at least, the data trade is still heating up.
References