Column: Shadowy data brokers make the most of their invisibility cloak
It shouldn’t surprise anyone that businesses use “secret” scores to grade consumers on a variety of factors, including creditworthiness and likelihood of declaring bankruptcy.
It’s been known for years that such scores exist. The New York Times highlighted the practice Monday with a look at one person’s score.
But the more insidious part of the equation is the largely unregulated industry of data brokers that make billions of dollars annually buying and selling people’s personal information — your information, not to put too fine a point on it.
Without these companies, there’d be no secret scores. They are the root of the problem.
“We have an entire data-collecting, data-sharing industry operating in the shadows,” said Dylan Gilbert, policy counsel for the advocacy group Public Knowledge. “The average consumer has no idea these companies even exist, let alone what their names might be.”
This is a big deal. As Harry Potter learned with his invisibility cloak, you can get up to all manner of mischief if no one can see you.
“If people have no idea what’s happening with their data,” Gilbert told me, “they have no way of truly protecting their privacy.”
That may finally be changing.
California Gov. Gavin Newsom last month signed into law a bill — AB 1202 — that requires data brokers to register with the state attorney general. Their names and contact information for the first time will be available to the public.
The data broker directory is among California’s sweeping privacy safeguards that take effect Jan. 1. Only one other state, Vermont, has similarly shined a light on data brokers.
At the federal level, lawmakers are considering the Data Broker List Act, which would create a national registry overseen by the Federal Trade Commission.
The bill has bipartisan backing. It was introduced by Sen. Gary Peters, a Michigan Democrat, and Sen. Martha McSally, an Arizona Republican.
However, Gilbert at Public Knowledge said he doesn’t expect the legislation to get anywhere amid the current focus on impeachment proceedings. Moreover, many privacy experts say the legislation doesn’t go far enough.
Michael Zimmer, an associate professor of computer science at Marquette University, called the federal bill “helpful but woefully inadequate.”
“Consumers really need meaningful regulation of data brokers,” he said. “They need the ability to access and correct their profiles, to limit how they may be used ... or to opt out completely.”
The danger of not knowing what’s behind the industry’s invisibility cloak was a theme that came up repeatedly in my conversations with privacy experts.
“The more data a company has on you, the more they are able to create a complete digital picture of who you are, and exploit that in a variety of means,” said Jordan Fischer, a law professor at Drexel University.
The data broker industry is believed to be worth about $200 billion. Some of the biggest players are known to all, such as the credit bureaus Experian, Equifax and TransUnion, which maintain files on millions of Americans.
Others are smaller, quieter firms that specialize in gathering people’s personal information from public and private sources, and making it available to other companies for marketing, employment, financial and other purposes.
“Creating a list of data brokers is a first step in helping consumers know who these actors are, but that does nothing to constrain their practices,” said Jen King, director of privacy at Stanford Law School’s Center for Internet and Society.
California’s new privacy law will allow consumers to instruct companies to delete their personal information and to opt out of having their information shared.
That means you’ll be able to contact your phone or cable company, say, and tell them to no longer make your personal info available to others. The law applies to any company doing business in the state.
Privacy experts I spoke with said it’s unclear at this point whether you’d be able to contact every firm listed on the state’s pending directory of data brokers and similarly tell them to knock it off.
For example, the privacy law says consumers can opt out of having their data shared by companies with third parties. But what if that company got its information about you from elsewhere? Is there still a third party if the first party (you) isn’t part of the picture?
“I’d say you could still opt out,” said Paul Schwartz, co-director of UC Berkeley’s Center for Law and Technology. “But there’s a little ambiguity.”
Even if you could, the onus would be on consumers to contact potentially hundreds of data brokers and opt out from each one individually — a task few people would have the time or patience to embark upon.
Moreover, how would you know if they’ve honored your opt-out request?
I went through California’s privacy law and couldn’t find any language addressing this question, other than a provision in Section 1798.135 that a business must “respect the consumer’s decision to opt out for at least 12 months” before seeking permission to resume data sharing.
Zimmer at Marquette University likened California’s and Vermont’s data broker directories to the federal do-not-call list — a well-intended idea that never lived up to its purpose.
The do-not-call list is a resource that “just about every telemarketer has figured out how to get around, let alone simply ignore,” he said.
Data brokers haven’t exactly earned the public’s trust. In June, the Senate Committee on Banking, Housing and Urban Affairs held a hearing on how the industry operates.
Not one data broker showed up.
The solution is clearly to use an opt-in approach rather than opt-out. That is, requiring businesses to seek permission upfront before they can share data.
Unfortunately, we’re nowhere close to a law that so boldly, and explicitly, places consumer interests ahead of those of businesses.
“Having a list of data brokers is better than not having a list,” said William McGeveran, a law professor at the University of Minnesota. “But it’s still far short of accountability.”