Wednesday, June 25, 2014

PRIVACY: Is there anything that's secret?

Everything We Know About What Data Brokers Know About You

Facial Recognition Japan animated GIFby Lois Beckett ProPublica.

June 13, 2014: This story has been updated. It was originally published on March 7, 2013.

We've spent a lot of time this past year trying to understand how the National Security Agency gathers and stores information about ordinary people. But there's also a thriving public marketfor data on individual Americans—especially data about the things we buy and might want to buy.

Consumer data companies are scooping up huge amounts of consumer information about people around the world and selling it, providing marketers details about whether you're pregnant or divorced or trying to lose weight, about how rich you are and what kinds of cars you drive. But many people still don't know data brokers exist.


The Federal Trade Commission is pushing the companies to give consumers more information and control over what happens to their data. The White House released a report this May outlining concerns that these detailed consumer profiles might lead to race or income-based discrimination—what the White House called "digital redlining."

It's very hard to tell who is collecting or sharing your data—or what kinds of information companies are collecting. Early this year, Office Max sent a letter to a grieving father addressed to his name, followed by "daughter killed in car crash."

Here's a look at what we know—and what we don't—about the consumer data industry.


How much do these companies know about individual people?

They start with the basics, like names, addresses and contact information, and add on demographics, like age, race, occupation and "education level," according to consumer data firm Acxiom's overview of its various categories.

But that's just the beginning: The companies collect lists of people experiencing "life-event triggers" like getting married, buying a home, sending a kid to college—or even getting divorced.

Credit reporting giant Experianhas a separate marketing services division, which sells lists of "names of expectant parents and families with newborns" that are "updated weekly."

The companies also collect data about your hobbies and many of the purchases you make. Want to buy a list of people who read romance novels? Epsiloncan sell you that, as well as a list of people who donate to international aid charities.

A subsidiary of credit reporting company Equifax even collects detailed salary and pay stub informationfor roughly 38 percentof employed Americans, as NBC news reported. As part of handling employee verification requests, the company gets the information directly from employers.

Equifax said in a statement that the information is only sold to customers "who have been verified through a detailed credentialing process." It added that if a mortgage company or other lender wants to access information about your salary, they must obtain your permission to do so.

Of course, data companies typically don't have all of this information on any one person. As Acxiom notes in its overview, "No individual record ever contains all the possible data." And some of the data these companies sell is really just a guess about your background or preferences, based on the characteristics of your neighborhood, or other people in a similar age or demographic group.


Where are they getting all this info?

The stores where you shop sell it to them.

Datalogix, for instance, which collects information from store loyalty cards, says it has information on more than $1 trillion in consumer spending "across 1400+ leading brands." It doesn't say which ones. (Datalogix did not respond to our requests for comment.)

Data companies usually refuse to say exactly what companies sell them information, citing competitive reasons. And retailers also don't make it easy for you to find out whether they're selling your information.

But thanks to California's "Shine the Light" law, researchers at U.C. Berkeley were able to get a small glimpse of how companies sell or share your data. The studyrecruited volunteers to ask more than 80 companies how the volunteers' information was being shared.

Only two companies actually responded with details about how volunteers' information had been shared. Upscale furniture store Restoration Hardware said that it had sent "your name, address and what you purchased" to seven other companies, including a data "cooperative" that allows retailers to pool data about customer transactions, and another company that later became part of Datalogix. (Restoration Hardware hasn't responded to our request for comment.)

Walt Disney also responded and described sharing even more information: not just a person's name and address and what they purchased, but their age, occupation, and the number, age and gender of their children. It listed companies that received data, among them companies owned by Disney, like ABC and ESPN, as well as others, including Honda, HarperCollins Publishing, Almay cosmetics, and yogurt company Dannon.

But Disney spokeswoman Zenia Mucha said that Disney's letter, sent in 2007, "wasn't clear" about how the data was actually shared with different companies on the list. Outside companies like Honda only received personal information as part of a contest, sweepstakes, or other joint promotion that they had done with Disney, Mucha said. The data was shared "for the fulfillment of that contest prize, not for their own marketing purposes."


Where else do data brokers get information about me?

Government records and other publicly available information, including some sources that may surprise you. Your state Department of Motor Vehicles, for instance, may sell personal information— like your name, address, and the type of vehicles you own—to data companies, although only for certain permitted purposes, including identify verification.

Public voting records, which include information about your party registration and how often you vote, can also be bought and sold for commercial purposesin some states.


Are there limits to the kinds of data these companies can buy and sell?

Yes, certain kinds of sensitive data are protected—but much of your information can be bought and sold without any input from you.

Federal law protects the confidentiality of your medical recordsand your conversations with your doctor. There are also strict rules regarding the sale of information used to determine your credit-worthiness, or your eligibility for employment, insurance and housing. For instance, consumers have the right to view and correct their own credit reports, and potential employers have to ask for your consent before they buy a credit report about you.

Other than certain kinds of protected data—including medical records and data used for credit reports—consumers have no legal right to control or even monitor how information about them is bought and sold. As the FTC notes, "There are no current lawsrequiring data brokers to maintain the privacy of consumer data unless they use that data for credit, employment, insurance, housing, or other similar purposes."


So they don't sell information about my health?

Actually, they do.

Data companies can capture information about your "interests" in certain health conditions based on what you buy—or what you search for online. Datalogix has lists of people classified as "allergy sufferers" and "dieters."Acxiom sells data on whether an individual has an "online search propensity" for a certain "ailment or prescription."

Consumer data is also beginning to be used to evaluate whether you're making healthy choices.

One health insurance company recently bought data on more than three million people's consumer purchases in order to flag health-related actions, like purchasing plus-sized clothing, the Wall Street Journal reported. (The company bought purchasing information for current plan members, not as part of screening people for potential coverage.)

Spokeswoman Michelle Douglas said that Blue Cross and Blue Shield of North Carolina would use the data to target free programming offers to their customers.

Douglas suggested that it might be more valuable for companies to use consumer data "to determine ways to help me improve my health" rather than "to buy my data to send me pre-paid credit card applications or catalogs full of stuff they want me to buy."


Do companies collect information about my social media profiles and what I do online? (Updated June 12, 2014)

Yes.

As we highlighted last year, some data companies record—and then resell—all kinds of information you post online, including your screen names, website addresses, interests, hometown and professional history, and how many friends or followers you have.

Acxiom said it collects information about which social media sites individual people use, and "whether they are a heavy or a light user," but that they do not collect information about "individual postings" or your "lists of friends."

More traditional consumer data can also be connected with information about what you do online. 

Datalogix, the company that collects loyalty card data, has partnered with Facebook to track whether Facebook users who see ads for certain products actually end up buying them at local stores, as the Financial Times reported in 2012.

In fact, the effort to connect online and offline information about you is one of the hottest new trends in the data industry. Companies are increasingly trying to use information about your offline purchases to target you online.

And it's not limited to what you buy: in the 2012 elections, companies were able to match your voting record to a cookie on your computer—allowing candidates to target you with online ads based on whether you're a registered Democrat or Republican—or how much you donated to political campaigns before.


Is there a way to find out exactly what these data companies know about me? (Updated 6/12/2013)

Not really—although that's beginning to change.

You have the right to review and correct your credit report. But with marketing data, there's often no way to know exactly what information is attached to your name—or whether it's accurate.

Most companies offer, at best, a partial picture.

ProPublica's Julia Angwin requested information about herself from data brokers, and was "equally irked by the reports that were wrong—data brokers who thought I was a single mother with no education—as I was by the ones that were correct—is it necessary for someone to track that I recently bought underwear online?"

In September 2013, Acxiom debuted aboutthedata.com, which allows to you review and edit some of the company's marketing data on you, by entering your name, address, birth date and the last four digits of your social security number.

The Federal Trade Commission's Julie Brill tweeted that "more data brokers should follow" Acxiom's example. But the effort received mixed reviewsfrom users, privacy advocates and government regulators, the New York Times reported.

Previously, Acxiom only let customers review a smaller sliceof the information the company sells about them, including criminal history, as New York Times reporter Natasha Singer described in 2012. When Singer requested and finally received her report in 2012, all it included was a record of her residential addresses.

Other companies also offer some access. A spokeswoman for Epsilon said it allows consumers to review "high level information" about their data—like whether or not you've purchased "home furnishings" merchandise. (Requests to review this information cost $5 and can only be made by postal mail.)

RapLeaf, a company that advertises that it has "real-time data" on 80 percent of U.S. email addresses, says it gives customers "total control over the data we have on you," and allows them to review and edit the categories it associates with them (like "estimated household income" and "Likely Political Contributor to Republicans").


How do I know when someone has purchased data about me?

Most of the time, you don't.

When you're checking out at a store and a cashier asks you for your Zip code, the store isn't just getting that single piece of information. Acxiom and other data companies offer services that allow stores to use your Zip code and the name on your credit card to pinpoint your home address— without asking you for it directly.


Is there any way to stop the companies from collecting and sharing information about me? (Updated 6/12/2013)

Sometimes—but it requires a whole lot of work.

Some data brokers offer consumers the chance to "opt out" of being included in their databases, or at least from receiving advertising enabled by that company. Rapleaf, for instance, has a "Permanent opt-out" that "deletes informationassociated with your email address from the Rapleaf database."

But to actually opt-out effectively, you need to know about all the different data brokers and where to find their opt-outs. Most consumers, of course, don't have that information.

We collected a list of data brokers that will give you copies of your data, and another list of data brokers that allow you to opt-out.

Of the 212 data brokers she identified, less than half—92—accepted opt-outs. For most of them, the op-out process was laborious. Many required her to submit some form of identification, such as a driver's license, in order to opt out. In some cases, she wrote, "I decided not to opt-out because the service seemed so sketchy that I didn't want to send in any additional information."

But she was able to clear her information from some databases: "A search for my name on some of the largest people-search websites, such as Intelius and Spokeo, yields no relevant results," she wrote.

In a 2012 privacy report, the FTC suggested that data brokers should create a centralized websitethat would make it easier for consumers to learn about the existence of these companies and their rights regarding the data they collect.


How many people do these companies have information on?

Basically everyone in the U.S. and many beyond it. Acxiom, recently profiled by the New York Times, says it has information on 500 million people worldwide, including "nearly every U.S. consumer."

After the 9/11 attacks, CNN reported, Acxiom was able to locate 11 of the 19 hijackers in its database.


How is all of this data actually used?

Mostly to sell you stuff. Companies want to buy lists of people who might be interested in what they're selling—and also want to learn more about their current customers.

They also sell their information for other purposes, including identity verification, fraud prevention and background checks.


If new privacy laws are passed, will they include the right to see what data these companies have collected about me?

Unlikely.

In a 2012 report on privacy, the Federal Trade Commission recommended that Congress pass legislation"that would provide consumers with access to information about them held by a data broker." President Barack Obama has also proposed a Consumer Privacy Bill of Rightsthat would give consumers the right to access and correct certain information about them.

But this probably won't include access to marketing data, which the Federal Trade Commission considers less sensitive than data used for credit reports or identity verification.

In terms of marketing data, "we think at the very least consumers should have access to the general categories of data the companies have about consumers," said Maneesha Mithal of the FTC's Division of Privacy and Identity Protection.

Data companies have also pushed back against the idea of opening up marketing profiles for individual consumers' inspection.

Even if there were errors in your marketing data profile, "the worst thing that could happen is that you get an advertising offer that isn't relevant to you," said Rachel Thomas, the vice president of government affairs at the Direct Marketing Association.

"The fraud and security risks that you run by opening up those files is higher than any potential harm that could happen to the consumer," Thomas said.

How do data brokers impact you? See the back-and-forth from 2013 Twitter chat with three privacy reporters.