Widespread surveillance has been normalized. To access our sensitive data, companies routinely scrape the internet, tap IoT devices, and monitor our phones around the clock. Unfortunately, we have virtually zero visibility into the shadowy ecosystem that is the data brokerage industry.
However, every so often, a data breach occurs that exposes how disreputable many of these businesses are. For example, a data breach from last summer revealed that a now-defunct broker, DeepSocial, had been aggregating and packaging data from 235 million social media profiles. Although such activity is against the terms of service of Facebook and Instagram, it is not technically illegal, assuming the information is publicly facing and none of the data belongs to minors; collecting minors’ data would likely be a COPPA violation.
DeepSocial may be gone, but the data brokerage ecosystem is thriving. As individuals, we neither have insight into the transactional process of these brokers, nor do we have any federal rights to change any of our personal information that is incorrect. Perhaps more importantly, as it currently stands, the FTC doesn’t have a strong federal data privacy law that would enable the agency to investigate unscrupulous data brokers.
Put simply, the data brokerage industry is in dire need of regulation. As Duke University cyber policy fellow Justin Sherman notes in his recent report,
“The data brokerage ecosystem represents the unrestrained aggregation of surveillance power as a service.”
The data brokerage world: “surveillance power as a service”
Seeing as all outsourced services seem to eventually morph into an “-aaS” acronym, let’s run with Sherman’s “surveillance power as a service” (SPaaS) designation; after all, it is certainly an apt description of the data brokers’ business model.
Data brokers gather information on individuals via many different methods. They crawl government records, use applications to pull data, and purchase or license data from a bevy of third parties. After successfully tracking and aggregating users’ locations, life events, purchases, financial data, political affiliations, and lifestyle interests, these brokers turn around and sell it to the highest bidders—be it insurance companies, super PACs, corporations, asset management firms, or intelligence agencies.
Moreover, as it currently stands, there is virtually nothing in U.S. federal law that limits the selling of this data. In fact, there is not even a shared definition of a “data broker” in federal law. At the state level, Vermont and California do require brokers to register with the state; however, each state’s narrow legal definition of “broker” allows most companies that buy and sell data to operate without any need to disclose their actions.
For the most part, data brokers are operating with impunity, and the industry is unregulated.