In 2011 we saw increased concern about, and scrutiny of, what exactly social networking sites do with the data you input, both internally and in what gets shared with third parties. But in 2012 some of that scrutiny will shift to those third parties as more people ask: What are they doing with my data? In fact, there is a whole shadow industry of data brokerage that sits quietly behind the scenes, buying and selling, categorizing, aggregating, sorting and marketing big bundles of data. Some players in this industry have tentacles that reach deep into the Internet, compiling mashups of composite data, gathered from both free and non-free sources, normally under the thin guise of “providing you more relevant results/ads/whatever” after you “personalize your settings.” According to the Privacy Rights Clearinghouse list at the time of writing, there are over 200 organizations involved in variations on this theme, no small number.
The reason websites/services can “provide you with more relevant _____” after you “personalize your settings” is that your information gets mined, sliced, diced and sold in the marketplace, not that the parties involved love you. This is big business. The machine that brokers the data, with or without value added, is the wild west of data – yours.
That’s the rub – they’re making money off your data, and you don’t really know what happens to it. That’s why they want to know your likes and dislikes, preferences for sites you visit, vendors you do business with. If I followed you around the town for a day and noticed things like where you visited, shopped, dined, what vehicle you drove, what kind of drinks you prefer and when you purchased them, I’d have a tidy profile about you that has real marketing value. This is exactly what these companies are involved in, although they gather the information as you sit on the couch in your sweats late at night, or as you tap on your smartphone while waiting for an appointment.
They normally counter with the argument that the data is anonymized, and therefore, doesn’t violate privacy law. But if I followed you around for a day and figured out all of the above, plus where you live, how anonymous is the composite? After all, if I walked up to your house and knocked on your door, I’d know an awful lot about you specifically, not the generic “you as a data point.” Your name and personal details are then fairly easy to correlate. Data brokers command higher prices based on the accuracy and granularity of their data, so obviously they’d be financially motivated to provide higher levels of accuracy, which are obtained by gathering more data points and developing a more accurate digital dossier of you, which is then worth more in the market.
Also, their data has another value: trending. If I can watch your trends over time, I now can provide more accurate predictions to my customers about what you may be interested in purchasing in the future. This is a composite “you may also like” feature on steroids, which also has market value, especially as it becomes increasingly accurate over time due to data resolution improvements. While not every attempt to customize results for the user is ill-intentioned, the fact is that the information may prove too tempting not to monetize, and what recourse does the user have once it’s out there?
So far, very little attention has been given to this whole shadow industry. I still think the day of intense scrutiny is a ways off, like the second half of 2012 at least, but it’s coming. It will become front and center when parts of the shadow industry behave badly, or overstep bounds, and then hit the headlines, prompting other inquiries for businesses similarly situated. But by then, with ever-deeper silos of information about you out in the marketplace, controlling the data sprawl will be very difficult.
In the meantime, if the data is inaccurate and things like employment decisions are made using it without disclosing it to an applicant, it sends a confusing signal to an otherwise strong candidate, you. Normally this is countered by the employer saying they were just drawing from a large, qualified pool, rather than admitting they poked around and found a misreported “problem” with you. Think credit reports. How hard is it to remove an inaccurate entry? But this time, we’re not even entirely sure who to go to in order to remedy the situation. So while mostly invisible, they may have a very direct impact on consumers’ lives, and the consumer may have very little recourse until it’s too late.
Author Cameron Camp, ESET