Data brokers threaten your privacy – here’s what to know

If you’ve started noticing the term “data broker” in the past few months, you’re not alone. While they’ve been a problem for a while, a recent segment by John Oliver exploring how they work and Apple’s new ad highlighting the practice have both drawn attention to the issue, helping to bring this increasingly important practice out of the dark corners of the internet. If you’ve ever wondered about the details, here’s what you need to know.

Data brokers, also known as information brokers, are companies that aggregate, process, and license information to other companies. Although some of the data they sell is environmental or statistical, they often combine data about individual people from multiple sources to create lists of email addresses, phone numbers, or physical addresses that can be sold to marketers. This is the kind of practice that concerns us.

Data brokers are under intense scrutiny right now as people are understandably increasingly concerned about privacy. A Pew Research study found that 79% of Americans were concerned about the amount of data companies were collecting about them, and 81% of Americans believed that the potential risks of data collection outweighed the potential benefits.

What does a data broker do?

A sterile definition of a data broker is a company that collects, enhances, and then sells information to other companies. While this definition is strictly true, it paints a much nicer picture than what can happen with people’s data.

First, the collection. Data brokers collect information in a variety of ways, including purchasing it from third-party companies (for example, your credit card company, a grocery store loyalty program, or a free app), searching databases (such as court records, housing records, or social media), and directly tracking your online activities. If you’ve ever checked a box when registering on a site that says something like “you agree that we may share your data with certain third-party partners,” chances are your data has been sold to a data broker. Likewise, many free apps, including top social media and delivery apps, sell the data they collect to third parties.


Then, data brokers generally cleanse, combine and process the information they have collected. This involves things like merging different listings (like linking purchases you’ve made on a website with biographical information you’ve provided to a dating app), getting rid of redundant data (like purging international buyers from datasets they want to sell to US companies), and otherwise preparing it to sell in pre-packaged listings or as targeted market segments to other companies.

Finally, data brokers sell these listings, often under topics such as “high-income vegetarians” or “gym-goers who buy protein powder”, although sometimes under topics like “people with erectile dysfunction”, “people with alcoholism”, or worse.

Although data brokers and apps selling personal data are sometimes fined by the FTC for flagrant conduct, such as selling information used by scammers to defraud people or sharing sensitive data too broadly, the practices they use are mostly legal. The United States does not have federal data protection laws like the GDPR (the General Data Protection Regulation) in the EU.

For starters, most data collection is opt-in. You check a box indicating that it is acceptable for an application to share your data or for a service to track you with a cookie. Even if you never read the privacy policy, that is technically consent. (On iOS, you can go to Settings, then Privacy, then Tracking to learn more about Apple’s attempts to prevent apps from tracking you; here is more about the topic for Android users.)

Additionally, while data brokers claim that the data they sell is anonymized, researchers have found that supposedly anonymized datasets are surprisingly easy to de-anonymize. It only takes 15 characteristics (including age, gender or marital status) to re-identify someone 99.98% of the time. In a shocking example last year, a priest resigned after The Pillar, a Catholic news site, identified him using Grindr location data purchased from a broker.

And where the United States does have privacy laws, like HIPAA, which prohibits healthcare providers from sharing your data without your consent, they often do not apply to information you might share with, for example, an application that is not part of your healthcare organization. This is why the Electronic Frontier Foundation (EFF) calls for strict federal consumer data privacy laws.
