It is a truism of the digital age that while our preferences are sold by data brokers to companies, our names and identities are not disclosed. This allows corporate America to know that I like to ski and drink premium coffee – so it can harmlessly tailor my digital ad streams to include offers on discount tickets at a resort or a new java blend – all without compromising my privacy.
This tailoring allows social media platforms like Facebook to be free, while ensuring the ads I see are relevant. As for privacy, I could care less who knows that I like to ski or sip hot coffee.
Justin Sherman, a fellow at Duke University’s Sanford School of Public Policy who leads a research project into the “data brokerage ecosystem,” recently testified before the U.S. Senate Committee on Finance. He exploded these comforting truisms, demonstrating that our digital portraits are far more intimate than most Americans realize. Sherman said:
Data brokers gather your race, ethnicity, religion, gender, sexual orientation, and income level; major life-events like pregnancy and divorce; medical information like drug prescriptions and mental illness; your real-time smartphone location; details on your family members and friends; where you like to travel, what you search for online, what doctor’s office you visit, which political figures and organizations you support.
Your digital portrait, sans name and Social Security number, is then packaged in a bundle with like identities with file names like “Rural and Barely Making It,” “Retiring on Empty: Singles,” “Credit Crunched City Families,” “viewership-gay,” and “seeking medical care.”
Despite HIPAA and other healthcare privacy laws, health insurance companies can aggregate millions of Americans’ medical diagnoses, tests, prescriptions, and socioeconomic data, along with personal and family characteristics. Millions of members of the U.S. Armed Services also have their data swept up, which has allowed criminals to use service members’ data to sell them worthless education scams.
On top of what data brokers know, they also use algorithms to “infer” sensitive information about people, from income to sexual orientation. All of this is packaged and sold to companies along with extracted information about our lives, from our GPS location histories to our shopping receipts. In a related Wired piece, Sherman added that “reidentification has become horrifyingly easy.” In 2008, researchers at the University of Texas at Austin were able to identify by name half-a-million Netflix users’ political preferences and other potentially sensitive information from their movie ratings.
Perhaps most concerning of all is that foreign governments, from Russia to the People’s Republic of China, do not need to hack our computers to know everything about us. Like our own government, foreign governments can simply purchase our data. And in many markets, such as China, private companies (think TikTok) have a legal obligation to turn over our data as well.
Sherman sums up the scene by noting that data brokerage is almost wholly unregulated, declaring: “Data brokerage is a threat to civil rights, to U.S. national security, and to democracy.”
He recommends that Congress take three steps:
These recommendations contain much complexity and would require a great deal of policy finesse to avoid curtailing or collapsing legitimate businesses. We caution that Congress and states should take time to fully understand all the issues at play in data brokerage to avoid negative unintended consequences. A good first step, however, should be taken now – passage of legislation, the Fourth Amendment Is Not for Sale Act, which would at least limit the ability of the U.S. government to browse through our data, the most personal of our effects.