An “information Big Bang.” That’s how in 2018 data privacy advocate Cameron Kerry described the growth of personally identifiable information (PII). In a thought-provoking piece on data privacy, he predicted “the data explosion that has put privacy and security in the spotlight will accelerate.”
He couldn’t have been more correct. DeleteMe has been tracking the availability of personal information online for years, and the growth rate – both in terms of quantity and detail of PII being sold – has more than doubled since 2019.
While a large portion of that growth has been driven by more people moving online for both shopping and work during the Covid pandemic, the growth in information detail is also a product of newer methods of information gathering and data brokers’ improved ability to connect the dots between individuals and their networks of associations.
And this greater level of personal detail is fueling new kinds of online threats (like ransomware), as well as making existing ones (like identity theft and fraud) easier for bad actors and more damaging for consumers.
Leveraging our internal research and survey data, DeleteMe is publishing our 2021 PII Marketplace Report to share insights about the growth of the online personal information ecosystem, and the problems it’s creating for consumers and businesses.
Below are four of our key findings:
1. PII Availability Is Growing
The amount of personal information available online is growing rapidly. Between 2019 and 2021, the volume of PII (measured by individual pieces of information like names, addresses, phone numbers, relations, job details, and other details) grew 150%, fueled by ‘more people moving online’ as well as expanding detail in individual profiles on data broker sites.
A significant portion of this growth can be attributed to the pandemic. Since restrictions and social distancing began, people have started using the internet in new or different ways than before the outbreak. More of us are now working, shopping, and socializing online, with almost a third of American adults saying they’re online “almost constantly.” However, we’re also required to share more data about ourselves, with more types of people, at every form of commercial or social interaction. Whether it’s shopping at a new (online or retail) vendor, interacting with our network of personal contacts, trying to maintain personal health, or even simply parking our cars, everything we do is being mediated by services that demand more personal detail.
2. PII Itself Is Becoming More Detailed
The problem is not just that there’s more PII; it’s also that the kind of information that is discoverable is becoming more robust. Compared to 2019, when DeleteMe typically found 255 pieces of PII per user, in 2021, we found an average of 491 points of data for each individual. This represents an increase of more than 60% in one year.
Raw, directory-level data – like names and phone numbers – have long been accessible from public sources like phone directories and voter records. However, acquiring more sensitive information, like our age, work history, credit score, social media activity, and criminal background, used to be much harder. It also usually necessitated paying a significant fee.
This has since changed. Data is now farmed from our browser histories/mobile applications, business transactions, social media profiles & activity, and the inevitable institutional data breaches, all of which ultimately feed into dark-web marketplaces where consumer information is traded in vast quantities.
As a result, it’s now a trivial practice to link ‘directory-level’ personal data to a person’s location & travel patterns, time spent on various online and offline activities, keywords searched, and the names/frequency of sites they visit.
As evidenced by countless articles, including a 2020 Wirecutter piece titled “Big Companies Harvest Our Data. This Is Who They Think I Am,” not everything on an individual’s data broker profile may be correct. However, some things are bound to be right, especially now that data brokers have become better at cross-referencing personal information.
The increased accuracy of the information provided by data brokers plus the new level of detail available about pretty much anyone is incredibly valuable to a variety of third parties, including law enforcement agencies, marketers, and cybercriminals.
3. PII Feeds a Booming Industry of Consumer Fraud & Business Exploitation
While the motive for information gathering often originates with advertiser desires to better target consumers, the growing mountain of personal information has fed an ecosystem of both institutional and individual fraud, identity theft, and personal abuse/harassment.
On an individual level, we are also seeing more news stories that use supposedly anonymous device and app data to expose people’s personal lives.
Currently, there are no federal laws that would make the buying and selling of such “anonymized” data illegal, and government agencies are increasingly taking advantage of this loophole. In 2020, the Internal Revenue Service (IRS) was under investigation for buying Americans’ cellphone data in the hopes that it would help them track potential tax cheats. The Department of Homeland Security has done the same, as has the Defense Intelligence Agency, the FBI, Immigration and Customs Enforcement (ICE), and various US police departments.
On an organizational level, PII is driving an explosion of social engineering methods that enable successful ransomware attacks on businesses. The more personal information a threat actor has on someone, the easier it is for them to craft convincing phishing emails and communications that entice recipients to click on a malicious link or an attachment.
However, the easy availability of PII is not just a personal or organizational problem. According to Justin Sherman, a fellow at the Duke Center on Law & Technology at Duke University’s School of Law, it’s a national security issue. Because data vendors rarely discriminate against buyers, our PII could easily fall into the hands of foreign actors who could then use it for espionage purposes, to abuse election systems, or expose the military to risks.
4. Consumers Are Increasingly Aware of PII-Driven Problems, and Are Concerned
With consumers spending more time online, privacy concerns are becoming more mainstream. Our surveys found that more than half of consumers now want more stringent limits and greater transparency on how their PII is collected, shared, and used.
The kind of data consumers care about is changing too. In the past, individuals tended to be most worried about the disclosure of specific information such as their current or past employers, court records, or family information. Today, the average person is increasingly wary of having basic data, like date of birth, phone number, and email exposed, reflecting a growing awareness of the dangers of even basic identifying information.
This may have something to do with increasing consumer reliance on secondary authentication, and the knowledge that these methods are not invincible. Moreover, consumers feel most annoyed and at risk from robocalls, account breaches/identity theft, and harassment — threats fueled by basic data. Emerging technologies like facial recognition and location-tracking data also rank high on consumers’ list of worries.
As to who is most likely to abuse their PII — consumers currently still place quite a lot of trust in governmental organizations. That said, it’s worth noting that skepticism of these organizations is growing, no doubt due to recently published examples of law enforcement misuse of online data. Meanwhile, trust in commercial organizations and search engine providers regarding personal data continues to decline.
With PII leakage posing a rising threat to individual privacy, corporate cybersecurity, and personal well-being, tighter regulation on data collection and processing is needed.
State-level legislation like that currently in place in California, Virginia, and Colorado is a positive step. However, a federal privacy law similar to the EU’s GDPR needs to happen.
While comprehensive federal legislation remains beyond the horizon, more targeted legislation such as the “4th Amendment Is Not For Sale Act” (which would place limits on how PII can be shared between the private and public sector) or a single national “opt-out” standard like the Global Privacy Control Initiative (giving consumers greater control to opt out of personal data collection) may be critical near-future stepping stones.
Beyond that, better education about privacy is essential. Although our study found that more consumers are now taking the time to understand the privacy features and tools available to them, many still take no measures at all to protect their privacy online. And that’s a problem. The more people think that data privacy is utterly out of their control, the more power data vendors and everyone who uses them will have.