Why Brokers, Not Breaches, Are America’s Largest Privacy Threat

By Rob Shavell, Co-Founder and CEO of DeleteMe.

Corporate data breaches have become so commonplace that they barely register as newsworthy events anymore. The number of records compromised by hacks increased by 141% in 2020, and massive social platforms like Facebook and commercial sites like Amazon and eBay have repeatedly suffered data leaks over the past year with no significant outcry or change in behavior from users. However, even as data breach numbers soar, the average person’s life is generally unaffected by corporate cybersecurity events. This is why data brokers, and *not* data breaches, are America’s largest privacy threat.

The reason is that hackers targeting corporate institutions, for the most part, aren’t as interested in the contents of exfiltrated data as they are in the financial gain to be made by selling it to third parties or extracting ransom payments from companies with disrupted operations. Unfortunately, this doesn’t mean consumers are off the hook whenever their data is compromised.

The real-world consequences of corporate data insecurity can quickly become apparent to the average internet citizen when they Google their name. Finding your personal information in unexpected places online can be an unwelcome surprise. However, it also provides valuable insight. The biggest threats to personal information privacy don’t necessarily come directly from corporate data breaches but rather from the thriving and mostly legitimate data brokerage industry. An entire industry of data brokers sources, collates, and sells our personal information, and it is built on monetizing consumers’ personal lives.

What Are Data Brokers?

A shadow industry of data brokerage flies underneath most people’s radar. Lesser-known companies like Equifax, Epsilon, and TransUnion have become so efficient at collecting, compiling, and selling personal information that one company alone, Acxiom, can claim to hold multiple pieces of information on 10% of the world’s population, including data like date of birth, ethnicity, marital status, political party, presence of children, household interests, and similar. Other examples of information data brokers may collect include your home address, Social Security number, number of rooms and baths in your home, apparel preferences, and ability to afford products. Let’s be honest — that’s way too much information, and yet that’s just the tip of the iceberg. 

With this information assembled into easily accessible profiles, the enormous privacy risk data brokers present to individuals is evident. Whether through selling your information to malicious actors or falling victim to breaches themselves, data brokers directly increase the chances someone may fall victim to threats like doxxing, credit fraud, and even identity theft. Nevertheless, what they do is not only completely legal but constitutes a multi-billion dollar business based on monetizing your data, mostly without your consent or knowledge.

Your Private Information Is Not Private

To comprehend the issue of data brokers, the first thing web users need to understand is that abuse of user data is a feature rather than a bug in today’s digital world. Tim Berners-Lee, the creator of the World Wide Web, noted this fact in a recent letter where he highlighted the rise of “perverse incentives, where user value is sacrificed, such as ad-based revenue models” as a major threat to our security and freedom online.

Unfortunately, as noted by Berners-Lee, the concept of “privacy” is often at odds with the business models that power most online services. Social media sites are obvious offenders. While social media sites may not sell user data directly (although a UK governmental inquiry revealed that Facebook founder Mark Zuckerberg once suggested charging developers $0.10 a year to access a single user’s data), they nonetheless effectively rent marketers access to their users. Whenever an advertiser uses a service like Facebook, they get access to a vast suite of information about users.

Leveraging the vast trove of information people put online themselves, third-party data brokers often scrape social media directly. However, brokers also buy data from other companies as well as scour publicly accessible databases, like voter records, to collate comprehensive profiles and put people into specific categories. For example, a 2014 Federal Trade Commission investigation discovered that data brokers categorize consumers based on their financial transaction data. Common categories include “Bible Lifestyle,” “Leans Left,” “Plus-size Apparel,” “Novelty Elvis,” and “Modest Wages.” They then sell this information to pretty much anyone willing to pay for it. Showing how extensive and interconnected this personal information business ecosystem is, Facebook even buys user information from data brokers to better target ads.

In most instances, the end result of this process for the consumer is a barrage of highly targeted ads. However, in some cases, data broker profiles may be incorrect and lead to severe consequences. Miscategorized by data brokers, individuals can face negative consequences like higher insurance premiums or missed job opportunities, all without ever knowing why. The availability of user profiles on data broker sites also makes it far easier for cybercriminals to scam people and launch attacks on companies.

Privacy Laws Are Lagging

Against the threat outlined above, current privacy legislation is woefully insufficient. For privacy abusers like social media companies and data brokers, the law is generally on their side.

In the case of social media companies, blatantly abusive data practices are usually written into their terms of service policies that most people don’t read. On the other hand, because most of the data collected by data brokers is publicly available, they are not breaking the law by collecting it. While privacy laws are gaining momentum at the state level, at the moment, there is no federal law governing how people’s private data is collected, bought, and sold, either by social media sites or data brokers.

How to Take Back Control of Your Data

In a world where your information is collected, abused, and monetized multiple times over by both the online services you use as well as by third parties you have never even heard of, privacy can seem like an elusive goal. However, protection is still possible. Here are three quick tips for taking back command of at least a portion of personal information privacy.

1. Use social media wisely

Everything you share online can be scraped and ultimately turned into your monetizable digital identity. It’s impossible to delete this information after the fact — even if you delete a post, picture, or another piece of information from your own social media page or blog, it will still exist somewhere else on the internet. It’s essential to bear this in mind when using social media and keep your accounts private whenever possible. 

2. Use privacy-focused software

Pay attention to how the online tools you use approach user privacy. For example, when it comes to internet browsers, Google Chrome is effectively a tool for harvesting user data. Alternatives such as Brave and Firefox allow the same level of functionality without abusing your data to nearly the same extent. 

3. Delete your name from data brokers

Data brokers are a clear villain in the privacy space. Fortunately, however, it is possible to remove your information from them. Most brokers have an opt-out policy of some kind; however, actually opting out is an intentionally onerous procedure and something that needs to be done continuously to stop your data from reappearing. To automate this process, data broker removal services can coordinate opting out on your behalf. 

Final Thoughts

In a Pew Research survey, 93% of Americans indicated that being in control of who can get information about them is important. Yet while privacy is something that the vast majority of people value, it is something that data brokers continually abuse, almost always without your knowledge. This obviously shouldn’t be the case.

In the long run, a combination of stronger federal legislation, alongside a new approach to how online services are monetized and privacy preferences are communicated, is needed. However, right now, the most powerful tool for privacy-focused individuals is awareness. After that, taking proactive steps like removing your name from data brokers, watching what you do on social media, and choosing privacy-orientated companies is vital.