Incognito — August 2023: Government Agencies Use Data Brokers to Snoop
July 27, 2023
Welcome to the August 2023 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.
Here’s what we’re talking about this month:
Confirmed – government agencies are using data brokers to snoop on us. Here’s what you need to know.
Recommended reads, including “Google Confirms It Uses Public Data to Train Its AI.”
Q&A: Is Meta’s Threads really terrible for privacy?
There have been reports of government agencies using data brokers to spy on Americans for decades. Now, a newly declassified government report confirms that the US government is, in fact, using data brokers to learn more about US citizens.
Read on to learn why this matters.
The Big Picture
A newly declassified report from the Office of the Director of National Intelligence (ODNI) verifies that government agencies buy sensitive data about millions of Americans from data broker sources.
For example, the report outlined how the Defense Intelligence Agency uses data brokers for social media reports on persons seeking a security clearance.
This is not good news. There are a ton of problems with the US government being able to acquire information on us without our knowledge or consent.
Fourth Amendment Who?
The Fourth Amendment doesn’t apply to information obtained from data brokers, which means:
Obtaining Americans’ sensitive data is super easy for government agencies to do. The kind of information government agencies are acquiring through data brokers today would previously have had to come from targeted and predicated collection, like search warrants and wiretaps.
There’s very little accountability. No one really knows which government agencies are buying information from data brokers or what they do with this data.
What about Carpenter v. United States? In the 2018 Carpenter case, the Supreme Court ruled that the government needed a warrant to force companies to share sensitive data with them. But when they use data brokers, government agencies aren’t forcing anyone to do anything – they’re simply making a business transaction.
Good news. The Fourth Amendment Is Not for Sale Act, legislation that would stop government agencies from being able to buy Americans’ information from data brokers, passed the House Judiciary Committee, which means it’s that bit closer to becoming a federal law. The bill is now off to the full House.
Who Cares, It’s All Anonymized… Right?
Wrong. While data brokers say that the information they sell is largely anonymous, previous research shows that de-anonymizing personal data is not only possible but easy – as long as you have enough data points about someone. The ODNI report confirms this, too.
Tip: This digital tool created by privacy researchers shows you how easy it would be to re-identify you from an anonymous data dump.
Whatever, I’ve Got Nothing to Hide
The fact that you’re reading this means that you probably care about your privacy and don’t love the idea of government agencies knowing your business.
Data broker information can reveal a ton of little details about our lives, including whether we attended a specific rally or religious event. Data like this can be used to “pry into private lives, ruin reputations, and cause emotional distress and threaten the safety of individuals.”
And, as already mentioned, there’s no telling who within government agencies has access to our data. The report itself notes that it’s not impossible that our personal information could end up being used for harassment, blackmail, stalking, and similar purposes, including LOVEINT abuses (government officials spying on their love interests).
Moreover, information collected for one purpose may end up being used for something else. For example, the Centers for Disease Control and Prevention (CDC) bought location data to see if Americans complied with Covid-19 restrictions, but the government agency had other plans for this data, too.
Besides, it’s your money that’s being spent on this sneaky data collection. “Americans should be furious their tax dollars are being used to buy their own personal information, even if they’re not suspected of any crime,” said Senator Ron Wyden (one of the people to introduce The Fourth Amendment Is Not for Sale Act) in an interview with Vox.
Stopping Government Surveillance
The government will probably never ask you to carry a tracking device everywhere you go or share all your social interactions. They don’t have to.
With smartphones, the Internet of Things (IoT), and similar technologies, plus data brokers collating all this information in one central place, this is pretty much what has happened, without your permission. (Well, technically, with your permission – but who really reads the terms and conditions of every app, device, etc., they use?)
With government surveillance now relying largely on data brokers, stopping these shadowy operators who trade in our personal information is critical.
In the absence of legislation reining in data brokers, your best bet is to keep doing what you’ve probably been doing already: opting out of data brokers, keeping your socials private, and deleting apps you don’t need.
Our recent favorites to keep you up to date in today’s digital privacy landscape.
Spyware Found on Google Play Store
Security researchers found two spyware apps masquerading as file management tools on Google Play. The two apps have a total of 1.5 million installs and collect excessive, sensitive user data (including real-time location, users’ contact lists, and pictures, videos, and audio recovered or managed from within the apps) that is then sent to servers in China.
Tech Support Scams Go Analog
The FBI’s Internet Crime Complaint Center released a bulletin warning about tech support scams that target older Americans. Scammers contact individuals via the phone, email, or a popup and, after an elaborate scam that involves remote access software and promises of a refund, tell the victim to send cash wrapped in a magazine through a shipping company.
Estee Lauder Hacked by Two Ransomware Groups
The beauty company Estee Lauder appears to have been hacked by two separate ransomware groups – BlackCat and Clop – after appearing on their leak sites. The company said it took steps to stop attackers from expanding within the network, but BlackCat said it still had access, while Clop said it had more than 131GB of Estee Lauder’s data.
Google Confirms It Uses Public Data to Train Its AI
You Asked, We Answered
Here are some of the questions our readers asked us last month.
Q: Can I keep my professional and personal online profiles separate? I don’t want someone who finds me on LinkedIn to also be able to find my Twitter.
A: Really good question!
What you’re talking about here is a relatively popular concept known as privacy by compartmentalization.
In your case, the goal would be to only have your professional accounts and information come up when someone searches your real name online.
This involves the following steps:
Only using your name for either professional or personal accounts. So, if you use your real name for LinkedIn, use a pseudonym for Twitter and other personal accounts.
Creating and using a separate, dedicated email address and phone number for LinkedIn.
Not sharing your birthday, real phone number, and other personal information on work accounts.
Not connecting/referencing your personal accounts on your LinkedIn.
Only publishing information that is related to your job/career on LinkedIn.
Not uploading a photo on LinkedIn if you don’t have to.
Opting out of data brokers (who often connect people’s personal and professional lives).
Really determined individuals may still be able to connect your professional and personal lives. However, by doing the above, you will make it much, much harder.
Q: Is Meta’s Threads really that terrible for privacy?
At the same time, Threads’ data collection practices are not any worse than those of other Facebook products, like Instagram, which you may be using already.
In an interview with Forbes, global cybersecurity advisor at ESET Jake Moore said, “If people are already invested in Instagram, I think the natural step of adopting Threads is a straightforward move at no extra cost to privacy.”
That being said, Moore also says there’s no knowing how Threads’ data collection and use practices may change in the long term.
The general consensus seems to be: If you’re already in the Meta ecosystem and are looking for a Twitter replacement, there’s probably no harm in trying Threads (just remember that if you decide to delete your Threads account, you will also delete your Instagram).
If you’re not in the Meta ecosystem, however, you’re probably better off avoiding Threads, especially considering that there are other alternatives.
Back to You
We’d love to hear your thoughts about all things data privacy.
Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).
Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.
Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?
That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.