Incognito — May 2022: Data Brokers: The Middlemen of Capitalism
May 1, 2022
Welcome to the May 2022 issue of Incognito, a monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.
Here’s what we’re talking about this month:
Data brokers. Their business model is rooted in collecting as much data about you as possible and then selling it to third parties. How does this impact you? And is there anything you can do to stop them?
Recommended reads including “Meta Makes It Harder for Users to Doxx One Another.”
Q&A: I know it’s not okay to reuse passwords, but what about usernames? Should we have a different username for each account, or can we use the same one?
If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. You can also unsubscribe instantly if you like.
“If you’re not paying for it, you’re the product.” It’s a famous saying that most of us are familiar with. However, as we browse the internet, few of us realize the true extent to which we are being tracked online—and how our personal data is monetized.
The “Middlemen of Surveillance Capitalism”
Vice describes it as the “Industry That Unmasks People at Scale.” Wired calls the firms within the sector the “…middlemen of surveillance capitalism.” So what are data brokers?
Data brokers are companies that aggregate people’s personal information from various online and offline sources and sell this data to third parties.
The data these firms have on you can include your gender, age, sexual orientation, income, home address, if you’re married/divorced, your political affiliation, what kind of laundry detergent you prefer, whether you purchase adult material, and so on.
Data brokers get this data from: third-party cookies that track you across the web, public sources such as voter registration information, retailers’ purchase histories, social media, apps that track your location, and other data brokers.
Are You an “Affluent Baby Boomer” or a “Working Class Mom”?
Not only do data brokers collect all this information about us, but they also put people into specific categories.
As noted by the Federal Trade Commission, some of these categories, like “Dog Owner,” may seem benign. However, others are much more intrusive.
How would you feel if you found out that you were tagged as “Rural Everlasting,” a single person over the age of 66 with “low educational attainment and low net worth”? What about “Bible Lifestyle,” “Help Needed—I Am 90 Days Behind with Bills,” or “Diabetes Interest”?
That last one (“Diabetes Interest”) is especially interesting. If medical information is protected under HIPAA, how on earth do data brokers find out people are pregnant or have cancer? The answer is surprisingly simple: while the information you share with your physician is indeed confidential, your online health-related searches are not.
Why Your Insurance May Suddenly Be Higher
Data brokers don’t sell your information only to marketers who want to better target their ads.
Data brokers have a vast and varied client base that includes individual consumers, insurance companies, financial services firms, real estate services, and technology companies, among others.
For example, if you notice that your insurance bill has gone up for no apparent reason, it could be that your lifestyle or health has led data brokers to place you in a specific category, such as “Cholesterol Focus” or “Biking Enthusiast.”
Granted, the information that data brokers have on you and sell to others may not even be correct. For example, you may have searched online for information on cholesterol because a family member or friend has an issue, not you.
A few years back, a reporter for The Atlantic requested to see the data that a data broker had on her. As it turned out, almost 50% of the information was incorrect.
Unfortunately, data brokers do not allow individuals to edit their profiles.
A man who took a data broker to court in 2017 said that the erroneous information they had on him might have cost him job opportunities.
A Way to Circumvent or Break the Law
For government entities, data broker firms provide a way to get around the Fourth Amendment protection against “…unreasonable searches and seizures.” Federal agencies from the IRS to the FBI and US Immigration and Customs Enforcement have been found to regularly purchase this data without warrants or public disclosures.
Scammers can use this information to trick vulnerable people. In 2021, the data broker Epsilon was told to pay $127.5 million for helping scammers carry out elder fraud schemes.
Stalkers can use it to find their victims’ addresses and phone numbers.
What Are Data Brokers Saying?
Data brokers claim that the data they sell is “anonymized,” i.e., it can’t be linked to actual individuals.
Although that may sound reassuring, the reality is that data brokers provide enough information to connect data to people. Not long ago, researchers outlined a method that, according to them, makes it possible to successfully re-identify 99.98% of Americans in any dataset based on just 15 demographic attributes.
That anonymized data is never really anonymous was proven before. In 2006, the internet company AOL published anonymized search records of its users for research purposes. None of the users were identified. Instead, they were assigned account numbers. Still, many of the searches did contain personally identifiable information. Based on searches like “60 single men,” “landscapers in Lilburn, Ga,” and “numb fingers,” The New York Times was able to unveil the identity of person no. 4417749 as a widow living in Lilburn, Ga.
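A pre-release check that illustrates why removing names is not enough, added here as an example (it is not DeleteMe's code or the researchers' method): it measures how many rows in a name-free dataset become one of a kind as demographic attributes are combined. The rows, attribute names and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: "anonymized" rows with no names or account numbers.
RECORDS = [
    {"zip": "Z1", "birth_year": 1944, "gender": "F", "marital": "widowed"},
    {"zip": "Z1", "birth_year": 1944, "gender": "F", "marital": "married"},
    {"zip": "Z1", "birth_year": 1944, "gender": "M", "marital": "married"},
    {"zip": "Z1", "birth_year": 1971, "gender": "M", "marital": "single"},
    {"zip": "Z1", "birth_year": 1971, "gender": "M", "marital": "single"},
    {"zip": "Z1", "birth_year": 1988, "gender": "F", "marital": "single"},
    {"zip": "Z2", "birth_year": 1988, "gender": "F", "marital": "single"},
    {"zip": "Z2", "birth_year": 1990, "gender": "M", "marital": "married"},
]
ATTRS = ["zip", "birth_year", "gender", "marital"]


def group_sizes(records, attrs):
    """Count how many records share each combination of values on attrs."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def unique_fraction(records, attrs):
    """Fraction of records that are the only one with their combination."""
    sizes = group_sizes(records, attrs)
    alone = sum(1 for r in records if sizes[tuple(r[a] for a in attrs)] == 1)
    return alone / len(records)


def k_anonymity(records, attrs):
    """Smallest group size; k == 1 means at least one record stands alone."""
    return min(group_sizes(records, attrs).values())


def uniqueness_curve(records, attrs):
    """Unique fraction as each attribute is added, in the given order."""
    return [unique_fraction(records, attrs[:i]) for i in range(1, len(attrs) + 1)]


if __name__ == "__main__":
    for n, frac in enumerate(uniqueness_curve(RECORDS, ATTRS), 1):
        print(f"{n} attribute(s): {frac:.1%} of rows are unique, "
              f"k = {k_anonymity(RECORDS, ATTRS[:n])}")
```

A dataset is safer to release only when k stays well above 1 for every attribute combination a recipient could match against outside information.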
How Is Data Brokerage Still Legal?
Because data brokers get much of their information from public sources, their business model is technically legal. And although several states have passed legislation to rein them in, a comprehensive federal law hasn’t yet happened.
In addition, many politicians use data broker services themselves to drive their campaigns, from deciding whom to target and where to campaign to choosing the exact wording of their campaign messages.
How to Stop Data Brokers From Selling Your Information
You’re not completely helpless when it comes to data brokers. There are certain things you can do to make it harder for them to collect data about you and sell it to others.
Use a private web browser and search engine. To avoid trackers as you browse the internet, use a browser that takes privacy seriously, like Brave or Firefox, or a search engine like DuckDuckGo (which just launched a browser for macOS, currently in beta). Brave and DuckDuckGo now also block Google’s Accelerated Mobile Pages (AMP). Through AMP, a publishing technology, Google hosts content on its own servers, which makes pages load faster. However, privacy advocates say that AMP lets Google collect even more information about people’s browsing habits.
Avoid sharing information on social media and forums. Data brokers scrape social media platforms and even password-protected forums for personal information. The latest court ruling deems this practice legal. The only way to avoid this is to refrain from oversharing online.
Keep the number of apps you have on your phone to a minimum. Like websites, many apps have trackers that send your information, including your location data, to data brokers. If you’re an iPhone user, know that this happens even with Apple’s privacy policies in place.
Disable location tracking on your phone. Whether you’re using an Android phone or an iPhone, you can disable location tracking on your phone.
Know your rights. Depending on where you live, you may be able to see the kind of information data brokers hold on you. For example, under the California Consumer Privacy Act, residents of the state can opt out of data collection and ask data brokers to delete any information they have on them.
Opt out of data brokers. Data brokers don’t have to honor your request to opt out, but many do. We have a free guide on how to remove yourself from the most popular data brokers. However, the process varies from data broker to data broker. While some let you fill in a form, others may require you to create an account with them, mail your opt-out request or verify your request over the phone. Remember that data brokers will relist your data after a while, so it’s important to be on this task continuously. For those who don’t have the time to go through this process repeatedly but still value their privacy, DeleteMe’s data broker removal service can remove your information from these sites on your behalf.
Our recent favorites to keep you up to date in today’s digital privacy landscape.
LinkedIn Most Imitated Brand in Phishing Campaigns
The employment-oriented social media platform LinkedIn is now the most imitated site by social engineers. It accounted for 52% of phishing attacks across the world in Q1 of 2022. That’s a 44% increase from the last quarter. Other brands threat actors like to hide behind include DHL (14%), Google (7%), Microsoft (6%), FedEx (6%), WhatsApp (4%), Amazon (2%), Maersk (1%), AliExpress (0.8%), and Apple (0.8%).
Louis Vuitton Accused of Violating Illinois BIPA with Virtual Try-On Feature
The North American unit of the French luxury fashion house Louis Vuitton was sued for unlawfully collecting and storing consumer biometric data through its “Virtual Try-On” tool. The tool, which allows users to virtually try on eyeglasses, allegedly collects customers’ facial scans and other sensitive biometric identifiers and information without first informing users or getting their permission.
Clearview AI to Offer Its Services to Banks and Private Businesses
The controversial face recognition company Clearview AI is branching out. The company best known for selling its software to law enforcement agencies is now planning to provide its technology to banks and other private businesses. In this way, it hopes to compete with tech giants like Microsoft and Amazon in facial recognition verification. The company claims that the technology will not rely on its 20 billion image database used by the police.
Meta Makes It Harder for Users to Doxx One Another
By the end of the year, Meta (formerly Facebook) will end an exception to its policy that lets users post people’s residential information on the platform if it is publicly available. This is in response to a recommendation from Facebook’s own Oversight Board. On the other hand, Meta users will be able to post photos of home exteriors if they’re featured in a news story, except if it’s in the context of protests against residents.
You Asked, We Answered
Here are some of the questions our readers asked us last month.
Q: I know it’s not okay to reuse passwords, but what about usernames? Should we have a different username for each account, or can we use the same one?
For example, if a stalker or cybercriminal knows your username on one social networking site, they can type that username into Google and see your other accounts, including those on other social media (Instagram, Twitter, YouTube, etc.) and online forums.
In doing so, they can build an entire profile on you (i.e., where you live and work, who you’re friends with, what your interests are, and so on.)
Consequently, reusing your username — even if it doesn’t include identifying information like your name and surname — increases your risk of account hijacking, stalking, doxxing, identity theft, and social engineering attacks.
Q: Will doing a factory reset of my device reset my personal information?
A: That depends on the device. For computers and laptops with flash storage or a solid-state drive (SSD), you’ll also want to encrypt the drive before formatting it and resetting the operating system.
Wirecutter has a step-by-step guide on how to do this based on your operating system. You can skip the encryption step with computers and laptops that have a mechanical hard drive.
Since iPhones and iPads are encrypted by default, all you need to do is disable Find My Device before you do a factory reset. Most Android phones are also encrypted by default, but you should ensure this is enabled before resetting your phone.
Back to You
We’d love to hear your thoughts about all things data privacy.
Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe or @Abine).
Share with friends! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.
Let us know. What are your thoughts on data brokers? Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?
That’s it for this issue of Incognito! Stay safe and we’ll see you in your inbox next month.
Laura Martisiute is DeleteMe’s content marketing specialist. Her job is to help DeleteMe communicate vital privacy information to the people that need it.
Since joining DeleteMe in 2020, Laura has done exactly that.
Creating some of the internet’s most popular privacy content on DeleteMe’s blog, writing the leading privacy newsletter Incognito, and helping DeleteMe plan and craft its messaging across different channels, Laura drives DeleteMe’s content.
Laura has a degree from University College Cork.