Companies are collecting our data online all the time. Nobody wants to imagine their information is being collected and that companies are profiting from it – especially once you know how much of your data is really going into these companies’ hands. And worse, without the right context, it can be easy to misinterpret this data, creating a false and unflattering picture of you. We need better privacy and data protection online to keep us safe from these challenges.
See Erasing your Digital Footprint with Jeff Jockisch for a complete transcript of the Easy Prey podcast episode.
Jeff Jockisch is a partner at ObscureIQ, which provides advanced data removal and privacy risk mitigation for enterprises and government organizations, and a passionate data privacy researcher. One of his specialties is understanding commercial surveillance and the data broker industry. He spent a lot of time in marketing, so he understands why companies want to track this kind of data. About fifteen years ago, he got interested in digital privacy. But his interest was really sparked when he ran across an article about data brokers. The article discussed how they were selling lists of car accident victims, men with impotence problems, and women who had been raped. He was shocked they were just selling such invasive info.
Instead of going into compliance like most privacy professionals, Jeff wanted to discuss the intersection of data privacy and data science. He builds data sets about data privacy and tries to understand from that angle. His data broker database, the Codex, contains over 8,500 organizations collecting consumer information.
Nobody’s Tracking Data Brokers
National Public Data (NPD) experienced a breach earlier this year. They are a data broker company – they do identity verification, so they have to know a lot about you. Essentially, they buy data from a lot of different organizations and put it together into a profile, similar to a background check company. There are all sorts of those out there. NPD was a big one, but there are many smaller ones, too.
The issue of privacy and data protection around these data broker companies is so challenging because nobody is tracking data brokers. There are some state laws now asking these organizations to register. But there are only a few hundred registered at this point.
It’s really hard to get a handle on these [data broker] organizations because literally nobody’s tracking them. – Jeff Jockisch
Part of that is because the legal definition is so narrow. They have to be third party, so any data broker company that interacts directly with a consumer doesn’t count. They have to have a certain amount of revenue and do certain other things. There are a lot of loopholes these organizations can jump through to not be labeled a data broker. Jeff’s project has a broader definition, which is why he sometimes uses the term “commercial surveillance” instead of “data broker.” If they collect consumer information, they go into his database, whether they’re legally a data broker or not.
What Information Data Brokers Get
How big of a problem data brokers are for privacy and data protection depends on what kind of data they can have. And the answer is, it can be just about anything. They can grab your basic information from voter records or BMV records, both of which get sold. Court records, real estate transaction records, credit card transactions, pharmacy transactions, viewing habits, all of those can easily end up in a data broker’s file on you.
Virtually anything that you do that’s digital … if they’re not getting it directly, they’ll buy it from somebody who does. – Jeff Jockisch
Virtually anything that you do that leaves some kind of digital trace, they’ll either get it themselves or buy it from somebody who got it. That includes phone location data, which a lot of people find to be a major risk to online privacy and data protection.
Location Data is Dangerous
Location data is one of the biggest risks to your privacy and a huge data protection issue. Not only can someone use it to directly get information about you and your activities, it can also be used to infer things indirectly. Someone can use those data points to make up a story about you, and whether or not it’s true, it looks true because your location data supports it.
For an example Jeff gives in a seminar, imagine a woman who goes to a bar almost every night after work and stops by a marijuana dispensary regularly. You could build a story about a woman who gets drunk every night and smokes weed every day. But an alternative interpretation might be that she has a second job working at the bar and that she’s picking up her aging father’s medical marijuana prescription. You could draw either conclusion from the data. Even if all the data points are accurate, it’s very possible to infer the wrong thing.
In addition, geolocation data is sometimes very accurate and specific, and sometimes not very much, and it’s not always clear what level of specificity you’re getting. Does the location data say you’re there because you are, or because you’re somewhere within three miles of there and that’s the system’s best guess? It’s impossible to tell. And accuracy can change without warning, too. When you look at geolocation data, points that don’t make sense are often just wrong. There’s no way to know which are accurate and which aren’t.
Protect Your Data and Privacy
As a consumer, securing your privacy and data protection is a two-step process. First, you need to delete your digital footprint. There are consumer-level services that can help. Professional-level services like ObscureIQ are more expensive, but are also more effective.
The other thing you have to do is stop letting your data get out there. That means changing your behavior so the tech can’t track you. And it may involve uninstalling apps that track you, not using certain software, and avoiding other things that will send your info straight to data brokers.
You actually have to stop leaking the data. You have to change your behavior. – Jeff Jockisch
Most of this type of data tracking and privacy concerns is commercial. Unless you’re a certain type of person (and you’ll know if you are), the government doesn’t really care what you do. But ad tech wants to track you for marketing purposes. So many useful technology tools, including ones we use every day, are tracking us by default.
We have to take measures if we don’t want to tracked because all technology is just doing it by default. – Jeff Jockisch
It’s a double-edged sword. Good ad tech means you get relevant ads and businesses pay less to run ads. But it also means some people know a lot about you. For the average consumer, there’s a lot of disadvantages that you may not understand. In the best of all possible worlds, this kind of tracking could be beneficial. But Jeff doesn’t think we’re living in that world.
Data Removal Tools for Protection and Privacy
A lot of the consumer-level data-removal tools are decent. They get rid of the surface-level things so less comes up when someone searches your name. All they’re really doing is de-indexing your information, not removing it. It’s not going to keep your info away from a determined attacker, but there is some value in it.
You can get rid of more of it if you know how. It’s possible to change public records and to go after data brokers to make them delete more of your records. However, legally, data brokers don’t have to delete the whole record. The privacy laws most consumer-level tools use just get them to de-index, not delete. They have no legal obligation to delete any information that’s public information.
There are ways you can force them to do it, though. If you are actually under threat from someone, you can potentially force them to delete it under legal threat – if something happened to you and they didn’t delete it, you could sue them. Some of it also depends on how ethical the data brokers are choosing to be. Some data brokers are probably ethical and delete your information when you request removal. But there’s probably even more where your removal request just gets ignored.
How Our Data is Exploited
It seems like every day there’s a new data breach. Companies are collecting our information and not securing it (or trying but failing to secure it). Often, the biggest risk to privacy and data protection isn’t even the data itself, but infrastructure. Big companies hand data off to suppliers and service providers because they can’t do everything themselves. If you give your data to AT&T, they give it to ten companies downstream, and then each of those gives it to ten more companies, soon hundreds of companies will have your information, and one of them is going to get breached.
What are data brokers really doing? They’re building consumer profiles on us. The bad guys are doing the same thing. – Jeff Jockisch
From a criminal standpoint, online privacy and data protection is important because much of the data from these breaches ends up on the dark web. Criminals aren’t just exploiting individual pieces of information; they’re compiling them together just like data brokers to build consumer profiles. Once they have that profile, they can make synthetic identities, commit identity theft, or target you with scams or fraud.
Sextortion scams send millions of emails every day claiming they know you’ve been watching porn and are going to send that information to your friends or family if you don’t pay. It becomes much more convincing when they have your data and can tell you your address and specific names of friends and family. They don’t know who you are, they just got your information from a data breach. But the fear gets some percentage of people to pay.
The Future isn’t Lost
There are more privacy laws happening now. Things like the California Delete Act will help customers delete their info. This particular law doesn’t go into effect for a little bit yet, but once it does California residents will be able to delete their information from hundreds of data brokers with one click. We need more laws like that. But we also need to widen the scope, to cover more people and more companies that aren’t legally data brokers that still have our data.
The challenge with these privacy and data protection laws is that data brokers are massively powerful. Some estimates put it at a $400 billion industry, but it’s probably more. That’s a lot of money against us. These companies are large and powerful and don’t want to give that up. But 80% of consumers are on our side of this issue. No matter where you are on the political spectrum, nobody wants this. A lot of politicians are trying to fight back and get good policies passed. It’s slow, but we’re making progress.
Final Tips for Privacy Protection
Jeff suggests checking out the resources on ObsureIQ’s website. There’s all kind of things that can help you delete your digital footprint. Recently Jeff produced one resource called Seven Steps to Reduce Your Digital Dust by 90%, which offers seven straightforward steps to reduce how much data you’re leaking. He’s also working on a resource on how to create a secure sock puppet if you want to get on social media without leaking a bunch of your information.
Jeff also puts out a weekly newsletter called Tactical Privacy Wire. It gives advice like how to not leak your voter record and what to do if you still have a voter record in a state you used to live in. There are resources out there that can help you protect your data and privacy online. But you need to take action to protect yourself.
You can connect with Jeff Jockisch on LinkedIn, or find him online at obscureiq.com.
