Tracking us all: A look at the data brokerage industry

Analysis and Commentary, Emerging Technologies, Ploughshares Monitor

Published in The Ploughshares Monitor Volume 43 Issue 3 Autumn 2022

By Mehnaz Hossain

In 2016, Cambridge Analytica processed supposedly private data from millions of Facebook users to create psychological profiles that were then sold to the Trump campaign. These profiles were used to target American voters.

In 2020, Vice Media’s Motherboard broke the story “How the U.S. military buys location data from ordinary apps.” It revealed that Muslim Pro, a popular Muslim prayer app, was selling its users’ location data to defence and military contractors.

In 2021, Monsignor Jeffrey Burrill, an administrator for the U.S. Conference of Catholic Bishops, resigned after a newspaper bought cellphone and geo-location data that showed his activity on LGBTQ+ social app Grindr and tracked him to gay bars.

In these examples, commercial data brokers scooped up and commoditized swaths of private data in a new and insidious form of mass surveillance. They sold data to third-party industries for profit, largely without the informed consent of those surveilled. In many ways, this new generation of surveillance capitalism is the most dangerous yet.

Mass surveillance in the 21st century

Mass surveillance has mostly operated just below the level of public awareness, often targeting specific communities that governments have deemed threatening. Following 9/11, U.S. surveillance targeted Muslim-Americans and foreign nationals from Muslim-majority countries. Royal Canadian Mounted Police have regularly surveilled indigenous communities in Canada, including the 2011 closed-door meeting of the Yinka Dene Alliance.

Edward Snowden’s 2013 leak of the U.S. National Security Agency (NSA) program PRISM revealed the broad scope of government surveillance and the indiscriminate collection of the private data of almost everyone. Snowden revealed that the NSA was monitoring the phone calls of Brazil’s then President Dilma Rousseff and Brazilian embassies while also spying on Petrobras, Brazil’s state oil corporation.

Enter commercial data brokers

The newest entries into the world of mass surveillance are firms of commercial data brokers, which collect and sell the private information left behind by almost everyone who uses the Internet.

Perhaps corporate-led surveillance today is so pervasive that it has crossed into the realm of the familiar and accepted. We live with it because we don’t want to give up the benefits of the online world and see no way to have one without the other.

It is disturbingly easy to buy and sell an individual’s private data. Each time we visit a website, open an app, or use the GPS on our phones, we are subjected to ‘cookies’ that, usually under the guise of improving user service, collect user data and track Internet activity. But cookie ‘crumbs’ can reveal an individual’s demographic data, locations, and habits.

Data brokers such as U.S.-based Acxiom or Oracle Canada combine this information with publicly available ‘offline’ information such as marriage certificates, property deeds, driving records, and court cases to create individual profiles. They then sell these profiles to anyone willing to pay – marketing firms, private companies, political organizations, militaries, even criminals.

The collecting and brokering of private information infringe on the individual’s right to informed consent in any use of personal data.

But even when consent is required, as in the European Union (EU), if cookies are accepted, then an individual cannot know if their information is being sold or how it is being used. And it has become almost impossible for an individual to opt out without withdrawing altogether from the online world and the range of services and access it offers.

The dealings of these brokers can be as dangerous as government mass surveillance to vulnerable communities, partly because they make use of everyday, seemingly innocuous operations, like posting on Facebook or online shopping. And, even though the brokers capture information on almost everyone, targeted communities suffer the most. Already disenfranchised, these groups feel even less free and more threatened.

Individuals can also be targets and victims of data brokers and their customers. Healthcare companies and insurers use purchased data on an individual to project future claims and secure higher premiums from that individual in advance. Such a process can affect anyone and everyone, because the space is basically unregulated.

A regulatory grey area

Existing regulations are inadequate. For instance, Canada’s data privacy law allows the commercialization of ‘anonymized’ data. However, this data is usually easy to attribute to an individual once a profile has been created with offline data.

Canada’s Personal Information and Electronics Document Act does attempt, nevertheless, to safeguard the privacy of Canadians by covering a wide variety of collection and usage methods. And the EU’s General Data Protection Regulation provides a standard level of protection for citizens of all member states.

However, regulating data brokers is complicated by the disaggregated nature of Internet infrastructure and the lack of stringent U.S. laws on Internet governance. Data from any source can be routed through the servers of a different country and be subject to that country’s privacy laws – or the lack of such laws. The chances are very good that a message sent to a neighbour in Canada, for example, will be routed through U.S. servers. While on this journey, the data becomes available for the taking.

The future of a surveillance society

Public outrage flares up when the Edward Snowdens of the world reveal the amount of snooping that is occurring, but quickly dies down again. Perhaps corporate-led surveillance today is so pervasive that it has crossed into the realm of the familiar and accepted. We live with it because we don’t want to give up the benefits of the online world and see no way to have one without the other.

We should not assume defeat so readily. There are steps that we can take to regain our privacy. The first is to become uncomfortable with the amount of access others have to our lives. The second is to start pushing for more global governance of the data brokerage industry so that companies are held accountable.

While we are not all equally exposed to the risks of surveillance, we are all watched all the same. We are being watched, tracked, and even recorded by multiple unknown actors who then pass on information to other unknowns who use that data in unknown ways. It is past time that we pushed back against the intrusion of strangers into the sanctity of our private lives.

Mehnaz Hossain was a 2022 Ploughshares Peace Research Intern

Spread the Word