by Adam Tanner
Some say data brokers should draw the line at health and not seek out details of people’s ailments. “Let’s say cancer, for example. Is there some value to people understanding and having access to relevant research and new drugs when they are out searching for that stuff? Yeah,” says M. K. Marsden, a senior vice president at data broker Epsilon. “But I think that’s where it’s got to be like, you as a pharmaceutical company or you as the cancer center have to be there when they touch you. You don’t push at them. . . . When we’ve declared and we are explicit and we’ve asked for relevant messages of things like that, then it is appropriate to push. I think it’s a delicate dance that we are learning the lines of every single day.”
Government regulation could simplify that dance by setting out some of those lines more clearly. That could include some limitations on bulk access to public records, the core building block of data brokers’ records. In Las Vegas, Clark County Clerk Diana Alba feels that instant access to public records has gone too far. She has worked for decades with public documents, as has her colleague Cheryl Vernon. “I don’t know how you stop it. Before they opened up this whole Internet they should have given some thought to this,” Vernon says.
The rich and famous avoid some of this exposure by creating their own companies so that their names do not appear in public records. Law enforcement officers, judges, and others petition courts to seal their records. But such filings are complicated and expensive. Many celebrities do not go through the trouble. When I visited the Clark County Recorder’s office, former baseball pitcher Orel Hershiser, a Cy Young Award winner, had just registered a home purchase, an official told me. And officials say that even singer Michael Jackson’s past purchase of a Las Vegas home was in their system for anyone to look at.
One approach might allow individuals to continue to look up public records but set limits on outside firms buying in bulk and reselling. That’s how Las Vegas handles its police mug shots. Some local governments have also acted to limit what types of data they make available. For several years at the beginning of the 2000s, Clark County wedding licenses shown to anyone who asked included Social Security numbers. During this time someone obtained a copy of the marriage license for tennis superstars Andre Agassi and Steffi Graf, complete with Social Security numbers, and posted it on the Internet.9 Since 2003 the clerk’s office has redacted everyone’s Social Security numbers in response to growing public concern about identity theft.
“The data has always been public, but it was in government storage that was much less accessible than a website. The problem today is that these data brokers are taking advantage of out-of-date public records laws,” says Sarah Downey, a lawyer who worked for several years at Boston privacy company Abine.com.10 “These laws were built around paper documents in regulated storage: you used to have to go to a town clerk’s office to see them. It took time and effort that most people wouldn’t bother with. The Internet has fundamentally changed what it means for something to be ‘public,’ and unless public record laws adapt, we’re all in for a lot more privacy invasions.”
Downey oversaw Abine’s pay service, which helps users opt out from data brokers. Abine would make less money if people could easily erase their dossiers, but she advocates a one-stop removal option. “Whether it is established by Congress, the FTC, consumer rights organizations, or another group or entity, consumers need a simple method through which they can block their information from being sold by data brokers, something similar to the National Do Not Call Registry for telemarketing,” she said. In some situations, such as those involving firms that use personal data to shame people, new laws and the courts may be the best remedy.
As the person being profiled, right now you can ask each data broker to remove you, but the process for multiple removals is cumbersome and there is no inherent right to stay off the data broker rolls. In 2010 an Indiana court dismissed a lawsuit from a woman who alleged a privacy invasion because Intelius kept a record on her.11 Some countries have taken a different approach and enacted broad privacy-protection laws, including those in the European Union, as well as Taiwan, Vietnam, New Zealand, Malaysia, and South Korea.
Certainly, any US effort to limit a firm’s ability to collect and share personal data would kick up a fight. “Businesses with which I transact should have every right to talk about me to others, just as I can speak about them, absent contractual limits to the contrary,” says Tom Bell, a Chapman University law school professor who specializes in high-tech issues. “Regulations in this area do not strike me as cost-effective and raise serious First Amendment problems.” Politicians and their campaign teams have a direct stake in the debate as they make increasingly sophisticated use of personal data to target messages to voters.
Some experts advocate a national privacy agency or ombudsman to shed light on how private-sector data practices affect people. “Just like we established a new agency, the Department of Homeland Security, there should be a new agency that helps people evaluate risks: the Department of Risk Assessment, or it could be called Privacy and Risk Assessment,” says George Church, head of the Personal Genome Project. “Privacy itself is not a risk. It impacts on other risks. What are the odds that you will lose your job or never get a date again or have people spray paint your house because they don’t like the way you look in public? Those are the real risks. Privacy is just like an air sock, right? It’s telling you which way the wind blows.”
Church, who asks his volunteers to make their medical records and DNA test results available to researchers on the Internet, thinks companies should do more than require a click for customers to show an understanding of the risks. They could require a test, as he does for his volunteers: “I personally think that there should be a similar exam or criterion for everything you sign because 90 percent of what people sign or tick-box or whatever they do is not read and not understood, sometimes intentionally on the part of the agency asking for signatures.”
Shining the Light on Data Hunters
After researching the business of personal data for this book, I am struck not so much by the practices of any one company but by the intimate composite portrait that emerges from aggregating data from many different sources. One tile may not dazzle, but a mosaic of many tiles betrays a compelling and sometimes unexpectedly intimate portrait.
Often, all that a business needs is one or two tiles to piece together the rest of the picture. The cheerful store clerk asking for your ZIP code at checkout adds it along with the name from your credit card to the company’s files. From those two pieces of information it can pinpoint your dossier from a data broker and know a lot more than a five-digit ZIP code might suggest.12 Yet sometimes businesses do ask for ZIP codes for legitimate reasons. For example, automated gas pumps typically request ZIP codes with credit and debit cards to verify the user.13
Shopping clues such as subscribing to a premier cable TV package (lots of sitting) and fast food purchases (bad nutrition) may suggest obesity to health care companies or diet promoters. One data broker sells sightings of cars, complete with photo, for $10 a pop.14 I looked up a relative’s license plate number and found an image of her vehicle parked some months before in front of a medical clinic, potentially intimate information. Clues from Facebook as simple as “likes” can suggest someone’s sexual orientation. One researcher has shown it is theoretically possible to reidentify people who have revealed their innermost sexual secrets in anonymous scientific surveys for the Kinsey Institute.15
In composite, all this information that we share does yield deep insights into what makes us tick. “I don’t think consumers understand what they want and what they need in regard to online privacy,” says Ted Claypoole, a Charlotte, North Carolina, lawyer who cowrote the book Protecting Your Internet Identity: Are You Naked Online? “They love to read Amazon suggesting new books and music to them, but they find it creepy when ‘relevant advertising boxes’ follow them around the Internet as they surf. They will widely share the most intimate
personal details on social media, but then are genuinely surprised and rattled to think that business, government, enemies, or thieves might somehow use those details.”
Companies and data brokers emphasize they are gathering all this data to better target their goods and services. They just want to sell you stuff or make money selling your data to other marketers. It is worth stressing that many officials at the firms gathering consumer data are smart, hardworking, and well-meaning. I certainly got that impression from the current and past executives at Caesars, at online ad agency Dstillery, and other companies.
“I don’t think that the population we are talking about, for the most part, is populated by guys twirling their mustaches planning evil acts against good people,” says Michael Fertik, CEO of Reputation.com. “This is not a Manichaean struggle between good and evil. But most people who are interested in this field on either side of the question, on the shades of gray along the spectrum of the question, are good and decent people who want to do good and decent things. . . . The basic goal is to make sure that the right ad reaches the right person, right? And I also do believe that there is no intent to foul someone up in life. But what happens is over time these data points . . . get accumulated and get spread to people and used in ways that even the guys collecting in the first place had no idea they could anticipate.”
The possibility of unintended consequences highlights the reason why all consumers should care about personal data. Your data can and sometimes do get used in a way that is not in your best interest, and can even cause harm. Data brokers and marketers openly acknowledge that some businesses make unscrupulous use of personal data in ways that can damage people professionally or personally. “People have a right to be skeptical because for every person who is trustworthy in the industry there are probably a couple who are doing crazy weird things. That’s the scary dark side,” says Acxiom CEO Scott Howe.
A Simple Manifesto
We, the people about whom data is collected, should have a right to know who the data hunters are and what information they gather about us. Even among the vast majority of businesses making legitimate use of personal data for marketing purposes, many fall woefully short when it comes to providing insights into their activities. That is a mistake that will hurt these businesses in the long term. They should be clear about what they are doing, and customers should have a choice about the extent to which they participate. Some data brokers and marketers argue that curtailing their ability to track consumers will cripple the economy and the Internet. Such logic is patently nonsense. People will still want to buy things and consume even if they have a greater say in how others market to them.
Some of the companies and executives in this book, Caesars most prominently, have chosen to be open about how and why they gather personal information and how they use such details. And importantly, they offer benefits in return. The way they crunch the numbers may be complicated, but there is no reason for the basic data-gathering policy to confuse customers. It might be as simple as “If you join our loyalty program, we will collect lots of information about what you do in our properties. And we will buy outside information to better understand you, and, in exchange, reward you with free food, rooms, and other perks.”
Companies should not be allowed to obfuscate with long and dull privacy policies. Many companies collecting data create confusion by hiding behind legalese along the lines of “Company X does not share personal information with any third-party except as permitted by law.” Such notice is akin to a food company printing a nutritional label saying “We include only ingredients as permitted by law.” That gives plenty of leeway to add lots of saturated fat, sugar, salt, or other potentially unhealthy elements into the blend. “Too often we’ve been victim of ‘I agree.’ It’s like the thirty pages, online small-print thing; this is buried on page 22 in small letters and you have no idea where your data is going when you fill out the warranty card or something like that,” says Howe. “This should be transparent.”
The “as permitted by law” phrase does not necessarily mean companies promiscuously share your data. It may embody the unscholarly legal term of “covering your ass.” In case things change in the future, they warned you. Other words with limited meaning include privacy texts that say the company only shares data with “third-party companies with which we have a business relationship.” That could mean any company that buys or rents the data: that’s a business relationship.
“Our laws should require commercial sites, and maybe others, to be specific about what data is collected, how it is used, and how you can see what the commercial entity is holding about you,” says Ted Claypoole. “Of course, most consumers will not read the privacy policy, but if this data was offered in a consistent and recognizable box—like the nutrition box on food products—then consumers who care can understand and make informed decisions about what happens to their data, and go back to correct inaccuracies later.” Until the time of easy nutrition label–style privacy policies, you can always call up a company and ask what it does with your data. Companies want your business, and alienating people runs counter to that. Often they will let customers opt out of data sharing.
We should understand how the company uses our data and whether and how it shares the information with others. “The information should be used only for the purposes that the customer believes that they are sharing it around,” says Gary Loveman. “So, for example, if I share information with a casino company, I shouldn’t have it used for political campaign purposes, or to raise money for Planned Parenthood.” In the world of casinos much personal data actually ends up staying in Vegas. What gamblers do on the casino floor as recorded by loyalty programs is not shared with others. The casinos know a lot, and they closely guard those insights as an important corporate asset.16
Overall, companies should be able to pass what Caesars executive Joshua Kanter sees as the key standard: the Sunshine Test. In other words, if managers embrace practices that would cause discomfort if featured on the front page of a major newspaper, perhaps they should think again about what they are doing. Yet in researching this book, I have found many firms reluctant to talk openly about their data-gathering practices, often adapting a defensive or evasive pose that raises questions about the propriety of what they are doing. In 2014, the Direct Marketing Association, the trade group of data brokers and marketers, went so far as to ban me from attending any future events (the lifetime ban was overturned a few weeks later). My questions and subsequent articles had apparently made some marketing firms uncomfortable. “Our industry is doing a lousy job marketing itself,” says Howe, who surprised me by distancing himself from many of the DMA’s views.17 “If you do things that are great for customers and you deliver them choice, then those companies are going to win, and folks that survive by tricking consumers, they will eventually die because they become the most hated companies in the world.”
“I do not agree with Mr. Howe—the industry doesn’t do a bad job so much as it doesn’t do enough of a job,” says JoAnne Monfradi Dunn, president and CEO of data broker Alliant, who also serves as chair of the DMA’s board of directors. “As we move from broadcast marketing to customer engagement, it will be even more important for marketers to be part of the national conversation, and to be partners with customers in their brand choices and relationships.”18
Occasionally marketers admitted why they did not want to be open about their practices. One marketing executive told me his travel company was beginning to target advertising through browser fingerprinting. This technique recognizes people’s browsers not via cookies, which can be removed, but through a computer’s more durable attributes such as what programs are downloaded onto the browser. Then he asked that I not print his or his company’s name: “At the end of the day, there isn’t really a legal case against it, there isn’t really a privacy case against it. It’s really a PR thing. What are you going to do when the Wall Street Journal decides to write a nasty article about the practice?” he
said.
Shifty practices will come to light. Much as the maker of an unsafe vehicle or adulterated food will one day have to face the music, unscrupulous personal data collectors will have to face those whose data they have abused. Advocacy groups, investigative journalists, congressional committees, and the legal system will all play a role in this process. Companies in the ecosystem of personal data can also help. For instance, search companies such as Google could give lower rankings to humiliation sites, and credit card firms could decline to process payment for objectionable businesses (moves they appear to have embraced recently for mug shot websites).
Since many companies supplement what they observe about you with outside dossiers, you should be able to go to the source and see what data brokers know. Companies such as Experian and Epsilon are still reluctant to crack open the vault. “Trust us, we have good policies” is not enough. Data brokers should allow consumers to peek in and amend or delete their files if they want to. In some cases marketers would gain if people corrected mistakes and refined their preferences to receive better targeted ads and offers. In other cases people would remove data or opt out entirely, so the files would become less all-inclusive.
One of this book’s narratives tells how thoughtful data analytics experts at Caesars ultimately decided, after many years, to start using outside data from brokers such as Acxiom. When Acxiom partially opened its dossiers to the public in late 2013, it revealed plenty of mistakes, some trivial and others significant. The initiative showed that data brokers and companies, for all of their insights about us, have not become all-knowing oracles. Just days before he left Acxiom as the marketing chief to become a managing director at JPMorgan Chase, Tim Suther spoke openly about the limitations of personal data. “It’s like searching for the fountain of youth,” he said. “You know that people are searching for that one bit of information that reliably predicts or describes people, and it just doesn’t exist. You know we are all complex human beings with changing needs, changing context.”