Thank you for taking the time to read this and I hope you walk away with a new perspective of how we use everyday technology. If you enjoyed this post, please do share with your network.
Last post I talked about how adverts work. I briefly mention how there is a group of people who track what you're up to and help advertiser's decide whether they should bid for that ad spot for you or not. Today I'm going to talk about one of the group's of people who collect this data.
Whenever you read about the latest 'data breach' or 'data misuse' scandal, it's sometimes the big companies you would think of - like Google, Amazon or Facebook (yes another Cambridge Analytica reference, I will not shut up about this). But generally, it really is against the interest of Google, Amazon or Facebook to misuse your data. If you don't trust them, you will not use their products and therefore you will not hand over your data to them which that can't then use to package up and sell/create new products.
I do believe Big Tech deserve the scrutiny they get for collecting the raw data from us, however there is a huge industry out in the open that gets away with all the scrutiny:
There are many types of data brokers, but the ones I want to focus on are the ones that hide themselves on your apps. A recent example of data misuse was by a data broker called X-Mode who was collecting location data of Muslims through a popular prayer time app, Muslim Pro, and selling off the location data to the US Military. This sent shockwaves through the Muslim community and even spawned a project that provided prayer times without storing personal data, Pillars.
But what even is a data broker? Why do we need them?
Data brokers are nothing new - they have been around since the 1950s
Data brokers are a type of information brokers. Information brokers popped up in the 1950s when the infamous 'credit scores' came around. What information brokers did is collect information, either from information available to the public or information from other private channels, and packaged it and sold it. They essentially see information like a commodity - a useful or valuable raw material like gold - collected it like crazy and found ways to sell it to consumers and businesses.
In the context of credit scores, information brokers collected data (or information) from public and private channels and then built a model that predicted how likely you are to afford credit. They then sell access to this model to banks and other lenders to help them decide if they will lend the money to you.
On a fundamental level, I don't think information brokers as a concept in the credit score situation was necessarily bad. It would be a bad business decision (regardless of how much money they had) for a bank to give out money to someone who won't be able to pay the money back - would you let someone borrow money if you know there was an indication that they may not be able to pay it back? How about someone who you know will always pay on time and all the money back?
Where I think these information brokers have gone wrong is how opaque they are. It's not widely available to understand what information points they use to give you a credit score (even if it is available at all). But these credit scores can literally dictate how we live our lives. It decides whether we get a loan, mortgage, car or even a mobile phone contract. Yet we have no idea what determines our score. In the UK there are three main agencies: TransUnion, Experian and Equifax. They all have vague descriptions of what goes into determining your credit score. Let's look at Experian's description of what influences your credit score according to their website:
"The Experian Free Credit Score runs from 0-999. It’s based on information in your Experian Credit Report – like how often you apply for credit, how much you owe, and whether you make payments on time.
You’ll lose points for having information on your report that suggests to lenders you’re unlikely to manage credit responsibly, such as previous late payments and defaults. You’ll gain points for things that lenders usually view positively, such as a track record of always paying on time and being on the electoral roll."
This doesn't tell me much. There are some obvious points like late payments or defaulting, but they don't actually give you the data points. We don't know why our score is what it is, yet this score might stop us from buying a house or being able to pay our utility bills on a monthly basis. If we are to play this game then at least tell us how the scoring system works?
But enough of my rant about the terrible credit score system we have at the moment.
Data brokers are the exact same thing. They collect data through multiple sources (mainly from digital sources, like social media, purchasing history, browsing history etc.), package it, and then sell it off to other people. You don't know what they are collecting, who's giving your information to them, what models they are making and who they're selling the information to. To top this all off, the laws around this are very vague/liberal, so they escape all scrutiny.
Data brokers have free reign in what they can collect, model and sell - legally
There are no specific laws around what models data brokers can and can't collect (otherwise known as data mining) - and some of the things they can collect is crazy outrageous. In 2013, a data broker was under fire for selling lists of rape victims, alcoholics and men with erectile dysfunction, selling at 1000 names for $79. If you fell in to one of those lists, you are worth $0.079. Your traumatic experience can be sold off to anyone who wants it and is willing to pay a very cheap price for it.
So how is this collected 'legally'?
The trap is when you sign up for free services, or download free apps/games, and you click the 'I agree' button. In the terms of service there is the clause of 'trusted third parties' who will get access to some of your data. As someone who tries to read terms of services before I click to sign up to them, I can tell you that data brokers are never mentioned.
In those terms of service they normally have the clause about 'trusted third parties' who will get access to some of your data. What this normally means is that there is a small bit of code that reads the information that the app collects and sends it back to someone else, normally a data broker, but can also send it back to other people, like researchers. By clicking ‘ I agree’ (and in some apps, you can't use the app without agreeing), you give them permission to do whatever they want to do with the data.
This clause isn't necessarily bad, but it's so vague and general that I'd argue such a clause should be illegal. It can mean meteorologists want to know location to monitor weather reports and use it to improve weather forecasts, or it can mean a data broker wants to know where you're going to work out, who you are, your routine and build a profile of you to sell. The data broker can then use that data from the weather app and combine the information with other data they collect from you in other apps (like a free to play game, or a free to use shopping platform that finds bargains for you) to know if you're a specific category bucket - for example you may be in the high earner bucket, but also impulsive buyer category bucket.
It's time we push for regulation for data miners and brokers
Actually, the best time to regulate data brokers was yesterday. The next best time is today. Data brokers aren't going to stop being shady any time soon - data mining (so how data brokers get their data) is expected to be a $274 Billion industry by 2022. With an industry so lucrative and people's literal wellbeing at stake here, there is no reason for us to not be able to regulate and audit the data miners and data brokers.
For the immediate change, there are 2 clear things that can be done that I believe will reduce the incentive to mine data relentlessly and force some accountability. These aren't perfect, but definitely a starting point.
1. Regulate the type and how data that can be mined
Data brokers should have limits and laws that prevent them from mining, collecting and selling information such as rape victims (like our previous example), or locations of Muslims to defence contractors (and subsequently the US military). Rules need to be put in place exactly what categories are off limits, for example personal trauma. Data brokers should have to declare how they mined the data they are in the possession of.
2. Audit data brokers and large corporations to verify the data sources and techniques
This may sound like a boring corporate speak - but I really do think that this is the way forward. Any organisation that collects data should have an external body performing an audit to confirm who any data is shared with and what is shared. The audit should give a document or a stamp of transparency that should be made be available to anyone who wants to know. For example, if I made a weather app, I'd need someone else to come in and verify whether I am sharing the data with anyone else and if I am, what I am sharing. The stamp or audit result document would basically list who I am sharing my data with and what. That way if I was sharing my data with X-Mode, a user can search up X-Mode and see who they work with etc. and essentially make their own decision of whether they trust my app. Of course, the data brokers should undergo a similar exercise and be certified.
Or even better - the external body doing the check can give their own opinion of confidence that the organisation isn't sharing data with any questionable data brokers. This may sound like something that requires a lot of effort but this is an old concept - we already do it with finance and many other industries! We can see a breakdown of how money is spent by the government or charities or the details of all documentations and tests performed before a new drug passes government certification. We need to demand the same for our data and hold not only hold big tech but data brokers accountable.
Some steps have been made to make life harder for tracking - Apple recently has implemented privacy labels (with Google following suit) and giving you the option to block privacy trackers. These things are great, but Apple have a literal financial incentive to advertise these features, because after all being "privacy focused" is their brand (but also trust them to go through all your images on your phone locally without your permission!). We need someone who doesn't have a financial incentive to push forward this privacy first accountability.
Data brokers have influenced historical events by mining, packaging and selling data to nefarious actors. If they are not clamped down, as this person put it, they are a threat to democracy.
We need to act before it's beyond repair.
If you have a better idea than I do, if I’ve missed out anything or you think I am talking absolute rubbish, feel free to reach out either by commenting on the post, or by emailing me on firstname.lastname@example.org
If you enjoyed this post, subscribe to Tanvir Talks, where I publish a newsletter once a month breaking down the big questions asked in tech into digestible chunks for you to consume, the average consumer. I also have a podcast where I do the same thing!