Recent news over the potential ban of social media app TikTok by the United States has triggered concerns that foreign-owned social media apps can be potentially used for surveillance of American citizens. U.S. lawmakers have proposed divesting TikTok’s U.S. assets to American companies. Advocates of this approach believe that this would mitigate against data potentially landing in the wrong hands. Cyberpolicy scholar Samm Sacks, however, makes the case that American companies can still sell data to third-party data brokers, even after buying ownership of foreign-based apps. Those brokers could then turn around and sell the data to the Chinese government.
What are data brokers? What are the ramifications of the activities of this industry for national security? And what does this mean for governments and individuals?
The Industry in the Shadows
Data brokers are companies that aggregate information about consumers from different sources, then license or sell that information to other organizations. While it’s widely known that tech companies such as Facebook and Google collect data to improve user experiences and generate revenue from advertising, many people might not be aware of data brokers and their position in the advertising technology ecosystem.
Data brokers hoover up personal identifiable information – in which specific information distinguishers can be traced or attributed to an individual’s identity. Taken as a whole, information such as name, mobile numbers, locations, gender, and income brackets can be used to paint a profile of individuals. The more data obtained, the more granular a profile of an individual can be. These profiles are then licensed or sold to companies to inform their business operations in marketing or in advertising products and services to customers. Companies utilize data-driven marketing to deliver more targeted and profiled advertising to consumers.
However, the potential for misusing information collected by data brokers can be concerning. Companies seek to optimize the manner in which they access and collect data on the lives of people – their habits, decisions, preferences, relationships, and movements. This imperative to harvest as much personal data as possible has created the impetus to invent data collection technologies that are increasingly efficient, non-transparent, and invasive of privacy. Very often, people are unaware of how their data is collected and monetized, and usually “consent” to the wide “standard terms” of service contracts because they have no choice in matter. While there is the argument that companies like Google and Facebook “pay” for our data with “free” services, this does not take into account the many data brokers that profit massively from data collection.
Issues With Data Brokers
Recent data breaches and privacy concerns over the data brokering industry have led to questions regarding the relatively unregulated industry in the United States. Due to the competitiveness of the industry, data brokers prize collection methods and database size as competitive advantages. However, the unethical actions of some organizations have ignited calls for greater transparency. In 2014, a data broker was charged with selling the personal information of over hundred thousand consumers (without their consent) to a company which utilized that data – including bank account numbers – to steal millions of dollars from consumers.
The potential for data brokers to be hacked is a real and ever-present danger. In 2017, the credit brokerage firm Equifax was hacked. Equifax’s failure to ensure stringent cybersecurity practices contributed in part toward the hack. Investigations revealed multiple security vulnerabilities, including unencrypted sensitive personal information, and weak safeguards employed in the password administration systems. Stolen data from the breach was never recovered.
The amount of data stored with data brokers opens them to be prime targets of cyberattacks from state or non-state actors. Hackers who have breached the security systems of data brokers have sold entire databases for profit. In 2019, the database of data broker LimeLeads – containing 49 million business contacts – was put up for sale on an underground hacking forum. Security experts revealed that the company stored crucial customer data on an unsecured sever, allowing threat actors to gain access. While the server was eventually secured, the data of customers (containing user details including full name, emails, addresses) were advertised for sale on the forum. The data troves obtained from security intrusions could contribute to identity theft and phone scams as well.
Malware operators could also launch spear-phishing attacks targeting individuals and companies. This would be a boon for foreign intelligence services in obtaining high-value behavioral information about individuals or companies in a target country. The Equifax hack was revealed to be the coordinated effort of Chinese intelligence to steal trade and personal information of Americans.
Personal identifiable information can be deployed in the usage of political campaigns, as the infamous Cambridge Analytica scandal in 2016 demonstrated. Cambridge Analytica claimed that it created personal profiles on over 240 million Americans by mining personal data. This data was used to micro-target American voters during the 2016 presidential election. The same approach was used during the 2016 Brexit referendum in the United Kingdom – all without the knowledge of the public. Data from Cambridge Analytica may have helped to facilitate Russian interference in the 2016 U.S. election. In the hands of malicious actors, this data can become a tool for disinformation campaigns and influence operations.
Current Regulatory Efforts
Globally, what measures have been taken to address this issue? The European Union’s General Data Protection Regulation (GDPR) has tightened the limits of data disclosure by data brokers. Non-profit foundation The Privacy Collective very recently initiated class action litigation in The Netherlands against data brokers Oracle and Salesforce for breaching GDPR provisions in processing and sharing citizens’ data in the EU. A similar lawsuit under the GDPR and the United Kingdom’s Privacy of Electronic Communications Regulation will apparently be filed soon in the U.K.
In the United States, discussions are ongoing as to the creation of a national data broker registry. The proposed Data Broker List Act 2019 will require data brokers to join the registry, overseen by the Federal Trade Commission. The bill aims to empower the FTC to maintain a comprehensive information security program to safeguard consumer data from security breaches or data disclosures. In February 2019, the state of Vermont put in place a new law requiring data brokers to register with the secretary of state. In March 2020, the first enforcement action under this law was brought against Clearview AI for the fraudulent acquisition of brokered personal data by using screen scraping technology. However, the law does not go far enough in requiring disclosure of the information in their databases, what data is collected, or who the buyers are. There is also no requirement for brokers to enable consumers access to their own data or to opt out of data collection.
There is currently no designated legislation to oversee data protection at the federal level in the United States, but that might potentially change. With anti-trust concerns regarding tech companies looming in Congress, there has been bipartisan willingness to enforce data protection standards. A new Senate bill was introduced in February 2020 for the creation of a federal data protection agency to enforce data protection practices in the United States.
In Singapore, the Personal Data Protection Commission (PDPC) has taken enforcement action against unauthorized sale and disclosure of personal data by data brokers for marketing purposes. The PDPC has enforced action against companies who have purchased marketing lists (containing consumer data) without valid consent. It has also established a Do Not Call Registry for people to register with to limit specific telemarketing calls and messages from being sent to their mobile numbers. Buyers of marketing lists are expected to ensure marketing lists purchased are obtained via legal sources and do not contravene any data protection laws in Singapore.
Make the Data Industry Critical Information Infrastructure
At the individual level, what can be done to protect personal data? Apart from understanding how personal data is “shed” when using social media platforms or apps online, how personal data is being used for marketing purposes, and their right of consent with regards to their data — and taking steps to opt out from corporate marketing databases and block trackers (which are largely done on a piecemeal basis and therefore onerous) — there may not be much more that can be done.
Advances in the technology surrounding data harvesting and exploitation have outstripped the effect of current regulatory mechanisms. Given the competition to acquire and commodify data and burgeoning revenues, the data broking industry is unlikely to regulate itself, and their activities require governmental intervention. With the digital transformation, data essentially underscores all aspects of our lives; it is fueling our decision-making. Relied upon by both the public and private sectors as a fundamental resource for societal management and economic functioning, data is the target of cybercriminals, state and non-state sponsored actors. Yet we are struggling and, in some cases, have failed to coherently protect it given the role it occupies. It may be necessary to deem the data industry sector as a critical information infrastructure that becomes subject to more stringent security regulation.
This may be a first step toward ensuring proper safeguards in comprehensively securing our data for all the purposes it is put to. Government database operators, data aggregators, business data users, and brokers will be required to bolster cybersecurity measures to protect data and to uphold transparency and accountability for the usage of personal data in their activities. Individuals must be given more power over how their data is collected from them and the use to which it is put. A balance must be sought between commercial purposes and innovation, and the public interest in upholding data protection and safeguarding it as a vital resource.
Dymples Leong is a senior analyst and Teo Yi-Ling a senior fellow with the Centre of Excellence for National Security (CENS), S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore.