The Secretive World of Selling Data About You

Credit Card Data
Consumer scores are similar to FICO credit scores, but unlike them aren’t regulated as to what factors can be used and how transparent the score and its contributing factors are to the scored individual. Beawiharta Beawiharta/Reuters

You’ve probably had the experience of receiving mail, paper or electronic, from companies that obviously obtained your name from another company’s list of customers. But what if you were to have a medical operation refused, without knowing it was because the hospital obtained a secret report that listed you as unlikely to pay? What if a college covertly turned you or your child down because they suspected you were unlikely to complete four years of payment? What if you didn’t get a job, without knowing it was because of a report that listed you as a possible drug addict?

Those are the claims being made by critics of data brokers, companies which collect personal information on people through both public and private sources—from court records to websites to store sales—and provide it to a wide range of buyers. A large portion of data brokerage is used for identity verification or fraud prevention. Much of it is used for traditional marketing.

But data brokers are serving a growing clientele eager to know a person’s ethnicity, spending habits, sexual orientation, and specific illnesses such as HIV, diabetes, depression or substance abuse. This information may be found directly in data broker records, or, increasingly, it may be predicted from other data. It’s practically impossible for anyone to find all the information being passed around about themselves, or to correct it. As shady as it might sound, the entire industry is completely legal.

Data brokers are notoriously secretive. Only one, Acxiom, granted Newsweek an interview with a company officer, despite two months of requests to dozens of firms. “A lot of the information, the deals that take place, are proprietary in nature,” says Paul Stephens, a director at Privacy Rights Clearinghouse in San Diego, which advocates for consumer rights regarding personal information. “It’s hard to tell who’s selling what to whom.” In fact, it’s unknown exactly how many data brokers operate in the United States, because so many keep a low profile. Credible estimates range from 2,500 to 4,000. There are supergiants in the field—Acxiom, Experian. But there are myriad smaller companies that few have heard of: Exact Data, Paramount Lists, Datalogix, Statlistics.

How do data brokers collect information? As you might guess, Web browsing is a bountiful source. What sites you visit, what topics or products you research there, what you buy, even what you post in forums can be turned into an entry in a broker’s database. But there are offline sources as well. Public court records are, of course, public. But retail store owners have found they can bring in additional revenue by selling their sales records to broker companies.

The worst that may happen to you in these cases is you’ll get junk mail you don’t want. But more insidious things can happen when brokers go beyond names and addresses to selling other information, which brokers’ clients usually download from a web server. Several years ago a broker named InfoUSA sold a list of 19,000 verified elderly sweepstakes players to a group of experienced scam artists, who stole over $100 million by calling people on the list and pretending to be government or insurance workers who needed bank account information to ensure their pill prescriptions. The New York Times turned up one InfoUSA list whose description read, “These people are gullible. They believe that their luck can change.”

That’s the looming threat of data brokerage: While many brokers claim, probably honestly, to only provide publicly available information that can be used to verify someone’s identity or prevent fraud, there’s a fast-growing market for what’s called “consumer scores.” Instead of a straight list of names, addresses, and other info, a consumer score is a computer-generated number that attempts to predict your likelihood to get sick, or to pay off a debt. Consumer scores are similar to FICO credit scores, but aren’t regulated as to what factors can be used and how transparent the score and its contributing factors are to the scored individual.

“Everything has moved to scores. Lists are a commodity,” says Pam Dixon, executive director of World Privacy Forum, an advocacy organization also in San Diego. “We’re moving into a very different world.” In the 1950s, credit agencies began creating scores on potential lenders that included factors, such as race, that were later banned by federal regulation.

Today, consumer scores have no such regulation for accuracy, transparency or fairness. With modern computers, scores can include thousands of factors. You might be surprised what can go into a score for your health: How much merchandise you buy, how much online shopping you do, and your ethnicity, which can be guessed by a computer program based on the other information available about you.

“We’re living in a world where businesses and important life opportunities are being decided based on this amalgamated data,” Dixon says. “Most colleges and universities use some sort of predictive analytics to figure out if a student will be able to pay for the full four years. There’s a score for that. Companies are applying aggregate credit scores (not FICO scores) to individuals.  It affects what work you get, how much you pay for health insurance, and potentially what schools you get accepted to.”

World Privacy Forum has prepared a lengthy report on consumer scoring. Dixon summarizes a key story in the report: “A major national health plan came to the quants wanting to know how they could figure out how much to charge people. If a woman did a lot of online shopping, she was predicted to be a much higher health risk. If a couple bought hiking boots, that was considered a good factor. I doubt that when someone goes online to buy a scarf they think, ‘This is going to affect my healthcare.’ People could be paying more for healthcare, but we’ll never know. Acxiom and Experian sell lists of people with diseases. They claim it’s a propensity [instead of a numeric score], but there’s your name.”

It’s easy to see why an insurer, a college, or another high-price business would want scores on those they are considering doing business with. Just like a FICO score, a consumer score could save a business from losing money. It could save an insurer from undercharging someone who then needs expensive coverage. But consumer scores could also create a secret blacklist.

In that shadow, there are three causes for concern. First, consumer scores are a secret. If those who sell them are evasive about explaining details, those who use them usually are almost totally unknown.  Second, collected data is often incorrect. “We found a 50 percent accuracy rate in Acxiom data we looked at,” says Dixon, “and they are considered among the best.”

Stephens agrees: “For the most part, the information is not vetted. The cost of vetting it would be prohibitive. There’s a recognition within the industry and among the people who buy the data that the information is not 100% correct.” Clients use it anyway, because inaccurate data is more helpful than no data. But you don’t have to be a computer scientist to realize that a score calculated from incorrect data can be misleading.

Third, and most disturbing, there’s nothing consumers can do about any of this. They don’t know what data is being collected, or by whom. They don’t know what’s being done with it. They don’t know where it is going. They probably imagine specific lists being sent around, not calculated scores that may seem unrelated to the original data. And if they are concerned, there’s no way to see or correct the information about themselves being passed around.

To that end, Senator Edward Markey (D-Mass) introduced a bill last year called the Data Broker Accountability and Transparency Act of 2015. The Senator told Newsweek, “What was a business of data keeping has morphed into data reaping, resulting in the covert collection of dossiers on hundreds of millions of Americans. Consumers, not corporations, should be in control of their private data.” The bill would require data brokers to let consumers review their personal data for free, and to provide a means to seek correction. In the case of public records, consumers could also learn the source of misinformation, although this would leave many unknown sources a secret. The bill would also prohibit the use of fraud or misrepresentation to obtain collected records or individual information.

The federal government’s focus on data brokers has been ongoing for several years. In 2013, the Senate Commerce Committee issued a report noting that of nine companies it looked into, three refused to divulge their data sources and one, Experian, also refused to name its customers. More recently, the Senate Subcommittee on Privacy, Technology, and the Law has held two hearings at which Dixon testified alongside representatives from Acxiom, Experian, the Direct Marketing Association and the Federal Trade Commission. The industry’s lack of transparency irks lawmakers. “Right now, many Americans don’t know that their personal information is being collected and sold on the Internet,” Senator Al Franken (D-Minn), a member of the committee and co-sponsor of the bill, told Newsweek. “Data brokers trade on the privacy of consumers and operate in the shadows.”

There’s one more worry about thousands of tidbits of information about hundreds of millions of people being passed around through the Internet: What if someone breaks into a major data broker’s computers? In October, Experian’s credit arm had 15 million customers’ information, including social security numbers, breached. If that can happen to Experian, what about the thousands of lesser-known, possibly less well-protected brokers? Has it happened already, and we just don’t know?

Getting answers from the data brokers themselves, as Congress found, is next to impossible, except for those who’ll briefly claim that they only provide basic identification services and don’t sell marketing lists or consumer scores. The one company that provided Newsweek with a telephone interview was Acxiom, probably the largest, which claims to have an average 1,500 pieces of information on more than 200 million Americans. “In any industry you have big players with high reputational risks,” the company’s Chief Privacy Officer Emeritus, Jennifer Glasgow, tells Newsweek. “They tend to act more responsibly.”

Acxiom has set up a website, AboutTheData.com, where those who sign up can see what information the company has on them and edit it. Glasgow pointed out the other side of the transparency issue: How many people will now edit their records to lower their age? What other data might they falsify given the chance?

But Glasgow doesn’t dismiss the worries over what Senator Markey called data reaping. She says even more sensitive, more personal data may be scooped up in the future. “We have camera data, the Internet of Things [gadgets such as thermostats and health-monitor bracelets], a tremendous amount of data coming on the scene. Location data is far more revealing of who you are and what you do, even your health issues.” Another worry is what she calls “surrogates for protected information,” such as using someone’s address, purchases, and other info to let a computer calculate their race where the law prevents obtaining it directly.

What can be done? The big data brokers are averse to government regulation, claiming that it’ll run up their expenses and slow down their work, even as smaller scofflaws ignore the rules and hide from prosecution. As for letting you take charge, Acxiom’s consumer site is a bold gesture, but even if thousands of other companies did the same, who would be able to find them all and do the work of going through one’s records everywhere?

A one-stop site for every data broker in America sounds great, but it’s a project on a scale beyond HealthCare.gov, what with thousands of companies’ systems to keep in sync. For now a website, StopDataMining.me, offers links and instructions to opt out of what it claims are the 50 top data brokers.

It seems likely that data collection and consumer scoring will only increase, at a fast-growing rate. Trying to escape it seems futile. A better focus might be to try to define what is and isn’t acceptable to collect, what is and isn’t acceptable use, and how to keep data brokers from keeping their information about us a secret from ourselves.