Minority Report: Visibility
and Targeting Advertisement
Big
Data provides the access for companies to engage in targeted advertising. Often
when I hear of this I wonder if we are not relatively close to becoming the society
in Steven Spielberg’s film,
Minority Report (2002); where targeted
advertisements and predictive algorithms are taken to the extreme—where adds publicly speak to consumers exposing their preferences, and law enforcement
predicts crime before it occurs. Because Big Data is essentially unregulated
many argue for guidelines. The Data Broker Accountability and Transparency Act
of 2015, “DBATA” establishes procedures to ensure the accuracy of the
information collected on individuals in an attempt to promote greater
transparency in the uncharted sea of data aggregation. Because best practices
are not cohesive across the spectrum of Data Brokers, it is essential that
sound regulation emerge to prevent data breach. Although the proposed law adequately
brings to the forefront issues such as: (1) access to personal information; (2)
accuracy; and (3) transparency—it raises questions regarding consent in
regulating consumer behaviors.
I.
The Data Broker Accountability and
Transparency Act of 2015
The
FTC which would enforce the Data Broker Accountability and Transparency Act of
2015, (“DBATA”): Prohibits data brokers
from obtaining or causing to be disclosed personal information broker knows to
counterfeit; (2) requires data brokers to ensure accuracy; (3) data brokers
provide an means to where individuals can review their personal information;
(4) individuals a cost-free means to review their personal or identifying
information and dispute the accuracy of such data; (5) requiring big data to
reveal the source of the information and correct it; and (6) requires data
brokers to provide individuals a reasonable way of determining how they
personally would allow their information to be sold or shared for marketing
purposes—target marketing. The DBATA defines a data broker— “a commercial
entity that collects, assembles, or maintains personal information concerning
an individual who is not a customer or an employee of that entity in order to
sell or provide third party access to the information.”
There
are three companies, the largest data brokers in the US, all fighting against
any form of governmental oversight and transparency. These
companies are Acxiom, Epsilon, and Experian. Why is this interesting?
Recently a Florida based oncology clinic was the victim of a data breach, which
exposed 10 thousand patients’ social security numbers, ages, insurance
information, gender, marital status, and extensive medical history. This is a
very common and startlingly under appreciated occurrence. The oncology
clinic offered the victims’ of this data breach Experian's Protect My ID.
Ironically, Experian is the third largest data broker in the nation, and again
Experian thrives on data like security numbers, ages, insurance
information, gender, marital status, and extensive medical history. It is this
type of tautology that defines the current status of data brokers in the US. In
a CBS News 60 Minutes report the CEO of Epsilon, stated that
there should be no governmental oversight because, “citizens are happy to share
their private information”, which justifies his company’s business practices.
This circular thinking is specious at best and terrifying at worst. Epsilon
claims to have over 8 Billion records of commercial transactions in the US.
This was the most recent number I could find on the company, and it comes from
2014. Clearly Data Brokers need to tighten security.
This
fact is exemplified by a shocking statistic about Acxiom, the largest data
broker in the US. In 2014, Acxiom claimed to have over 1500 data points,
(think: age, gender, sexual identification, health history, shopping patterns,
educational level, and socioeconomic status, etc.) for more than 220 Million Americans.
That is ¾ of the total population. One can only imagine how exhaustive the data
is on anyone, if not everyone. The
fact that a company has that much information on ¾ of our nation is potentially
disastrous. As of March
11, 2016 there have been 896,258,345 records compromised from 4,790 data
breaches made public since 2005.
If
just 1 of the big 3—Acxiom, Epsilon, and Experian—were to have significant data
breach (assuming they haven’t been exposed as there are currently no laws to
compel the companies to inform the public of data breaches)what private
personal information could suddenly and irrevocably become public. Still, Wired
Magazine reports that Facebook puts all other data brokers to shame. Facebook
has billions of uses freely pouring out their souls generating a rich harvest
of data to monetize. Facebook only wants your data to sell on to the highest
bidder, full stop. Facebook
has untold stores of personal data freely given by grandmas, teens, and
snooping mothers, all to be monetized. And this is the core problem with
the DBATA
Act policy, where does data mining and brokerage start and active participation
begin.
Under DBATA, we
are allowed to see how and where our data is being used and sold. Currently
data brokers operate under the assumption that the public is fine with their
practices and tacitly agree to the sale of personal information, essentially
implied consent. This is exactly why opting-out is not nearly enough when considering
the intrusive nature targeting advertisement, data mining, and brokerage. In
fine, Although the DBATA Act on the whole should not be enacted whole cloth, their
“best practices” are neutered by the lack of regulatory enforcement, bringing
to light enormous concerns over accuracy, consent, and transparency. So how are
we to face the issues surrounding Big Data? It will have to be through an
affirmative opt-in regulatory scheme.
Would you like
to know the extent and type of data these companies are selling? That is a
reasonable request, but there are no laws compelling data brokers to comply. Epsilon claims to be a marketing firm, and shuns the label of data
broker. You have the ability to contact them and use their website to see the types of data they collect, but none of
the data they keep on you as an individual. Imagine if the financial industry
had this level of transparency. In Short, we as consumers would have no way to
see or understand how or what is being sold and stored. Most individuals have no
clue as to the content and extent of the information gleaned by data brokers.
For instance, unlike governmental data collection, commercial data brokers link
specific names to said data. The Info Law Group article asks many questions
about anonymity:
The truth is
this, anonymity is an antiquated idea in our modern age. Your name, and far
more is linked and harvested by big data firms. For example, there are several
niche data brokers that market lists of named individuals. Want to buy a list
of LGBTQ individuals, easy this data point and these individuals’ names are
sold by Statlistics. A
company called Paramount Lists sells
the names and other data points of people with alcohol, sexual, and gambling
addictions. And this nugget of gold,
a list of (named) individual’s with an STD, Exact
Data has a custom tailored list for marketers and potential employers. Again
data firms sight their in house best best practices and self-regulation is
sufficient, but the questions remains how adequate is their security. In addition, how accurate are these
lists, and how do companies accumulate such a profile?
II.
Modern Society an Individual’s Personal
Information is Akin to a Commodity
Again, here is
where Facebook obtains this free commodity by users’ searches without a opt-in
requirement for specific personal searches while linked to Facebook. However, some
argue that going down this road with the FTC and the DBATA Act, will only
result in the vicious overstepping of the government. It is important to note that in modern society an individual’s personal information is a commodity, akin to gold, pork bellies, or orange juice. Yet, tangible
commodities are highly regulated by US law, and
under US regulations commodities brokers have been one of the largest engines
for wealth creation in the history of mankind. Yet, companies that buy and
sell the commodity of personal information feel that they are somehow beyond
reproach. They often site the idea of trade secrets, or how burdensome
oversight will harm a multi-billion-dollar industry. But again take the
financial sector as being analogous to data broker firms. Finance is heavily
regulated. But companies that produce, apply, and profit from computational
investing operate under governmental oversight. Even with said oversight and
mandatory transparency these firms are able to maintain the integrity of their
algorithms. The idea that any form of oversight will compromise big data’s
trade secrets is pabulum, spouted by companies functioning in the
“wild west,” of a bleeding edge industry. The scope of their influence is so
powerful and vast it is hard to say where these assumed trade secrets end and
begin. This quote from Direct Marking News summarizes the nature and
interconnectivity of modern data brokers:
“You can't look at the data-driven
economy as if it's a vertical like energy or hotels… It's a horizontal that
cuts across all of the verticals. Exxon Mobil can just as easily be part of the
data-driven economy as Hilton.” Direct
Marketing Association CEO Linda Woolley
For instance, Marriott and Disney consistently gather data
and information on their consumers, we know they use this for targeting
advertisements, but it begs the question in the current climate are these “data brokers,” or a Hotel and Entertainment
Company. Targeted marketing could reach individuals in need. Or it could aid in
developing more effective means of research and treatment outreach to at risk
populations. Still, these positives can be utilized under appropriately applied
oversight. And yet, the DBATA policy shouldn’t be considered a panacea to our
growing big data problem. The US Government is really the biggest player in big data. And its desire for oversight
should in no way be considered a wholly benevolent cause. The US government
wants this type of data just as much as a corporate entity; only
under the auspice of national security (and the real cheddar in this game new
tax revenue.)
III.
Targeting Advertisement in Big Data to Sale
You Other Products?
Last year the app Path-Social for iPhone
was found to be surreptitiously cloning users contact lists. The parent company
gathered said ill-gotten information and sold it. The small penance of $800,000.00
does not even come close to the financial benefit they received by the privacy
intrusion. But, this act
is some how worse than Angry Birds, one of the most successful apps of all time
buries the fact that they tack and
sell you data in their user agreement. In either case the end users suffer. Consumers
should be aware of how their technology is being used and third party companies
that collect their data.
IV.
Information
Contrary to Purpose it was Gathered for:
An article in the New York Times addresses how this named data could effect ethic minorities, and underprivileged populations. And this is tragically accurate. How will ones’ history of alcohol, sexual, and gambling addictions play into getting a home, loan, or a job? Sadly, all of this new data directly effects credit, employment opportunities, and personal growth. In short big data is a new form of oppression.
Notice and
consent are paramount for the future in data collection but is it enough?
Obviously when data is collected in the aggregate by big data companies there
is more of a risk of de-identification. One could argue that consent doesn’t
necessarily solve this problem thus the need for regulation. The harm in
identifying a group of individuals in travel or credit worthiness is terrifying
in regard to discrimination and government is not equipped to handle this data
any better.
V.
Opt-In
Should Be Required Merely, as it is Akin to a Digital Trojan Horse
The current DBATA lacks in regard to consent. Because many people may not understand the extent of
how their data will be (and is) utilized in the aggregate, an expressive affirmative opt-in is essential in regard to conform consent. Considering how many agreements we make everyday just using technology,
it would be crazy to think how many legal agreements we make in a week without
even blinking an eye. Who really understands when they play Angry Birds that Rovio Games tracks your location and sells it
to advertisers. Many consumers
may not mind information that they willingly have given such as, information to
a clothing store in order to receive discounts to other similar stores. But many customers perhaps would protest the ability for
geo-location and their iPhone tracking to be used to send them advertisements
even when the data is incredibly accurate.
VI.
Knowledge a Right for Consumer and
Informed Consent: Targeting Advertisements:
Democrat Sens.
Richard Blumenthal of Connecticut, “called data brokers ‘insidious, invisible
threats’ to privacy on the Internet.” As they collect personal information
people most of the time are completely oblivious to. Reselling
this information is a huge concern to the privacy of an individual.
As more people
become concerned with how their information is used and the utilization of
market forces, companies will naturally comply with customer demand for
transparency. In contrast, others declare that this is the precise reason that
consumers should be able to correct personal information, prevent the sharing
for marketing purposes—targeting advertisements.
In some aspects
being provided an avenue to correct personal information, creates a more accurate
view of a persons’ identity. Yet, there is a fear that this information will be
used to an extent a person did not consent to. For instance, an individual born
a man but identifies as female may personally want targeting advertisements for
a certain genre but would not want their information used for a different
purpose such as research. In contrast, another viewpoint Rachel Thomas—DMA's
Vice President of Government Affairs, believes data brokers continually improve
transparency to consumers on their own everyday. She stated that: "That
kind of transparency is happening every day, in terms of self-regulation in the
marketplace."
VII. Reclaim
Your Name a Positive Step Forward
“Reclaim Your Name would empower the
consumer to find out how brokers are collecting and using data; give her access
to information that data brokers have amassed about her; allow her to opt-out
if she learns a data broker is selling her information for marketing purposes;
and provide her the opportunity to correct errors in information used for
substantive decisions – like credit, insurance, employment, and other
benefits.”
Julie
Brill, urges a catch-all central server to “Reclaim Your Name.” One
hypothetical Brill used: Imagine a disclosure on your receipt says that:
“We will analyze your purchases to predict what health conditions you have so
that we can provide you with discounts and coupons you may want.” She opines
that such a statements would shock the majority of people but that is exactly
what Big Data is doing. Because Data Brokers are very specialized in how they
conspire behind close doors to piece together small amounts of information in
order to then use said information, a Reclaim Your Name would be a positive
step forward for information you already agreed to share but did not in reality
give informed consent in the aggregate of such data. Brill
gives the now famous example of the young teen girl who unwillingly revealed
her pregnancy to her parents by the collection of her data and advertisements.
The question of whether or not this Web Portal would actually increase consumer
understanding is questionable. However,
one incredibly important aspect of awareness that is concerning many is the
ability for people to correct errors of substantive outlook of someone
credit worthiness. Knowing how this data is collected and used is incredibly
important and there should be some regulatory use on this aspect.
I think Chalene brought up a good point regarding the question of who would be considered a data broker under the DATA Act. The proposed legislation defines a data broker as “a commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or provide third party access to the information.” The proposed definition still allows the FTC to exempt a data broker from the Act. (https://www.congress.gov/bill/114th-congress/senate-bill/668/text). The cited article about Facebook being one of the largest data brokers brings up the issue of whether a commercial entity like Facebook (or Google, LinkedIn, etc.) would be considered a data broker under this Act. They collect and maintain personal information, and they do sell or provide third party access to that information. The question would be whether or not users are “customers” as defined by the statute. Facebook also could argue that they don’t collect the data in order to sell it, but that they merely create a forum for “giv[ing] people the power to share and make the world more open and connected.” (https://www.facebook.com/facebook/info?tab=page_info). It could be argued that companies like Facebook already allow a user to control the accuracy of the content so there is not as much need for the protection of the DATA Act. However, the exclusion of companies like Facebook from this statute would leave a large gap of personal data that would be unregulated.
ReplyDeleteI think there could be logistical issues with the Act's proposal. As Chalene and Laura pointed out, it may be difficult to unambiguously define, and later determine, who qualifies as a data broker. Furthermore, the Act is intended to allow consumers to correct information held by data brokers, but most of the data held by brokers is not published so that an individual could monitor this data for accuracy. How would an individual even know that the data collected about them needs to be corrected? Therefore, the Act would require a greater degree of transparency regarding the data being collected--but one of the main privacy concerns with big data collection is that the information will be revealed to others. Therefore, the very remedy mandated by the Act could potentially worsen certain aspects of large data collection that is a major concern for privacy advocates.
ReplyDeleteWhile I agree that data brokers present a unique threat to individual privacy, Julie Brill's argument that consumers should be allowed to know how data brokers collect our data is important. Consumers cannot protect their private data unless they know what companies are collecting and commoditizing it. Companies that engage in this enterprise, therefore, should have to notify their customers how their data will be used. Without such disclosure, the market cannot effectively regulate data harvesting because markets need educated consumers to be effective. I have to think most people would think twice about patronizing a business that they know is selling or aggregating their data. From this perspective, the DATA act may only be a half measure that disregards the larger problem of businesses not disclosing to customers their intent to aggregate and sell data. Consequently, the Act needs to define these businesses as data brokers or otherwise requires these businesses to provide consumers with notice about how their private data will be used.
ReplyDeleteGovTrack.us estimates that S.668 Data Broker Accountability and Transparency Act of 2015 (“DBATA”) a 4% chance of passing: https://www.govtrack.us/congress/bills/114/s668 A similar Act was introduced in 2014, but failed to clear the Senate, and this bill is very unlikely to become a law. The fact that such a bill is being considered reflects the growing concern regarding the need for greater transparency in the world of data brokers. I agree with John’s comments that without transparency, this market may not be able to effectively self-regulate.
ReplyDeleteLaura brings up a good point with the exceptions, although I am not sure if the language in Section 2 (“on behalf of a nonaffiliated third party concerning an individual who is a customer or an employee of that third party”) necessarily applies to entities like Facebook that have a direct relationship with their customers. That language seems more applicable to commercial clearinghouses that process transactions on behalf of other parties, or entities like cloud service providers who provide hosting and other types of services to unaffiliated third parties that have relationships with their customers. For example, Surescripts, the company that enables the vast majority of electronic prescriptions between healthcare entities and pharmacies in the United States, could fall under this exception because it is processing those transactions on behalf of unaffiliated third parties that have relationships with their customers (patients), so the exception language seems appropriate.
Finally, with regard to personal information as a commodity, I agree with Chalene’s position; however, Facebook is neither a utility nor a common carrier in the United States, although they have offered a “walled garden” version of the internet in other countries. A consumer has a choice with regard to using Facebook, whereas no meaningful choice exists with regard to utilities like Rocky Mountain Power. See http://bit.ly/1S5YR1E A consumer signing up for these services agrees to a contract, which imposes an obligation to read the language. Unfortunately, the vast majority of consumers either do not read or cannot understand the fine print. However, instead of presenting the same information in a dry format like a legal contract, web service providers could be required to illustrate with examples of the different places where a consumer’s data could end up if they sign up for that service, before a user ever enters into an agreement.