Congressional inquiry responses released: Data brokers refuse to name sources

A Congressional inquiry told nine major data brokerage companies to explain how they collect and sell consumer information. The data dealers have responded with PR and generalities.
Written by Violet Blue, Contributor

Data brokers have compiled secret dossiers on what's estimated to be 500 million people and they're refusing to name data sources to a Congressional inquiry - or transparently explain what's being done with the privacy-invading data they're collecting and compiling.

Yet in their crafted responses to Congress, we learn important details: for instance, some of their sources range from permissioned apps to the State Department Terrorist Exclusion list.

It also turns out that the nine largest data brokers in the world are making billions selling your personal data, habits, interests and more as "information services" such as list sales to clients for prospecting purposes (finding new markets for clients), database access, "Identity Verification and "Risk Mitigation" products, and - of course - targeted advertising.

Congressional representatives have just released official responses from their inquiry into nine data dealers regarding the companies' closed-door operational practices of collecting and selling consumer data and personal information.

According to the responses, one of the companies obtain data directly from consumers.

data brokers

It is all obtained through front-facing entities - such as websites and businesses with "permissioned data" such as applications.

If you're wondering what permissioned data is, Facebook has neatly streamlined its permissioned data process for developers, especially when an app asks for permissions to private data, or friends' data.

UPDATE: FICO has responded with a statement, see bottom of page.

Each of the data brokers (AcxiomEpsilon, EquifaxExperianHarte-HanksInteliusFICOMerkle and Meredith Corprefused to specifically name information sources, citing non-disclosure agreements with companies and the protection of trade secrets.

Acxiom cannot provide a list of each entity that has provided data from, or about, consumers to us. [-Acxiom response, .pdf]

In October, Senator John D. Rockefeller IV (D-West Virginia) opened a separate Senate investigation of nine leading information brokers (including Silicon Valley startup Rapleaf) that closed on November 2.

Even though vague and riddled with propaganda, the data brokers' just-released responses to the Congressional inquiry reveals plenty about what's happening right now in the hidden world of commercial data brokers.

Over 500 million consumers are being collected and sold without their consent

Each company that responded to the Congressional letters stated that they do notify the public about the fact their data is being collected by these companies.

Which is great if everyone knows who the middlemen broker are: the notification is on the brokers' company websites.

According to the responses, a number of these companies are in bed together. For instance, we learned that Epsilon bought Equifax's marketing database and that business arm, and FICO said licenses a database from Epsilon.

Each responded in similar generalities that they get data on people from government, public, corporate, private and so-called "self-reported" sources.

Acxiom says it receives, "(...) various lists from the federal government, such as the Social Security Administration’s Deceased Master file, the State Department Terrorist Exclusion list, and the Office of Foreign Assets Control list."

Experian Marketing Servicessays it gets its data from public sources, under which it includes, "Private entities" with "permissioned data" opt-ins and, "Websites that have permission to share information about their visitors."

Not reassuringly, Epsilon's vague data source list ended with "Marketers, and other information brokers."

These companies have created secret dossiers about you

In August 2011, we exposed middleman data brokers such as Intelius, and other companies on the Congressional inquiry list (including Axicom, whose revenues exceed $1 billion annually) in the article How To Remove Yourself From People Search Websites.

Intelius stated it obtains its data from sources that:

(...) include publicly available information from civil court records, Internet Domain Registration records, publicly available social media profiles, phone number histories, address histories, email addresses, property records, voter registration records, local and state criminal records, date of birth, workplace history, education history, federal criminal records, and business records.

Acxiom disclosed that its information dossiers on individuals can include date of birth/age, race, ethnicity, religious affiliation, language preference, length of residence, home value, home characteristics, marital status, presence of children and number of residents in the household, education, occupation and political party.

The data can get used against you

"The other side of the coin is that important decisions are being made about you, the real you, based on the virtual 'you' that's made up of all this data," said Sarah Downey, privacy analyst with Abine.com, an online privacy company based in Boston.

Downey wrote in a blog post,

Recently, a Massachusetts woman wasn’t hired for a pharmacy job after a background check had incorrectly reported that she had 14 felony convictions. Her record was clean, but the data broker providing the report messed up and linked someone else’s name to hers. 

It’s a major problem when employers are judging people based on these background checks, yet people can’t respond to or even see the content of their own files.

Intelius conceded in a 2008 SEC filing that the information that it and similar companies sell is often inaccurate and out of date. According to Intelius in its response to the inquiry (item #6) and its own Terms, consumers can not correct their own data if it is incorrect.

Acxiom's response explained that consumers can't correct their information, they can only opt-out of Acxiom's databases. 

Data broker defense: better advertising, plus it's all legal

What are these brokers, collectors and compilers doing with the profiles they're making about you?

According to responses provided to the inquiry letters, brokers like Acxicom are gleaning much of their revenue from "information services."

Acxicom's information services include: list sales to clients for prospecting purposes (finding new markets for clients), database access, "Identity Verification and "Risk Mitigation" products, and - of course - targeted advertising. Which everyone seems to keep trying to convince consumers is something they really want, and is totally worth trading user privacy for.

Acxiom Chief Executive Officer Scott Howe told CNN in a television interview this last August,

Companies like Acxiom are trying to get intelligent about what you might be interested in and who you are.

Such that we can deliver more relevant advertising to you, and we can deliver offers and products and services in which you might have interest.

Last week, mobile security researchers at Juniper Networks reviewed 1.7 million mobile apps, and revealed the claim that data collection is being used for advertising is a lie.

The researchers found that the percentage of apps with the top 5 ad networks was much less than the total number of apps tracking location - meaning that most phone apps are tracking your location but are not using it for ad partners.

Juniper stated,

This leads us to believe there are several apps collecting information for reasons less apparent than advertising.

Jay Stanley, Senior Policy Analyst at the ACLU had these wise words about the data brokers claims of consumer benefit:

Acxiom also argues that “Consumers Benefit from Appropriate Use of Information in Numerous Ways.”

Putting aside the loaded qualifier “appropriate,” it is a bit… spooky to tout the supposed benefits to consumers of dossier creation when individuals have not knowingly consented to those dossiers.

(If the benefits are so great, let individuals opt-in.)

Acxicom's Howe also told CNN in August, "All the information we collect and utilize is secure, appropriate, and legal."

Maybe it's legal because there are no laws against what they're doing.

Currently, there is no comprehensive federal regulation for data brokers or permissioned data collection.

Privacy laws have not truly been updated since people had to actually walk into a government building and request to see files in person.

If companies like Axiom had to do it the old fashioned way, their businesses would not be possible today.

UPDATE: FICO has responded with the following statement - they do not define themselves as data brokers; keep in mind their statement to Congress does state it acquires data (section #1) and license databases to clients (section #4):

FICO is not in the data broker business. It does not collect, collate, aggregate and sell information about consumers offline, online and mobile activities for marketing and other purposes. 

FICO sells analytics software, not consumer data, that drive smarter decisions using mathematics to predict consumer behavior.

Editorial standards