<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div style="-webkit-text-size-adjust: auto; "><br><span style="font-family: '.HelveticaNeueUI'; font-size: 15px; line-height: 19px; white-space: nowrap; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-text-size-adjust: none; "><a href="http://blog.varonis.com/data-brokers-too-much-information/">http://blog.varonis.com/data-brokers-too-much-information/</a></span><br>...,...</div><h2 class="entry-title" style="margin: 0px 0px 10px; padding: 0px 0px 0px 37px; border: 0px; font: inherit; vertical-align: baseline; background-image: url(http://blog.varonis.com/wp-content/themes/Varonis/images/arrow-header.jpg); background-position: 0px 4px; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Data Brokers: Too Much Information</span></h2><div class="entry-meta" style="margin: 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"><span class="meta-prep meta-prep-author" style="margin: 0px; padding: 0px; border: 0px; font-size: 11px; font: inherit; vertical-align: baseline; ">Posted on</span> <a href="http://blog.varonis.com/data-brokers-too-much-information/" title="2:04 pm" rel="bookmark"><span class="entry-date" style="margin: 0px; padding: 0px; border: 0px; font-size: 11px; font: inherit; vertical-align: baseline; ">December 28, 2012</span></a> by <a href="http://blog.varonis.com/author/agreen/" rel="author">Andy Green</a></span></div><div class="entry-content" style="margin: 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><a id="dd_start" style="float: left; clear: both; "></a><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><img class="alignright size-full wp-image-2038" title="security-check" alt="" src="http://blog.varonis.com/wp-content/uploads/2012/12/800px-1912_Birth_Certificate_Ken_Baker.jpg" width="250" height="143" style="margin: 5px 0px 20px 20px; padding: 0px; border: 0px; font-size: 13px; font: inherit; vertical-align: baseline; float: right; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">I keep coming back to the FTC’s <a href="http://blog.varonis.com/shift-in-ftc-consumer-privacy-policy-may-signal-new-laws-in-us/">report </a>on new consumer privacy guidelines issued early in the year. Not only do the guidelines give a sense of the agency’s view on online data protection, but it also suggests what new legislation may eventually look like.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">I bring up the FTC report yet again, because earlier this month, as an end-of-year surprise, it issued an <a href="http://www.ftc.gov/opa/2012/12/databrokers.shtm">order</a> to several major US information brokers to learn more about their business practices.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">In the FTC words, information or data brokers, are “companies that collect personal information about consumers from a variety of public and non-public sources and resell the information to other companies.” Sent to nine data brokers, the FTC order requested specific information on the source of their data, how the data is maintained, and consumer’s ability to access and correct inaccurate information.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">It’s no secret that the FTC has its own ideas about how these brokers should be doing their job. In their guidelines, the FTC calls for a <i style="margin: 0px; padding: 0px; border: 0px; font-size: 13px; font: inherit; vertical-align: baseline; ">voluntary</i> privacy framework that would support several “substantive” principles, which include data security, reasonable collection limits, sound retention practices, and data accuracy.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">While these principles apply to all companies that handle consumer data, the FTC sees something special about data brokers. The key point is that consumers don’t have a direct relationship with these companies, and the broker is in the business of selling this data to others.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">So what’s at issue here?</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Data brokers are good at connecting online public records to quasi-private information trawled from multiple online sources, including website interactions, cookies, and mobile activity, with the goal of creating detailed profiles.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">From voter rolls, campaign contribution lists, “anonymous” hospital data, housing sales, mortgage files, and now, apparently registered gun ownership <a href="http://www.lohud.com/interactive/article/20121223/NEWS01/121221011/Map-Where-gun-permits-your-neighborhood-?gcheck=1">records</a>, publicly available data alone provides a good starting point in creating a rough sketch. By the way many of these public records started life as paper documents held in a town hall and then were subsequently digitized. More on this implicit loss of privacy later.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">With not too much difficulty, though, depending on the data and the computing resources, it’s then possible to combine it with other de-identified information and link it, with high likelihood, back to an individual or group, thereby filling in finer details of the consumer portrait.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">For example, at least one of the data brokers to which the FTC sent its request had done just <a href="http://gigaom.com/2010/10/18/rapleaf-facebook-privacy/">that</a>: tying personal data it had collected in Facebook to identifiable data stored in its databases. The broker has since changed its Facebook data gathering policy.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Ideally, the FTC would like to give consumers the right to access the data mined by the brokers, correct it when it’s invalid, and opt-out if necessary. For those following my posts, this approach should appear familiar—it’s very much in the spirit of the EU’s <a href="http://blog.varonis.com/cloud-data-protection-in-the-eu-the-road-back-from-serfdom/">Data Protection Directive</a>.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">If we accept the fact that we’ll all have an online profile that is continually extended as more information is made public, then the FTC’s privacy policies are reasonable.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">On the other hand, if we want to put the genie partially back in the bottle, we may have to rethink the easy availability of public and governmental records, or at least give more choice to consumers about opting in.</span></p><p style="margin: 14px 0px; padding: 0px; border: 0px; font: inherit; vertical-align: baseline; "><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Public records created before the Internet-era required a visit to a physical location to view, and it would seem that the intention was not to make the data widely and instantly accessible. From what I’ve read about the gun-ownership map controversy in particular, the public data privacy question has actually united people on both sides of the debate on gun laws: with many agreeing that perhaps we shouldn’t too hastily webify public records.</span></p></div></body></html>