Let's face it, over the next few years, it's going to become increasingly difficult to protect your privacy online and in your day-to-day life.
From smartphone apps that spy on you to wearables and fitness trackers, corporations mining your social network likes and connections, as well as online searches, more and more forms of personal data are gathered, cross-referenced and stored in massive databases.
Just this year, Microsoft admitted Windows 10 is harvesting more user data than any of its predecessors, fitness trackers have been used in court cases and the FCC fined Verizon Wireless for its hidden tracking technology known as "supercookies."
Who collects and aggregates this data? Data brokers. These murky intermediaries track all aspects of our lives and sell the data to any number of marketers and advertising firms, who may then re-sell it to other parties as well. The government doesn't regulate these brokers, and it's unclear how secure they are from hackers.
Who are the Data Brokers?
Here is a list of 50 prominent data brokers, as compiled by StopDataMining.me.
But these are just the tip of the iceberg. The data broker business is extremely complex and murky, with multiple layers of companies helping to track various components of our lives, from what we search for or visit online to social media, mobile devices, the websites themselves like Facebook and Google, loyalty cards, publicly available records (e.g. voter registration, taxes, home ownership), credit histories, employment records, medical conditions and so much more.
In fact, the Federal Trade Commission (FTC), the government agency tasked with regulating this industry, admitted it doesn't even know how many of them there actually are.
Senator Al Franken pointed out one of the risks in a 2015 Senate subcommittee hearing, following the Experian breach: "We know beyond a doubt that the threats data brokers' large databases pose to consumer privacy are real; plainly, they are attractive targets for cybercriminals."
What is the Risk to Consumers?
During the January 2016 blizzard in the northeast, the pornography website PornHub released statistics showing which cities were the most active porn watchers before, during and after the blizzard. They also noted that PC viewing was higher than mobile device viewing.
How did they do that?
Because PornHub, like other pornography sites, dating sites, cheating sites, shopping sites, medical sites and every other type of site out there, tracks its online users and - at least temporarily - stores that data.
Hackers can exploit the trove of sensitive information held by data brokers for a wide range of criminal purposes, with money typically the primary motive.
Cyber extortion and blackmail are popular schemes, particularly for sensitive types of information (just ask the victims of the Ashley Madison breach). However, identity theft is also a big risk - this may include bank account, credit card, new account or wire fraud, as well as tax fraud and insurance fraud.
This information could also be used as leverage against government or corporate employees for the purpose of espionage.
Public shaming without the extortion is also possible.
How Vulnerable is the Data to Hackers?
It's unclear how seriously these companies take security, because they're not regulated. However, there's no question that data brokers can be breached - trust me, no company is 100% safe. And given the vastness of this field, all it takes is one weak link to unravel millions of records.
Data brokers and websites could be targeted by hackers in any number of ways, but the most likely scenarios are social engineering attacks on their employees (e.g., phishing emails and 'vishing' phone calls), malware, web application vulnerabilities and insider threats. All of these could lead to data theft and, in some cases, they already have.
A number of data brokers have already been hacked, including Experian in 2015; LexisNexis, Kroll Background America, Inc. and Dun & Bradstreet in 2013; Epsilon in 2011; and Acxiom in 2003. Over 1.5 billion records were taken in the Acxiom breach, but luckily at the time, the cybercrime industry wasn't particularly sophisticated and the data was only used for a spam service. Today, that type of breach would be catastrophic, leading to a whole host of nightmares for those affected.
The real question is, how are these companies that perform big data analytics protecting the data they have on us? Strong encryption and information security standards similar to PCI DSS are vital and should be mandated by law.
How to Protect Yourself
While you can reduce the amount of data they collect, there's not a lot the average person can do to completely stop it. Remember, data brokers aren't just on the web - they're middlemen in almost everything, from credit checks, background checks, car and home purchases, insurance, tax records, telephone records, government service, voting, etc.
Basically, everything we do these days is recorded, and either tracked by data brokers or purchasable by them.
A few basic ways to protect your privacy online:
- Opt out of as many data brokers that collect your personal information.
- Consider using a live Linux image like Tails. It's a practical method to avoid being tracked online.
- Install a browser extension like Disconnect or Ghostery, which will monitor and attempt to block tracking firms.
- Switch to private search engines like DuckDuckGo and stay logged out of online services such as Gmail, Facebook, etc. to make it harder for them to track your searches.
- Limit who gets your real email address. Use disposable email accounts such as 20 minute mail or 10 minute mail when registering for online accounts or services.
- Use a virtual private network (VPN) to encrypt your data. This will make it more difficult for data brokers to track who you are.
- Make online purchases with a gift card or disposable credit card especially for sensitive or embarrassing purchases.