The Security Implications of Data Brokerage
An Interview with Justin Sherman
What is data brokerage? What methods and practices do data brokers employ to gather and share our data?
Data brokerage is a term that we use to broadly refer to any entity buying and selling someone’s information. That could be a company whose entire business model is collecting and purchasing data on people from different sources, aggregating it, and selling it in packages. It could be a company whose primary business is not selling data but engages in this buying and selling of data on the side. This is a multi billion-dollar industry. There are hundreds and hundreds of US companies involved in this ecosystem, as well as many companies in Canada. Its a huge part of the modern data collection and sharing machine that we often overlook—particularly when we tend to focus on just a few large social media platforms.
There are good reasons to be concerned about various kinds of espionage. Several months ago, Bloomberg covered a story about investigations in Australia and the extent to which Huawei has been trying to, and successfully hacking into their telecommunications grid. When you’re looking at intelligence collection in general, you must think about what vectors of collection are available to a state, which ones are the most cost effective, and which ones are going to provide uniquely valuable information. Just because valuable information might be stolen from a system through hacking doesn’t mean that you can’t get it on the open market. It might actually cost less for a state with a lack of regulations to set up a front company for the Russian or Chinese governments and buy tons of data completely legally on members of the US military or on elected officials.
How does data collected on military personnel impact national security? How could malicious actors possibly exploit user data in the context of military exercise?
There are many ways that data on military personnel can be used to undermine a country’s security. The same goes for data on diplomats, government employees, and key decision makers in the private sector—for example, in the defense space, or in emerging scientific and technology areas like semiconductors. There is a lot of military data out there on the open market for sale. You can go by GPS location histories, internet search histories, history of credit card purchases, and so on. This data enables you to profile military personnel, so if you just want to understand better, what a country’s fighting force looks like, you can do that.
It’s easy to profile, and then from there, to blackmail, target, or coerce people with that information. It’s also useful generally, for counterintelligence and other purposes, because if you can buy people’s GPS location histories, you can watch as military personnel move on or off base in a foreign country. You can watch as military intelligence analysts are going to and from an unmarked facility. When all this information is out there and available, without regulation, it enables these security threats to become realized much more easily.
Globally, what measures have been taken to address the security concerns associated with data brokerage?
There are some provisions in the EU’s General Data Protection Regulation (GDPR) that can relate to data brokers, nothing really calls them out specifically. But part of the issue there is part of the issue with GDPR, in general, which is that a lot of GDPR is about notifying people that you’re collecting information on them—putting security controls in place on the information that you do collect. It doesn’t fundamentally constrain the collection of data in the first place. Two states in the US set up a registry where, if you’re a narrowly defined data broker, you must list your company name on the state website essentially. That’s it though, there is no control on what companies can collect, or sell. That is one of the most concerning things. A lot of the companies have data sets on millions of US military personnel, on everyone in the US with a mental illness, data on people who visited a certain building at a certain time last month. This lack of regulation on collection and controls that the companies have in place, have really combined to create this huge problem here.
Some believe data from Cambridge Analytica may have helped facilitate Russian interference in the 2016 election. How can data obtained by malicious actors become a tool for disinformation campaigns? Does data brokerage pose challenges to our democracies?
It’s a huge problem for democracies. Data brokerage is a threat to democratic electoral systems. Foreign states can use or buy data on citizens to target disinformation campaigns. In a report I published through Duke, I found large datasets advertised online that you can go by, for example, on millions of Americans’ political beliefs. This is not a hypothetical situation where, let’s say, the Russians have to jump through 30 hoops to get it—the stuff is sitting there, and you can go buy Excel spreadsheets with this information. It’s absolutely a threat to democracy in that sense. You can also use this for voter suppression in a democracy and use it to intimidate people who are going to the polls. We have to ask the question—do we want these companies to be able to buy up, aggregate, and then sell all of this data on citizens to enable civil rights abuses, consumer exploitation, and threaten national security? Is that something we want in a democracy? And I think on all fronts, the answer is clearly no.
How can the average person better protect themselves from data brokerage? What do you think individuals need to know about their data that maybe they don’t understand?
The average person can do some things to protect themselves against data brokers, but they can only do so much. Some companies and some jurisdictions will let you file a request to have your information removed from a database or to request that they stop collecting information on you. Some of these companies make billions of dollars a year from buying and selling, as many as 10s of 1000s of data points on a single person—which is insane, right? If you asked me to name ten fun facts about myself, I could do that, but 10,000? But that’s what they have. It is a scale of surveillance that is on the government to regulate—not individuals.
These big companies know who you are. Even if they say they don’t have your name. They probably do have your name, but they also have all of this other information that enables them to pinpoint you. They can collect and buy 24/7 GPS logs to watch as you go to your kid’s school, as you go to a bar, a medical facility, or a divorce attorney. They can buy your entire internet search history, all kinds of information about your race, religion, your sexual orientation, and how much money you make. They can use all of that to pinpoint you.
This data is already used to harm people even if we don’t realize it. Health insurance companies will buy up this data to figure out how much they can charge people for coverage, predatory loan companies will buy this information so they can target people, scammers and criminals will buy this to steal from senior citizens or veterans. Governments will use data to track their own citizens without going through court orders and other legal protections. This is a huge problem, and it does affect everyone.
Justin Sherman Justin Sherman is a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative. He is also an op-ed contributor at WIRED and researches at the Tech, Law, & Security Program at American University Washington College of Law and at Lawfare’s Trustworthy Hardware and Software Working Group. His work at the Atlantic Council focuses on the geopolitics, governance, and security of the global internet.