Data Broker On The Hook For $5 Million After Abusing Its Access To North Carolina DMV Data

from the but-why-did-it-have-access-in-the-first-place? dept

The government demands a lot of data from its citizens. In exchange for the privilege of operating a car, the government wants to know a lot about you. It then takes this data and locks it up tight, ensuring only the agency demanding the info has access to it.

Oh, wait. It does exactly the opposite of that. It shares it with tons of other government agencies that might find that information useful. Then it sells this data to whoever it wants, profiting off information citizens are obligated to give to the government.

Late last year, Karl Bode covered the state of California's routine abuse of driver and vehicle data. The state's DMV raked in $50 million selling this data to data brokers like LexisNexis and a host of other private entities, like Experian and an untold number of private investigators.

A lawsuit against LexisNexis filed in North Carolina has just paid off for the plaintiffs, as Joseph Cox reports for Vice.

On Tuesday the massive data broker LexisNexis reached a settlement of over $5 million in response to a class action lawsuit that alleged the company sold DMV data to law firms, which then used it for their own business purposes.

[...]

"Defendants will make payment of the amount of service awards, attorneys' fees, and other expenses approved by the Court up to and not more than $5,150,000.00, in the aggregate, by wire transfer to the agent identified by Class Counsel," the proposed settlement agreement reads. Law360 first reported the settlement.

LexisNexis was just taking advantage of lax privacy laws in North Carolina. So were the government agencies that sold the data to LexisNexis in the first place. The lawsuit alleged LexisNexis sold motor vehicle records in a way that violated the state's Drivers' Privacy Protection Act. The Act doesn't appear to have provided much protection. LexisNexis and other customers weren't actually following the law, which supposedly requires private entities to detail their planned use of the data before obtaining it. This doesn't appear to have happened in this case.

And the law still allows private investigators to access the data, despite a private investigator's careless handling of purchased data having prompted the creation of the law.

Ironically, the permissible uses also include for private investigators; the DPPA was created in the first place after a private investigator working for a stalker obtained the address of actress Rebecca Schaeffer from the DMV. The stalker then murdered Schaeffer.

This settlement is a drop in the cash flow bucket for LexisNexis, which likely won't be deterred from misusing this information in the future. The solution isn't lawsuits. It's legislation that forbids state agencies from selling the data it forces residents to hand over in exchange for public goods and services. Until that happens, abusive uses of this data will still be a regular occurrence.

Filed Under: data brokers, dmv, north carolina, privacy, selling data
Companies: lexisnexis

Congressional Reps Want To Know Why The California DMV Is Making $50 Million A Year Selling Driver Data

from the time-to-start-cutting-the-public-in-on-the-scam dept

Congressional legislators -- apparently caught off guard by one state's revenue stream -- are asking the California Department of Motor Vehicles a $50 million question: why the hell are you selling residents' personal data?

A group of nearly a dozen lawmakers led by member of Congress Anna Eshoo wrote to the California Department of Motor Vehicles (DMV) on Wednesday looking for answers on how and why the organization sells the personal data of residents. The letter comes after Motherboard revealed last year that the DMV was making $50 million annually from selling drivers' information.

As Karl Bode noted last year when covering this revelation, this sale of data is codified. The Driver's Privacy Protection Act doesn't do much to protect drivers' privacy. It may prevent abuse of this data by government employees but none of that affects private sector access where the real money is made.

The data from the California DMV is sold to a variety of data brokers. The public records request that resulted in this windfall of transparency about the DMV's windfall of actual money didn't name any of its customers. But did show a steady increase in revenue over the five years the records covered.

The letter [PDF] signed by nine members of Congress -- including California Congressional rep Ted Lieu -- asks the DMV a lot of pointed questions about its practice of profiting off data Californians are forced to hand over in exchange for licenses. It asks the questions the records obtained by Motherboard left unanswered. First off, the legislators want to know who this data is being sold to.

What types of organizations has the DMV disclosed drivers’ data to in the past three years? In particular, has the DMV sold or otherwise disclosed data to debt collection agencies, private investigators, data brokers, or law enforcement agencies?

Has the DMV ever disclosed drivers’ photos to federal, state, or local law enforcement agencies or given such agencies access to a database of drivers’ photos?

What specific fields of personal information have been sold or disclosed to third parties by the DMV in the past three years?

Have Social Security numbers or driver’s license photos ever been disclosed?

The legislators also want to know if this data is being shared with ICE and other federal agencies for the purposes of locating undocumented immigrants. It also asks if Californians can ask to opt out of the data sales/sharing and whether the agency would honor any of these requests.

The legislators note that they're concerned about this practice they probably should have already been aware of -- especially the two California assembly members who also signed the letter.

[W]e’re troubled by press reports about the California DMV’s disclosure of vast quantities of data which could enable invasive biometric policing and be a symptom of a deeper privacy malady. [...] What information is being sold, to whom it is sold, and what guardrails are associated with the sale remain unclear.

The DMV has already answered some of these questions... sort of. In a statement to Motherboard, the DMV said the $50 million/year it makes on data sales only offsets the cost of "administering its requester program." It denies selling information to marketers. It did not deny selling info to data brokers or other common customers for DMV data, like credit reporting agencies.

"The DMV takes its obligation to protect personal information very seriously. Information is only released according to California law, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. For example, if a car manufacturer is required to send a recall notice to thousands of owners of a particular model of car, the DMV may provide the car manufacturer with information on California owners of this particular model through this program," the statement added.

"Only released according to California law." That's the problem. The law allows the DMV to sell data to private companies. It takes a few purchases to add up to $50 million. Handing out info to car manufacturers for recalls is probably something the DMV does for a minimal cost, if it even charges anything for it. The DMV's statement sounds good but really says nothing. No one will really know what happens to the data the DMV collects until it starts handing over detailed answers to these questions from Congress.

Filed Under: anna eshoo, california, data, dmv, privacy, selling data, ted lieu

How Most Of The Anti-Internet Crew Misread The News That The NY Times Is Getting Rid Of 3rd Party Advertisers

from the now-they're-doing-the-same-thing-as-facebook dept

One of the most frustrating aspects of discussing the internet, business models, and privacy is how many otherwise intelligent people continue to insist that Google and Facebook are "selling your data." It's a concept that is widely considered accurate, but has never been true. It's so ridiculous that it leads to silly Congressional exchanges between elected officials who are sure the tech companies are selling data, and the people from those companies themselves. Doing targeted advertising is not selling data. There are many, many things you can reasonably and accurately complain about regarding big internet companies and their use of data, but "selling" the data is not one of them.

As a refresher: the way targeted advertising works is that an advertiser agrees to place an ad and uses whatever system to target those ads to particular groupings of people, as set up by the ad platform. So, if you want to advertise to grumpy bloggers in their mid-40s, you can find a way to have those ads show to that demographic. But the advertiser doesn't get any data from the platform about anyone. The companies are selling access to highly targeted demographics, but it's never been selling data.

That doesn't mean there aren't other companies that do sell private data. There are. Lots of them. Data brokers, telcos, some ISPs, and even your local DMV have been caught selling your actual data. But for some reason, everyone wants to keep insisting that Google and Facebook also sell data, when they never have, and have always only sold targeted advertising in which the data only goes in one direction, and not back to the advertiser.

Now, that's all background to the very interesting news that the NY Times is now moving away from using 3rd party advertising services.

The New York Times will no longer use 3rd-party data to target ads come 2021, executives tell Axios, and it is building out a proprietary first-party data platform.

However, it is building out its own targeting platform:

Beginning in July, The Times will begin to offer clients 45 new proprietary first-party audience segments to target ads.

• Those segments are broken up into 6 categories: age (age ranges, generation), income (HHI, investable assets, etc.), business (level, industry, retirement, etc.), demo (gender, education, marital status, etc.) and interest (fashion, etc.)
• By the second half of the year, The Times plans to introduce at least 30 more interest segments.

Now, if you understand the ad market, what's happening here is that the NY Times is building its own version of what Facebook and Google do. This is probably smart for them, because it makes them less reliant on various partners. And, one of the reasons the NY Times is able to do that is because it's such a large player in the space:

"This can only work because we have 6 million subscribers and millions more registered users that we can identify and because we have a breadth of content," says Allison Murphy, Senior Vice President of Ad Innovation.

But what was odd is that the usual crew of people who regularly like to slam Facebook and Google... seemed to celebrate this move as if it was somehow antagonistic to Facebook and Google's practices, and "more privacy protective."

Yet, again, the NY Times is now doing the same thing that Facebook and Google have done. It's collecting data on its users, and then using that data to sell access to advertisers. Why is that evil "selling data" when it comes to those other companies by "good" when it's the NY Times? Look at the segmenting the NY Times already says it's doing: how exactly is it getting "marital status"? Or income levels? Is that the sort of info you give up to get a NY Times subscription (and if so, who is actually giving that info away?) or is the NY Times collecting that information through other means?

Now, there are some reasonable arguments to be made that in making this move the NY Times will be sending less data back to 3rd party advertisers, but even that is only narrowly true. First of all, the data that flows back to ad networks via publishing partners is already a lot less significant than you might think. It's just not that much -- and unless the NY Times is also going to pull other things like the URL tracking it includes in its "share on Facebook" links, it's still going to be sending data back to companies like Facebook.

None of this is to say what the NY Times is doing is bad. I think it is a good thing, but it's more a statement on the terrible state of ad networks today than it is on any big "privacy" effort. Frankly, we've been discussing ditching 3rd party ads entirely ourselves over the last few months, but unlike the NY Times, we can't then set up our own "targeting" operation (nor would we want to), and tragically, very few advertisers are left who will sponsor sites directly based on topic, and without targeting (trust us, we've tried for years to find them).

But it is quite silly for the people who have been hating on Facebook to now cheer on the NY Times doing the same thing that Facebook has done as if it's somehow different.

Filed Under: 1st party advertising, 3rd party advertising, ads, market segmentation, privacy, selling data, targeting
Companies: facebook, google, ny times

The DMV Is Selling Your Data To Vast Array Of Third Parties

from the dysfunction-junction dept

Another day, another data privacy scandal. This time the focus is on the Department of Motor Vehicles, which has been busted selling DMV user data to a laundry list of third parties, without always making such financial relationships or data transfers clear to patrons. Some of the data wound up being sold to the usual suspects (auto insurance companies being the most obvious), but much of it is routinely sold to more dubious third-party outfits and private investigators. And while some of the data is in bulk and "anonymized," we've long noted that doesn't mean what you think it does.

The collection and sale of sensitive user data is particularly problematic for those dealing with stalkers or other jackasses:

"The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking," Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, told Motherboard in an email. "For survivors, their safety may depend on their ability to keep this type of information private."

Granted all of this is perfectly legal due to the Driver's Privacy Protection Act (DPPA), a 90's law that critics say is in dire need of an update. That law was created in response to a series of abuses of DMV data, including the 1989 murder of actress Rebecca Schaeffer, after her killer obtained her home address from the DMV. And while the law was intended to stop the abuse of DMV data, it contained (surprise!) plenty of loopholes making it okay to sell this data to a wide variety of individuals, including PIs, bail bondsmen, and consumer credit reporting agencies.

While the data sold can vary from state to state, it generally includes names, addresses, zip codes, dates of birth, phone numbers, and email addresses. The documents obtained by Motherboard show that the Wisconsin DMV, for example, has personal data sales relationships with more than 3,100 different entities. The practice is, unsurprisingly, hugely profitable:

"DMVs are making a lot of money from the sale of this data. The Rhode Island DMV made at least $384,000 selling personal data between 2015 and this year, according to a spreadsheet obtained by Motherboard. When asked how much the Wisconsin DMV made from selling driver records, a spokesperson wrote in an email "Per these 2018 DMV Facts and Figures, $17,140,914 was collected in FY18 for driver abstract fees." Examining that document shows that Wisconsin's revenue for selling driver records has shot up dramatically since 2015, when the sale drew in $1.1 million. The Florida Department of Highway Safety and Motor Vehicles made $77 million in 2017 by selling data, a local outlet found."

Most DMVs say that they inform customers (in fine print) that their data may be sold, and that they've cut off access to data by firms that they've found to have abused the access. But given the wild west nature of US privacy law (read: we don't have many and the ones we do have are riddled with issues and loopholes), there's not much of a mechanism to confirm this data isn't being abused, or that DMVs are doing a particularly good job of dealing with issues when the data is being access by malicious parties. In response to the investigation, Presidential hopeful Bernie Sanders demanded more comprehensive oversight:

"The DMV should not use its trove of personal information as a tool to make money. While the internet has been an enormous source for good, all that convenience and connection has come with a price: our privacy has been invaded in an unprecedented way, in a manner that would have been unthinkable even 20 years ago. Nobody—from agencies like the DMV to large corporations like Facebook and Google—should be profiting from sharing or selling personal information without meaningful consent. Congress must get serious about ending practices that violate the privacy of ordinary Americans.

Granted it's hard to reform US privacy law when a broad coalition of industries are using every lobbying trick in the book to prevent said reform from taking place. And while a lot of companies publicly state they want a new privacy law, what they really mean is for Congress to pass another flimsy, loophole-filled law their lawyers wrote, that will primarily serve to pre-empt more comprehensive state and federal privacy proposals.

Filed Under: data, dmv, privacy, selling data

Another Day, Another Massive Cellular Location Data Privacy Scandal We'll Probably Do Nothing About

from the ill-communication dept

We've noted a few times now that while Facebook gets a lot of justified heat for its privacy scandals, the stuff going on in the cellular data and app market in regards to location data makes many of Facebook's privacy issues seem like a grade-school picnic. That's something that was pretty well highlighted by the recent Securus and LocationSmart scandals, which showcased perfectly how cellular carriers and location data brokers routinely buy and sell your daily travel habits with only a fleeting effort to ensure all of the subsequent buyers and sellers of that data adhere to basic privacy and security standards.

This week, Joseph Cox at Motherboard dropped yet another bombshell report on this subject, noting how he was easily able to pay a bounty hunter $300 to obtain the (supposedly) private location data collected by his cellular provider (T-Mobile). Much like the Securus scandal, the problem once again is the countless location data brokers and third party vendors which are being sold this data, then doing pretty much whatever they'd like with it. In this instance, his data was collected by T-Mobile, shared with brokers and aggregators like Microbilt and Zumingo, then in turn shared with bail bond outfits and private investigators:

"Microbilt buys access to location data from an aggregator called Zumigo and then sells it to a dizzying number of sectors, including landlords to scope out potential renters; motor vehicle salesmen, and others who are conducting credit checks. Armed with just a phone number, Microbilt’s “Mobile Device Verify” product can return a target’s full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service."

Cellular carriers make a small fortune collecting and selling this data, and there's virtually no oversight of the practice. Consumers often sign one privacy agreement with their cellular provider, which in turn is then broadly interpreted as a green light down a long road of companies which then collect and sell that data in turn. As we saw with the Securus scandal (when a local Sheriff was busted snooping on the private cellular location data of Judges and fellow law enforcement officers), everybody in this chain of dysfunction likes to play stupid when the problem repeatedly comes to light. The same thing occurred here:

“We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data,” A T-Mobile spokesperson told Motherboard in an emailed statement. “While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution.”

When the NY Times broke the Securus scandal story last year, cellular carriers all played stupid, insisted they'd ceased the sale of such data, and breathlessly assured everybody that this behavior wouldn't happen again. When Senator Ron Wyden complained, you might recall that T-Mobile CEO John Legere took to Twitter at the time to insist he'd learned the error of his ways:

Apparently not.

Needless to say, Wyden, who has been pushing new privacy legislation, isn't particularly impressed:

If you were an industry hoping to avoid government regulation of your business, you'd think you'd be a little more cautious in the way you treat private data. But as we've noted countless times, this kind of cavalier treatment of private data is the norm for telecom. From hoovering up your clickstream data to covertly modifying data packets to track you around the internet, telecom has long played fast and loose with consumers' private data. Some have even flirted with the idea of only seriously respecting your privacy if you pay an additional fee, effectively making consumer privacy a luxury feature.

So while broadband giants will surely whine incessantly during the looming quest to pass some meaningful rules of the road, it's worth remembering they had ample opportunities, over decades, to avoid stricter government intervention by adopting better, more ethical business practices. It's also worth reminding folks that ISPs lobbied furiously to convince the GOP to kill some fairly basic privacy protections at the FCC that would have required ISPs clearly inform users who is buying and selling this data, giving users a little more control over how it was shared.

And it's also worth noting that even without legislation or those rules, the FCC still has Section 222 authority to police this kind of behavior. While the FCC's privacy rules were killed, mobile carriers are still subject to CPNI rules for voice calls, which were expanded in 2005 to include subscriber location information. The bottom line is that the Ajit Pai FCC could easily address this problem using the authority it has now, they've just chosen not to because it might just hurt telecom revenues. The FTC could also probably ding T-Mobile for being "unfair and deceptive" under Section 5 of the FTC act, yet has been similarly mute as carriers bullshit their way around their failures on this front.

All of that said, there's countless folks who think they're taking meaningful steps to protect their privacy by deleting Facebook (or on-phone apps), yet are oblivious to the perils of walking around with a stock carrier phone in their pocket. It might be time to stop being quite so collectively naive about US privacy practices if we're going to have a serious (and undeniably difficult) adult conversation on what privacy rules of the road should look like. One thing we can probably mostly agree upon: this practice of hoovering up your every move and selling it to an ocean of companies with little to no real attempt to protect it is behavior we need to change, one way or another.

Filed Under: bounty hunters, john legere, location data, mobile operators, privacy, ron wyden, selling data
Companies: at&t, microbilt, sprint, t-mobile, verizon, zumingo

Facebook Has Many Sins To Atone For, But 'Selling Data' To Cambridge Analytica Is Not One Of Them

from the let's-at-least-be-accurate dept

Obviously, over the past few days there's been plenty of talk about the big mess concerning Cambridge Analytica using data on 50 million Facebook users. And, with that talk has come all sorts of hot takes and ideas and demands -- not all of which make sense. Indeed, it appears that there's such a rush to condemn bad behavior that many are not taking the time to figure out exactly what bad behavior is worth condemning. And that's a problem. Because if you don't understand the actual bad behavior, then your "solutions" will be misplaced. Indeed, they could make problems worse. And... because I know that some are going to read this post as a defense of Facebook, let me be clear (as the title of this post notes): Facebook has many problems, and has done a lot of bad things (some of which we'll discuss below). But if you mischaracterize those "bad" things, then your "solutions" will not actually solve them.

One theme that I've seen over and over again in discussions about what happened with Facebook and Cambridge Analytica is the idea that Facebook "sold" the data it had on users to Cambridge Analytica (alternatively that Cambridge Analytica "stole" that data). Neither is accurate, and I'm somewhat surprised to see people who are normally careful about these things -- such as Edward Snowden -- harping on the "selling data" concept. What Facebook actually does is sell access to individuals based on their data and, as part of that, open up the possibility for users to give some data to companies, but often unwittingly. There's a lot of nuance in that sentence, and many will argue that for all reasonable purposes "selling data" and my much longer version are the same thing. But they are not.

So before we dig into why they're so different, let's point out one thing that Facebook deserves to be yelled at over: it does not make this clear to users in any reasonable way. Now, perhaps that's because it's not easy to make this point, but, really, Facebook could at least do a better job of explaining how all of this works. Now, let's dig in a bit on why this is not selling data. And for that, we need to talk about three separate entities on Facebook. First are advertisers. Second are app developers. Third are users.

The users (all of us) supply a bunch of data to Facebook. Facebook, over the years, has done a piss poor job of explaining to users what data it actually keeps and what it does with that data. Despite some pretty horrendous practices on this front early on, the company has tried to improve greatly over the years. And, in some sense, it has succeeded -- in that users have a lot more granular control and ability to dig into what Facebook is doing with their data. But, it does take a fair bit of digging and it's not that easy to understand -- or to understand the consequences of blocking some aspects of it.

The advertisers don't (as is all too commonly believed) "buy" data from Facebook. Instead, the buy the ability to put ads into the feeds of users who match certain profiles. Again, some will argue this is the same thing. It is not. From merely buying ads, the advertiser gets no data in return about the users. It just knows what sort of profile info it asked for the ads to appear against, and it knows some very, very basic info about how many people saw or interacted with the ads. Now, if the ad includes some sort of call to action, the advertiser might then gain some information directly from the user, but that's still at the user's choice.

The app developer ecosystem is a bit more complicated. Back in April of 2010, Facebook introduced the Open Graph API, which allowed app developers to hook into the data that users were giving to Facebook. Here's where "things look different in retrospect" comes into play. The original Graph API allowed developers to access a ton of information. In retrospect, many will argue that this created a privacy nightmare (which, it kinda did!), but at the same time, it also allowed lots of others to build interesting apps and services, leveraging that data that users themselves were sharing (though, not always realizing they were sharing it). It was actually a move towards openness in a manner that many considered benefited the open web by allowing other services to build on top of the Facebook social graph.

There is one aspect of the original API that does still seem problematic -- and really should have been obviously problematic right from the beginning. And this is another thing that it's entirely appropriate to slam Facebook for not comprehending at the time. As part of the API, developers could not only get access to all this information about you... but also about your friends. Like... everything. From the original Facebook page, you can see all the "friend permissions" that were available. These are better summarized in the following chart from a recent paper analyzing the "collateral damage of Facebook apps."

If you can't read that... it's basically a ton of info from friends, including their likes, birthdays, activities, religion, status updates, interests, etc. You can kind of understand how Facebook ended up thinking this was a good idea. If an app developer was designing an app to provide you a better Facebook experience, it might be nice for that app to have access to all that information so it could display it to you as if you were using Facebook. But (1) that's not how this ever worked (and, indeed, Facebook went legal against services that tried to provide a better Facebook experience) and (2) none of this was made clear to end-users -- especially the idea that in sharing your data with your friends, they might cough up literally all of it to some shady dude pushing a silly "personality test" game.

But, of course, as I noted in my original post, in some cases, this set up was celebrated. When the Obama campaign used the app API this way to reach more and more people and collect all the same basic data, it was celebrated as being a clever "voter outreach" strategy. Of course, the transparency levels were different there. Users of the Obama app knew what they were supporting -- though didn't perhaps realize they were revealing a lot of friend data at the same time. Users of Cambridge Analytica's app... just thought they were taking a personality quiz.

And that brings us to the final point here: Cambridge Analytica, like many others, used this setup to suck up a ton of data, much of it from friends of people who agreed to install a personality test app (and, a bunch of those users were actually paid via Mechanical Turk to basically cough up all their friends' data). There are reasonable questions about why Facebook set up its API this way (though, as noted above, there were defensible, if short-sighted, reasons). There are reasonable questions about why Facebook wasn't more careful about watching what apps were doing with the data they had access to. And, most importantly, there are reasonable questions about how transparent Facebook was to its end users through all of this (hint: it was not at all transparent).

So there are plenty of things that Facebook clearly did wrong, but it wasn't about selling data to Cambridge Analytica and it wasn't Cambridge Analytica "stealing" data. The real problem was in how all of this was hidden. It comes back to transparency. Facebook could argue that this information was all "public" -- which, uh, okay, it was, but it was not public in a way that the average Facebook user (or even most "expert" Facebook users) truly understood. So if we're going to bash Facebook here, it should be for the fact that none of this was clear to users.

Indeed, even though Facebook shut down this API in April of 2015 (after deprecating it in April of 2014), most users still had no idea just how much information Facebook apps had about them and their friends. Today, the new API still coughs up a lot more info than people realize about themselves (and, again, that's bad and Facebook should improve that), but no longer your friends' data as well.

So slam Facebook all your want for failing to make this clear. Slam Facebook for not warning users about the data they were sharing -- or that their friends could share. Slam Facebook for not recognizing how apps were sucking up this data and the privacy implications related to that. But don't slam Facebook for "selling your data" to advertisers, because that's not what happened.

I was going to use this post to also discuss why this misconception is leading to bad policy prescriptions, but this one is long enough already, so stay tuned for that one next. Update: And here's that post.

Filed Under: apps, breach, data, selling data, social media, transparency, users
Companies: cambridge analytica, facebook

Chinese Officials With Government Access To Every Kind Of Personal Data Are Selling It Online

from the with-great-power-comes-great-corruption dept

Back in 2015, Techdirt wrote about a government project in China that involves "citizen scores," a rating system that will serve as a measure of a person's political compliance. The authorities aim to do that by drawing on the huge range of personal data that we all generate in our daily use of the Internet. The data would be scooped up from various public and private services and fed into an algorithm to produce an overall citizen score that could be used to reward the obedient and punish the obstreperous. Naively, we might suppose that only authoritarian governments could ever obtain all that highly-revealing information, but an article from supchina.com reveals that is far from the case. It discusses some great journalism from Guangzhou's Southern Metropolis Daily, whose reporters documented their success in buying every kind of personal data about colleagues from "tracking" services advertised online:

For a modest fee of 700 yuan, or about 100 dollars, the reporters were able to obtain an astonishing array of information based on one colleague's personal ID number, including a full history of hotel rooms checked into, airline flights taken, internet cafes visited, border entries and exits, apartment rentals, real estate holdings -- even deposit records from the country's four major banks.

But that wasn't all. The reporters were also able to purchase live location data on another colleague's mobile phone, pinpointing their position with disturbing accuracy.

The article points out the inevitable conclusion from this journalistic investigation: officials within the government who have ready access to this personal information are happy to sell it to anyone for low prices, no questions asked. It's possible some of the databases have been hacked by outsiders, but it seems unlikely that online break-ins could make enough of them accessible, enough of the time. Corrupt officials with continuous access would be a more reliable source for these tracking services, of which there are hundreds. Supchina.com concludes:

We often imagine China as having the kind of centralized authoritarian system that might be capable of implementing a watertight and monolithic system of digital social controls. And certainly, in the digital age, there is merit in the idea that an expansive hold on big data may possess the key to political power. But as data becomes ever more precious, securing this resource could become virtually impossible -- particularly in a system like China's, which lacks adequate legal and political protections.

That's an important point that's often overlooked. As well as the immense power that mass surveillance confers on the authorities, it also creates a wonderful resource for corrupt officials to access and sell. It would be naive in the extreme to think that this is only a problem for China, and that it won't happen with the ever-widening surveillance systems that Western nations want to set up. It's yet another reason not to build them in the first place.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: china, corruption, personal data, privacy, selling data

Just As Netflix Gets In Trouble For Data Release, MySpace Begins Selling Data

from the lawsuits-a'comin? dept

So, just last week we noted that Netflix had gotten itself into a bit of hot water for its Netflix prize contest, which used real user data -- which was supposed to be anonymous. Unfortunately, as with most such data, it wasn't really anonymous, and that's illegal -- especially when it comes to movie rental data. Because of all that, Netflix has also canceled plans for a follow-up prize competition. However, just as that happened, reports were coming out that MySpace has begun selling user data. Among the data up for sale? "User playlists, mood updates, mobile updates, photos, vents, reviews, blog posts, names and zipcodes. You would have to imagine that at least some people might not be happy about that.

Now, to be fair, the info you provide MySpace is public -- while the info you provide Netflix is not. However, you could certainly see some people not being particularly thrilled that MySpace is now directly selling that information, and you have to imagine that someone will file a lawsuit before too long over this data.

Update: MySpace PR people sent over word that this content is no different than the free public real-time stream, it's just for those unable to capture it, they can now purchase it in a lump sum via this other site, for which MySpace apparently doesn't make any money...

Filed Under: selling data, social networks
Companies: myspace, netflix