Monthly Archives: June 2014

Snowden is sexy, but this privacy issue is more important

How do you think the big computers in the sky see you? Are you “Rural Everlasting” or a “Mobile Mixer?” Are you a “Married Sophisticate,” a “Senior Product Buyer,” a “dog owner,” a “winter activity enthusiast,” “Bible Lifestyle” or an “Affluent Baby Boomer?” Maybe you are “Financially Challenged,” or “Plus size apparel,” or maybe “Exercise-spotty living.” Heaven forbid, you might have a “Diabetes Interest,” or a “Cholesterol Focus.”

Data brokers with names you’ve never heard have decided which of these categories you fit into, and they use that information for everything from targeted online ads to denying purchases over fraud concerns to helping suspicious relatives check up on you.

How would these firms know all this about you?  The stores you shop at tell on you.  Not just the websites – the brick and mortar stores. Swipe your credit card at a department store, and you’ve become a profitable data point for retailers to sell and resell to the highest bidder.  Buy an organic pepper, and you might be dumped into “New Age/Organic Lifestyle.”  And who knows what other conclusions the Cloud might come to about you.

While America remains wrapped up in the personal story of NSA leaker Edward Snowden, more critical and personal privacy invasions go on every day, millions of times each day, without any seeming limitations. Even as NBC was drumming up attention for its (impressive) interview with Snowden, the Federal Trade Commission released a crucial report: “Data Brokers: A Call for Transparency and Accountability.” America yawned when it should have gasped.

Americans are obsessed with their credit scores, which is obvious from the number of advertisements you see from firms selling them. People understand that a simple mistake in a credit report might one day cost them the ability to buy a home, and they’ve fought credit report secrecy since at least the 1970s. The Fair Credit Reporting Act, and its updates, are hardly perfect, but the law at least creates a good amount of tension between credit reporting firms and consumers.

But there is another class of firms that log intimate details about our behavior. Basically any firm that’s not covered by the Fair Credit Reporting Act is known, not as a credit reporting agency, but rather, as a “data broker.” And among data brokers, virtually anything goes.

In the data world, it’s California in 1849. Lawless prospectors aren’t mining for gold, they are mining you.

Last year, the FTC sent records requests to nine of the more important data brokers in an attempt to get a grasp on the industry.  The assertions above and below are based entirely on what these nine firms told the FTC.  These are all actions these firms, among the more reputable, have admitted during a government investigation. Heaven knows what other data brokers are up to.

Imagine a database with information on 700 million consumers worldwide. How much information? Something near 3,000 data points on each person. In other words, the data broker Cloud knows 3,000 things about you. Check that: Acxiom, just one of the nine firms the FTC consulted, knows 3,000 things about you. The other eight have similar rap sheets on you.

For some time, most consumers have held on to the naïve idea that offline shopping and online shopping are relatively distinct.  We might be very careful which websites we shop at, for example, but don’t think much about the brick and mortar stores where we swipe our plastic. Those days are over. Through a process called “onboarding,” data brokers are increasingly matching “real world” data with virtual data. They are linking in-store purchases with social media accounts, for example, and then changing the ads you see on Facebook based on stores you’ve shopped at recently.

If credit scores worry you, I have news for you. Credit scores are just the tip of the iceberg.  Data brokers are inventing all kinds of scores used to categorize you and, on occasion, punish you. Fraud prevention is big business for brokers. Based on your real-life shopping activity, they create scores to predict the likelihood your online purchase will result in a chargeback.  You might be surprised to find a transaction rejected and – remember, this is the Wild West – you’ll never know why. You have no right to dispute incorrect facts in the data broker cloud. You don’t even have a right to know what’s there.

Meanwhile, the categorization of people into groups should make you feel immediately queasy.  “Urban scramble,” and “Everlasting Rural” can easily be seen as code words for poor minorities and poor whites; the FTC found these categories were over-representative of those groups. Is it fair for certain groups to never receive offers that Married Sophisticates do? Or to face other, so far hidden, consequences?

That’s the main concern with all this data collection: it’s incredibly invisible. The FTC report does not pull punches:

“Many of these findings point to a fundamental lack of transparency about data broker industry practices,” it says. “Data brokers acquire a vast array of detailed and specific information about consumers; analyze it to make inferences about consumers, some of which may be considered sensitive; and share the information with clients in a range of industries. All of this activity takes place behind the scenes, without consumers’ knowledge.”

Sure, a couple of the firms involved offer scant access to the raw data they collect on consumers – sometimes for free, sometimes for a fee.  But raw data isn’t all that interesting.  A few past addresses, maybe an age or an affiliation. The gold is hiding in how this data is assembled and used for informed conjecture about you. The inferences firms make are of most value to the companies that want to know if you are an “expectant parent” or have a “diabetes interest” or you are a “resolute renter” or you are “handling single parenthood and the stresses of urban life on a small budget.”   Nobody’s telling you that.

It probably wouldn’t matter much if they did.  The vast majority of consumers have never heard of CoreLogic or DataLogix or eBureau or RapLeaf or PeekYou or Recorded Future.  All of them could make records available for free on their websites and it would do no good at all.  Heck, you’d have to tell them all sorts of things about you just so they could find you in their databases. I don’t want to tell RapLeaf about myself, do you?

No matter. It’s crazy how much they already know about you. Of course they have devoured everything Google knows about you, and everything you’ve put on your Facebook page, ever.  Most of them keep it forever, despite the obvious hacker concerns this raises. But even if you’ve kept your online profile low, that probably hasn’t accomplished much. Here’s what the FTC says brokers learn from your offline shopping:

“Data brokers obtain detailed, transaction-specific data about purchases from retailers and catalog companies. Such information can include the types of purchases (e.g., high-end shoes, natural food, toothpaste, items related to disabilities or orthopedic conditions), the dollar amount of the purchase, the date of the purchase, and the type of payment used.”

The data broker report ends with some important suggestions, such as legislation that creates some legal framework for data brokers. There’s even a call for a single web portal that lets consumers find out what all these various companies know. Great, so it’ll be California in 1860 then.   It would be a start, but it’s going to be really, really hard to shove all that data back into Pandora’s Box.

Here’s the most depressing finding in the report: Even if individual brokers allowed you to delete your data from their Cloud, that wouldn’t accomplish anything. Layers and layers of providers are constantly populating their clouds with new scrapes of data. And of course the brokers all sell data back and forth to each other. Whatever was deleted would almost certainly be replaced immediately with the next upload or “onboard.”  The Cloud might be too big already.

It’s important to note what an outlier America is in the world of data brokers.  Europe is right now wrestling with its new legal privacy regime, which includes a consumer “Right to be Forgotten.”  The right is murky and how it will be implemented is a very open question. But the highest EU court just ruled Google must honor requests that data about individuals be removed from its search engine on request. A Spaniard who was annoyed that a 1988 debt kept popping up in Google results about him had brought the case, and he won.

In America, we don’t even have the right to know what they know about us. When it comes to privacy rights, America is on Mars.

“Forget worrying about loyalty cards or programs: it’s the everyday purchases you make tied to your name with a debit or credit card that can land you on data brokers’ lists,” wrote the World Privacy Forum in an analysis of the FTC report. It called on Congress to go much further than the legislation suggested by the FTC, however.  While the FTC rightly talks about brokers coming out of the shadows and requiring consumer consent, it’s almost unfathomable how these firms could go about gaining meaningful, informed consent. After all, there’s a reason they operate so quietly: if we knew what they were doing, we’d try like holy Hell to stop it.

Or to use the language of the industry, consumers have not yet been persuaded about the value proposition of trading your privacy for…….for what again? At least the NSA can claim it’s trying to keep us safe from terrorists. Data brokers are just trying to get money for nothing.



The Snowden effect: Insider threat protection remains elusive


Larry Ponemon

Well-publicized disclosures of highly sensitive information by WikiLeaks and former NSA contractor Edward Snowden have drawn attention and concern about the insider threat caused by privileged users. We originally conducted a study on this topic in 2011 and decided it was time to see if the risk of privileged user abuse has increased, decreased or stayed the same. Unfortunately, companies have not made much progress in stopping this threat since then. Our latest study, commissioned by Raytheon, “Privileged User Abuse & The Insider Threat,” looks at what companies are doing right and the vulnerabilities that need to be addressed with policies and technologies. One area that is a big problem is the difficulty in actually knowing if an action taken by an insider is truly a threat. Sixty-nine percent of respondents say they don’t have enough contextual information from security tools to make this assessment, and 56 percent say security tools yield too many false positives. Here are a few other highlights from the report. (You can obtain a full report by clicking here.)

Despite the risks posed by insiders, 49 percent of respondents do not have policies for assigning privileged user access. However, slightly more organizations do use well-defined policies that are centrally controlled by corporate IT (35 percent in 2014 vs. 31 percent in 2011).

Is it really an insider threat? Companies often have difficulty in actually knowing if an action taken by an insider is truly a threat. The biggest challenges are a lack of contextual information from security tools (69 percent of respondents) and security tools that yield too many false positives (56 percent of respondents).

What’s most at risk? While respondents believe general business and customer information is most at risk in their organizations due to the lack of proper access controls over privileged users (56 percent and 49 percent), fears about abuse to corporate intellectual property increased dramatically from 12 percent of respondents to 33 percent of respondents.

While the establishment of privileged user access policies is lacking, processes are improving. The findings show a significant increase in the use of commercial off-the-shelf automated solutions from 35 percent of respondents in 2011 to 57 percent in 2014 in granting user access privilege. The use of manual processes such as by phone or email also increased from 22 percent of respondents in 2011 to 40 percent of respondents in 2014.

Business unit managers are gaining influence in granting privileged user access and conducting privileged user role certification. Fifty-one percent of respondents say it is the business unit manager who most often handles granting access. This is an increase from 43 percent in 2011.
