J. Elizabeth Hill, a nurse living in San Diego, recently received a Gmail message from her nephew. Pasted inside was an article about soldiers in Afghanistan and the discrepancies regarding the ammunition they use.
Nine days later, Hill received via snail mail at her home address a catalog for a company that sells magnum semi-automatic air pistol revolvers, border patrol survival knives, self-cocking crossbows, armor-piercing "performance ballistic alloy" ammunition rounds, Israeli-issue gas masks, plus lots of other survival gear and military surplus items.
"I have never owned, fired, or even handled any type of weapon," Hill says, "And I have never visited a website connected to the military, war, or weapons of any kind. In addition, this is the first and only email I have ever received that mentioned these types of keywords. Does this mean my name will start showing up on lists of potential terrorists?''
Hill has good reason to be concerned. There are nearly 200 companies out there that collect and sell your personal information. And there's very little you can do if that information is flat-out wrong or gives a false impression of who you are.
In fact, it's perfectly legal for online data brokers to collect information about you from any number of sources and then to aggregate and sell that information. The Interactive Advertising Bureau says personal information on Internet users is worth $31 billion a year, up 22% from last year.
However, there is a glimmer of hope.
Last month, for the first time ever, the Federal Trade Commission stepped in and spanked a data broker, in this case it was Spokeo, to the tune of an $800,000 fine for selling personal information to employers and job recruiters without taking steps to protect consumers under the Fair Credit Reporting Act.
The FTC also sent warning letters to six unidentified mobile app makers notifying them that their background screening apps may be violating federal statutes. The collecting of personal information is not at issue in these cases, it's the use of that information for employment screening, housing, credit or other purposes that fall under the Fair Credit Reporting Act.
Where Spokeo crossed the line, according to the FTC, is that it failed to maintain reasonable procedures to verify who its users are and that the information would be used for a permissible purpose; that it failed to ensure the accuracy of consumer reports and that it failed to provide proper user notice. Also, Spokeo was posting endorsements of its service on news and tech websites, but those endorsements were written by Spokeo employees, according to the FTC.
Spokeo has agreed to change its practices and the FTC settlement should have a ripple effect throughout the industry. But the fact remains that these companies can legally gather whatever information they can about you, and there's not much you can do about it.
Who Are These People?
"Most of these broker sites are actually search engines that scatter little Pac Man bots through cyberspace collecting every scrap of data that's ever been recorded anywhere in the world. They justify this privacy intrusion by labeling it as a safety measure; that is, a way to check out your babysitters to ensure that no secret child corrupters are watching your children. Others claim it's a fast way to connect with old friends," says Jack Stratton, independent IT consultant and former Novell systems analyst.
For example, a Spokeo.com ad says, "Find a lost relative or contact an old school chum." USA People Search's marketing materials say, "Some people do people searches to try and reconnect with an old friend or family member. Others may be looking for criminal, marriage or other types of public records. Fortunately for users of USA-People-Search.com, information from bankruptcy records to divorce records, and everything in between, is easily accessible with a click of the mouse.''
Alexandra Senoner, head of corporate communications & public affairs at 123people.com puts it this way: "123people is a vertical search engine dedicated to people search. Based on a proprietary technology, it empowers users to find information on themselves, friends, relatives, or people of public interest by searching across more than 200 international, regional, and local data sources such as Facebook, LinkedIn, Twitter; news sites, blogs, company websites, local sources such as white pages, videos, email addresses, Wikipedia results, and many more."
According to Sarah A. Downey, an attorney at Abine, an online privacy company, "There are over 180 different data brokers and that doesn't include those companies that sell criminal records and employment history for employment background checks. Many of these brokers are co-owned or affiliated and share databases. For example, Intelius owns the information and controls the opt-out requests for about 70% of the data broker industry. And Confi-Chek owns Veromi.com, CriminalSearches.com, PrivateEye.com, EnformionUSA-People-Search.com, PublicBackgroundChecks.com, and PeopleFinders.com, among others."
Three of the largest data brokers are Acxiom (claims 32 billion data records), Lexis Nexis (boasts 500 million unique consumer identities), and Intelius (advertises millions of customers).
Where Do They Get This Information?
"Information comes from a variety of sources," Downey says. "Some are voluntary submissions such as warranties, rebates, sweepstakes, online accounts, and social networks; but some of these sources are unavoidable because they're part of everyday life; for example, voter registrations, marriage and business licenses, birth and death certificates, property and title records, bankruptcies, liens, judgments, criminal records, apartment leasing information, mortgages, and utility company bills. And then, some data brokers get your information from other data brokers, which just perpetuates the exploitation. It's like that game of gossip: one incorrect piece of information can end up on a lot of different websites."
Alan Webber, principal analyst and partner at Altimeter Group, LLC. "These sites simply use information that is already publicly available, but generally difficult to obtain from a logistics perspective. I would not call it exploitation, but these sites do expose the fact that there is a lack of control in how personal information is made available and used."
"We obtain our data from public sources, some online and some offline," says Jim Adler, chief privacy officer and general manager of data systems at Intelius. "Online data comes from data that's available to search engines, but the information is only as reliable as the public records."
Is the Information Accurate, or Not?
"Accuracy is a continuum, and the information on these sites is only as accurate as the data sets they are gathered from. We know that there are inaccuracies in the underlying data so, no, they are not totally accurate. But no large data set is," Webber adds.
"As a former programmer/analyst, I can confirm that multitudes of errors occur whenever data is compiled, and the results of any search are only as reliable as the criteria the program specifies; for example, it's interesting how some of these database search algorithms associate, then subsequently pair individuals," Stratton says.
"For example, I recently read a blog by a Red Tape Chronicles (MSNBC) journalist, Robert (Bob) Sullivan. He decided to purchase a background check on himself from Intelius. His report listed an unknown person named Shawn Sullivan (who has a possible conviction for involuntary manslaughter) as his brother. Bob Sullivan points out that the Intelius program only matches the city and numeric values of addresses; thereby, disregarding street names and even states. Bob Sullivan once lived in Columbia, Mo., at 211 N. Ann St., while Shawn Sullivan had once lived at 211 Waugh St., so, naturally, Intelius listed them as related. Bob says he and Shawn are now digital brothers," adds Stratton.
"All this information amounts to a virtual you, based on the sum of your online activities (and public records). Increasingly, decisions are made based on this virtual you, decisions such as insurance rates, credit scores and rates, and even employment opportunities," adds Downey.
Is There a Way Out?
"Informally, I think that once information has been released onto the Internet, pulling that horse back into the barn is a pretty difficult task," says Ray Valdes, research director at Gartner Research.
"You can delete your online identities with Facebook, Twitter, and LinkedIn, either personally or using a technology, but this doesn't remove every trace," says Webber. "Wherever you are online, you almost always leave some sort of trace or indicator that you were there. It might be stored on a server somewhere or only on a backup disk but, given the propagation of the information on the net, it isn't likely that a person would be able to completely remove their online identities."
"Actually, permanent removal is not possible, unfortunately," Downey says. "That's why Abine developed the DeleteMe service, a subscription service that consistently monitors your information and repeatedly removes it as it repopulates. Even if you managed to remove your information from every site (which isn't possible), you're constantly generating new information that data brokers retrieve. Each new online account, home address, credit card purchase: they all lead to more data about you on the Internet."
Adler points out that Intelius offers a free opt-out. Senoner says that 123People offers a manager program, so users can "manage" their personal information on its website, because it's difficult and time consuming to remove content from these websites. "Many people are not aware that although they remove information from 123people, the information might be still publicly visible at the original source," notes Senoner.
Is There Legal Recourse?
According to Downey, currently, there isn't much legal recourse for individuals who have been adversely affected by these companies. Most of the lawsuits against these companies have failed because of an inability to prove sufficient harm. It is legal to display and sell personal data, and these brokers disclaim liability for any improper uses (such as stalking) of this information.
"Many of these websites claim that customers buying their data cannot use it for illegal purposes such as housing or employment decisions, which receive a higher level of protection. If a data broker sells information that is used for these purposes, it falls within the Fair Credit Reporting Act, which sets stricter rules on the accuracy and accessibility of data. But even though most data brokers claim that they don't fall within the FCRA, the fact remains that some of their buyers are seeking personal information for negative or unlawful purposes," Downey adds.
The bottom line is this: most of your personal information, regardless of how sensitive, is classified as "public record" under the law, which means that others can access it. Even if you want to protect your address and phone number, others have a First Amendment right to see it. Without this, single mothers could not locate ex-husbands to secure child support payments and lawsuits would be impossible without listed addresses.
If, however, you are part of a "protected class," which includes victims of domestic violence, cyber stalking, sexual assault, identity theft, or people who work in law enforcement such as judges or prosecutors, some states such as California offer victims a one-step way of removing their contact information from data brokers (called Safe at Home program). If you are a member of this protected class, check your local government's policies regarding your options.
Sartain is the author of "Data Networks 101" and a freelance journalist. She can be reached at [email protected]
Read more about wide area network in Network World's Wide Area Network section.