#databrokers

danie10@squeet.me

US FTC bans data broker from selling Americans’ location data – Only Americans?

Top part of the curvature of the Earth, with a number of gold coloured location pins hovering above various places
“Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship,” said FTC Chair Lina M. Khan.

It’s a reminder again why so many are very sensitive about their metadata. Geolocation is only one form of metadata, and it is not about where you are right now. It’s about all the places you visit and what the associations are with those places. When matched with other people’s geolocation data, it shows who your friends are, who you work with, when you go to what religious institutions, where and when you shop, and it goes on and on.

These data brokers specialise though in putting lots of different metadata together to form the fuller picture. That information is worth a lot of money.

“As AI models further incentivize firms to vacuum up people’s personal data, placing limits on how firms can track and use sensitive information is paramount,” FTC Chair Lina Khan said.

I get that the FTC only has jurisdiction over US companies, but if these brokers are on US soil, or are owned by US companies, then the ban should extend to everyone’s data not being sold in this manner?

As of October 2023, Outlogic (formerly X-Mode Social) no longer exists as a separate company. It was acquired by Vertafore, a United States-based insurance technology company, in March 2023. However, Vertafore’s headquarters are located in Denver, Colorado, making the US the effective “country” of the data broker, albeit indirectly through its parent company.

It appears then to be a US-owned company that is gathering and selling this data. The big question then is why is it being implied that they can still sell non-Americans’ data?

See https://www.bleepingcomputer.com/news/security/ftc-bans-data-broker-from-selling-americans-location-data/
#Blog, #databrokers, #privacy, #technology

danie10@squeet.me

Data broker’s “staggering” sale of sensitive info exposed in unsealed US FTC filing: Major value in users’ data

A blue coloured map display of the Eastern half of the USA, with each State outlined in a neon red colour line.
One of the world’s largest mobile data brokers, Kochava, has lost its battle to stop the Federal Trade Commission from revealing what the FTC has alleged is a disturbing, widespread pattern of unfair use and sale of sensitive data without consent from hundreds of millions of people.

The FTC has accused Kochava of violating the FTC Act by amassing and disclosing “a staggering amount of sensitive and identifying information about consumers,” alleging that Kochava’s database includes products seemingly capable of identifying nearly every person in the United States.

According to the FTC, Kochava’s customers, ostensibly advertisers, can access this data to trace individuals’ movements—including to sensitive locations like hospitals, temporary shelters, and places of worship, with a promised accuracy within “a few meters”—over a day, a week, a month, or a year. Kochava’s products can also provide a “360-degree perspective” on individuals, unveiling personally identifying information like their names, home addresses, phone numbers, as well as sensitive information like their race, gender, ethnicity, annual income, political affiliations, or religion, the FTC alleged.

These data brokers handle really massive amounts of private data. It costs time and money to obtain, and it seems there is a market of buyers willing to pay for it too. If we look at the types of data then it is also easy to see this is not just about advertising at all.

We know that even law enforcement agencies pay these types of 3rd parties to collect the data that they themselves are prohibited from collecting (for example, recently the NYT 15 Nov 2013 report re CIA collecting global data on transfers of money).

Then there are also the criminals who can purchase this information for blackmail and extortion. Most hackers will admit that their attempts start out with getting to know more about an organisation and its employees, with a view to exploiting social engineering. Even phishing e-mails are way more likely to succeed if they are personalised towards a target.

Data brokers are a serious threat to everyone, and the way that data is collected means that one person who does not care can end up exposing family and friends’ private data. The data is not collected in isolation from everyone else… effort goes into tying up all the data points with locations, times, other people, behaviours, and related information. The real value comes once all the individual pixels form a larger, clear picture.

In years past this type of business was very labour-intensive, and later computer-intensive, and was as a result quite delayed in terms of its value. With the computing power and analysis available today, combined with rich and varied data sources, it’s been taken to a whole new level. And of course, there are now online markets that even trade this data on the Dark Web.

It is also getting more and more difficult for people to effectively stay offline as social services, banking, booking a flight, etc all involve being registered and having interaction with online systems.

The clock also never travels backwards (unless you live in a daylight-saving region) as societal “innovations” keep moving forward.

See https://arstechnica.com/tech-policy/2023/11/data-brokers-staggering-sale-of-sensitive-info-exposed-in-unsealed-ftc-filing/
#Blog, #databrokers, #privacy, #technology

danie10@squeet.me

Big Ass Data Broker Opt-Out List that can Guide Opting out from Data Broker Databases

GitHub project title screen saying yaelwrites/Big-Ass-Data-Broker-Opt-Out-List and 8 contributors, one open issue, 3000 stars and 101 forks.
This list, also known as BADBOOL, was started on September 29, 2017 and was most recently updated in October 2023 to add PimEyes and to remove TruePeopleSearch and Cyber Background Checks, since those sites will automatically remove your data if you successfully opt out of Intelius and BeenVerified.

Some of these opt-outs take a long time to go through. Sometimes, information is pulled from other sources, and you’ll need to opt out multiple times for the same site. Data brokers come and go (and are bought out by others), and they also often change their opt-out pages.

In many US states, real estate data and voter registration information is public (or easy to obtain). And, of course, location data can be found by physical means (e.g. following you home) and through other people who know it (i.e., social engineering). That said, removing your home address from data broker sites can significantly lower your attack surface and make it harder for people to find it.

This is mostly US focussed, but does give some idea of all the data brokers tracking users’ data and behaviour, and that it is not easy to just opt out. The list is being managed as an open source project, so it has community participation as well. So, it may also be possible to suggest adding resources for other countries too.

Unfortunately, if you’re on the Internet, you do leave many traces. Very few normal users actually boot clean from a Tails Linux on a USB stick in read-only mode, and use Tor Browser without any saved logins etc. Most users also carry a mobile phone with apps installed (no more needs to be said about that).

Your best defence, though, is to do some basics like using a privacy based browser with fingerprint protection, script blocking, unique secure passwords per site, sandboxing (or not using) Facebook and Instagram type sites, etc.

Just yesterday, I received a phishing mail that had spoofed my own private domain e-mail address (to imply they had hacked my e-mail). I realised that, although I had activated DMARC and SPF on my e-mail service, I had made one copy-and-paste mistake in the DNS records, and no error was shown. I’d not properly checked that the DMARC indicator was showing as verified green on my service. Doing it, and actually checking it, are two separate actions one needs to do. It’s the little things that trip you up.

So why are data brokers a threat to you? Well because they also collect a lot of related information which is often used to verify your identity to a call centre to have your password reset (one example).

See https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List
#Blog, #databrokers, #privacy, #technology
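
The post above describes a copy-and-paste mistake in DMARC/SPF DNS records that raised no error. As an added example (not part of the original post), this is a syntax check to run over the text of a domain's SPF TXT record and its `_dmarc` TXT record after publishing them; the sample records and the `example.com` names are constructed, and fetching the records from DNS is left out so the check runs offline.

```python
import re

DMARC_POLICIES = {"none", "quarantine", "reject"}

def check_dmarc(txt):
    """Return a list of syntax problems found in one DMARC TXT record string."""
    problems = []
    if re.search(r"[\u201c\u201d\u2018\u2019]", txt):
        problems.append("typographic quotes pasted into record")
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    tags = []
    for part in parts:
        if "=" not in part:
            problems.append(f"not a tag=value pair: {part!r}")
            continue
        name, value = part.split("=", 1)
        tags.append((name.strip().lower(), value.strip()))
    # The version tag must come first and be exactly DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("first tag must be exactly v=DMARC1")
    values = dict(tags)
    if values.get("p", "").lower() not in DMARC_POLICIES:
        problems.append("missing or invalid p= policy")
    pct = values.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct must be an integer 0-100")
    for uri in filter(None, values.get("rua", "").split(",")):
        if not uri.strip().lower().startswith("mailto:"):
            problems.append(f"rua is not a mailto: URI: {uri.strip()!r}")
    return problems

def check_spf(txt):
    """Return a list of syntax problems found in one SPF TXT record string."""
    problems = []
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        problems.append("record must start with v=spf1")
    has_all = any(re.fullmatch(r"[+\-~?]?all", t, re.I) for t in terms[1:])
    has_redirect = any(t.lower().startswith("redirect=") for t in terms[1:])
    if not (has_all or has_redirect):
        problems.append("no terminating all mechanism or redirect= modifier")
    return problems

# Constructed sample records: one clean, one with paste damage.
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
BAD_DMARC = "v=DMARC1 p=reject; rua=dmarc@example.com"  # lost ';' and 'mailto:'
GOOD_SPF = "v=spf1 include:_spf.example.com -all"
BAD_SPF = "v=spf include:_spf.example.com"  # truncated version, no 'all'
```

An empty list means the record text is well-formed; it does not show that receiving servers are actually passing or enforcing the policy, which still has to be confirmed from the service's own verification status.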