Be careful what you agree to online

One force that has characterised today’s epoch is undoubtedly globalisation. But it is not just trade, money, humans or ideas which are moving fast from place to place. Our personal data too is incredibly fluid, and is arguably one of the fastest moving commodities today.

It passes almost seamlessly from one data processor to another. At the same time, individuals can’t seem to stop sharing their data online, be it to access necessary services like Spotify, Amazon or ASOS or to simply share what their favourite movie or book is on Facebook. One consequence of this sharing has been the rise of the data broker, who sits on a goldmine in today’s marketplace where data is more valuable than ever.

Data brokers are firms that essentially trade data – they may buy data from many sources and merge it with other data they gather from the internet. They may assemble it into profiles and categories. They will then sell this data to other firms who will use it for marketing or analytics, or even consumers. Both the existence of such an industry, and the implications of its existence, should make us sit up and take notice (quite literally).

What risks do data brokers pose? To understand the gravity of the situation, consider the story of Mr Thomas Robins. He looked himself up on Spokeo, which is a company that calls itself a “people search engine”, selling profiles of people drawn from available online data. He was surprised to find that it had a detailed and extensive profile: that he was in his 50s, married with children, holding a graduate degree and a professional job. The best part: nothing in his profile was true. Mr Robins is currently suing the company.

But in the first place, how is it possible for a company to amass such detailed information about anyone? Why is this happening largely unchecked?

Well for starters it is staggering just how much data these data brokers have. Numerous articles have covered how much access these shadowy companies have to even our personality quirks. A couple of statistics are particularly telling: one, that Rapleaf – a data aggregator – has amassed at least one data point (a piece of information, like the fact that you bought a pair of trainers from Urban Outfitters and hence are interested in shoes) tied to 80% of all American email addresses; two, that Acxiom – another data broker – has amassed some 3000 data points for every U.S. consumer. There are similarly astounding statistics about data associated with property transactions, consumer transactions and mortgage applications here.

In the eyes of the individual, this is a lot to wrap your head around. Here you are, simply going about your day, providing information to firms and websites that ask for it depending on the service they provide. But, somehow, your profile ends up on a data broker’s database, combining your shopping habits, interests, financial preferences, social media presence and contact information. Surely, you’d think, this shouldn’t be happening?

The problem here is twofold: first, the existing statutory data protection laws place unrealistic expectations at the feet of the individual. Learning where data brokers get their data is insightful in this regard. As an extremely informative Federal Trade Commission report makes clear, data brokers get data from numerous sources. Most of these sources are not even primary collectors of data. Instead, data may be scraped off websites, bought from other data brokers, or inferred, based on the information individuals have already revealed. For example, people who purchase a Netflix subscription may be assumed to be interested in movies. Often time individuals are not even remotely aware that their data is being collected or sold to 3rd parties.

Statutory compliance means organisations need to provide notice to and seek consent from the individual. This stacks the odds against the individual – you are met with a deluge of unintelligible jargon and indemnity clauses simply to use the service in question. What realistically can you do? Lacking both time and expertise, we usually just search for the box at the end of the page and tick it. There is little doubt that the consent we give is usually far from informed; individuals rarely bother to read the terms and conditions that they agree to, let alone understand it.

This is compounded by the possibility of aggregation and secondary use. Individuals are probably oblivious to the fact that the data they share with one processor may be shared or sold multiple times to other firms. These data brokers may aggregate data from disparate sources to form an intricate mosaic about that individual. The end result: our data, perhaps even our personal data, is travelling the world, from one company’s databases to another. It’s being repackaged and sold to yet more companies, to use to market products and services to you. And you don’t know you consented to it.

Now of course, data brokers are not unequivocally evil. They allow firms to target advertisements to you, so you actually see things you may be interested in. While searching for flight tickets to return home to Singapore from India last year, I was struck by how many good offers I saw from what seemed like dodgy internet adverts. Whatever site I browsed on the internet, I kept seeing ads from numerous airlines about promotional fares for the exact route I had searched for. I eventually bought a ticket from one such advert, and for a good fare too I might add.
But what concerns me is how the data we consent to sharing at one point and ostensibly for one purpose, may be used against us in other situations. One example of such “unanticipated uses of data” cited by the FTC is where “for example, a category like “Biker Enthusiasts” could be used to offer discounts on motorcycles to a consumer, but could also be used by an insurance provider as a sign of risky behaviour”. Insurance providers who buy these profiles from data brokers, may use such information in determining eligibility for certain kinds of insurance. Especially with the prevalence of automated decision-making algorithms in many online services today, sometimes individuals may be harmed without even knowing it. The key takeaway is this: our information migrating through sections of society and industry without our knowledge.

The main problem here stems from the dearth of regulation of the data broker industry. In the meantime, perhaps we should start taking a dip into that 73 page end user license agreement you usually click “I agree” to without so much as a peek. Or at least read the summarized, user-friendly version. If our personal data is running young wild and free, we should at least have some idea where it’s going and how it’ll be used.

With a name like Rohan Eapen George, comprised of a Lord of the Rings reference, a really common British name and a slightly less common Indian one, one could be forgiven for wondering what to call him. For in truth his identity is equally interesting. Rohan is an Australian citizen, born in India who calls Singapore his home. Yet somehow he finds himself in none of these places, as he begins studying Law at LSE. He is interested in how the law can be used to make a difference in society. Outside of academic life, he relishes in a good meal and the company that comes along with it: dessert. He’s also an avid sports fan.