An early test of the GDPR: taking on data brokers



Major data brokers Acxiom and Oracle are among seven companies accused of violating GDPR laws on personal information privacy. Advocates hope the complaints will shed light on the opaque ways that personal data is traded through third parties online both in the EU and the US.

The General Data Protection Regulation is a sweeping personal data privacy law that came into force in late May in the EU. For the rest of the world, it’s viewed as a bellwether for whether Big Tech can be held in check when immense data leaks seem to happen with painful regularity.

Formal complaints to European regulators under the GDPR by UK non-profit Privacy International were also filed against ad-tech companies Criteo, Quantcast and Tapad as well as credit agencies Equifax (the subject of a massive breach just last year) and Experian.

“Our complaints target companies that, despite exploiting the data of millions of people, are not household names and therefore rarely have their practices challenged,” said Ailidh Callander, legal officer at Privacy International, in an email to Engadget. “These companies’ business models are premised on data exploitation.”

Data brokers aggregate personal information from other sources — for instance, websites you’ve visited or credit card records — to create a complex profile on who they think you are. That profile may include political leanings and income, and subsequently get sold to brands or social networks. Acxiom claims to have data on about 700 million people globally. Consumers often don’t hand data directly to these companies via their own websites — the way one would with, say, Facebook — which allows the data trading to operate in relative obscurity.

This alleged lack of consent is precisely what Privacy International is targeting. The non-profit also claims that these companies lack “legitimate interest” (in legal terms) for processing the personal data, which may infer political, ethnic and religious affiliations. The companies fail to comply, according to Privacy International, with the principles of “transparency, fairness, purpose limitation, data minimisation, accuracy and confidentiality and integrity” — in other words, nearly all of the new privacy law’s core foundations.

“The law has changed and these companies need to as well,” said Callander. “There is a gap between how [the] GDPR conceptualises data privacy and [how] these companies do and the onus is on them (if necessary, pushed by regulators) to close it.”

In public statements, Experian has said: “We have worked hard to ensure that we are compliant with GDPR and we continue to believe that our services meet its requirements.” Criteo has stated: “We have complete confidence in our privacy practices.”

Companies are still feeling out just how the law is going to be enforced, which is why test cases like this bear watching. Facebook and Google are among the other companies who have faced complaints so far. A spokesman from the Data Protection Commission in Ireland, where many American tech firms keep European headquarters, said the regulators have already received 2,500 breach notifications and 1,200 complaints related to the GDPR since May.


My digital shadow looks nothing like me

I have a shadow. There’s the Dan Cooper writing these words right now, standing at his desk in an attic in Norwich, England. There is also the Dan Cooper who has the same name and address but who only exists inside a computer sitting on a shelf. I had never heard of this man until a couple of months ago, but now I am intimately familiar with who he is, his contradictions and the terrible truth he may reflect upon me.

In the wake of Europe’s new privacy laws, I polled numerous companies to learn what they knew about me. One of them was Acxiom, a principally American marketing-data agency that collects data on individuals across the globe. Data that it has bought, or gathered, is algorithmically mashed together with public records and drained through a series of statistical models. The eventual aim of this effort is to create a series of conclusions about user behavior that can be used to create increasingly targeted advertising.

Acxiom sent me a 24-page file that covered everything it had about me. That information has been sold to a number of “respected brands,” including major names like Ford Motor Company, British Telecom and (British retailer) Tesco. The file was also passed on to companies that already know me pretty damn well: Facebook, eBay, Twitter and PayPal.

I’m sure that at some point in the past, I’ve unwittingly ticked “agree” on some box and given my consent for my data to be collected. And these companies are likely to have tried to build a complete profile of my health, economic status and purchasing profile. It’s quite possible that the data has been used to send me specific offers, suggest products I should buy and even dangle discounts in front of my face.

That’s a real problem, because the data they store on me is total bollocks.


Here’s the real me: I’m a 33-year-old technology journalist who is married and owns his own home — at least if you think having a 35-year mortgage qualifies as “ownership.” I have one daughter who is now a few years old and a newborn son. I drive a third- or fourth-hand, petrol-powered Lexus from the year 2000, making my car old enough to vote.

Maybe it’s egomania, but because I’m on the internet as much as I am and also because I have a semi-prominent job, I assumed these companies would know a lot about me. Like, I’m on Facebook and Twitter pretty much nonstop, and I spend 10 or 12 hours per day on the internet. How can I not be the most open book to these people?

And yet…

The Acxiom version of Dan Cooper has the same address as me, but he’s 25, not 33, and he’s cohabiting rather than married. Well, according to the documents, there’s a 37.2 percent chance he’s cohabiting and a 37.1 percent chance he’s hitched. The data also shows that he’s an “empty nester,” meaning that his kids have grown up and moved out, which is just about plausible if he fathered his first child at seven.

Acxiom’s data contradicts itself on a number of occasions, thanks to the weird, algorithmic way it was gathered. He’s childless, but at the same time his kids were born in 1983 and 1986 — clearly this alterna-Cooper blossomed early. He also somehow managed to buy a home in 1993, aged 11, which he mortgaged as a second-time buyer. I mean, I have to admit, this guy clearly has his life and priorities sorted out.

All of that time spent having kids while still in school and buying a house has, unfortunately, had a domino effect on his career. Acxiom’s statistical models think that he’s an employed individual (85.4 percent) working inside the socio-economic grade C2/D. That means he’s either a skilled or unskilled manual laborer. The data also isn’t clear about his politics: He either reads the reactionary, right-wing rag Daily Express or the center-left Guardian.


What the hell is a C2/D social grade?

Part of me is naturally delighted that this huge data brokerage has no clue who Dan Cooper really is. Through some combination of genius, trickery or luck, I have avoided becoming a cog in the Man’s Machine. I’ve hidden in plain sight, and these companies don’t know me, my lifestyle or my purchasing habits. Then again, the fact that Acxiom failed to get facts right that are a matter of public record is pretty concerning. Perhaps that’s the reason why the company declined to participate in this story.

But then, I also wonder how far this information will travel and to what ends it will be used, especially in light of what’s going on in other parts of the world. You may have heard of China’s plans for a Social Credit System that combines big data and mass surveillance. It is, of course, a way to both monitor and tightly control the population, ensuring compliance with whatever policy is currently en vogue.

Already, China has blacklists that can prevent people from traveling, block job offers and make people’s children ineligible to attend top schools. And there was even an attempt at letting the private sector run parts of the scheme: In 2015, Alibaba and Tencent were asked to test their own systems. Two years later, regulators realized that companies that have a profit motive might charge folks to bolster their score.

The point is that even now companies and governments are working out ways of using this sort of aggregated data for their ends. I’m reminded of the movie Brazil, in which a vast bureaucracy would rather assassinate its own citizens than rectify errors in its records. Scoff all you want, but it’s entirely plausible that a government would simply poll ad-agency data, credit scores and social media information to begin profiling its citizens.

That leaves me at something of a crossroads: Do I kick up a fuss and demand greater accuracy in the surveillance? Or is it better to try, as best possible, to obfuscate the system in the hopes of making it unusable by any future government?

Credits:
Writer: Daniel Cooper
Features editor: Aaron Souppouris
Lead reporter: Chris Ip
Copy editor: Megan Giller
Illustration: Koren Shadmi
