The Big Data Privacy Paradox

big data

Before technology took over our lives and data started growing exponentially, the U.S. Postal Service was “the” Big Data processor and repository in North America and perhaps the world. To state that it is an institution of American life is obvious to the point of absurdity. While not known for its clockwork efficiency, we all continue to rely on it in one way or another. If you’ve seen the news recently, you may have felt that gnawing pang of having your privacy yet again violated as the USPS publicly disclosed a vulnerability that allowed anyone to view, alter and store information about its 60 million users. Before you go log into your USPS account that you created to manage the delivery attempts of that important package you missed, it’s best to understand the bigger issue at hand: your data, its value and how exposure by the entities that are engrained in our lives and businesses on can expose us in ways we don’t normally contemplate….and would prefer to not have to worry about at all.

The reality is that your digital footprint are being watched—with the resulting aggregation of data providing a frightening wealth of information about our lives and businesses. Despite seeing the news, hacks, data breaches and massive data exposures, you still scroll through the Terms of Service (ToS) of the new app you just downloaded to get to the “Agree” button.  I mean, what are the alternatives, right? App creators know better than to bold anything or make anything clear — especially about how your app usage will translate into marketing metadata, sprinkling a trail behind you. They don’t want anything to stand between you and your download — or them and your personal information. You want to ignore this and spend time focus time on more productive endeavors…but there’s that little voice inside your head telling you that this will come back to you in one form or another and it is getting louder.

Your Google searches return, zombie-like, as ads. Your emails are mined for money-making opportunities. Elsewhere, your background, politics and even ethnicity are tracked. Retailers are notified, via Bluetooth and GPS, when you enter their store what your self-reported income range or demographic likely is and how much time you’ll probably spend shopping. The irony is that Americans say they care deeply about protecting their data. A recent survey shows that being in control of who can get information about us is “very important” to 74% of Americans. But if we care so much, why do we keep giving our information away? It’s the “privacy paradox”: we do it because we tell ourselves that our future self will probably suffer no consequences. We conclude that the worst that will likely happen is we feel kind of violated by all the corporate algorithms tracking us along with everyone else. Tech companies find their opening in our short-term reasoning and our future self cannot stop us from clicking on “Agree”.

A lucrative market has emerged in mining your data for presumably legitimate business reasons and for your convenience. The data broker industry alone generates around $200bn in annual revenue – which cuts out the data subjects … the data is about. ZDNet has detailed how all four major US carriers sell our mobile location data to companies you’ve never heard of, without your explicit permission. For example, Securus buys geolocation data from a location aggregator called LocationSmart, which in turn buys it from the aforementioned telecoms. All of these corporate relationships are arguably legal. That alone should be cause for concern because there’s no opt-out for any of this location sharing. Your consent automatically occurs simply by having a cell phone plan. In a very real sense, you’re powerless to prevent your location being used for profit and against you.

What is this all data collection called? You guessed it, Big Data. Big Data brings big benefits: ads focused on what you actually want to buy, smart cars that can help you avoid collisions or call for an ambulance if you happen to get in one anyway, wearable or implantable devices that can monitor your health and notify your doctor if something is going wrong. Big Data also leads to big privacy problems, especially when the corporations, which we entrust by clicking Agree, expose our data.

This not an anti-business viewpoint. If you think about it, it goes to the heart of our trusted networks and communications with one another.  If these networks and communications are compromised by our own carelessness and the carelessness of others, what does this do to our society and how we engage with one another? How much damage could this do to the potential for legitimate uses of Big Data in our lives and businesses?

Corporate Data Collection and What You Don’t Realize
How much do companies really know about you? They start with the basics, like your name, address and contact information, and add on demographics, like age, race, occupation and education.

But that’s just the beginning because companies collect lists of people experiencing “life-event triggers” so if you’re getting married, buying a home, sending a kid to college—or even getting divorced, you pop up on some company’s radar. For example, Experian, the credit reporting agency, has a separate marketing services division, which sells lists of names of expecting parents and families with newborns. Companies also collect data about your hobbies and many of the purchases you make. Enjoy reading nonfiction about World War II? Epsilon will sell a list containing your information to companies looking for potential book buyers. Another credit reporting agency, Equifax, has a subsidiary that collects detailed salary and pay stub information on roughly 40% of employed Americans. Do you enjoy the perks from your store loyalty cards? Great, but there’s a company called Datalogix, which has information on more than $1 trillion in consumer spending across 1400+ leading brands. Confused how the Internet knows about the classic car you bought in cash 5 years ago? You may be surprised to know that your state’s DMV may sell personal information— like your name, address, and vehicles you own to companies.

Despite protections around your medical records, companies like Axciom capture information about your interests in certain health conditions based on what you buy—or what you search for online. It has lists of people classified as allergy sufferers and dieters and sells lists of individuals that have a propensity to do online searches for a certain ailment or prescription.

These companies and other companies like them aggregate and sell your online presence as well. These companies collect the information you post online, your screen names, website addresses, interests, hometown and professional history, and how many friends or followers you have. Acxiom collects information about which social media sites individual people use, whether they are a heavy or a light online user and resells it to others. To give you the massive scale of a company like Acxiom, it has information on 500 million people worldwide, including nearly every U.S. consumer.

Why does this matter to you? 
There is a refined, in depth and legitimately acquired database of sensitive information about you and your business collected by organizations both with and without your consent. Further, their use of your information and ability to share that information is largely unregulated. Since your sensitive information is collected, stored and transferred by so many different organizations, imagine the uncountable opportunities for that information to fall into the wrong hands.

As witnessed by the most recent USPS data exposure, sadly you have little control over it. If you have ever traveled for business or pleasure, you’ve probably stayed at a Marriott property. Similar to USPS, Marriott collects sensitive information about you and unsurprisingly recently discovered an  ongoing data breach that revealed over 500 million guest records…for nearly 4 years before discovery.  The malicious actors had access to guests’ names, birthdates, passport #s, reservation patterns, and payment card information. Fraudulent charges aside, this information now empowers them to take the information that they have mined to steal or mimic your identity, create more illegal opportunities to monetize personal and corporate account information and cause significant harm. How good are you feeling about clicking “Agree” now?

Do you enjoy a cup of coffee or a tasty donut from Dunkin Donuts? Even Dunkin Donuts, a company serving coffees to millions of people across the globe, had a recent data breach as well. While you may not necessarily be thinking that your coffee drinking patterns are exploitable, they are a piece of your identity that, combined with other information, form part of who you are. Still dubious? Let’s say that you are traveling out of town with a Marriott reservation and buy a coffee from Dunkin Donuts all the while expecting an important holiday season package on your doorstep. A malicious actor could use that information to craft a highly personalized narrative that might enable them to get access to accounts or to convince people within your trusted network that they are you.  These, of course, are just a few data points…think about how that data could be used coupled with social engineering or other personalized data. With all this data and advanced machine learning technologies we will soon move beyond dumb identify theft risks, but identity theft with context or highly personalized data theft. A malicious actor armed with a few socially engineered contacts might actually do as good of pulling off your identity to your trusted network as, well, you can. What does that mean? That might mean that the most familiar personal and professional relationships that you maintain – those that are so personal that additional controls seem unnecessary – might be the prime targets of identity theft.

Today, we generally give away our sensitive information knowingly and unknowingly to many organizations with very little thought. We cannot track this information…it is lost and out our control once disclosed. We permit this under the assumption that the organizations requesting this information want to serve our interests (as evidenced by associated revenues), but unfortunately, this information continues to exist in databases in perpetuity and is valuable to malicious actors, who are outsmarting the security staff at organizations you’ve entrusted…perhaps with new technologies that were not even contemplated when you first agreed to the disclosure of your information.

The proper call to action is to become more aware. Information about your life and your business is not valueless. When you give it away to a company, even one that may intend to act in your or your business’s best interests, you are giving away control…control that you may not be able to regain or manage. Guard your personal and commercial sensitive information; don’t be so quick to give it away your name, birthdate and address for that rewards program. Spend more time contemplating both the confidentiality and data security provisions of the agreements that your business enters into. Do not accept that fiction that everyone or every business must forego protections to reap benefits…that fact does little to protect sensitive information once unwittingly disclosed. While we are increasingly getting numb to notices of data breaches, the effects on our futures are real. Rest assured, if you are agreeing to release your sensitive information, whether personal or commercial, it is going to get monetized and more than once. Now ask yourself, how sure are you that it will only get monetized for legitimate reasons and how confident are you that the disclosures you make today will not be improperly exploited by either current or future technologies and malicious actors? The answers you have to those questions should guide how sensitive you are to data disclosure going forward.

 

Eric Hess
Managing Director
HLC LLC

Eric Hess has over fifteen years of experience acting as senior in-house counsel, general counsel or senior management for exchanges, broker dealers, and financial services technology providers. He has a proven track record of meeting business and legal goals, including creating legal, compliance and technology & operational risk management functions, designing compliant trading technology, advocating for regulatory change, closing transactions, navigating challenging issues, managing regulatory inquiries & investigations and facilitating company growth, both organically and through strategic transactions. Specialties: Equities, options, futures and cleared swaps regulation; hedge fund, broker dealer and markets regulation; technology and operations risk management; contract negotiation; technology transactions; regulatory examinations, inquiries & investigations; dispute resolution; corporate governance, mergers & acquisitions; intellectual property; lobbying; and financing transactions. Mr. Hess holds Series 7 and 24 licenses and is admitted to practice in the States of New York and New Jersey.

 

HLC, LLC is a strategic partner of NCS Regulatory Compliance

 

Home