Despite historic breach after historic breach, our personal data largely remains unprotected and up for grabs.
Late last month, WIRED reported that 1.2 billion personal records—from social media handles and email addresses to phone numbers—were left exposed in an easily accessible database. The records were discovered by security researcher Vinny Troia, who also revealed that the info was from various data brokers. It was most likely obtained legally rather than hacked.
Anouk Ruhaak (@anoukruhaak) is a Mozilla Fellow and currently pilots data trusts with the Global Center for the Digital Commons. She has a background in software development, journalism, and political economics.
The discovery would have been a shock, were it not for the fact that such breaches have become routine, unavoidable costs of a data-powered internet. Security firm Norton estimates that 4 billion records had been breached in the first half of 2019 alone. The news coverage has become just as routine: reporting, followed by the obligatory outrage, met with a tersely worded response by the company in question, usually deflecting most responsibility. Only in extreme cases do courts offer solace in the form of fines and monetary compensation for victims.
When breaches occur, we tend to focus on the hackers who exploit this information. But there’s another culprit: data brokers. They are the shadowy companies that collect everything from your medical history to your social media accounts, build profiles of you and your behavior, and then sell it all to third parties, often with little oversight or restrictions. A 2014 study by the Federal Trade Commission found individual data brokers holding as many as 1.4 billion records on US citizens. And they are here to stay: Market analytics firm Transparency Market Research expects the market to grow by 11.5 percent yearly through 2022.
Every time a data broker makes a sale, more data is released into the wild — and, consequently, the risk of future data breaches goes up. It’s critical, therefore, that data brokers understand who they sell to and guarantee that their buyers can adequately safeguard sensitive information. At the moment, that is not the case. As data broker Oxydata told WIRED: “We sign the agreements with all our clients that strictly forbids the data reselling and obliges them to ensure that all of the appropriate security measures are taken. However, there is no way for us to enforce all of our clients to follow the best data protection practices and guidelines.” The truth is that, while it is possible to audit all buyers, doing so would be expensive and, from a legal standpoint, unnecessary.
Data brokers should be held accountable for the negative externalities they inflict on society. There will always be criminals online, and new regulations will never fully deter them. But governments can deter the complicit middlemen — the data brokers with little security and fewer scruples. While data brokers are often sued for damages if data is breached when it’s in their own possession (e.g., Equifax in 2017 and Exactis in 2018), they are not held accountable for data breached by those they sell to, nor are their executives tried for fraud. What if instead they had to answer for the consequent fraud and abuse? What if authorities like the Federal Communications Commission had a strong mandate to punish data brokers for their role in leaks and breaches?
To make companies responsible for the actions of buyers or sellers up or down the supply chain is not a new idea. The UK Modern Slavery Act was specifically designed to hold large UK manufacturers responsible for human rights violations by their contractors or subsidiaries down the chain. Similarly, anyone importing goods into the EU is responsible for the use of toxic chemicals anywhere in the production cycle, even if that part of the chain is not directly controlled by the importing company. It’s a tried and tested methodology to prevent corporations from passing the buck down the supply chain.
In a similar vein, we could hold data brokers responsible for any breaches involving data sold by them. What could such regulations look like? The least intrusive measure would be to only hold data brokers accountable after a breach occurs. The downside is that by the time a breach happens, it’s already too late: Millions of records are now exposed. Moreover, rather than incentivizing data brokers to take better care of who they sell to, such a measure would incentivize them to make it harder to trace data sales back to them.