
Lab Presents: What Data Brokers Know About Users

The California Consumer Privacy Act allows consumers to opt-out of having their data shared with third-parties, and to also request to see the data the company has about them. However, the complex web of data sharing and partnerships makes it very difficult for consumers to know who has their data, let alone what is being collected.

Much of the discussion about data collection tends to focus on how the websites and applications the user interacts with handle data. But all of this gets packaged up—the user-provided information, user activity, and device data such as location—and sold to data brokers. Since data brokers collect information across many apps, sites, and other brokers, they are able to create comprehensive profiles of individuals, with details about where they have been and what they have done. This kind of data is highly valuable to market analytics firms, advertisers, and other organizations—the data broker industry is estimated to be worth $200 billion—and there is very little transparency or accountability over what happens once user information reaches data brokers.

The California privacy law’s reach is very limited when it comes to the gold mine of information that data brokers are sitting on, as Jordan Wright, a senior security architect at Duo Security at Cisco, found when he tried to find out what information they had about him.

Requesting the Data

Wright submitted CCPA data access requests to 14 different brokers that specialized in location data. Only one approved his request and sent him a year’s worth of location data. Three said they did not have information that could be tied to Wright’s device.

The company that gave Wright his data provided 1,200 records, or one year’s worth of location data. Each record had the time the data was collected, the Mobile Advertiser ID (MAID), the device operating system and IP address, and the location in the form of longitude and latitude. Wright plotted the records and could see when he moved to a new house further north, and when he started staying home.

It’s worth reiterating that Wright didn’t provide any of his data to Reveal Mobile, the sole company that approved Wright’s request. Everything Reveal Mobile had about Wright came from other apps and sites Wright used, but there’s no easy way to figure out which of those apps and sites shared his information. That makes it harder for Wright to go back to the offending app and opt-out of having his information shared with Reveal Mobile.

He will have to opt-out in every app and service he uses. Easier said than done, since each company has a specific way to submit the request. There is no consistency in how to submit these requests, making this a time-consuming process for the individual consumer.

As for the three brokers that didn’t have Wright’s data, that just meant Wright hadn’t used any of the apps or sites that partner with those brokers.

The location data being collected could have been user-provided, say in the case of a user giving the weather app the zip code to get local weather forecasts, or device-based, if the user granted the app permission to access the device's location.

Wright plotted all the records he received. In the resulting visualization, he could see how he moved around his community throughout the year. The animation can be found on the Duo Labs site.
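As an added illustration of why a record set keyed only by a MAID is still personal (this is not code from the article or from Duo Labs): the script below takes constructed records in the field layout Wright received, picks out each month's most common night-time grid cell, and reports when that cell changes, which is the "moved to a new house" inference that his plot made visible. Every MAID, IP address and coordinate in it is invented.

```python
# Added example, not from the article or Duo Labs. Constructed records in
# the shape described in the article (timestamp, MAID, OS, IP, lat, lon);
# every value below is invented. Night-time points cluster where the
# device owner sleeps, so a change in that cluster reveals a move.
import csv
import io
from collections import Counter
from datetime import datetime

MAID = "00000000-1111-2222-3333-444444444444"  # constructed placeholder
SAMPLE_CSV = f"""timestamp,maid,os,ip,lat,lon
2019-06-03T02:10:00,{MAID},iOS,203.0.113.10,30.2672,-97.7431
2019-06-03T13:45:00,{MAID},iOS,203.0.113.10,30.2850,-97.7400
2019-06-10T01:30:00,{MAID},iOS,203.0.113.10,30.2670,-97.7433
2019-09-02T02:20:00,{MAID},iOS,203.0.113.55,30.3511,-97.7320
2019-09-09T01:15:00,{MAID},iOS,203.0.113.55,30.3509,-97.7322
2019-09-16T12:40:00,{MAID},iOS,203.0.113.55,30.2850,-97.7400
"""

def parse_records(text):
    """Parse broker-style CSV rows into dicts with typed fields."""
    return [{"time": datetime.fromisoformat(r["timestamp"]), "maid": r["maid"],
             "lat": float(r["lat"]), "lon": float(r["lon"])}
            for r in csv.DictReader(io.StringIO(text))]

def night_cell(rec, precision=2):
    """Coordinates rounded to a ~1 km cell, or None outside 00:00-05:00."""
    if not 0 <= rec["time"].hour < 5:
        return None
    return (round(rec["lat"], precision), round(rec["lon"], precision))

def inferred_home_by_month(records):
    """Most frequent night-time cell per month, keyed 'YYYY-MM'."""
    cells = {}
    for rec in records:
        cell = night_cell(rec)
        if cell is not None:
            cells.setdefault(rec["time"].strftime("%Y-%m"), Counter())[cell] += 1
    return {m: c.most_common(1)[0][0] for m, c in cells.items()}

def detect_move(homes):
    """(old_cell, new_cell) the first month the inferred home changes, else None."""
    months = sorted(homes)
    for prev, cur in zip(months, months[1:]):
        if homes[prev] != homes[cur]:
            return homes[prev], homes[cur]
    return None

if __name__ == "__main__":
    homes = inferred_home_by_month(parse_records(SAMPLE_CSV))
    print(homes, detect_move(homes))
```

On the constructed sample the inferred night-time cell shifts north between June and September, which is exactly the kind of life event a broker can read off a dataset that carries no name.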

Californians Only

Three of the brokers declined to fulfill Wright’s request because he lived in Texas and CCPA covers only California residents. While a perfectly legal response, it was a little surprising since those companies clearly have a mechanism in place to process the request. CCPA is expected to have a trickle-down effect, because many companies will honor requests regardless of the state of residence simply because the process exists. One reason a company may not fulfill an out-of-state resident’s data rights request is that it relies on a manual process, which could theoretically take a lot of time, said Heather Federman, vice president of privacy and policy at BigID.

“From a public relations standpoint, it would look good for businesses to open up data rights to all consumers,” Federman said. “Whether or not they decide to focus solely on California or take a ‘wait and see’ approach is a business decision.”

All the people who don't live in California who want control over their data have to rely on the goodwill of individual companies.

"I didn’t have any meaningful other options than making these requests under the CCPA and hoping that companies would be willing to fulfill them out of a sense of transparency beyond what the law requires," Wright said.

Two brokers haven’t responded, nearly two months later. There are several potential explanations: they may have ignored the request because it came from an out-of-state resident, or because they didn’t have Wright’s information at all. Another possibility is that the brokers didn’t have to respond because whatever data they did have didn’t come directly from Wright. The text of the law is a little murky as to how it treats data brokers. The regulations released by the state attorney general back in March carved out some exceptions for data brokers, such as not having to notify consumers that they hold information about them.

Those exceptions may make it harder to hold brokers accountable for the information they have.

CCPA's Loophole

That's nine data brokers. The remaining five took advantage of a loophole in the law and told Wright they couldn't fulfill his request because they couldn't verify his identity according to the requirements outlined in the CCPA. Wright had provided his Mobile Advertiser ID, a unique identifier which is generated on the device and included with device data that is being collected.

One explanation was that the company stored the MAID and not “personally identifiable information,” so they couldn’t verify that the data associated with the MAID actually belonged to him.

"While this seems somewhat nutty, it's also a fair way to suss out any fraud/identity theft implications," Federman said.

Some brokers allow requesters to verify their identities. Some may require a screenshot of the device’s MAID, presumably to prove that the device is in the requester’s possession. Some asked users to provide three unique recently-visited locations. Providing three locations is a bit difficult if the person has been homebound due to recent stay-at-home orders.

“The data itself is personal to the extent that it can accurately track my location at points throughout the day, roughly pinpointing where I live and work,” Wright said. “So it’s frustrating to be told that my identity cannot be verified, and as a result I cannot determine what precise data a company is collecting about me.”

The law’s actual text says the business is not obligated to fulfill the request unless the “business can reasonably verify” that the person requesting the data is the consumer about whom the business has collected personal information. The word "reasonably" is open to interpretation.

It feels a bit contrary to the law's intent if a company can duck its responsibilities because it is hard to verify the user. In this case, the balance is tipped in favor of the business and not the consumer.

Wright wanted to know what kind of information about him had been collected and was stymied by the fact that regulations looked at where he lived and that different companies applied the law differently.

"The average person doesn’t stand a fighting chance to know how their data is being collected and used,” Wright said.