Yesterday Reps. Ed Markey (D, Mass.) and Joe Barton (R, Texas) released a batch of important details about the operation of the nation’s largest data broker companies. The information came in responses from nine data broker companies to a list of questions posed by a group of Members led by Markey and Barton seeking details of their operation in light of the privacy sensitivity of what they do. The responses released yesterday provide a good snapshot and reminder of what it is these companies are doing.

The most thorough response was provided by what is probably the biggest data broker, Acxiom. The company’s response contains a wealth of details about their gathering, buying, and selling of information about individuals (though it’s hard to know what they’re leaving out or smoothing over). But let me cover some highlights.

Acxiom takes the opportunity of the letter to engage in a lot of defensive propaganda about how “information services fuel the global economy and infrastructure” (which is not true; advertising may partly fuel the internet—though some key sites such as Wikipedia are ad-free—but personal information need not necessarily be involved). Acxiom also argues that “Consumers Benefit from Appropriate Use of Information in Numerous Ways.” Putting aside the loaded qualifier “appropriate,” it is a bit… spooky to tout the supposed benefits to consumers of dossier creation when individuals have not knowingly consented to those dossiers. (If the benefits are so great, let individuals opt-in.)

Acxiom also refused to respond to the members’ request that they list their sources of information, citing trade secrets. Instead the company responded generally that it received information from corporate, government and “self-reported” sources, the latter meaning primarily consumer surveys and product registration forms.

On the government side, Acxiom says it receives

“various lists from the federal government, such as the Social Security Administration’s Deceased Master file, the State Department Terrorist Exclusion list, and the Office of Foreign Assets Control list.”

State and local government records “such as” real estate assessor records, motor vehicle records, driver’s license data, professional licenses and other licenses such as hunting, voter records, and court records “including bankruptcies, liens, judgments and criminal convictions.”

On the corporate side, in the nonstop merry-go-round of data trading, much of Acxiom’s data is apparently fourth-hand: “Acxiom regularly procures data from other data compilers, like Acxiom, that compile data from hundreds of other sources. These commercial entities typically compile information from companies that collect the data directly from individuals.” In other cases, the company says, it “acquires data directly from the consumer-facing company without going through an intermediary.”

Acxiom says none of its corporate sources of data “provide complete purchase transaction data, detailed financial information, credit information, financial account numbers, or protected health information.” The company also states that it “also screens all businesses and data compilers from which we receive data to ensure the data has been legally and ethically obtained.” That’s great, though I wonder how effective that can be when much of the data it’s receiving is fourth-hand? The company also says it screens companies to “ensure that it can legally and ethically provide the data to a third party, such as Acxiom.” Legally I do not doubt they do so, but the ethics of any company dumping its customer information into the hands of a third-party data aggregator are questionable at best.

As for the types of information the corporate giant is compiling on us, it lists

“Identifying and contact information”

“Court & public record information”

Financial “indicators”

Health “interests”

Demographic information

“Lifestyle and interest indicators”

The health “interests” (funny word, that) collected by the company include “interests in diabetes, arthritis, homeopathic, organic and senior needs.” Diabetes and arthritis are listed, but they don’t state what and how many other medical conditions are tracked. Financial indicators include “estimated net worth, estimated income, and type of credit card.” The demographic information collected includes:

date of birth/age, race, ethnicity, religious affiliation, language preference, length of residence, home value, home characteristics, marital status, presence of children in the household, number of members in the household, education, occupation, and political party.

The lifestyle and interest indicators include:

cooking, sports, reading, computers, fashion, travel, exercise, crafts, movies, online shopper, retail purchase frequency and type of retail purchase (e.g., electronics, groceries, gas travel), media channel usage (e.g., Internet, TV, yellow pages, radio), type of social media user (e.g., Twitter, Facebook, LinkedIn, YouTube), license and registration data (e.g. professional, hunting, fishing, boaters, firearms, ATV, snowmobiles, aircraft) and Acxiom’s life-stage cluster.

Acxiom says its data products make up 15% of its revenue, with the rest coming from “information services,” which primarily seems to mean helping organizations make use of data they already possess. Its data products include:

Enhancement: “Acxiom offers our clients access to a database of [the collected data], which is used to enhance their customer or constituent file to better understand consumer interests, needs and changing life-stages.”

Lists: The company also sells lists of customers based on the above categories to businesses for “prospecting purposes.” Clients can send Acxiom a list of their best customers and have Acxiom “identify similar households of potential new customers, supporters, or constituents,” and the company also says it “licenses our list database to … to other list providers for resale.”

Online advertising: the company offers organizations “the ability to target online advertising” using its data. It says that it does this in anonymous ways, but Acxiom also says, “in some instances we enhance our publishing partner’s file of registered users with Acxiom enhancement data.” It is not clear to me how that procedure would be anonymous. On its web site the company also tells clients, “Use what you already know about your audience in the offline world, combine it with the gigabytes of data available in the anonymous online world, and apply it with scale across emerging, addressable media channels.” Axiom says it “does not collect online browsing or search activity on consumers,” and “We do not collect specific activity from social media sites such as individual postings, lists of friends or any data that is not public.” That is good, but I do not understand how all these statements can be reconciled. It does seem clear the company is playing a key role in bridging online and offline data, which is a major threat to privacy.

Risk Mitigation

I was very interested to read about the company’s “Identity Verification” and “Risk Mitigation” products. “Risk mitigation” is a term that often means “using data analysis to blacklist some individuals from access to certain things.” This is where we get into due process questions over the algorithms used to create a score and how that may affect different people and groups.

The Identity Verification product, Acxiom says, simply “verifies a potential customer’s identity by comparing the data supplied by the consumer against Acxiom’s database.” As for the Risk Mitigation product, Acxiom says it:

provides information for the fraud department and other risk management departments, including the collections department, in businesses, non-profit organizations and government agencies to help them identify, investigate and prevent fraudulent transactions.

This is quite vague. What information is provided? Presumably the raw data includes nothing outside of what they list above, but the big question here is, does Acxiom do any risk scoring?

Which brings us to a related issue, that of access and correction by consumers. Acxiom’s policy is that consumers “are not able to access the individual information we have in our marketing product line.” Instead of access, we publish a booklet ‘Understanding Acxiom’s Marketing Products.’” They may, however, opt out of receiving marketing (that can be done here). And consumers may access and correct the information in Acxiom’s identity verification and risk mitigation products. The company says many people are steered to do so when faulty information results in them failing an identity check. Of course we don’t know how many people suffer some silent sanction because of errors in either of these products, and never know to correct it.

If some random guy on the street, or some company I’d never heard of, asked me to fill out a form listing all of the above information about me, I, and most people I think, would feel like they were filling out quite an intrusive questionnaire. The fact that these datasets are being bought and sold largely without the knowledge of the American people is a testament to how thoroughly profit-seeking companies will intrude upon our privacy when we don’t pass protections into law preserving our oldest traditions of privacy.