
Last week, a man in a Chicago suburb received a letter from OfficeMax. It was addressed to Mike Seay; the line below his name read “Daughter Killed in Car Crash.” OfficeMax blamed an unnamed third-party data broker for mistakenly printing the information on the envelope. A distraught Seay responded with some important questions: “Why would they have that type of information? Why would they need that?”

The answer is that for data brokers, any piece of personal information is potentially valuable. Relevance is only an algorithm — or a sales pitch — away.

Data brokers are supposed to be the unseen cogs in the surveillance economy, collecting vast amounts of information on hundreds of millions of people and analyzing it for patterns and likely outcomes. They are devoted to extracting value from the raw information of our lives for their own gain; they sell this information to stores, insurers, banks, tech companies, HR departments and basically anyone who comes calling. Government agencies are part of the trade as well, with the DMV selling to data brokers and the TSA passing on information to debt collectors.

Some brokers know everything there is to know about you, including your shopping habits, medical history and income, how much debt you have, what you read, which charities you support and where you worship. One such broker, Equifax, maintains up to 75,000 data elements per individual. The brokers categorize consumers into various groups — “Ethnic Second-City Strugglers” or “Elderly Opportunity Seekers” — that allow the buyers of this information to be more selective.

Selling personal data is massively lucrative. In 2012, the data-broker industry produced $150 billion in revenue. One major player, IMS Health Holdings, claims it generated $2 billion in sales in nine months last year and has “over 85 petabytes of unique data,” including 400 million patient records from more than 100 countries. Drawing on its records of “45 billion healthcare transactions,” IMS can help pharmaceutical sales reps know which doctors are prescribing their products and which need to be hit with some salesmanship. While IMS claims that its patient records are anonymous, a number of studies have shown that it’s possible to de-anonymize data, whether by seizing on a few key data points or combining disparate data sets.

Veil of secrecy

Last month, the Senate Committee on Commerce, Science, and Transportation, led by Sen. Jay Rockefeller, D-W.Va., published a report on the data-broker industry. “Data brokers operate behind a veil of secrecy,” read the document. “Many of their practices lie outside the ambit of federal consumer protection law.” One data broker, InfoUSA, “routinely ignored rules about selling data to known fraudsters.”

The data-broker industry explains its role as greasing the wheels of digital commerce — in other words, helping subsidize free services such as Gmail and Facebook, providing startups with access to new customers and connecting people with more personalized ads. (This latter point is always presented as a kind of public service, as if Internet users are clamoring for more targeted advertising.) Representatives also contend that self-regulation has worked. “Responsible data sharing” is great for economic growth and for consumers, Tony Hadley, Experian’s VP of government affairs and public policy, told the Senate committee.

But “responsible data sharing” is a conveniently imprecise and flexible term. Companies don’t just use data to get shoppers to more easily part with their money. Personal data are important for any field concerned with risk management, from airport security to electrical utilities. Insurers might buy up customer information to improve actuarial models, determine coverage levels and monitor clients for adverse behavior. In the process, your personal data are turned against you, used by corporations to help influence your habits. (“We noticed that you recently bought some bigger pants and are drinking more. Is everything all right?”)

Personal data can therefore be put to pernicious uses while bypassing laws, such as the Fair Credit Reporting Act or the Health Insurance Portability and Accountability Act (HIPAA), which are supposed to protect consumers by regulating banking, insurance, health care and other industries that make use of our private information. Much of the information circulated between brokers and clients comes from third parties, so that a list of people suffering from Alzheimer’s or alcoholism isn’t covered by HIPAA. Similarly, companies can use personal data — arrest records, medical prescriptions, political contributions — to discriminate against customers and potential employees, especially the most vulnerable.

These laws now appear antiquated and in need of amending, a conclusion supported by a recent Government Accountability Office report, which said, “Congress should consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information.”

Without significant regulatory reforms, the situation is only going to get more stacked against the millions of people who, whether they like it or not, are this industry’s product.