Experts Call on Senate to Regulate Data Brokers

     WASHINGTON (CN) – Companies that collect and sell massive amounts of consumer data need to be regulated, experts told members of the Senate Judiciary Committee on Tuesday.
     The Subcommittee on Privacy, Technology and the Law heard testimony on the security risks posed by the multibillion-dollar data-broker industry that mines, analyzes and sells consumer information.
     “In the last few years we’ve seen data breach after data breach, affecting both public and private networks,” Sen. Al Franken, D-Minnesota, said in opening remarks. “It has become all too clear that we need to be doing more to ensure the security of Americans’ personal information. The cost of complacency is simply too high.”
     Data-broker companies, the scope of the personal information they collect, and the unregulated space in which they operate remain largely unknown to the average American, Franken added.
     Data brokers mine consumer information mostly for marketing and identity verification. The information they collect includes online user names, email addresses, Social Security numbers, credit card information, political leanings, charitable giving histories, purchases, Internet search histories and medical conditions, among others, Franken said.
     In the age of big data, all Americans have some of it attached to them, Pam Dixon, executive director for the World Privacy Forum, testified. The danger is that “what data doesn’t exist can be inferred. It creates an extraordinary network of information flows about ordinary consumers,” she said.
     Dixon said data brokers also hold information about the make and model of people’s cars, their children’s ages, their exact income, and debts.
     “It is reckless and downright dangerous to not protect this vast store of information,” Dixon said. She added that data brokers can store and sell medical information that the Health Insurance Portability and Accountability Act prohibits disclosure of, noting that this also applies to the education, government and financial sectors.
     Dixon called on the Senate to pass legislation setting minimum national data-security standards to better protect consumers’ personal and private information in the hands of data broker companies.
     In March, Franken and Sens. Richard Blumenthal, D-Connecticut, Sheldon Whitehouse, D-Rhode Island, and Edward J. Markey, D-Massachusetts, introduced the Data Broker Accountability and Transparency Act. The legislation would allow consumers to view and correct their information, and stop data brokers from using their personal information for marketing purposes.
     However, Justin Harvey, chief security officer of Fidelis CyberSecurity, testified that legislation itself is not enough, and cautioned against setting a low bar for national standards.
     Cyber threats, including state-sponsored espionage and the possibility of massive data breaches, require a more rigorous approach, he said, adding that mandatory encryption of all private data would be a stronger safeguard.
     “Imagine a breach where every American’s name, Social Security number, address, email, phone number and mother’s maiden name was leaked to the Internet,” Harvey said.
     He compared that scenario to the recent leak of personal information of 36 million American users of infidelity-purveying website Ashley Madison. Noting recent census figures placing the U.S. population at just over 320 million, “a whole country’s worth of personally identifiable information could therefore be compressed into 100 gigabytes,” an amount that could fit on a thumb drive or iPhone, he said.
     In the new landscape, state-sponsored espionage actors do not need to steal the data when they can simply purchase it, not to mention what U.S. intelligence agencies could do with this data, he told the committee.
     None of the senators took his bait, but Harvey elaborated after the hearing in an interview.
     Prior to the Edward Snowden leaks about the National Security Agency’s spying on Americans and the recent restrictions placed on the agency, it had to infer the context of people’s behavior from listening on the wire, Harvey said.
     The data held by data brokers contains a lot more context, and the NSA “would have to have been listening in on all of these different areas to rival the metadata that is being collected and analyzed today,” he added.
     “There’s very little difference between the metadata that was collected by the NSA on the network, and the metadata that is being held in the data brokers’ data stores.”
     Harvey said that hypothetically, the NSA could access these data sets and profile for “threats.”
     “It’s definitely a concern for abuse, particularly since they can’t survey the networks anymore without permission,” he added.
     Legislating this is “tricky,” he said, but added that he hoped any legislation would also include prohibitions on the use of consumer data by U.S. intelligence agencies.