Mapping the Data Broker Economy: Taking Back Our Data

In order to shine a light on the data broker economy, we’ve filed personal information requests to take back our data, and are exploring the privacy risks of data brokers.

This is the first in a series of blogs that explores how we can use privacy laws to take back our data and begin to map a shadowy data broker economy. To find out what a data broker is, check out this post, and be sure to sign the petition to Stop the Harvest of your sensitive data. 

There’s a widely held belief that once our personal information is out there on the Internet, it’s gone forever. While this holds partly true, some privacy laws at least offer us a theoretical means of taking back our data. In this blog series, I’ll document the journey of trying to reclaim my data from three data brokers, while exploring the privacy risks associated with their practices.

I’m Bryan, the privacy campaigner at OpenMedia. In this blog series, I’m filing requests to reclaim my own personal information, and I’m attempting to map the paths that my information might take on the Internet. Essentially, I’m trying to exercise some measure of control over my own information through the pursuit of knowledge and the act of reclamation – even if this gesture amounts to being more symbolic than literal.

The Data Brokers

I’m in Canada and existing Canadian privacy laws give people here the right to request access to their own personal information from companies, and to find out the names of the organizations with which that information has been shared. These laws also require that companies comply with openness and access principles, like how they manage personal information, and how they facilitate access for people like me who want to reclaim their information. In theory, all of this should lead to a person being able to understand what data about them is being collected, how it’s being used, and who is using it. Yet in practice, it’s often a different story.

Privacy laws in other parts of the world offer similar legal mechanisms for requesting access to personal information. For example, General Data Protection Regulations in the European Union and the California Consumer Privacy Act in the United States offer a recourse for individuals to request access to their own data.

Using Canada’s privacy laws, I’ve filed requests for personal information through the Personal Information Protection and Electronic Documents Act with three data brokers:

1. The Pelmorex Corporation, the company that owns the Weather Network; 

2. Telus, the telecommunications company; 

3. And Thomson Reuters, the media and data company.

These requests were filed on June 24th, 2022. The law requires that the companies respond to the requests within thirty calendar days. This means the requests should have been fulfilled by July 25th, 2022.

The Big Problem with Data Brokers

One of the major issues with data brokers is that they don’t see themselves as being involved in the illicit trade of sensitive information or recognize the impact this has on our fundamental rights and values. 

In the three examples of data brokers that I’ve chosen, their data brokering activities are often a side business. In the case of Telus and Thomson Reuters, the sale of information related to identifiable people or groups of people isn’t their primary revenue source. For the Pelmorex Corporation, the sale of this kind of data isn’t what they’re known for. These companies have been compelled to exploit personal data resources for profit.

The novel exploitation of personal data resources is a perverse and negative consequence of the for-profit business model and, in the case of Telus, showcases how the pursuit of profits often runs contrary to the provision of an essential public service. 

Imagine this:

A region of the world has a publicly owned transportation system that operates on a non-profit basis and provides bus, train, and ferry services to residents and visitors. It’s a fundamental service that’s required to sustain the local economy, but slowly over time, through budget cuts and mismanagement, it begins to operate poorly and its users become frustrated. 

This becomes an opportunity for politicians, who campaign on the idea that this service would be better managed in the private sector. Eventually, supporters of the privatization model win, and the once publicly owned transportation system becomes private and  begins to operate on a for-profit basis. The consequences of this transformation has many possible consequences: maybe the cost of the services has to increase; maybe the routes available are decreased; maybe there are huge layoffs, wages are slashed, and pensions are cut; and maybe, just maybe, the for-profit model forces the formerly public transportation service provider to derive new revenue models to increase the returns for its shareholders. 

With access to all the information related to the trips that people are making in the region, the newly privatized transportation company decides to begin selling access to this dataset to other companies, capitalizing on the marketing insights that can be extracted from this data source. This new, alternative revenue stream allows retailers to learn when and where teenagers travel; it enables casinos to find that same information about senior citizens; and it also gives alcohol and tobacco companies the ability to find new customers. And maybe, just maybe, this brings down the cost of the essential transportation service, closer to what the prices were before privatization. But at what cost to the people who rely on the service? Would they be able to foresee and understand how their data is being monetized? They have no other choice but to use this transportation service that was largely funded and created through public resources before privatization occurred.

This scenario isn’t far from what’s occurring with telecommunications company Telus. Telus was originally a holding company formed by the government of Alberta in the 1990s and was created to privatize the publicly owned and operated telephone service. Eventually, it merged with BC Tel (because corporations hate that competition tends to drive prices for consumers downwards) and became western Canada’s telecommunications monopoly. And just like how the for-profit model of the hypothetical, recently privatized transportation company created a financial imperative to develop new, alternative revenue streams, Telus too was tempted by the potential profits available through data brokering. The allure of selling access to the data related to its customers was too tempting for Telus, and the company now monetizes the location information they collect through their cellular services, which rely upon technical infrastructure that was created through public funds. 

Now imagine the above scenario for a school district, a healthcare system, or a criminal justice system. The threat of privatization looms for each, along with the hazards of a for-profit model making novel uses of existing data sets in order to generate new revenue. While technology allows for the exploitation of this information, we must ask: Is the ability to be able to do something justification enough for its consequences? 

If you’re sick of being treated like a product and having your data collected, bought, and sold through a shady network of companies, take the first step and sign the petition to stop the harvest. 

The Requests

Below, I’ll outline the interactions I had with each data broker in the facilitation of my access requests. (These will become links as the subsequent blog posts in this series are published.)

• The Pelmorex Corporation: “Go away.” 

• Telus: “We hear you, we see you, your concerns don’t matter to us at all.” 

• Thomson Reuters: “Bleep, bloop – DERP.”

Image credit: geralt via Pixabay