Mapping the Data Broker Economy (Blog 2): The Pelmorex Corporation
In order to shine a light on the data broker economy, we’ve filed personal information requests to take back our data, and are exploring the privacy risks of data brokers.
This is the second post in our Mapping the Data Broker Economy blog series. To go back to the first post, click here.
What is the Pelmorex Corporation?
You might be wondering what the Pelmorex Corporation is and why I would file a request with them. They’re the parent company of the Weather Network and other weather-related apps and services. The weather apps that come preinstalled on Apple’s iOS devices and Google’s Android devices use weather data sourced from Pelmorex. And in exchange, the Pelmorex Corporation is sourcing data about the users of these devices.
What kind of information does the Pelmorex Corporation collect?
The Pelmorex Corporation describes itself as undergoing a “transformation to an Information Networks and Data Solutions business.” Whenever you connect to a property that's owned by the Pelmorex Corporation, information about you is collected, combined with other information, and made available for purchase to other organizations in a real time, live bidding process.
IP address, which is the unique identification number associated with a device that’s connected to the Internet;
Location, which is recorded every time you use one of the Pelmorex Corporation’s apps, and which can be combined with postal codes, demographic data, and precise location data that the Pelmorex Corporation purchases from other third parties (in 2017, the company boasted that they were recording more than one billion locations each month);
How is this information used?
This data has immense value to advertisers and marketers who are looking for audiences in specific demographic categories and geographic areas. Companies like Environics Analytics specialize in sorting people into groups, and monetize this categorization by selling access to these groups of people. Through its Prizm program, Environics Analytics puts Canadians into 67 different groups, ranging from most to least affluent, with names like “Asian Sophisticates” for the groups at the wealthy side of the spectrum, and names like “Indigenous Families” for the least affluent groups.
This kind of categorization and targeting is one reason that special protections should exist around the use of sensitive information. Looking at how people are sorted into these groups, it becomes clear that some categories of information – like those related to ethnicity, finances, age, ability, sexuality, education – are deserving of special protections under Canada’s privacy laws because they could lead to discriminatory practices, but unfortunately these special categories have been left absent from recent legislative proposals.
According to one report, the digital advertising market was worth $189 billion in 2021. Companies get a piece of that pie by doing this kind of social sorting, and the Pelmorex Corporation is providing some of the data that fuels this discriminatory industry.
Where does this information flow?
You might be wondering what third party organizations are purchasing your data from the Pelmorex Corporation, and if this data could be used for something more than just digital advertising. According to recent reports, it absolutely could be.
In the United States, the EFF has uncovered one data broker that is making the location data of hundreds of millions of people available to law enforcement in an extrajudicial process that evades our normal legal safeguards. (And remember, the Pelmorex Corporation boasted they were recording more than one billion locations each month in 2017.) This kind of mass surveillance is fueled by many individual companies that collect and sell our location data. “[W]hen you let a weather app access your location in order to see a five-day forecast,” the EFF article warns, “you may also give it the ability to sell, share, and use that data for whatever other purposes it chooses.”
Recently, it was made known through a Canadian Parliamentary investigation that the Pelmorex Corporation was one vendor who sold user data to a company called BlueDot, who then sold it to the federal government of Canada.
This convoluted process gives us a glimpse at the secret flow of data between data brokers and their network of third parties. The secretive data flow worked something like this:
Someone checks the weather on their phone;
The Pelmorex Corporation records the unique identification number associated with their device, their location, and information about their Internet browsing habits (collected through cookies);
The Pelmorex Corporation combines this data with other data they have collected or have purchased, like precise location data sets and demographic information, and makes it available for purchase;
A third party company like BlueDot purchases the information;
BlueDot then turns around and sells that information, possibly in combination with other information, to another third party, like the federal government of Canada.
This cycle can continue in perpetuity, with our data being sold to untold amounts of third parties, and combined with other data, creating new risks for re-identification and discrimination, and further clouding our ability to exercise any meaningful control over our own information.
Taking back my data from the Pelmorex Corporation
The Pelmorex Corporation sells data about its users to many more organizations beyond BlueDot and the Government of Canada, and I was curious to know who else might have purchased my information. I filed a request under Canada's Personal Information Protection and Electronics Documents Act for access to my personal information. Unfortunately, this data access request quickly hit a roadblock.
Perhaps worst of all, my experience with the Pelmorex Corporation showed their absolute unwillingness to give users any greater control of their data, or to explain how the organization exploits the data of its customers by monetizing it in ways that a reasonable person might not expect.
I asked the Privacy Officer if they could search their system based on IP address or through location data, suggesting that I provide them with this information so that they could conduct a search and identify me within their system. If that weren’t possible, I asked if they could provide me with a list of organizations that my personal information (including my location data and IP address) could have been shared with.
On July 15th, 2022, my data access request with the Pelmorex Corporation was terminated when Privacy Officer told me that IP address and location information are not stored together and therefore “does not constitute PII [personally identifiable information] under PIPEDA” and that they would be unwilling to conduct a search using an IP address or GPS location data. We can assume that if this data had been stored together, it would constitute personal information and the Pelmorex Corporation would be forced to comply with Canadian privacy laws.
The Pelmorex Corporation keeping IP addresses separate from location data in order to avoid compliance with privacy laws is like a bully stealing your eyeglasses and breaking them in half. When you ask for your glasses back, they say that these aren’t your glasses because they’re now in two pieces, and yours were in one. Because these aren’t your glasses anymore, they’re free to use them, look through them, sell them – whatever, whenever they want. Sure, the glasses aren’t as useful in two pieces, but they can be easily recombined whenever the need serves. And if they end up selling both halves of the glasses to a third party, and that third party is the one that recombines them, that’s not the business or legal responsibility of the Pelmorex Corporation.
Decades ago, law-makers failed to anticipate that companies would split our data apart, like a bully snapping our eyeglasses in two, and now those outdated laws are enabling data brokers like the Pelmorex Corporation.
The Privacy Dilemma with De-Identified Data
How does the unique address of your device, along with the precise GPS coordinates of places like your home, NOT constitute personal information? This is the product of commercial sector privacy laws that are badly outdated and fail to anticipate the novel ways information about us could be exploited and monetized. Unfortunately, de-identified data falls outside the scope of Canada’s current privacy laws. This is not the case in the European Union, California, and under Canada’s proposed new privacy laws, which all recognize the importance of protecting data even in a de-identified form.
In response to another company not implementing strict measures to protect the de-identified location data of people in Canada after transferring it to third parties, the Office of the Privacy Commissioner of Canada recently said: “Organizations must implement robust contractual safeguards to limit service providers’ use and disclosure of their app users’ information, including in de-identified form. Failure to do so could put those users at risk of having their data used by data aggregators in ways they never envisioned, including for detailed profiling.”
In response to my second question about the list of organizations that the Pelmorex Corporation sells user data to, Privacy Officer responded to say that “insights we may provide to third parties come from anonymized, aggregated metrics […] there is no list of organizations that we can offer you.”
According to the Pelmorex Corporation, the way our personal information is monetized is none of our business, despite it being their explicit business model, and us being their explicit product. If you’re not interested in being part of this exploitative economy, you might try using a weather app that doesn’t sell any data about you, or by disabling advertising ID tracking on your digital device.
In the end, I filed a complaint with the Office of the Privacy Commissioner of Canada related to the Pelmorex Corporation’s unwillingness to grant access to my data.