Avatar image of Bryan Short

Mapping the Data Broker Economy (Blog 2): The Pelmorex Corporation

In order to shine a light on the data broker economy, we’ve filed personal information requests to take back our data, and are exploring the privacy risks of data brokers.

This is the second post in our Mapping the Data Broker Economy blog series.

What is the Pelmorex Corporation?

You might be wondering what the Pelmorex Corporation is and why I would file a request with them. They’re the parent company of the Weather Network and other weather-related apps and services. The weather apps that come preinstalled on Apple’s iOS devices and Google’s Android devices use weather data sourced from Pelmorex. And in exchange, the Pelmorex Corporation is sourcing data about the users of these devices.

What kind of information does the Pelmorex Corporation collect?

The Pelmorex Corporation describes itself as undergoing a “transformation to an Information Networks and Data Solutions business.” Whenever you connect to a property that's owned by the Pelmorex Corporation, information about you is collected, combined with other information, and made available for purchase to other organizations in a real-time, live bidding process.

According to the Pelmorex Corporation’s privacy policy, this is some of the information they collect about you:

  • IP address, which is the unique identification number associated with a device that’s connected to the Internet;

  • Location, which is recorded every time you use one of the Pelmorex Corporation’s apps, and which can be combined with postal codes, demographic data, and precise location data that the Pelmorex Corporation purchases from other third parties (in 2017, the company boasted that they were recording more than one billion locations each month);

  • Web browsing history through the use of cookies, which are small files that are placed on your device, and allow the Pelmorex Corporation to follow you around as you visit different sites on the Internet. 

How is this information used?

This data has immense value to advertisers and marketers who are looking for audiences in specific demographic categories and geographic areas. Companies like Environics Analytics specialize in sorting people into groups, and monetize this categorization by selling access to these groups of people. Through its Prizm program, Environics Analytics puts Canadians into 67 different groups, ranging from most to least affluent, with names like “Asian Sophisticates” for the groups at the wealthy side of the spectrum, and names like “Indigenous Families” for the least affluent groups.

This kind of categorization and targeting is one reason that special protections should exist around the use of sensitive information. Looking at how people are sorted into these groups, it becomes clear that some categories of information – like those related to ethnicity, finances, age, ability, sexuality, education – are deserving of special protections under Canada’s privacy laws because they could lead to discriminatory practices, but unfortunately these special categories have been left absent from recent legislative proposals.

According to one report, the digital advertising market was worth $189 billion in 2021. Companies get a piece of that pie by doing this kind of social sorting, and the Pelmorex Corporation is providing some of the data that fuels this discriminatory industry.

Where does this information flow?

You might be wondering what third party organizations are purchasing your data from the Pelmorex Corporation, and if this data could be used for something more than just digital advertising. According to recent reports, it absolutely could be.

In the United States, the EFF has uncovered one data broker that is making the location data of hundreds of millions of people available to law enforcement in an extrajudicial process that evades our normal legal safeguards. (And remember, the Pelmorex Corporation boasted they were recording more than one billion locations each month in 2017.) This kind of mass surveillance is fueled by many individual companies that collect and sell our location data. “[W]hen you let a weather app access your location in order to see a five-day forecast,” the EFF article warns, “you may also give it the ability to sell, share, and use that data for whatever other purposes it chooses.”

Recently, it was made known through a Canadian Parliamentary investigation that the Pelmorex Corporation was one vendor that sold user data to a company called BlueDot, which then sold it to the federal government of Canada.

This convoluted process gives us a glimpse at the secret flow of data between data brokers and their network of third parties. The secretive data flow worked something like this:

  1. Someone checks the weather on their phone;

  2. The Pelmorex Corporation records the unique identification number associated with their device, their location, and information about their Internet browsing habits (collected through cookies); 

  3. The Pelmorex Corporation combines this data with other data they have collected or have purchased, like precise location data sets and demographic information, and makes it available for purchase; 

  4. A third party company like BlueDot purchases the information; 

  5. BlueDot then turns around and sells that information, possibly in combination with other information, to another third party, like the federal government of Canada. 

This cycle can continue in perpetuity, with our data being sold to untold numbers of third parties, and combined with other data, creating new risks for re-identification and discrimination, and further clouding our ability to exercise any meaningful control over our own information.

Taking back my data from the Pelmorex Corporation

The Pelmorex Corporation sells data about its users to many more organizations beyond BlueDot and the Government of Canada, and I was curious to know who else might have purchased my information. I filed a request under Canada's Personal Information Protection and Electronic Documents Act for access to my personal information. Unfortunately, this data access request quickly hit a roadblock.

The Request

After some back and forth with an anonymous Privacy Officer from the Pelmorex Corporation, I was told that the company can’t identify me or any of my data in their system based on my name or any of the email addresses that I provided to them. In order to dismiss my concerns, they directed me towards their “Privacy by Design validated Privacy Policy” (which, according to the Wayback Machine, was less than a month old).

This privacy policy fails to conclusively indicate whether the information that the Pelmorex Corporation collects, purchases, and sells can be used to identify an individual. Under the ‘What we do with the information collected’ section, they claim twice that the combination of this data can’t be used to identify a specific individual. Yet the policy also says that the combination of “mobile device identifiers” and location data is “generally not sufficient to identify you personally.” This ambivalence seems absolutely intentional and designed to avoid compliance with Canadian privacy law.

Despite the two conflicting statements in the Pelmorex Corporation’s privacy policy, many studies have concluded that location and mobility data alone are enough to identify a person within a large dataset, and they can’t be sufficiently anonymized to prevent individual people from being identified. Considering that location and mobility data is being combined with other identifiers (like web browsing history, device ID, and demographic information), the probability that an individual can be identified in this dataset is even higher.
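The claim that location data is identifying on its own can be measured before a "de-identified" dataset is shared. The sketch below is an added example, not part of the original post and not based on any Pelmorex system: it computes how often a handful of known (place, hour) points match exactly one pseudonymous trace. The device IDs, places and threshold are all constructed for illustration.

```python
from fractions import Fraction
from itertools import combinations

# Constructed sample: pseudonymous device IDs mapped to (place, hour) points.
# No names, emails or IP addresses are present, i.e. "de-identified" data.
TRACES = {
    "dev-a1": {("home_A", 8), ("work_X", 9), ("gym", 18)},
    "dev-b2": {("home_B", 8), ("work_X", 9), ("gym", 18)},
    "dev-c3": {("home_C", 8), ("work_Y", 9), ("cafe", 12)},
    "dev-d4": {("home_A", 8), ("work_Y", 9), ("cafe", 12)},
}


def matching_devices(traces, known_points):
    """Return the pseudonyms whose trace contains every known point."""
    known = set(known_points)
    return sorted(dev for dev, pts in traces.items() if known <= pts)


def unicity(traces, k):
    """Fraction of all k-point samples that match exactly one trace."""
    unique = total = 0
    for pts in traces.values():
        for sample in combinations(sorted(pts), k):
            total += 1
            if len(matching_devices(traces, sample)) == 1:
                unique += 1
    return Fraction(unique, total) if total else Fraction(0)


def release_check(traces, k, max_unicity):
    """True if k-point unicity is at or below the chosen threshold."""
    return unicity(traces, k) <= max_unicity


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"k={k}: unicity={unicity(TRACES, k)}")
    # Hypothetical policy: refuse release if over 10% of 2-point samples are unique.
    print("safe to release:", release_check(TRACES, 2, Fraction(1, 10)))
```

Even in this tiny sample, a single point rarely singles out a device, but two points do so in most cases and three always do, which is why removing names and email addresses does not by itself make mobility data anonymous.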

Perhaps worst of all, my experience with the Pelmorex Corporation showed their absolute unwillingness to give users any greater control of their data, or to explain how the organization exploits the data of its customers by monetizing it in ways that a reasonable person might not expect.

The Roadblock

I asked the Privacy Officer if they could search their system based on IP address or through location data, suggesting that I provide them with this information so that they could conduct a search and identify me within their system. If that weren’t possible, I asked if they could provide me with a list of organizations that my personal information (including my location data and IP address) could have been shared with.

On July 15th, 2022, my data access request with the Pelmorex Corporation was terminated when the Privacy Officer told me that IP address and location information are not stored together and therefore “does not constitute PII [personally identifiable information] under PIPEDA” and that they would be unwilling to conduct a search using an IP address or GPS location data. We can assume that if this data had been stored together, it would constitute personal information and the Pelmorex Corporation would be forced to comply with Canadian privacy laws.

The Pelmorex Corporation keeping IP addresses separate from location data in order to avoid compliance with privacy laws is like a bully stealing your eyeglasses and breaking them in half. When you ask for your glasses back, they say that these aren’t your glasses because they’re now in two pieces, and yours were in one. Because these aren’t your glasses anymore, they’re free to use them, look through them, sell them – whatever, whenever they want. Sure, the glasses aren’t as useful in two pieces, but they can be easily recombined whenever the need serves. And if they end up selling both halves of the glasses to a third party, and that third party is the one that recombines them, that’s not the business or legal responsibility of the Pelmorex Corporation.

Decades ago, law-makers failed to anticipate that companies would split our data apart, like a bully snapping our eyeglasses in two, and now those outdated laws are enabling data brokers like the Pelmorex Corporation.

The Privacy Dilemma with De-Identified Data

How does the unique address of your device, along with the precise GPS coordinates of places like your home, NOT constitute personal information? This is the product of commercial sector privacy laws that are badly outdated and fail to anticipate the novel ways information about us could be exploited and monetized. Unfortunately, de-identified data falls outside the scope of Canada’s current privacy laws. This is not the case in the European Union, California, and under Canada’s proposed new privacy laws, which all recognize the importance of protecting data even in a de-identified form.

In response to another company not implementing strict measures to protect the de-identified location data of people in Canada after transferring it to third parties, the Office of the Privacy Commissioner of Canada recently said: “Organizations must implement robust contractual safeguards to limit service providers’ use and disclosure of their app users’ information, including in de-identified form. Failure to do so could put those users at risk of having their data used by data aggregators in ways they never envisioned, including for detailed profiling.”

The Pelmorex Corporation doesn’t mention anything in their privacy policy about the contractual safeguards that they employ. And without any means of learning who exactly these organizations are, users like me are left without any further information and little recourse.

In response to my second question about the list of organizations that the Pelmorex Corporation sells user data to, the Privacy Officer responded to say that “insights we may provide to third parties come from anonymized, aggregated metrics […] there is no list of organizations that we can offer you.”

According to the Pelmorex Corporation, the way our personal information is monetized is none of our business, despite it being their explicit business model, and us being their explicit product. If you’re not interested in being part of this exploitative economy, you might try using a weather app that doesn’t sell any data about you, or disabling advertising ID tracking on your digital device.

In the end, I filed a complaint with the Office of the Privacy Commissioner of Canada related to the Pelmorex Corporation’s unwillingness to grant access to my data.

