Facebook Partners With Shadowy ‘Data Brokers’ To Farm Your Information

“It’s not a bug, it’s a feature”

Last month, researchers with the Belgian Privacy Commission conducted a comprehensive analysis of Facebook’s new Data Use Policy and Terms of Service and concluded that the company is in violation of European law: it has authorized itself to continuously collect users’ location information, sell users’ photos for advertising purposes, and track both users’ and non-users’ browsing habits across the internet — while failing to educate users on the true extent of this ‘tracking,’ and making it prohibitively difficult for them to ‘opt-out.’ The researchers detailed many troubling aspects of Facebook’s data collection practices, including evidence that one of Facebook’s cookies is stored in every browser that visits a site with a ‘Social Plugin‘ (the embedded ‘Like’ and ‘Share’ buttons), regardless of whether or not they are a Facebook user. Last week, Facebook’s VP of European Policy responded with a blog laying out his criticisms of the report. In the post, he admitted that a ‘bug‘ may have been storing tracking cookies on non-users’ browsers, but insisted that “this was not our intention,” and “a fix… is already under way.” But ‘buggy’ cookies for ‘Social Plugins’ are just a small part of Facebook’s tracking of ‘non-users’ — Facebook is no longer just a social media website, it is a massive advertising business invested in tracking everyone’s consumer spending habits, on the internet and off.

In the past few years, Facebook has made some major moves in the web advertising business. In 2013, Facebook purchased Atlas, a huge internet ad server (previously owned by Microsoft) responsible for hosting somewhere between ten and fifteen percent of all internet ads. Atlas is second only to Google’s DoubleClick, and the acquisition made Facebook the second biggest web advertiser in the world. After the deal, Mark Zuckerberg boasted: “We believe the Atlas platform will help us demonstrate even more clearly the connection between ad impressions and purchases. We could help marketers measure the effectiveness of their ad impressions better not just on Facebook, but across the entire internet.” The Atlas acquisition gives Facebook a huge slice of the web advertising pie. Facebook can use Atlas to correlate purchases with browsing behavior on other (non-Facebook) sites — then, advertisers who are already working with Facebook can pay a small premium to get a more holistic view of their marketing campaigns’ effectiveness across the internet. The goal is to develop an effective “monetization engine” for the social network: a smooth track between monitoring browsing behavior, delivering pertinent advertisements, and securing purchases.

In a meeting with Wall Street analysts two years ago, Zuckerberg explained: “As people have looked more holistically at all the ad spending they are doing, what they find is that it’s not just the last click that matters but it’s all the impressions leading up to that click.” The ‘last click’ (before purchasing something online) gives very little information about why a customer made a purchase, because most people research and compare multiple products before deciding to buy something; knowing the ‘context’ for the decision helps marketers to establish accurate ‘attribution’ — Atlas’ goal is to achieve better ‘multitouch attribution,’ methods of analyzing how repeated exposures to ads influence purchasing decisions over time (using multiple cookies or other unique identifiers to track your browsing history). Zuckerberg continued: “Importantly, we also drive sales offline. And offline people aren’t clicking through the purchase at all but they are actually walking into a store. So in some sense there is no last click… Our focus with Atlas is to take that technology and enable us to improve our ability to connect ad impressions to purchase behavior both offline and online, and not just on clicks but across different ad purchases people do.” The Facebook of the future will have a bit less to do with sharing content with your friends and increasingly more to do with targeted advertising everywhere.

The data brokers

News coverage about mass surveillance today generally focuses on the issue of bulk data collection — but Facebook’s ventures in the advertising business reveal an equally pressing issue: data correlation, combining massive, disparate datasets to create detailed profiles of individuals’ behaviors. Around the same time as the Atlas acquisition, Facebook began partnerships with four major ‘data broker’ firms: Datalogix, Epsilon, BlueKai, and Acxiom. The ‘data brokers’ have a history that long precedes the internet, and it is important to make sense of their backstory to understand where we’re headed. In his book Data and Goliath, information security expert Bruce Schneier broke down the pre-internet ‘consumer surveillance’ streams into four categories:

1. Consumer records. Manufacturers keep records of what their customers order (clothing stores remember their customers’ sizes and preferred styles, airlines and hotels keep track of their frequent customers, etc.) and today this information is stored in electronic databases. ‘Retail loyalty’ cards streamline the process: they offer discounts to ‘loyal’ customers, to create detailed consumer profiles.

2. Direct marketing. Companies that send paper mail want to make sure they’re not wasting postage on people who aren’t interested in their products, so advertising firms assemble lists of people who are more likely to want the mail. This is accomplished by doing demographic research and by checking customer lists from other, related businesses (magazine subscriptions, for example).

3. Credit bureaus. These companies collect detailed credit information and sell it to banks trying to determine whether to give out loans, and at what rates. This is a very resource-intensive method of surveillance, so it’s only used when a lot of money is at stake — issuing credit cards, or approving an apartment lease, and so on.

4. Government records. Birth and death certificates, driver’s license records, voter registration cards, marriage certificates, divorce papers, property records, arrest reports, and other official documents are all part of public record. Companies are increasingly able to download this information for free, or purchase it from the government for a small fee.

In the past two decades, credit bureaus and direct marketing companies began to combine these four streams to become ‘data brokers.’ These firms purchase your personal data from the companies you’ve done business with, combine it with all the other information they can find about you, and sell it to companies that want to know more about you. The amount of detail contained in these consumer ‘dossiers’ is astonishing — in Schneier’s words: “They collect demographic information: names, addresses, telephone numbers, e-mail addresses, gender, age, marital status, presence and ages of children in household, education level, profession, income level, political affiliation, cars driven, and information about homes and other property. They collect lists of things you’ve purchased, when you’ve purchased them, and how you paid for them. They keep track of deaths, divorces, and diseases in your family. They collect everything about what you do on the Internet.” And they collect it on nearly everyone they can: Epsilon has a database of almost every American household, Acxiom adds another 700 million individuals worldwide, and Datalogix tops it off with records of “more than $1 trillion” in offline purchases.

Sample of list segments for sale by Experian.

It’s a big business: billions of data points equals billions of dollars. Paramount Lists sells the names of people with alcohol and gambling addictions, and targets individuals based on drugs they’ve reported taking, like Zoloft or Prozac. Response Solutions sells lists of people suffering from bipolar disorder, perhaps based on the appearance of ‘depression-related’ words in their search histories (this kind of data is very valuable to pharmaceutical companies). Statlistics has lists of ‘gay and lesbian adults,’ possibly by making inferences from bars or clubs where they’ve used a credit card. InfoUSA can tell you who is a ‘suffering senior,’ or a ‘gullible’ one, and its clients have been implicated in various telemarketing scams targeting the elderly. Teletrack was fined by the Federal Trade Commission for selling profiles of people who applied for payday loans to companies offering risky financial deals (selling financial information is illegal; everything else is fair game). Equifax was also fined for selling lists of people who were late on their mortgage payments to a discount lender; the same company sells detailed dossiers documenting “whether a consumer purchased a particular soft drink or shampoo product in the last six months, uses laxatives or yeast infection products, OB/GYN doctor visits within the last 12 months, miles traveled in the last 4 weeks, and the number of whiskey drinks consumed in the past 30 days.”

The data brokers’ profiles are extremely thorough and provide penetrating insights into individuals’ lives. In an interview with 60 Minutes, Federal Trade Commissioner Julie Brill said: “The dossiers are about individuals. That’s the whole point of these dossiers. It is information that is individually identified to an individual… I think most people have no idea that it’s being collected and sold… and that the information is basically a profile of them.” With the resources it receives from Acxiom and other ‘data brokers,’ Facebook could hypothetically serve soda ads to teenagers who recently purchased a soft drink at a convenience store, or diaper ads to parents who bought baby food at a department store. A ‘note’ on the ‘Facebook and Privacy’ page attempts to comfort users by insisting that “the process is designed so that no personal information is exchanged between Facebook and marketers (or the third parties those marketers work with).” But the truth of the situation is that the ‘data brokers’ already own your personal information — and their collaboration with the social network may allow them to assemble even more detailed profiles of your health and habits in the future. As a writer at Business Insider commented on Zuckerberg’s ‘strategic vision’: “Most ordinary Facebook users don’t realize how ambitious these plans are. If you bought something with a credit or debit card in the last couple of years, you’re probably in Facebook’s data pool right now.”

Acxiom: a case study

One of Facebook’s largest ‘data broker’ partners, Acxiom, brags that it has (on average) fifteen hundred unique data points on more than half a billion individuals worldwide. To serve advertisements, Facebook creates “Partner Categories,” ‘targeting clusters’ that combine information collected by the social network (your posts, photos, geo-location data, etc.) with the data brokers’ record of “off-Facebook activity.”

Facebook’s ad targeting interface

Here’s how it works. First, a company approaches Acxiom and asks for a particular market ‘segment’ (e.g., a list of parents who are likely to buy a family car soon), and Acxiom trawls its database for the e-mail addresses of every individual who falls into that category. Acxiom feeds these e-mail addresses through a hash algorithm, obscuring and anonymizing the information, and these hashed e-mail addresses are sent to Facebook. Facebook then uses the same algorithm to hash the e-mail address of every Facebook user — wherever a hash Facebook creates matches up with the hash Acxiom created, Facebook places that user into the target ‘segment.’ Finally, Facebook displays the advertisement to all the targeted users, and returns a report describing the ad’s performance (how many people clicked it, their location, age, gender, etc.). BlueKai has a similar process for reaching target ‘segments,’ using tracking cookies and an HTML pixel web bug to create profiles based on users’ browsing history.

Although the data brokers have a lot of information about us, it is very difficult to get information about them — Acxiom routinely declines interview requests and is generally very vague about its data collection methods, citing confidentiality agreements. However, the firm does have a page called “US Consumer Choices,” which lays out some options for regulating how Acxiom handles personal information. Recently, Acxiom set up a website called AboutTheData.com, with the stated purpose of letting people “know more about the digital marketing information that Acxiom has, or to edit or opt-out of this data.” In order to use the site, you must prove your identity by providing your name, address, birthday, and the last four digits of your Social Security Number. If you choose to use the site, be careful — the privacy policy indicates that any information you provide “may be shared by Acxiom Corporation family of businesses.” In order to use the service, you permit Acxiom to “change these Terms of Use at any time, and by continuing to use the Site after [they] post a change, you will be deemed to have accepted the new Terms of Use.” On top of this, you waive the right to sue Acxiom in the future: “In any legal proceeding relating to your use of this Site, you agree to waive any right you may have to participate in any class, group, or representative proceeding and to waive any right you may have to a trial by jury. In other words, you agree that you are not allowed to file a class action or any kind of class or joint arbitration.”

For now, the “risks” may not outweigh the benefits (you can opt-out without joining the site). AboutTheData.com only allows you to see a tiny fraction of the actual data that Acxiom has collected about you, under a few broad categories (‘Characteristic Data,’ ‘Home Data,’ ‘Household Vehicle Data,’ ‘Household Economic Data,’ ‘Household Purchase Data,’ and ‘Household Interests Data’). The site invites you to ‘correct’ any erroneous or missing information; and, in fact, the website may simply be a surreptitious mechanism of collecting more information about you — Murat Kantarcioglu, a computer science professor at University of Texas-Dallas, commented: “My feeling is that this is bait to get people to clean their data without even paying them.” Kantarcioglu discovered that most of the data on the site was wrong or incomplete. When I accessed the site I found the same thing — for example, the site shared only one data point about ‘Household Vehicle Data,’ despite Acxiom’s extensive data-sharing agreements with state DMVs. Similarly, the data point for ‘Online Purchasing Activity’ was simply set to ‘True,’ providing no details whatsoever about what Acxiom has inferred from my online spending habits.

If you want to opt-out (there’s one link for digital ads and another for ‘traditional’ ads) you’ll encounter this message: “Before You Opt-Out, Consider This: Opting out… will not prevent you from receiving marketing materials. Instead of receiving ads that are relevant to your interests, you will see more generic ads with no information to tailor content. For example, instead of getting a great offer on a hotel package in your favorite vacation spot, you might see an ad for the latest, greatest weight loss solution.” All things considered, the appeal makes some sense — internet advertisements aren’t going away. By using most internet services, you are making a ‘deal’ with the internet corporations; as Bruce Schneier put it: “If you let us have all your data, we will show you advertisements you want to see and we’ll throw in free web search, e-mail, and all sorts of other services. It’s convenience, basically.” Given the norms of contemporary life, opting out of these services altogether isn’t easy for most people — it’s becoming more difficult to have a job without an e-mail address, or to keep up with childhood friends without social media. Anyway, it’s unclear how much opting out can really protect your privacy; opting out of Acxiom doesn’t reverse the fact that your data has already been sold to other companies. Furthermore, the data brokers frequently buy or license data from one another — as a writer at Ars Technica observed, “This would effectively allow them to serve as each other’s backups… If a consumer requests deletion from one, the broker can comply and then re-request what it has already shared to its fellow brokers.”

So, where do we go from here? If you want to stop Facebook’s data broker partners from collecting and sharing information about you, the Electronic Frontier Foundation has put together a helpful guide to opting out of each one. But, as we have seen, this is only a partial solution to the general problem of continuous consumer surveillance. This problem inspired the creation of Sherbit: our goal is to create a platform for you to manage your own information — what it is, who has access to it, and how it is used. If you have to give up your data, you should have the tools to draw inferences from that data yourself. Sherbit and our forthcoming PrivacyMe tool are designed to help you monitor corporations’ data collection practices, so you can be better educated about where your electronic information is going. PrivacyMe will contain detailed reviews of web services’ privacy policies — in the future, Sherbit will ‘push’ notifications whenever an app’s privacy policy has changed, along with an explanation of these changes and their consequences. The process of opting out of data collection is often needlessly difficult and complex; eventually, we want this tool to streamline and simplify the process, by guiding you through the process. Sign up for the Sherbit beta list to get an early look at our progress.

Originally published at www.sherbit.io.