Personal Data Collection: Outsourcing Surveillance

The buying and selling of personal data means more entities are able to conduct surveillance without needing a warrant

There’s an old joke that in communism the government represses rights, takes away liberties and makes life generally unbearable, but in capitalism that is left to the private sector. Now we see a new dynamic: The private sector collects massive amounts of data about individuals including financial information, credit information, spending and purchasing information, location data, relationship data and even biometric data; analyzes the data; and sells the information to third parties—including the government. This arrangement permits governments (good, bad and ugly ones) to conduct surveillance and investigation of citizens and others without the necessity of warrants, subpoenas or any legal process. All they need is a checkbook. Moreover, the private-sector entities are not bound by the Fourth Amendment, minimization requirements or search and seizure rules. So why send cops to collect personal data on someone when you can just buy that data—or, in the case of the Chinese military, just steal it?

ICE, ICE Baby

Everyone knows that their cell phone is constantly collecting and transmitting its location data—at least to the phone company—as long as it is turned on. But, with respect to the phone company, this data is Consumer Proprietary Network Information (CPNI) and there are rules about how this CPNI can be shared, even with law enforcement. Yet, even with these rules, phone companies had been providing this location data to aggregators for a fee, a practice they insist they are reducing or eliminating.

Not so much true for Apple, Google or any of the thousands of purveyors of apps or websites that collect and use your location data. You want to know about getting tickets to a sporting event near you? There’s an app for that—one that also will collect your location data. Some of these apps only collect the data when you are actively using the app (e.g., while you are looking for tickets) and some are constantly tracking you. The privacy of this data, unlike CPNI, is governed by the terms of service or use of the website, and they often reserve the “right” to use, analyze and sell this data. It’s a big business. Companies such as Dawex and others advertise that they collect and sell detailed location data, which can be useful for sales, marketing, fraud prevention and deciding where to put a brick-and-mortar store.

It’s also useful to find undocumented immigrants. The Wall Street Journal reported that federal agencies including ICE were purchasing databases of location data from private entities and using that data to track individuals they believed were undocumented. Now, if the government wanted to follow everyone around to make their own database of location, there would likely be a hue and cry about the invasion of privacy. If the government wanted to compel a company that had collected this data for “legitimate” purposes (well, commercial purposes) such as Google to produce the records, it would need a subpoena. But because these are commercial databases, not only can the government purchase access to the location data, it can also purchase the analytics and AI that go along with it. So now, instead of just looking for the location of a specific individual, the government can use the same kind of AI programming used to find people likely to buy Goodyear tires to find people likely to be cheating on their taxes or overstaying a visa. No muss. No fuss. It’s all for sale.

Gotta Give Them Credit

Another source of information for the government is both investigative and consumer credit reports. Virtually every financial transaction you make—and many you don’t—is collected by some entity and then reported back to a credit reporting agency such as Equifax, TransUnion or Experian. The Fair Credit Reporting Act restricts the sale and use of this information itself, but the underlying information that makes up the report may be scooped up by data brokers and third parties that operate commercial data businesses selling this data to third parties, including governments. Conducting an investigation of some banker or broker? Just buy personal data about them from a commercial service. No need to conduct your own investigation—just buy someone else’s. That’s one reason foreign governments—China included—were so keen on collecting Equifax data on tens of millions of Americans. They can use that data to profile likely targets for espionage, determine who might have a security clearance and figure out who might have financial issues that make them ripe for the picking. Pretty cool stuff. All for sale or theft.

Face-Off

The most brazen recent example, however, is Clearview AI, which commercially scrapes websites including Twitter, Facebook, YouTube and others for images together with identifying information. Its facial recognition software then analyzes the billions of pictures and videos (with greater or lesser degrees of accuracy) and can take an unknown picture (say, from an ATM) and “match” that against its billions of pictures to determine the identity of the person pictured in the ATM picture.

Pretty cool.

Clearview sells access to this software to more than 600 U.S. law enforcement agencies but retains information about what searches the cops are doing and what the results are. The cops just fork out the cash for the access. No warrant. No probable cause. This means that, like the usual suspects, your photograph—even ones in which you appear in the background that someone else posted—is being used thousands of times a day in a photo lineup for people looking for criminals (or maybe just looking for the name of that cute girl the cop saw in Santa Monica). And you never agreed to that. And no court ever approved of it.

No warrant, no subpoena. Just a checkbook. Your tax dollars at work.

At the end of the day, we need to have better rules not only on government access to or purchase of these kinds of databases but also on the collection, storage, use, security and analysis of data by commercial entities. The difference between communism and capitalism? In communism, man exploits man. In capitalism, it’s the other way around.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
