Who Owns All the Data Collected About You? The Answer May Surprise You
Who has the right to collect and sell your data? It seems like just about anyone!
In the course of a wide-ranging discussion on the use and possible misuse of big data, a subject in which Baker is extremely well-versed, I raised the question this question: If I buy gas at my neighborhood gas station using my credit card, who owns the transaction, the gas station, my credit card company, me or all of us? The question of ownership is important as, presumably, the owner can sell the information.
We agreed that each "player" in this transaction has a vested interest in the information. The independent Shell station has to keep track of its sales in order to remit its proper payment to the oil company; my credit card company has to validate that there is a great enough balance in my account to let the sale go through and, once assured, update my balance. I am left with gas and a debt to pay.
If the gas station has an automated system, it now permanently has my credit card number in its records. Visa knows that I spent the money on gas. I will have a record of the transaction in my banking records. It is (or should be) obvious that neither the gas station nor my credit card company can reveal my name and credit card number to third parties. However, it can it sell the name and address from the credit card to a mailing list service which will, in turn, do additional processing and cross referencing with my information.
It was a very interesting discussion with Pam Baker, but it might have remained simply an academic interest until the very next day when I received an advertisement in the mail from the Danbury Mint suggesting I buy a nice-looking letter pendant for my wife, Barbara.
The advertisement, a single-page double-sided glossy that folded into three panels for mailing was both interesting and quite troubling for a number of reasons:
- It was addressed to "John McMullen" with no middle initial. I always use a middle initial!
- It was addressed to the physical address of my house. I have no mailbox at my house and have used a post office box for all mail for the last 35 years.
- My wife’s name, Barbara, was on the mailing address portion of the advertisement -"John, here’s a dazzling pendant Barbara will love," with a picture of a very nice pendant in the shape of a "B." Additionally, both our names are laced through the text on the inside of the foldout, which describes the pendant, a combination of diamonds and 14kt gold which "is affordably priced at $99 plus $7.50 shipping and service."
So, how did the Danbury Mint collect all this information? I contacted Pam Baker on Facebook and began to brainstorm the possibilities with her:
- Barbara’s name and mine appear together on two joint checking accounts, but those accounts have my complete name (with middle initial) and list our P.O. box as a mailing address.
- Pam suggested that the information linking our names could have come from real estate public records, but my wife’s maiden name is on those records.
- I then remembered that I had recently been in a local bank, the only one on which my name does not contain a middle initial, to have a document notarized. In the course of conversation, the bank officer checked my account and asked to have my physical address to update the records - it’s a Homeland Security regulation - and I gave it to him. Barbara is not a joint holder of the account, but she is an "emergency person" to call if I were, I guess, to drop dead in the bank.
Could the bank have sold this information? This was hard to believe so, before asking people at the bank, I called the Danbury Mint and complimented the polite woman who answered on the quality of the advertisement before inquiring as to how she would have come up with my information. She answered, "Oh we buy mailing lists. I’m not sure where this particular one came from."
To better understand the mechanics of mailing lists, I called Jack May, an old friend, former guest on the radio show, and ex-vice president and chief information officer of Americomm LLC, one of the most successful mailing list firms in the business. The way I now understand the process is that a customer of Americomm, a firm like the Danbury Mint, would request a mailing list of people based on some criteria. The criteria could be geographic (state, city, zip code, or even a particular neighborhood or street), or demographic (estimated income, value of home if owned, buying habits, etc.), or a combination of both. Americomm would then purchase a list of persons fitting the required criteria from firms that collect data, consolidate it as best it can to individual persons, analyze it and classify the individual where necessary.
Of the firms from which Americomm might buy the data, the largest and most well known is Acxiom. Its data-collection activities are well described in Washington Post investigative reporter Robert O’Harrow’s 2005 book "No Place To Hide." Americomm may purchase, or "rent," this data on a single-use basis or, if it thinks the information is marketable to others, on a multi-use basis. Americomm will then process this data into the form desired by the customer.
May told me that there were many ways that Acxiom or another firm could have pieced together the information about which I was inquiring from many sources. He typed in my physical address and found information about my house - some of it wrong. There is much information released by the United States Census that is usable, there are tax records, there are records of my purchases, there are my status updates on social networks, etc.
So, in a nutshell, some firm, perhaps Acxion, has collected (and continues to collect) scads of data on me and consolidated it into a profile of me. This profile, unfortunately, is not available for me to examine and correct any errors. I just spoke to the aforementioned Bob O’Harrow to verify that fact. Acxiom will not furnish me all the information that it has on me. It will, however, sell me a portion of the information it has collected about me. Note that I did not refer to it as "my information;" even though it is about me, it now seemingly belongs to Acxiom, which can do with it what it wants.
Acxiom was in the news fairly recently when a New York Times article reported that the University of Pittsburgh Hospital’s Insurance Service has been purchasing Acxiom information on its clients - without telling them. The insurance company had the clients fill out lengthy forms to be used in "predictive analysis," an attempt to plan for required care (and reduce costs). It was then supplementing this information with the Acxiom data which might, in some cases contradict the data furnished by the client.
So, we have companies collecting all the information they can possibly find about us, consolidating and analyzing it, selling to whomever they wish (including the government), while withholding much, if not most, of it from those on whom it was collected - the same people who receive all the ads based on its collection. We also have firms that we are paying for service (such as the insurance company above) who are secretly collecting information on us, their clients, and, perhaps, making judgments based on such information.
Welcome to the world of big data! It's going to be an interesting ride. (Learn more in 5 Privacy Problems That Come With Big Data.)