Somebody Hears You, Part 2: The Data Brokers

          For all the attention that the NSA has gotten for its bulk data collection, there is a silent behemoth that has been collecting huge amounts of personal information with even less transparency, oversight or accountability.

Nothing in all of creation is hidden from data brokers.

          To reiterate from Part 1 The private data broker industry trades in nearly every type of personal FTC's 2014 Report lists many of the categories of information that the brokers use--at least those categories that the FTC was able to pry from the companies, which the report notes was difficult to the firms' strong insistence on their own privacy.
information. They have access to information just about everywhere your name has been written down (including most government records), online activity, financial transactions, etc. The

One of the slightly more transparent firms in the (pathologically secretive) industry, Acxiom stated in their 2013 Annual Report that they had in their databases "Over 3,000 propensities for nearly every U.S. consumer" and globally “Multi-sourced insight into approximately 700 million consumers”. They update the data regularly, with the same report estimating that they had updated 25 trillion elements in consumer records in the previous year alone.

Capabilities like this are why it's creepily effective to compare Acxiom to an omniscient God:

 

Brokers buy this information from the groups mentioned in Part 1 or each other. They then aggregate it, analyze it, and repackage it to be sold or leased to buyers. The amount of traffic is huge. Acxiom alone handled nearly 60 trillion transactions for over 7,000 clients in 2013 (23).

So how much money is involved in this? 

 

The most typically quoted estimate for the size of the data broker industry in the U.S. is $150 billion, which is just under 1% of the entire U.S. economy. As with most often-cited statistics, this is a grossly misapplied simplification. It originates with the report The Value of Data: Consequences for Insight, Innovation, and Efficiency in the U.S. Economy, the result of a study conducted by Dr. John Deighton of Harvard and Peter Johnson of Columbia, and funded by the Direct Marketing Association and the Data-driven Marketing Institute. This has thus far been the first and so far only in-depth analysis of a large proportion of the industry. In the report, the $150 billion figure commonly cited refers to the amount spent in the U.S. in 2012 to “buy marketing services that could not have been performed without individual-level consumer data”. The wording on this is critical. Firstly, it’s just within the U.S. Secondly, the study only deals with the data used for marketing, and doesn’t claim to include data on people finding, background screening, credit rating, insurance rating, etc., all of which would be considered part of the industry, depending upon one’s precise definition. On the other hand, the $150 billion also refers to money spent on things other than the data itself, as I’ll explain in a second.

I contacted Dr. Deighton to ask him about his study. He was very open to my questions and even sent me the spreadsheet that his team had used to perform their calculations—the first time that anyone outside of the original researchers have access to it.

Looking over the figures, the single greatest recipient of the U.S. “data-driven marketing economy” in 2012 according to the model is the U.S. Postal Service, as they received $17 billion from mailings that had been targeted through one of the other services. While the post office might certainly benefit from data brokering and it does earn about $8 million per year selling change of address forms to data brokers (29), the rest of the $17 billion isn’t really directly part of the data broker industry per se, even if the income it brings them income indirectly. Other issues like this arguably inflate the numbers.

Restricting the numbers just to the fees from selling and leasing data, we get a more modest total of $17.6 billion in revenue for the industry. That number is somewhat misleading itself though, as it largely overlooks companies that may keep the data in-house or who sell access to it indirectly through ads like Google and Facebook. If we take that into account, and consider all the revenue associated with “individual level consumer data”, we get a total of $31 billion. Even that is a rough estimate though, as Dr. Deighton admitted that there is substantial issue in verifying the activities and earnings of the companies, but suffice to say that it's substantial.

With money and knowledge come power, and as you can see, the data broker industry lacks neither. And there are heavily vested interests in ensuring that those doors stay firmly closed.

In 2012, U.S. Representative Edward Markey sent a letter to Acxiom and other data brokers asking for a list of its data sources, among other questions. Acxiom’s reply is quite telling. The 32-page response was briefly posted online at Markey’s official House site, but has since been removed, though a little digging unearthed it. The letter mentions how Acxiom “has a long history of proactively engaging with policy makers”, noting “We are in numerous policy groups, and in some cases, have been a driving force in their creation” and going on to list nine lobbying groups special interest groups policy groups with which they are involved. In response to his first question (about data sources,) the company said that they could not reveal such information for competitive reasons (though they did draw a broad outline of types of sources.) Before actually answering his questions though, the letter goes into a long PR spread about how important companies like it are to the U.S. economy, free speech, consumer choice, etc. Drawing the eye is a long, anonymous list of Acxiom’s U.S. clients, starting with “47 Fortune 100 clients” and ending with “5 of the 13 largest U.S. federal government agencies” and “Both major national political parties”. (29)

That last line in particular explains much of the reason that data brokers have faced no major push among legislators towards greater transparency, despite years of effort by the FTC and privacy advocates. Jeffrey Chester, executive director of the Center for Digital Democracy explains “There’s no political pressure on Congress, really, to act. The data-broker lobby is incredibly powerful,” as political campaigns regularly use information from data brokers to tailor their advertising, and “They’re not going to vote against their political self-interest” (22).

The politicians have good reason to be concerned about shining a spotlight on their own activities with data brokers. A 2012 survey found that the vast majority of Americans were vehemently opposed to political campaigns buying information about them and using it to send them tailored political messages, practices which have become commonplace (30).

Perhaps it’s knowing that they have such allies, which gave the brokers the confidence to brush off an investigation by the U.S. Senate Committee on Commerce, Science, and Transportation, whose report to Senator Rockefeller complains that “Three of the largest companies – Acxiom, Experian, and Epsilon – to date have been similarly secretive with the Committee with respect to their practices, refusing to identify the specific sources of their data or the customers who purchase it” (17).

Two months later in February 2014, Senator Jay Rockefeller (who had already announced that he did not intend to run for re-election (31) and thus wasn’t beholden to the brokers) introduced the Data Broker Accountability and Transparency Act, the first bill that would have required the industry to be more transparent, by mandating that they let consumers see what data the broker has about them and where it came from, as well as prohibiting data brokers from using fraud to collect data (32). He read it and referred it to a committee, where (as of this writing) it’s been stuck ever since (32). As he has since left office, the bill’s chances of being picked back up again would seem dubious.

In contrast to the U.S., many other countries are moving towards tighter restrictions on the flow of data. Claiming that it is in response to security concerns from the Snowden leaks, countries such as Russia, India, Brazil, and Germany, as well as the European Union are all considering legal measures requiring that their citizens' data cannot be stored outside of the country. It is unlikely to be a coincidence that such measures could also protect local IT firms from foreign (read U.S.) competition, or that it would make it far easier for local intelligence agencies to spy on their own citizens. (33)

In the U.S., where the companies are far less likely to face any legal restrictions, the lobbying group for the industry have been desperate to stay relevant. The Data-Driven Marketing Institute has made the hilarious attempt to portray themselves as embattled underdogs, featuring on their front page of their site the mind-bendingly backwards “What we find amazing, policymakers find alarming. What we know consumers want, they think threatens consumer privacy.” (Emphasis added.) On the same page they make a shrill proclamation worthy of the Colbert Report that “Our Data-Driven Way of Life is Under Attack.”

In their defense, our modern way of life is indeed data-driven. (See, that’s a whole 6 out of 9 words that are defensible.) I wouldn’t be able to drive anywhere without Google Maps.

I’m even willing to accept the “Under Attack” part, if they’ll compromise on the “-Driven Way of Life” part in the middle. However, the attack on our data comes not from policy makers, but hackers and scammers.

In 2011 the data broker and e-mail marketer Epsilon revealed that its servers had experienced a massive breach of its servers, involving the names and e-mail addresses for the customers of over 40 companies, only about 2% of its client base (34). While this was an embarrassing first impression for Epsilon to make to most consumers, this data wasn’t especially sensitive. Ironically, the e-mail marketing company had been the victim of an e-mail phishing attack (35). Concerningly though, the virus had been stealing data from the company for three months before the installation of a new security program discovered it (35).

The cyber-security risks associated with consolidating so much consumer information are also echoed in the data breaches of Target and Home Depot. In December 2013, Target announced that hackers had acquired extensive consumer data from their systems. Over the course of 19 days 40 million credit and debit cards were stolen, plus 70 million records that included the name, address, e-mail address, and phone numbers of customers (36). Just a few months later, Home Depot announced that it had similarly suffered a data breach of 56 million credit cards and 53 million e-mail addresses while the data-harvesting software operated undetected for five months, and then only after the Secret Service notified the company that they had found the credit card numbers up for sale on the black market and Capitol One identified Home Depot as the one retailer linking all of the stolen credit cards together (37).

The data thieves are not always independent hackers. The data breach of the health insurance company Anthem Inc. of “tens of millions” of stolen records (38) is (according to Bloomberg) believed by investigators to be part of a state-sponsored Chinese campaign of acquiring information on millions of Americans, perhaps to identify intelligence targets (39).

The hackers who steal this data can themselves suffer having the data stolen by someone else—especially dishonorable thieves I suppose. In the summer of 2013, the black market data site ssndob[dot]ms. (presumably that stands for “Social Security number” and “date of birth,” both of which the site claimed to have for every U.S. resident, available to any purchaser for $.50 to $2.50 per record,) had its own database hacked, offering a lucky opportunity for investigators to glimpse behind the scenes of its operations. The most immediate finding of interest was that black market customers had purchased the records of over four million Americans (though to clarify, that’s just the number purchased, not the number available.) However, even after a thorough analysis of the plundered database by KrebsOnSecurity, it wasn’t immediately clear as to what the sources of the data were, as the sources were only designated by a code number. Fortunately for investigators, the database wasn’t the only part of the site that was hacked, and they had the opportunity to review the network activity of the site’s administrators. Digging into this revealed that ssndob’s operators had been running a botnet that was collecting data from the data brokers LexisNexis (the botnet had been collecting its data undetected for at least five months,) Dun & Bradstreet (at least six months,) and Kroll Background America (at least three months.) To be fair to these companies, the program used in the botnet was quite sophisticated, appearing benign to all 46 of the top anti-malware tools on the market at the time. (40)

Having access to the ssndob’s back-end server was an extremely lucky break for investigators in terms of linking the data back to its source. Normally it is impossible to connect SSNs and most other data back to a specific leak, as the data can be held by so many different companies (41). In contrast, credit companies can review the purchase histories of credit cards that show up on the black market and find the common thread. Understandably, when databases of some types of data are breached, such as healthcare information, the companies are required by U.S. federal law to announce it (38). However, no federal law requires companies to announce that they’ve had a breach of many other types of data (though some state laws do.)

One effort to require all data brokers to announce that they’ve suffered a breach was The Data Security and Breach Notification Act of 2014, introduced by our old friend Senator Rockefeller just one month before the Data Broker Accountability and Transparency Act. It suffered exactly the same fate, sitting in a subcommittee collecting dust (42), as did the Data Security and Breach Notification Act of 2013 (43), 2012 (44), 2011 (45), 2010 (46), and the original in 2009 (47)--oh and the most recent one in 2105, by a mix of different senators. (In case you’re convinced that this is somehow a partisan issue, the bills have been introduced by both Democrats and Republicans.)

To make a point to lawmakers about just how absurdly easy it is to obtain leaked data, Brian Krebs performed an ad hoc experiment to see if he could find for sale in the online black market the personal information of the members of the Senate Commerce Committee’s Subcommittee on Consumer Protection, Product Safety and Insurance. Not only was he able to find the Social Security numbers, phone numbers, and current and previous addresses for all 13 subcommittee members just by looking at two ID theft sites, but while he was there he found the same information for the heads of the Federal Trade Commission and the Consumer Financial Protection Bureau (41). And remember, that was just two websites. He didn’t have to go far to find them.

Krebs’ December 2014 proposal for introducing some accountability was to include unique dummy ID’s into data brokers’ databases as tracers, so that when the dummy’s showed up for illicit sale, investigators could identify the broker from which it originated (41).

Whether this proposal receives any traction remains to be seen, but historically the industry has argued for self-regulation, claiming that no oversight or further transparency is necessary. When the FTC proposed forming a centralized online list of data brokers so that consumers could conveniently learn about the brokers and the data that each of them had on the consumer, Experian replied that the FTC had defined “data broker” vaguely and that the creation of such a list would have the effect of “confusing customers and eroding trust in e-commerce” (48).

One has to wonder why Experian believes that giving consumers more information about the industry’s practices would harm public trust of the means of data collection. Personally, I can’t ever recall losing trust in someone when I found out that they were acting honestly and benevolently. Indeed, the company even acknowledges in the same statement that there are “literally dozens and dozens of smaller data providers with long histories of questionable practices”, which is where Experian says the FTC needs to focus its efforts (48).

Experian knows first-hand about these smaller brokers with long histories of questionable practices. It owns one.

In March 2012, just two years prior to making the statement, Experian acquired the public records aggregator firm Court Ventures (49). Experian’s VP of Government Affairs Tony Hadley says that nine months after the acquisition the Secret Service notified them that Court Ventures was suspected of illegal activity (50). Specifically, Court Ventures had been selling sensitive data (including SSNs and bank information) on U.S. citizens to the identity theft market Superget.info (51). Though it’s not clear exactly how many identities were stolen via the database of 200 million Americans, Superget’s criminal clientele made 3.1 million queries on Americans in the 18 months prior to February 2013 (52).

“We were a victim, and scammed by this person.”

You might think that those were the words of someone who had their identities stolen through the service. They’re actually from Experian’s Tony Hadley again, explaining to Congress why their due diligence hadn’t detected the transactions with Superget, either before acquisition of Court Ventures or in the nine months afterwards while Superget continued to purchasing information from them via a Singapore wire transfer (52). As a true master of paradox, Hadley had just testified a few minutes earlier about how rigorous Experian’s safeguards are, stating “Experian shares data responsibly—by carefully safeguarding compliance with all privacy and consumer protection laws and industry self-regulatory standards, advancing and observing industry best practices, and establishing and monitoring adherence to our own corporate policies and practices” (53). The fact that their apparent strict adherence to these same standards had failed to prevent Experian’s subsidiary from selling data to a market for identity thieves doesn’t seem to temper Hadley’s insistence that self-regulation is working just fine. Just four months later he would pen the Experian public statement that transparency issues could be resolved as long as companies adhered to the voluntary ethical guidelines of the not-lobbying firm the Direct Marketing Association (48).

. For its own part, the Direct Marketing Association is dismissive of government regulation. In response to an FTC report urging greater industry transparency, the DMA’s general counsel Stuart P. Ingis was even quoted in the Washington Post in late May 2014 saying that the FTC had failed to find any clear instances of abuse in the industry and “‘You’d think if there was a real problem, they’d be able to talk about something other than potential’ abuses” (22).

Either Mr. Ingis is so poorly informed about the industry he represents that he was unaware of the issue with Court Ventures (or the earlier mentioned cases like infoUSA selling lists of Alzheimer’s sufferers to telemarketing scammers,) or he doesn’t consider them to be abuses.

That aside, one might ask Ingis how exactly he expects the FTC to find abuses when the industry is so intent on concealing the details of its practices that it’s willing to defy a request from a Congressional committee about them?

Even in the best circumstances, the FTC is so hamstrung by its broad responsibilities, small budget, understaffing, and limited investigative authority that it’s not unusual for amateurs to find major privacy violations (everyone has a hobby, I suppose) before they do (53).

Perhaps spurred on by Ingis’ taunt, the FTC overcame these hurdles, and stepped up to the plate. They had already been prosecuting the company Ideal Financial Solutions, who purchased the data of 2.2 million consumers to steal millions of dollars directly from the victims’ bank accounts. In December 2014,charged data broker LeapLab with selling the personal information of hundreds of thousands of consumers (including SSN and bank account numbers) to Ideal, providing the data on “at least 16 percent these victims.” LeapLab obtained the data from loan applications, and yet it only sold 5% of these applications to lenders. The remaining 95% were sold at $.50 each to “third parties who were not online lenders and had no legitimate need for this financial information”, including other data brokers, marketers making unsolicited calls, and scammers like Ideal Financial Solutions. It’s rather difficult to argue that LeapLab was unaware of how Idea was using the data, as the two companies were so close that LeapLab hired one of Ideal’s executives as its Chief Marketing Officer. In what sounds like a retort to Ingis, FTC Director of Consumer Protection Jessica Rich specifically stated in the announcement that “This case shows that the illegitimate use of sensitive financial information causes real harm to consumers”. (54)

Once again, though, the opportunity to tie the misuse of data back to a specific broker might have been merely a lucky coincidence. The FTC was prosecuting one blatantly illegal operation, and it happened to have close managerial ties to one of the companies from whom it was purchasing data, making it unusually hard for them to claim ignorance.

Remember, this is the same industry in which Experian could simultaneously receive money through one of its subsidiaries from an identity-stealing market for the majority of a year and claim ignorance of where the data was going, so the bar to prove complicity is quite high, and apparently gross negligence is insufficient for prosecution.

Whether this will have any real effect remains to be seen, but in the U.S. those who would preserve the secrecy of the industry have the substantial weight of the status quo on their side.

Citations

23. Acxiom Corporation. Annual Report 2013.

24. Duhigg, Charles. Bilking the Elderly, With a Corporate Assist. The New York Times. [Online] May 20, 2007. http://www.nytimes.com/2007/05/20/business/20tele.html?pagewanted=all.

25. Dixon, Pam. Testimony of Pam Dixon Executive Director, World Privacy Forum Before the Senate Committee on Commerce, Science, and Transportation. [Online] December 18, 2013.

26. Experian Marketing Services. List Services Catalog. Fall 2011-2012.

27. Merrick, Amy. A Death in the Database. The New Yorker. [Online] January 23, 2014. http://www.newyorker.com/business/currency/a-death-in-the-database.

28. Hill, Kashmir. OfficeMax Blames Data Broker For 'Daughter Killed in Car Crash' Letter. Forbes. [Online] January 22, 2014. http://www.forbes.com/sites/kashmirhill/2014/01/22/officemax-blames-data-broker-for-daughter-killed-in-car-crash-letter/.

29. Tanner, Adam. How The Post Office Sells Your Address Update To Anyone Who Pays (And The Little-Known Loophole To Opt Out). Forbes. [Online] July 8, 2013. http://www.forbes.com/sites/adamtanner/2013/07/08/how-the-post-office-sells-your-new-address-with-anyone-who-pays-and-the-little-known-loophole-to-opt-out/.

30. BookStats. US PUBLISHING INDUSTRY ANNUAL SURVEY REPORTS $27 BILLION IN NET REVENUE,. BookStats. [Online] http://www.bookstats.org/pdf/BOOKSTATS_2013_GENERAL_PUBLIC_WEBSITE_HIGHLIGHTS.pdf.

31. Acxiom Corporation. Reply to Representative Edward Markey. [Online] August 15, 2012. https://web.archive.org/web/20130302024214/http://markey.house.gov/sites/markey.house.gov/files/documents/Acxiom.pdf.

32. Turow, Joseph, et al. Americans Roundly Reject Tailored Political Advertising. s.l. : Annenberg School for Communication, 2012.

33. Weiner, Rachel. Jay Rockefeller won’t run in 2014. The Washington Post. [Online] January 11, 2013. http://www.washingtonpost.com/blogs/post-politics/wp/2013/01/11/jay-rockefeller-wont-run-in-2014/.

34. U.S. Library of Congress. S.2025 - Data Broker Accountability and Transparency Act. [Online] https://www.congress.gov/bill/113th-congress/senate-bill/2025.

35. Hill, Jonah Force. The Growth of Data Localization Post-Snowden: Analysi and Recommendations for U.S. Policymakers and Industry Leaders. Lawfare Research Paper Series. 2014, Vol. 2, 3.

36. Worthen, Ben. Breach Brings Scrutiny: Incident Spark Concern Over Outsourcing of Email Marketing. The Wall Street Journal. [Online] April 5, 2011. http://www.wsj.com/articles/SB10001424052748704587004576245131531712342.

37. Schwartz, Matthew J. Epsilon Fell To Spear-Phishing Attack. DARKReading. [Online] April 11, 2011. http://www.darkreading.com/attacks-and-breaches/epsilon-fell-to-spear-phishing-attack/d/d-id/1097119?.

38. Krebs, Brian. The Target Breach, By the Numbers. KrebsOnSecurity. [Online] May 6, 2014. http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/.

39. Banjo, Shelly. Home Depot Hackers Exposed 53 Million Email Addresses: Hackers Used Password Stolen From Vendor to Gain Access to Retailer’s Systems. Wall Street Journal. [Online] November 6, 2014. http://www.wsj.com/articles/home-depot-hackers-used-password-stolen-from-vendor-1415309282.

40. Matthews, Anna Wilde and Yadron, Danny. Health Insurer Anthem Hit by Hackers: Breach Gets Away With Names, Social Security Numbers of Customers, Employees. [Online] February 4, 2015. http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720.

41. Riley, Michael A. and Robertson, Jordan. Chinese State-Sponsored Hackers Suspected in Anthem Attack. Bloomberg Business. [Online] February 5, 2015. http://www.bloomberg.com/news/articles/2015-02-05/signs-of-china-sponsored-hackers-seen-in-anthem-attack.

42. Krebs, Brian. Data Broker Giants Hacked by ID Theft Service. KrebsOnSecurity. [Online] September 25, 2013. http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/.

43. —. Toward a Breach Canary for Data Brokers. KrebsOnSecurity. [Online] December 8, 2014. http://krebsonsecurity.com/2014/12/toward-a-breach-canary-for-data-brokers/comment-page-1/.

44. U.S. Library of Congress. S.1976 - Data Security and Breach Notification Act of 2014. [Online] https://www.congress.gov/bill/113th-congress/senate-bill/1976?q={%22search%22%3A%5B%22Data+Security+and+Breach+Notification+Act+of+2014%22%5D}.

45. —. S.1193 - Data Security and Breach Notification Act of 2013. [Online] https://www.congress.gov/bill/113th-congress/senate-bill/1193.

46. —. S.3333 - Data Security and Breach Notification Act of 2012. [Online] https://www.congress.gov/bill/112th-congress/senate-bill/3333?q={%22search%22%3A%5B%22Data+Security+and+Breach+Notification+Act+of+2012%22%5D}.

47. —. S.1207 - Data Security and Breach Notification Act of 2011. [Online] https://www.congress.gov/bill/112th-congress/senate-bill/1207?q={%22search%22%3A%5B%22Data+Security+and+Breach+Notification+Act%22%5D}.

48. —. S.3742 - Data Security and Breach Notification Act of 2010. [Online] https://www.congress.gov/bill/111th-congress/senate-bill/3742?q={%22search%22%3A%5B%22Data+Security+and+Breach+Notification+Act%22%5D}.

49. —. S.139 - Data Breach Notification Act. [Online] https://www.congress.gov/bill/111th-congress/senate-bill/139?q={%22search%22%3A%5B%22Data+Security+and+Breach+Notification+Act%22%5D}.

50. Hadley, Tony. FTC’s Proposal for a Central Website for “Data Brokers” Won’t Work…Here’s Why. Experian News Blog. [Online] March 5, 2014. http://www.experian.com/blogs/news/2014/03/05/ftc-proposal/.

51. Experian PLC. REG - Experian plc - Acquisition of Court Ventures Inc. Reuters. [Online] March 9, 2012. http://www.reuters.com/article/2012/03/09/idUS94865+09-Mar-2012+RNS20120309.

52. Krebs, Brian. Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records. KrebsOnSecurity. [Online] March 10, 2014. http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-service-to-access-200-million-consumer-records/.

53. Poeter, Damon. Experian Confirms Subsidiary's Data Sold to ID Theft Operation. PC Mag. [Online] October 22, 2013. http://www.pcmag.com/article2/0,2817,2426084,00.asp.

54. Krebs, Brian. Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records. KrebsOnSecurity. [Online] March 10, 2014. http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-service-to-access-200-million-consumer-records/#more-25125.

55. U.S. Senate Committee on Commerce. TESTIMONY OF TONY HADLEY SENIOR VICE PRESIDENT OF GOVERNMENT AFFAIRS AND PUBLIC POLICY, EXPERIAN BEFORE THE SENATE COMMITTEE ON COMMERCE, SCIENCE, & TRANSPORTATION HEARING ON “WHAT INFORMATION DO DATA BROKERS HAVE ON CONSUMERS, AND HOW DO THEY USE IT?". [Online] December 18, 2013. http://www.experian.com/blogs/news/about/senate-testimony/.

56. Maass, Peter and Publica, Pro. Your FTC Privacy Watchdogs: Low-Tech, Defensive, Toothless. Wired. [Online] June 28, 2012. http://www.wired.com/2012/06/ftc-fail/all/.

57. Federal Trade Commission. FTC Charges Data Broker with Facilitating the Theft of Millions of Dollars from Consumers' Accounts: Company Sold Personal Financial Information to Scammers. Federal Trade Commission. [Online] December 23, 2014. http://www.ftc.gov/news-events/press-releases/2014/12/ftc-charges-data-broker-facilitating-theft-millions-dollars?utm_source=govdelivery.

58. Deighton, John and Johnson, Peter A. The Value of Data: Consequences for Insight, Innovation & Efficiency in the U.S. Economy. 2013.

59. Timberg, Craig. Brokers use ‘billions’ of data points to profile Americans. The Washington Post. [Online] May 27, 2014. http://www.washingtonpost.com/business/technology/brokers-use-billions-of-data-points-to-profile-americans/2014/05/27/b4207b96-e5b2-11e3-a86b-362fd5443d19_story.html.