The Washington PostDemocracy Dies in Darkness

Data brokers are selling your secrets. How states are trying to stop them.

Vermont’s new data broker registry highlights the difficulties of regulating dozens of secretive firms buying and selling personal data

June 24, 2019 at 5:54 p.m. EDT
Data brokers operate in a shadowy world that is largely unregulated. Most people are unaware of the amount of data collected on them by companies without their knowledge or a clear understanding of how to opt out. Vermont and other states are moving to regulate the practice. Illustration by Zoë van Dijk for The Washington Post (Zoë van Dijk/For The Washington Post)

Until recently, Randy Koloski had never heard of Amerilist, a small business 25 miles north of Manhattan.

But for $150, Amerilist makes available a list of information on 5,000 people that includes Koloski’s name, home address, age, religion, education level and income.

Koloski, a school bus driver in Hartford, Vt., says he never agreed to turn over that data to Amerilist. “They shouldn’t have access to that,” he said upon learning of the database.

Lawmakers in Koloski’s home state are at the forefront of a national movement aiming to shine a light on companies such as Amerilist — data brokers that buy and sell the personal information of millions of Americans with whom they have no direct relationship. A state law passed last year required all businesses that trade data on Vermont’s residents to register publicly and share some basic information about how they operate.

The goal was to give residents one public database where they can find clear information about all companies that sell their data and steps they can take to delete it.

Instead, the Vermont effort showed how difficult regulating these companies can be. Dozens of firms registered, but few offered clear answers about what they do with data and whether users may remove themselves from databases.

“There are so many obviously erroneous registrations,” said Joel Reidenberg, a law professor at Fordham University who reviewed the Vermont registry.

Some data firms didn’t bother to register.

Amerilist filed its registration on June 19 — the day the company was contacted by The Washington Post, and more than four months after the state’s deadline. Ravi Backerdan, the company’s CEO, said he recalled hearing about the Vermont law, but signing up for the registry “may have fallen under the radar.”

How to stop companies from selling your data

Backerdan says Amerilist only resells data it obtains from other data companies, including Experian and Acxiom. Amerilist doesn’t sell data on users who have registered their names on a “do not mail” database, he said.

The experiment in Vermont is being closely watched at a time when regulators across the country are trying to address growing concerns over online privacy. A California law set to take effect at the beginning of next year will allow the state’s residents to opt out of having their data sold. Maine passed a law this month barring Internet service providers, including AT&T and Verizon, from selling broadband customers’ information. State legislatures in New York, Maryland and Massachusetts are all considering measures to give residents more control over data.

So far, Vermont is the only state to single out data brokers. All of the proposed measures, though, threaten to crack down on the most potent weapon in these companies’ arsenals. Third-party data, or information held by someone who didn’t obtain it directly from the user, can be mined from public records, such as DMVs, property records and voter rolls, as well as private databases filled with people’s magazine subscriptions and shopping records.

Data industry executives who have lobbied against the state laws say third-party data is vital to the businesses they serve. Among those customers are banks, which use data to detect financial fraud, and law enforcement agencies, which dig through databases to find criminals. Advertisers hone pitches to potential customers based on third-party data about their behaviors and interests.

But privacy advocates warn that the spread of data increases the risk of it being misused. A list of people who have Alzheimer’s disease could be purchased by bad actors who want to take advantage of mentally ill people. Two data brokers who advertise an Alzheimer’s patient list -- Experian and Amerilist -- say they vet the buyers of that data to make sure they are legitimate businesses.

Free websites that give anyone easy access to people’s current home addresses can be valuable tools for stalkers and abusers who are trying to locate their victims.

“Victims of domestic violence are trying to take control over their privacy,” said Erica Olsen, director of the Safety Net Project at the National Network to End Domestic Violence. “But the data broker companies are doing a significant amount of work to compile information about a person.”

It’s one thing for a user to willingly turn over their data to receive targeted advertisements, experts say. But the widespread sale of data, often taken without the explicit consent of users, gives data brokers broad latitude to do whatever they want with it, said Bob Gellman, an independent privacy consultant.

“A lot of what is going on here is hidden. No one knows,” Gellman said. “The notion they are only using the information to send you a coupon isn’t that bad. But they are building profiles of people.”

The privacy campaign in Vermont and other states could pave the way for more far-reaching data protections in the United States.

The Federal Trade Commission drew attention to the problems of an opaque data industry in a 2014 report, in which the agency called on Congress to pass legislation that would establish a nationwide registry of data brokers. A bill proposed the following year by four Senate Democrats, called the “Data Broker Accountability and Transparency Act,” never gained traction.

But renewed calls for U.S. privacy protections have followed Equifax’s massive data breach in 2017 and Facebook’s recent string of privacy scandals. Congress has been criticized for falling behind Europe’s regulators, who last year adopted sweeping online privacy rules.

Earlier this month, a group of 40 state attorneys general recommended the creation of a clearinghouse for all data brokers in the country. In public comments to the FTC, the state officials said a registry could help prevent the “loss of privacy that occurs when consumers are subject to increasingly extensive monitoring without increased public awareness or oversight.”

State AGs Call for Data Regulation

Recently, even industry groups have come around to supporting federal legislation.

“Clearly there was a market failure,” Randall Rothenberg, CEO of the Interactive Advertising Bureau. “We tried to do it ourselves. We tried to do it through self regulation. There’s a problem with that: We cannot enforce compliance.”

Data assembly line

Vermont’s new registry offers a peek inside the data broker economy. The more than 100 companies in the registry range in size from a one-man junk mail business operated out of a northern Vermont residence to Oracle, the 140,000-person software giant that sells some of the world’s most sophisticated data marketing services.

Many of the businesses work together in a kind of digital data assembly line.

Edvisors operates a collection of websites for college-bound students, including PrivateStudentLoans.com, HowToGetIn.com and GradLoans.com. Students who visit these sites are asked to enter their personal information on surveys for the chance to win scholarships of up to $10,000. The company’s privacy policy says it may sell data “to third parties whose products and services we think may be of interest to you.”

ALC, a data reseller, takes data from Edvisors and repackages it for marketers, according to an advertisement on ALC’s website.

ALC advertised a “College Bound Student MasterFile,” which includes the names and home addresses of up to three million students for a rate of $95 per 1,000 names. For a few extra dollars, marketers could also buy the name of the college each student plans to attend and his or her expected field of study.

Hackers breach admissions files at three private colleges

ALC told marketers it used data from two additional companies to “overlay” the student data with more details about them: Experian and Ethnic Technologies.

Experian, one of the largest collectors of third-party data, compiles thousands of data points on each consumer and uses them to predict which products and services they will buy. When Experian can’t find a source of verified data, it uses statistical models to guess personal attributes, including political preferences, financial health and which types of products someone is likely to buy, according to a marketing brochure on the company’s website.

Experian uses these models to place consumers into 71 different marketing segments, including “American royalty,” “kids and cabernet” and “small town shallow pockets,” according to its site.

Ethnic Technologies, a Hackensack, N.J.-based start-up, says it uses an algorithm to automatically determine someone’s ethnicity based on first, middle and last names and the neighborhood where they live. For example, the company’s website says it would guess that Pablo Garcia is a Spanish speaker while Pablo Ferrera speaks Portuguese.

By matching the Edvisors names with Experian’s database, ALC said it could determine the household income level of each student. By pulling in data from Ethnic Technologies, it says it could add their ethnicity and religion.

Data brokers are selling your secrets. How states are trying to stop them

Sherry Booles, ALC’s chief marketing officer, said the company has changed some of its practices around what types of data it sells since ALC was acquired by private equity firm CIP last year and a new management team took over. For example, she said ALC has recently ended relationships with partners who sell data on people under the age of 18.

ALC removed information about some of its data lists — including its college-bound student mailing list — after being contacted by The Post.

In a statement, a spokesman for Experian said the company is “committed to transparent data practices” and gives consumers the ability to opt out of data collection.

Zachary Wilhoit, Ethnic Technologies’ CEO, says the company did not register with Vermont because it does not retain information on anyone. Its computer software predicts ethnicity and religion as soon as a customer enters a list of names, and Ethnic Technologies does not hold onto any of those records.

Edvisors, a subsidiary of the College Loan Corporation, did not respond to multiple requests for comment.

Wrong predictions

As they rely more on statistical predictions, data brokers are more likely to buy and sell information that is wrong.

In interviews with six of the people on the Amerilist list bought by The Post, four of them said at least some of the information Amerilist had in their database was wrong or misleading. The Post bought the list only for the purpose of conducting journalistic interviews with people on it.

Koloski, the school bus driver, said his profile was correct about everything except his age — he’s 66, not 65 — and his ethnicity. Amerilist incorrectly said he was Finnish.

“Koloski? It’s Polish!” he said.

Amerilist accurately predicted Hans Ohanian, another Vermonter, was of partial Armenian descent, but erroneously assumed he practiced Eastern Orthodox religion. The company’s estimate for his household income was wrong, he said, but he refused to tell a journalist what the real number was.

“I regard that as private information,” he said. “Nobody could say what it is without having access to my income tax records.”

Is your pregnancy app sharing your intimate data with your boss?

Another Vermont resident who appeared on the list — which The Post bought from Amerilist in June — died in January.

Backerdan, Amerilist’s CEO, said the company only resells data compiled by its partners. In this case, Amerilist resold data from Natimark, a Phoenix data compiler, he said. Backerdan said Natimark’s ethnicity and religion data was probably inferred from people’s names. The household income data was probably estimated using each person’s Zip code and the average income for their neighborhood in the last U.S. census, he said.

Typically, a list of data contains about 85 percent to 90 percent accurate information, Backerdan said.

Representatives of Natimark didn’t respond to multiple requests for comment.

‘Toe in the water’

Vermont Assistant Attorney General Ryan Kriger said the state may go after companies that don’t comply with the registry, including issuing fines of up to $10,000 a year for companies failing to register. State officials may not penalize some companies for late submission, he said, because the registry is still so new.

“I describe this as a toe in the water, not a cannonball,” Kriger said.

Ohanian, one of the Vermonters in the Amerilist database, said he believes more rules around data brokers should be enforced.

“Putting a registration on these kind of [companies] and giving Vermonters, and Americans in general, an easy way to opt out of it seems like a good idea,” Ohanian said. “It does not destroy the American economy if this information isn’t available.”

Emma Brown contributed to this story.