Steve Kroft’s segment on CBS’s March 9 installment of 60 Minutes, “The Data Brokers: Selling your personal information,” was a noteworthy chapter in the escalating confrontation between the data-driven marketing industry and popular press initiatives to expose the alarming aspects of our emerging surveillance society. (Also see the Direct Marketing Association’s response.)
The introduction framed the problem with a hint of irony:
“Over the past six months or so, a huge amount of attention has been paid to government snooping, and the bulk collection and storage of vast amounts of raw data in the name of national security. What most of you don’t know, or are just beginning to realize, is that a much greater and more immediate threat to your privacy is coming from thousands of companies you’ve probably never heard of, in the name of commerce.”
The exposé format demands a clear moral indictment of the culprits – and Steve isn’t shy about naming names – but there’s irony in the suggestion that new government regulations are needed to reign in these companies – despite the reference to “government snooping” and other evidence that Americans trust their government even less than commercial enterprise. Epsilon President Bryan Kennedy tries to play this point but seems to fall into an apologist trap:
“Steve Kroft: You’re saying that any kind of regulation on this could cripple the economy?
Bryan Kennedy: I am.
Steve Kroft: And this should be left to industry groups? To self-enforce?
Bryan Kennedy: We think that self-regulation has been very effective. What we’re hearing today is a lot of discussion in Washington. We’re not hearing a lot of discussion, frankly, from consumers. It’s one of the odd things. So, consumers are rushing to the Internet to provide more information about themselves than, you know, we would’ve ever imagined.”
Kroft briefly references the proposed legislation of Senate Commerce Committee chairman Jay Rockefeller, but avoids the snarls of discussing the technical and political challenges of regulatory remedies, except near the end when he refers to the Direct Marketing Association as “one of the most powerful lobbying groups in Washington.”
I will say that, to an outsider, there was plenty of highly damning testimony. The worst came from Tim Sparapani, identified as a former privacy lawyer for the American Civil Liberties Union, then Facebook’s first director of public policy. (This, too, might seem ironic, although Facebook and Google were both spared direct indictment in this segment, “because they don’t sell the information they gather about us. They keep it all to themselves.” Try to parse the irony in that.)
“Steve Kroft: What about medications?
Tim Sparapani: Certainly. You can buy from any number of data brokers, by malady, the lists of individuals in America who are afflicted with a particular disease or condition.”
Anyone who has heard of HIPAA should know this is illegal in the U.S., as are most of the other practices Sparapani mentions. That doesn’t mean they don’t happen – although their alleged prevalence would seem to be as much an indictment of law enforcement as anything, given the claim that “the evidence is there if you know where to look.” More insidious, however, is the implied guilt-by-association this assigns to the mainstream data marketing companies the piece identifies. Although Kroft stops short of criminal accusations, there’s no attempt to distinguish among data practices – especially when it comes to the particularly sensitive area of personally identifiable information – and he doesn’t hold back on shady insinuations against mainstream data brokers.
Federal Trade Commissioner Julie Brill is a bit more careful about this. Watch her tiptoe around the PII issue:
“Steve Kroft: Are people putting this together and making dossiers?
Julie Brill: Absolutely.
Steve Kroft: With names attached to it? With personal identification?
Julie Brill: The dossiers are about individuals. That’s the whole point of these dossiers. It is information that is individually identified to an individual or linked to an individual.”
Any insider will immediately recognize this language as an attempt to avoid getting dragged into a discussion of the technical nuances of PII. But the cost of avoiding that discussion is that we remained trapped at the level of innuendo. Marketers use third-party data of the sort that most “data brokers” provide not so much to identify individuals, but to reach a specific audience. The individuals who comprise that audience don’t need to be uniquely identified…until they reveal themselves to the marketer in the context of a commercial relationship. Otherwise they can remain anonymous. But the segment doesn’t delve into how mainstream marketers use data.
When it comes to identifying the harm inherent in this kind of marketing surveillance, journalists seem to have two choices:
Kroft avoids the simplicity of the first and leaves us with the second, which, to my mind, is a real long-term social problem. But it’s not a problem that can be easily addressed by the remedies that reactive legislation can provide. Nor can the industry unilaterally address it through self-regulation and cryptographic technology – although their extensive attempts to do so might have merited at least a passing mention. Consumers need a partner in this.
“Commissioner Brill is pushing for more oversight and transparency. She says people should be able to see the information the companies have on them, be able to challenge it if it’s incorrect, and opt out of the system if they don’t want personal data collected.”
Amen. Maybe she’s talking about Acxiom’s aboutthedata.com – or a more-comprehensive future version. In any case, superficial consumer controls and notifications can’t replace an actual understanding of the highly complex forces and technologies at work here. There are certainly better technical solutions to consumer empowerment (think agents), and a number of entities in a position to deploy them (banks, CSPs, the data brokers themselves) but without market demand they will not materialize. The identity theft protection industry struggles to get people to pay for a more concrete value proposition. Privacy is an economic puzzle that most marketers want to solve as much as anyone.
So, maybe just scaring people is the right place to start. If so, I guess Steve Kroft and CBS have done their duty. But I’d watch that line between illumination and vilification.