Steve Kroft’s segment on CBS’s March 9 installment of 60 Minutes, “The Data Brokers: Selling your personal information,” was a noteworthy chapter in the escalating confrontation between the data-driven marketing industry and popular press initiatives to expose the alarming aspects of our emerging surveillance society. (Also see the Direct Marketing Association’s response.)
The introduction framed the problem with a hint of irony:
“Over the past six months or so, a huge amount of attention has been paid to government snooping, and the bulk collection and storage of vast amounts of raw data in the name of national security. What most of you don’t know, or are just beginning to realize, is that a much greater and more immediate threat to your privacy is coming from thousands of companies you’ve probably never heard of, in the name of commerce.”
The exposé format demands a clear moral indictment of the culprits – and Steve isn’t shy about naming names – but there’s irony in the suggestion that new government regulations are needed to reign in these companies – despite the reference to “government snooping” and other evidence that Americans trust their government even less than commercial enterprise. Epsilon President Bryan Kennedy tries to play this point but seems to fall into an apologist trap:
“Steve Kroft: You’re saying that any kind of regulation on this could cripple the economy?
Bryan Kennedy: I am.
Steve Kroft: And this should be left to industry groups? To self-enforce?
Bryan Kennedy: We think that self-regulation has been very effective. What we’re hearing today is a lot of discussion in Washington. We’re not hearing a lot of discussion, frankly, from consumers. It’s one of the odd things. So, consumers are rushing to the Internet to provide more information about themselves than, you know, we would’ve ever imagined.”
Kroft briefly references the proposed legislation of Senate Commerce Committee chairman Jay Rockefeller, but avoids the snarls of discussing the technical and political challenges of regulatory remedies, except near the end when he refers to the Direct Marketing Association as “one of the most powerful lobbying groups in Washington.”
I will say that, to an outsider, there was plenty of highly damning testimony. The worst came from Tim Sparapani, identified as a former privacy lawyer for the American Civil Liberties Union, then Facebook’s first director of public policy. (This, too, might seem ironic, although Facebook and Google were both spared direct indictment in this segment, “because they don’t sell the information they gather about us. They keep it all to themselves.” Try to parse the irony in that.)
“Steve Kroft: What about medications?
Tim Sparapani: Certainly. You can buy from any number of data brokers, by malady, the lists of individuals in America who are afflicted with a particular disease or condition.”
Anyone who has heard of HIPAA should know this is illegal in the U.S., as are most of the other practices Sparapani mentions. That doesn’t mean they don’t happen – although their alleged prevalence would seem to be as much an indictment of law enforcement as anything, given the claim that “the evidence is there if you know where to look.” More insidious, however, is the implied guilt-by-association this assigns to the mainstream data marketing companies the piece identifies. Although Kroft stops short of criminal accusations, there’s no attempt to distinguish among data practices – especially when it comes to the particularly sensitive area of personally identifiable information – and he doesn’t hold back on shady insinuations against mainstream data brokers.
Federal Trade Commissioner Julie Brill is a bit more careful about this. Watch her tiptoe around the PII issue:
“Steve Kroft: Are people putting this together and making dossiers?
Julie Brill: Absolutely.
Steve Kroft: With names attached to it? With personal identification?
Julie Brill: The dossiers are about individuals. That’s the whole point of these dossiers. It is information that is individually identified to an individual or linked to an individual.”
Any insider will immediately recognize this language as an attempt to avoid getting dragged into a discussion of the technical nuances of PII. But the cost of avoiding that discussion is that we remained trapped at the level of innuendo. Marketers use third-party data of the sort that most “data brokers” provide not so much to identify individuals, but to reach a specific audience. The individuals who comprise that audience don’t need to be uniquely identified…until they reveal themselves to the marketer in the context of a commercial relationship. Otherwise they can remain anonymous. But the segment doesn’t delve into how mainstream marketers use data.
When it comes to identifying the harm inherent in this kind of marketing surveillance, journalists seem to have two choices:
- Invoke a direct connection with crimes such as identity theft and blackmail
- Invoke more intangible and sinister consequences such as covert discrimination and subtle forms of coercion and manipulation
Kroft avoids the simplicity of the first and leaves us with the second, which, to my mind, is a real long-term social problem. But it’s not a problem that can be easily addressed by the remedies that reactive legislation can provide. Nor can the industry unilaterally address it through self-regulation and cryptographic technology – although their extensive attempts to do so might have merited at least a passing mention. Consumers need a partner in this.
“Commissioner Brill is pushing for more oversight and transparency. She says people should be able to see the information the companies have on them, be able to challenge it if it’s incorrect, and opt out of the system if they don’t want personal data collected.”
Amen. Maybe she’s talking about Acxiom’s aboutthedata.com – or a more-comprehensive future version. In any case, superficial consumer controls and notifications can’t replace an actual understanding of the highly complex forces and technologies at work here. There are certainly better technical solutions to consumer empowerment (think agents), and a number of entities in a position to deploy them (banks, CSPs, the data brokers themselves) but without market demand they will not materialize. The identity theft protection industry struggles to get people to pay for a more concrete value proposition. Privacy is an economic puzzle that most marketers want to solve as much as anyone.
So, maybe just scaring people is the right place to start. If so, I guess Steve Kroft and CBS have done their duty. But I’d watch that line between illumination and vilification.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed
Can you talk a bit more about the agents you mention when looking at better technical solutions to customer empowerment?
Agree that consumer market demand would need to drive this but I think you’d agree there would need to be a education process around that such things are an option. Such as, “What are they” and “How do they work?”
Hi Bill – thanks for the comment!
Agents, in this context, would be cloud-based proxy services (or something similar) that can manage the complexities of privacy options – particularly cookie suppression – on a case-by-case basis on a user’s behalf based on inferred and expressed preferences, across devices and contexts.
While I agree in principle with your second point about education, in practice I see a widening gap between the way these data systems work – which involves complex concepts like one-way cryptographic hash functions and statistical identification algorithms – and what we can reasonably expect consumers to grapple with and make informed choices about on a daily basis. Hence the need for intelligent software to intermediate and translate consumer interests into complicated actions.
Information is changing social, political and economic structures in ways that nobody can foresee. Rules will be made that affect, sometimes define, our lives. Those rules are being made by governments and companies that keep people in the dark about their data practices. People have good cause for anxiety. In terms of information, government and business are not separate. The government already relies on information from private enterprise (e.g., airlines). Companies already gather information about us from public sources, and of course lobby the government for favorable treatment. So when the rules are made, it’s perfectly possible that people will be sacrificed to the needs of government and business. I read a case about a woman who resold some medical equipment from hospitals that didn’t want it anymore. She was prosecuted for theft. The government used a law designed to combat organized crime and terrorism to freeze all her family’s financial assets on the grounds that it was ill-gotten (even though only a fraction was in dispute). That meant she couldn’t afford to pay the lawyer of her choice to defend her. The seizure of assets was upheld on appeal. That’s what rules can do.
Thanks for the comment Eric.
It’s interesting that you focus on the danger of rules, since the need for new rules seems to be a common theme of privacy advocates. I also noted in the commentary following the broadcast an unchallenged consensus that self-regulation can’t possibly work:
“It has been shown over and over again that NO industry is capable of self-regulating.” – LFTD4966 March 11, 2014 1:1PM
But this is a naive view – most media students would credit the Advertising Self-Regulatory Council (formerly known as the National Advertising Review Council, but nobody liked NARC as an acronym) with doing a reasonably good job at enforcing the truth and accuracy of advertising claims and restricting children’s advertising by setting standards and guidelines and enforcing compliance, with little need for government intervention, for decades.
Its sibling in the Council of Better Business Bureaus focusing on privacy is the Digital Advertising Alliance (see aboutads.info), which has had a tougher time satisfying critics of data-driven marketing practices. But Kroft’s implied assertion that there are no rules here is not an accurate summary of the situation.