Up Close and Personal Data for Sale

The usual stream of shocking stories about data brokers selling dangerously sensitive data continues.

One data broker might be in trouble, as the Federal Trade Commission (FTC) is continuing to pursue a case against them.

A federal judge in Idaho had dismissed the case last year. What could be harmful in selling the geolocation data of 35 million people who might go to Planned Parenthood, a domestic violence shelter, a mosque, an LGBTQ club or an AA meeting?

Apparently nothing to the Idaho federal judge or Kochava, the data broker.

Of course exposing legitimately public data seems to be a more dangerous game today if you target the famous and powerful.

Welcome to the new normal.

Kindly let us know any stories about sensitive data not being resold.

Two things really shout out from this and similar happenings with Kochava and other data brokers you’ve never heard of.

First, this is a clear case where my concept of "reductive security" can mitigate some impact on individuals.

Focus on decreasing that digital footprint. Practice reductive security and not additive security. Lessen the amount of data exposed to digital devices. Don’t “initiate” your new devices with more applications. Start with uninstalling, deleting and restricting as much as feasible.

The point is simple: the less systems, the less data available, the safer you are. The security surface area to defend decreases, and is more manageable. It's not the ultimate elixir to solve the world's problems, but it's a good starting point in the never-ending war to enhance privacy and security.

Yes, a lot of data has already left the barn. There’s not much you can do about that. And more data will inevitably continue to leave the barn with any sane implemented mitigations.

There is also an enterprise approach for reductive security, but that’s another longer blog post. An easy start is reducing the third parties on your web site. Determine if all that collected PII or PHI data is really necessary.

The end result can be less time wasted on security questionnaires and buyer due diligence. If you use the ClearOPS platform, of course, assessments are still a breeze.

The less data available to the data brokers, the safer you are.

Then there’s the really disturbing angle. It’s not just that data brokers are reselling this data. The horror-show reality begins when one realizes that the data brokers are actually downstream in this dystopian ecosystem.

Most of these data brokers aren't doing the data collection. Who actually enables the data brokers? It's usually the providers and product manufacturers, from internet service providers to cell phone companies and beyond who collect, package and sell your data.

How does Kochava get this data? The last line in the CEO’s profile makes the case clear:

It’s those “networks and publishers” who collect and sell that data which oddly escape scrutiny. Downstream data brokers are the bottom feeders, and a very logical product of this ecosystem.

Thank you for reading ClearOPS Bridging the Gap between Privacy and Security. This post is public so feel free to share it.

Yet this upstream incessantly collects more and more sensitive data, sometimes under the auspices of “security.”

They collect for the mere sake of collecting. Nothing is too sensitive and personal for their intrusive quest.

From web sites with dozens of third-party data miners to idiotic and NIST-contradicting security questions about mothers’ maiden names and first-grade teachers for authentication, the first-party collectors should not be feigning shock when cases like this happen.

I don't know if the FTC, FCC or anything short of another Big Bang can end this game where the actual perpetrators quietly pose as innocent bystanders. It does look like the FTC is finally on the offensive against some of the bottom feeders. But if you get nausea from reading stories like the Kochava one, it shouldn't be just because it happened. The nausea should be because it can happen, and that it's facilitated from the upstream.

About the author George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives on creating unorthodox solutions to ordinary problems.

About ClearOPS ClearOPS revolutionizes third-party risk with its support for both buy-side and sell-side vendor management, powered by Generative A.I. Take your vendor management to the next level and fix your internal workflows for maximum efficiency. Inquiries: [email protected]