
TikTok is the Least of our Concerns—A Look at Data Brokers

By Heather Wilson

The Trump Administration is waging a war against TikTok, citing national security concerns about TikTok’s vast data collection. As a previous blog post mentioned, the ban is short-sighted, but it does bring a vital conversation to light—how can we protect our citizens, and national security, from massive data collection? If the government is truly concerned about the potential harms of massive data collection, it should instead focus its attention on data brokers.

Data brokers are entities that collect and compile bits of data about users to create a comprehensive, marketable profile. These profiles include information gleaned from public records (address, name, birthdate), digital tracking (like cookies or software development kits), and financial transactions. Digital tracking can include internet searches like “researching diabetes for oneself or a friend,” which could place you in a category like “Ailment and Prescription Online Search Propensity” that could affect your health insurance. These profiles can be used to target advertising, warn employers of disgruntled employees, and even highlight a person who returns goods too often. RetailNext, a data broker used by businesses, compiles the current weather, Bluetooth/Wi-Fi data, and data from video cameras, point-of-sale systems, and user credit cards to offer retailers insight into consumer behavior to boost sales and prevent loss. Other data brokers are far less transparent, remaining in the shadows, scraping data and selling it to the highest bidder. One day that bidder could be a Chinese, Russian or Iranian government entity.

Example of data collected by data brokers Acxiom and Oracle

The Federal Trade Commission has harped on the harms of data brokers since 2014, and Congress has held multiple committee hearings on the issue, but there’s been no real federal action to mitigate these known harms. Unlike Europe, the United States does not have a comprehensive privacy law. The privacy laws that do exist are siloed by category, like the Health Information Portability and Accountability Act or the Gramm-Leach-Bliley Act. States like Vermont and California have been more proactive. Vermont’s 2018 law identified at least 121 data brokers who obtained data from citizens of the state. Several states have launched similar data-broker or consumer privacy protection laws, but many have failed.

Even more concerning is that these data brokers are vulnerable to hacking. In 2017, Chinese hackers, likely backed by the state, infiltrated Equifax’s databases. The hack exposed intimate details on the lives of millions of Americans, information that was perfect for blackmail. A hack of any one of the hundreds of data brokers collecting and creating profiles on American citizens could provide a bounty of blackmail opportunities, like the ones cited in the TikTok Executive Order, for any foreign adversary.

The TikTok Executive Order brings data privacy to the forefront of the conversation, but largely misses the mark. If the United States is truly concerned about the potential for blackmail and the national security risks of data collection, it must turn to regulating the data broker industry.

