The revelations about the scope and scale of the NSA’s cyber-surveillance has already been bad for business, with the biggest impact falling on U.S. technology providers and cloud data services. But one of the less-discussed disclosures — that the agency taps into commercial cookies to track individuals’ web habits — has the potential to spread the pain farther, by drawing attention, as David Meyer noted in a post on GigaOM last week, to the very thin and fuzzy line separating commercial and government surveillance.
Yesterday, the Senate Commerce Committee released a pretty scathing report on data brokers and the use of the information they gather by marketers:
Data brokers collect a huge volume of detailed information on hundreds of millions of consumers. Information data brokers collect includes consumers’ personal characteristics and preferences as well as health and financial information. Beyond publicly available information such as home addresses and phone numbers, data brokers maintain data as specific as whether consumers view a high volume of YouTube videos, the type of car they drive, ailments they may have such as depression or diabetes, whether they are a hunter, what types of pets they have; or whether they have purchased a particular shampoo product in the last six months [snip];
Data brokers operate behind a veil of secrecy. Data brokers typically amass data without direct interaction with consumers, and a number of the queried brokers perpetuate this secrecy by contractually limiting customers from disclosing their data sources. Three of the largest companies – Acxiom, Experian, and Epsilon – to date have
been similarly secretive with the Committee with respect to their practices, refusing to identify the specific sources of their data or the customers who purchase it. Further, the respondent companies’ voluntary policies vary widely regarding consumer access and correction rights regarding their own data – from virtually no rights to the more fulsome policy reflected in the new access and correction database developed by Acxiom.
In case anyone missed the connection, committee chairman Sen. Jay Rockefeller (D-WV) made it explicit at a hearing to discuss the report, calling consumer tracking by data brokers worse than what the NSA does.
“The NSA is so secure in its protection of privacy as compared to this group that we’re talking to, these data brokers,” he said. “It’s not even close.”
The way the two collect a lot of their information is pretty close, though. A story in the Washington Post last week detailing the NSA’s “piggybacking” onto commercial cookies included the following slide, taken from an NSA presentation:
Here’s how the Post describes it:
Google assigns a unique PREF cookie anytime someone’s browser makes a connection to any of the company’s Web properties or services…That PREF cookie is specifically mentioned in an internal NSA slide, which reference the NSA using GooglePREFID, their shorthand for the unique numeric identifier contained within Google’s PREF cookie. Special Source Operations (SSO) is an NSA division that works with private companies to scoop up data as it flows over the Internet’s backbone and from technology companies’ own systems. The slide indicates that SSO was sharing information containing “logins, cookies, and GooglePREFID” with another NSA division called Tailored Access Operations, which engages in offensive hacking operations. SSO also shares the information with the British intelligence agency GCHQ.
The cookie disclosure, along with the heightened sensitivity over digital surveillance brought on by the broader revelations about NSA spying, can only strengthen the hand of anyone wanting to impose new restrictions on commercial data collection, and over how those data are used and by whom. That could end up touching a lot broader swathe of the economy that merely the technology companies that have been impacted so far.