from the and-now-we'll-wait-for-the-law-enforcement-pushback dept
Another one of ICE’s (Immigration and Customs Enforcement) data spigots has been shut off. Don’t cry too many tears for poor old ICE. It still has plenty of options. It’s still hoovering up location data from app developers who either don’t know or don’t care that this data is buyable through data brokers. It also still has plenty of privileges, thanks to laws and judicial decisions that say most constitutional rights are null and void within 100 miles of our nation’s ports of entry (borders, coasts, and — making this far more concerning — any domestic airport offering international flights).
Plenty of data can still be had (and plenty of brokers willing to sell it), but ICE has just lost access to one source of data it uses to track down immigrants: utility bill information gathered, packaged, and sold to government agencies by third parties like Equifax and Reuters.
Equifax gathers this information ostensibly to assess the creditworthiness of United States residents. (It also leaks this information on occasion.) Thomson Reuters uses the same information (called “utility header data”) in its CLEAR database, which contains “billions of data points” and “leverages cutting-edge public records technology.” Its potent combination of bulk data and profit-seeking is sold to whoever wants access, which includes US law enforcement agencies.
ICE no longer has access to this data through CLEAR. At least the “utility header data” part of it. So have the nation’s law enforcement agencies. Following pressure from Senator Ron Wyden, utility companies will no longer allow this data to be resold by Equifax to private entities like Reuters. (Possible paywall ahead. Alternate link.)
A nationwide group of utility companies that provided sensitive data from millions of Americans’ cable, phone and power bills to U.S. Immigration and Customs Enforcement and other government agencies has agreed to end the practice in response to concerns the information was being misused to track the general public.
Wyden’s pressure on the National Consumer Telecom & Utilities Exchange (NCTUE) prompted change. The NCTUE told Equifax to stop selling this data. This means the data no longer flows to Reuters’ CLEAR database, which means agencies like ICE no longer have access to it.
But Reuters isn’t the only player in the data market. There are plenty of third parties purchasing data and selling it to government agencies and other third parties. That’s why Wyden is now demanding the Consumer Finance Protection Board start doing its job and start regulating the sale of Americans’ data.
Wyden, a longtime critic of government surveillance, called on the CFPB to further rein in a data-broker industry that he said had spun “out of control” due in part to “vague and undefined regulations.” He urged the agency to aggressively investigate how data gathered for commercial purposes was ending up in the hands of law enforcement without court approval or oversight.
“Selling personal information that people provide to sign up for power, water and other necessities of life, and giving them no choice in the matter, is an egregious abuse of consumers’ privacy,” Wyden wrote. “The personal privacy of hundreds of millions of people should not depend upon the goodwill of corporations worried about negative headlines.”
Currently, it’s third parties on top of third parties, buying data from wherever it can be purchased and repackaging it for sale to others. This has led to consumers being misled about everything, from the data being collected to how the data is being used. Boilerplate about sales or licensing to third parties doesn’t make it clear information collected to open and maintain necessities of life (like utility services) will ultimately be part of “billions of data points” accessible without a warrant by law enforcement.
As of right now, the data Wyden is concerned about is bought and sold in a gray market — one not directly affected by regulation. That’s what Wyden hopes to change.
The sale of credit payment histories and related data is closely regulated under federal law. But government agencies can access credit header data because the regulations do not clearly outline how the revealing information can be used. Wyden urged CFPB to clarify the law and investigate how the data is sold.
Government agencies and data brokers have long preyed on the disconnect between public perception and the far uglier reality of data harvesting. Customers and consumers understand utility companies need to collect information to provide service and collect payment. They may also make the small logical leap that payment histories will be forwarded to companies that assess credit ratings. What they almost never assume is that all this data — which includes names, addresses, social security numbers, and plenty of contact info — can be accessed at will by US law enforcement agencies.
Many data fire hoses are still in operation. But this move slows one form of data to a drip — one that travels to Equifax but goes no further. It’s a start, but as Sen. Wyden clearly realizes, there’s a long way to go before Americans can trust the entities that collect data from us.