from the doing-nothing-helpful dept
That’s a particular problem when it comes to user location data, which has been repeatedly abused by everybody from stalkers to law enforcement. The data, which is collected by wireless companies, app makers and others, is routinely bought and sold up and down a major chain of different companies and data brokers providing layers of deniability. Often with very little disclosure to or control by the user (though companies certainly like to pretend they’re being transparent and providing user control of what data is traded and sold).
For example, last year a company named Veraset handed over billions of location data records to the DC government as part of a COVID tracking effort, something revealed courtesy of a FOIA request by the EFF. While there’s no evidence the data was abused in this instance, EFF technologist Bennett Cyphers told the Washington Post Veraset is one of countless companies allowed to operate so non-transparently. Nobody even knows where the datasets they’re selling and trading are coming from:
“A lot of these data brokers? existence depends on people not knowing too much about them because they?re universally unpopular,? Cyphers said. ?Veraset refuses to reveal even how they get their data or which apps they purchase it from, and I think that?s because if anyone realized the app you?re using ? also opts you into having your location data sold on the open market, people would be angry and creeped out.”
While a long list of companies continue to insist that the massive scale this data is bought and sold at is no big deal because the data is “anonymous,” experts (with mixed success) keep pointing out that’s not really true:
“If you look at a map of where a device spends its time, you can learn a lot: where you sleep at night, where you work, where you eat lunch, what bars and parks you go to,? Cyphers said. Because of that, he added, it?s extremely simple ?to associate one of these location traces to a real person.”
After major location data scandals at both Securus and wireless carriers, it looked like we might see actual reform on this front, but those efforts have largely stalled. Bills specifically targeting location data have gone nowhere. The occasional fines levied against such companies are a tiny fraction of the revenues made from the data in the first place. And our 20-year effort to have anything even vaguely resembling a useful federal privacy law for the internet era remains mired in gridlock thanks to a massive coalition of cross industry lobbying opposition with a near-unlimited budget.
Which means most of these companies are going to keep collecting and selling access to this data, while pretending they don’t sell access, that the data they collect is anonymous and harmless, and that absolutely any oversight or transparency requirements are unnecessary. And the parade of scandals, breaches, and abuse of this data will continue, until eventually there’s a scandal so large that the problem can no longer be cavalierly brushed aside.