Cisco Blogs



Spokeo: Abusing Privacy or Making Sense of What’s Public?

As individual datasets appear on the public Internet, they add to the ability of interested parties to identify individuals through correlation with other datasets. As more and more information becomes accessible, anonymity quickly degrades and actionable intelligence about an individual increases. But correlating this information is a major challenge, and one that data brokers are quickly moving to solve for their customers. As our culture dives deeper into social media and how it can enrich user experiences, the value of this correlation effort increases.

Can the law keep up with the personal information that is aggregated at sites like Spokeo.com? This is one glaring side effect of the ability to extract intelligence from such a dataset. Technology has outpaced existing laws and failure to balance legal protection with technological advancement could do harm to both consumers and those who seek to use this information to make better decisions.

Law and technology will continue to experience some interesting, and at times confusing, intersections for the foreseeable future. But at this point, the Center for Democracy and Technology (CDT) has taken aim at Spokeo.com, a data broker that the CDT alleges is running afoul of the Fair Credit Reporting Act (FCRA). The CDT says that Spokeo’s actions should be regulated under Federal law, because the FCRA ensures that credit ratings made about individuals should be accessible and accountable to those individuals.

The CDT has asked the Federal Trade Commission to make a ruling about Spokeo.com, and potentially — by extension — other online data brokers that provide some estimate on a subject’s wealth or creditworthiness, based upon public information. The CDT is concerned that if data brokers are not classified as Credit Reporting Agencies (CRAs), then customers relying upon these brokers’ services will be able to avoid providing the consumer protections afforded to individuals by the FCRA. Spokeo denies that it is a CRA, and maintains that the site does not guarantee the accuracy of information presented on its site, all of which is publicly available elsewhere.

At issue are two primary problems:

  • Should Spokeo, or any data broker, be classified as a CRA and held accountable to the FCRA?
  • Will classification as a CRA help or hurt consumers, given today’s proliferation of information?

 

Data Brokers and the Fair Credit Reporting Act

Regarding the first problem, it appears that the FTC has weighed in on the topic of public information in the past, saying that what is done with the information is more relevant than where the information comes from:

“Section 603(f) defines a “consumer reporting agency” as any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information … for the purpose of furnishing consumer reports to third parties”

While I’m not a lawyer, it would seem that if the FTC agrees with the CDT that Spokeo intends to aggregate this information for the purpose of furnishing consumer reports to third parties, then they would be classified as a CRA. According to Spokeo’s blog response to the complaint, such a classification would “put us out of business.”

 

Are We Helped or Harmed By Data Brokers’ Innovations?

This presents, then, the second problem, which is perhaps a little more subjective. There are many things that have changed technologically since 1970, when the FCRA was enacted — things which could significantly affect the context in which the FTC makes its decision. Personal data has moved out of the filing cabinet and onto the Web, and some suspect that their personal data is being gleaned from social networks for business uses, such as fraud prevention. And if for that purpose, then perhaps for many other uses as well. Should consumers have to answer questions about their identities that have been gleaned from social network information? Shouldn’t consumers also be protected from misuse of this data, even though the information that is collected is not used to propose creditworthiness?

Spokeo and other data brokers are innovating in the area of data aggregation and correlation in the face of this online explosion of personal information. This is the other side of the privacy coin — if the information is public, they hope to find a use for it. As the public comes to grips with how much of their personal data is readily available, perhaps they will (continue to) choose to leave it out there. Perhaps there is some great individual benefit to having everything about oneself easily searched from one location. If it’s public anyway, why not make it easy to use? These concepts are still new, and certainly weren’t considered in 1970 when the FCRA came into effect.

The EU’s Data Privacy Directive takes a different stance than the U.S. HIPAA regulations do regarding privacy and anonymity, for example. Laws are certainly not the only method through which consumer protection can be achieved. But the information is public, and through its use individuals can be helped or harmed. As a society, we must ask ourselves whether or not we should be protecting each other from the misuse of this information. And in light of the data being available, is it more helpful or harmful to be able to find out for ourselves what is being said about us, even if we can’t have it changed? Or do we need to be afforded the chance to seek to have misinformation corrected, no matter how that information will eventually be used?
