Remember the debate about eBay port scanning visitors?

Turns out this was about ThreatMetrix, a fraud/identity analytics firm. The CIA was an early investor. Now owned by a massive data broker. FB and thousands of other companies are sending data to them. blog.nem.ec/2020/05/24/eba…
ThreatMetrix is owned by LexisNexis Risk Solutions / RELX.

Together, they claim to have data on hundreds of millions of people including names, addresses, phone numbers, email addresses, insurance records, criminal records and data on 4.5 billion devices.
relx.com/~/media/Files/…
I wrote about LexisNexis in 2016 (crackedlabs.org/dl/Christl_Spi…), about ThreatMetrix in 2017 (crackedlabs.org/dl/CrackedLabs…).

Many companies are harvesting data for marketing and advertising. Data collection for risk/fraud/identity stuff is even more pervasive, secretive and unaccountable.
ThreatMetrix is everywhere. Most likely, you're sending data to them every day when using digital services or conducting financial transactions.

They ingest data on 1.4bn people, their devices and behaviors in 185 countries.

Basically, it's a global mass surveillance system.
Identity verification, fraud detection and cybersecurity can make sense, of course.

But they maintain incredibly powerful data, calculate opaque 'reputation' and 'trust' scores that affect people's lives every day, and they operate without oversight and very much in the dark.
In addition to maintaining a private population registry, constantly screening people in the commercial sphere, providing data, analytics and scores to insurers, landlords and employers, LexisNexis (and ThreatMetrix) are closely linked to US law enforcement and national security.
"ThreatMetrix provides government with the ability to harness intelligence related to devices, locations, identities and past behaviors ... in order to distinguish between trusted and fraudulent behavior. It connects online and offline identities ..."
risk.lexisnexis.com/-/media/files/…
"ThreatMetrix Digital Identity Network outputs the LexID Digital identifier for each citizen (currently over 1.4 billion) by analyzing the innumerable connections between devices, locations, past behaviors..."

...a personal pseudonymous (not 'anonymous') ID for each 'citizen'.
Sometimes they claim to use 'anonymous' or 'anonymized' data, but this is not true.

They link all kinds of pseudonymous personal IDs to each other.

They used hashed IDs, but that doesn't matter. They can still link online behavior to their 'Lex ID', and thus to everything else.
Who else is sending all kinds of personal information to ThreatMetrix and LexisNexis Risk?

For example, PayPal.

"Please note that data disclosed to these agencies may be retained by the ... agency for audit and fraud prevention purposes"
paypal.com/ie/webapps/mpp…
LexisNexis Risk Solutions, owned by British RELX group, has long been focusing on data on the US population. ThreatMetrix also emerged in the US, but seems to be everywhere now.

From an EU perspective, I'm wondering whether this is GDPR compliant in every sense. I doubt it is.
The GDPR provides ways to process data based on so-called 'legitimate interests'. Purposes such as 'network security' or 'fraud prevention' make it easier to argue that those interests outweigh the violation of rights+freedoms of data subjects. But this is not at all a free pass.
"ThreatMetrix device ID is globally unique and persistent; every company will see the same device ID for the same computer"

"ThreatMetrix uses native device attributes for matching—not hashes created from attributes"

Some details about data processing:
pymnts.com/assets/Uploads…
This $1.5m contract for 'statewide personal information research databases' contains many details about the data LexisNexis sells.

LexID, a unique personal identifier for every person (which is also linked to ThreatMetrix data), can be queried+retrieved.
michigan.gov/documents/dtmb…
Oh my, and I missed that LexisNexis Risk also acquired ID Analytics in January.

...another data broker focusing on identity, fraud and credit data that claims to operate 'one of the nation’s largest networks of cross-industry consumer behavioral data': risk.lexisnexis.com/about-us/press…
Did you know that Symantec, the antivirus vendor, owned ID Analytics, a data broker and credit rating company from 2016 until 2020?

Now, LexisNexis Risk Solutions acquired it.

I wrote about ID Analytics back in 2016 and 2017, too:
crackedlabs.org/dl/Christl_Spi…
crackedlabs.org/dl/CrackedLabs…
ID Analytics claims to have data on 300m people, on "credit card and wireless phone applications ...sub-prime loans and eCommerce transactions", plus device data, names, postal/email addresses, SSNs and more.
web.archive.org/web/2017061013…
idanalytics.com/media/Fraud-ID…
idanalytics.com/media/Fraud-ID…
Oh, here's another massive data company acquired by LexisNexis in Feb 2020:

Emailage calculates risk scores for 40 million email addresses globally, 'connected to IP addresses, domain names, phone numbers' and '200+ data elements'.
emailage.com/email-risk-sco…
emailage.com/wp-content/upl…
The problem is, as soon as I start digging, it's like diving in a never-ending rabbit hole 😬

tl;dr Risk data companies are monitoring billions of digital transactions every day, often linked to offline identity/credit data, for multi-purpose use. This needs much more scrutiny.
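
The thread's point that hashed IDs are pseudonymous rather than anonymous, as an added example that is not part of the original thread and not any vendor's code: two parties that hash the same email address with an unkeyed hash produce the same ID, so their records join into one profile, while a per-party keyed hash does not join. The party names, records, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records (hypothetical parties and events, not real data).
SHOP_EVENTS = [("alice@example.com", "bought headphones"),
               ("bob@example.com", "returned shoes")]
BANK_EVENTS = [(" Alice@Example.com", "loan application"),
               ("carol@example.com", "opened account")]

def normalize(email):
    return email.strip().lower()

def plain_hash(email):
    """Unkeyed SHA-256: every party derives the same ID for the same address."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()

def keyed_hash(email, party_key):
    """HMAC with a per-party secret: IDs differ between parties."""
    return hmac.new(party_key, normalize(email).encode(), hashlib.sha256).hexdigest()

def link(shop_rows, bank_rows):
    """Join two pseudonymised datasets on ID; return IDs seen by both parties."""
    profiles = defaultdict(list)
    for source, rows in (("shop", shop_rows), ("bank", bank_rows)):
        for pid, event in rows:
            profiles[pid].append((source, event))
    return {pid: events for pid, events in profiles.items()
            if len({source for source, _ in events}) > 1}

def linked_with_plain_hash():
    shop = [(plain_hash(e), ev) for e, ev in SHOP_EVENTS]
    bank = [(plain_hash(e), ev) for e, ev in BANK_EVENTS]
    return link(shop, bank)

def linked_with_keyed_hash():
    # Assumption: each party keeps its own secret and never shares it.
    shop = [(keyed_hash(e, b"shop-only-secret"), ev) for e, ev in SHOP_EVENTS]
    bank = [(keyed_hash(e, b"bank-only-secret"), ev) for e, ev in BANK_EVENTS]
    return link(shop, bank)

if __name__ == "__main__":
    for pid, events in linked_with_plain_hash().items():
        print(pid[:12], events)
    print("keyed:", linked_with_keyed_hash())
```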
Keep Current with Wolfie Christl