When the data industry is talking about sharing 'anonymized' profile data:
They do indeed not share email addresses, for example. But they share hashed versions of them, and they all use THE SAME hash function, and can thus still monitor and act on people across the digital world.
Calling this kind of personal data sharing 'anonymized' is corporate misinformation. A whole industry has been built on this lie.
Many still don't understand that.
Also, the question of whether or not you can reverse the hash is irrelevant, if everyone uses the same function.
Of course, hashed IDs can also be based on phone numbers or other data.
There are more complex versions of this, e.g. hashing the hashes, using temporary IDs and later matching them to persistent ones, linking/matching chains of identifiers, using salted hashes for sub-purposes etc.
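Added example, not part of the original thread: two companies that never exchange an email address can still join their records when both apply the same unsalted hash, while a keyed hash under a per-company secret yields tokens that do not match. SHA-256, the lowercase/trim normalization, the sample records and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

def normalize(email: str) -> str:
    # Assumed normalization: trim whitespace and lowercase before hashing.
    return email.strip().lower()

def shared_hash(email: str) -> str:
    # The same unsalted function at every company (SHA-256 is an assumption).
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def keyed_hash(email: str, party_key: bytes) -> str:
    # Contrast: HMAC under a secret that never leaves one company.
    return hmac.new(party_key, normalize(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()

def pseudonymize(records: dict, id_func) -> dict:
    # Replace the email in each record with id_func(email) before "sharing".
    return {id_func(email): attrs for email, attrs in records.items()}

def link(*datasets: dict) -> dict:
    # Keep every ID that occurs in more than one dataset, with all its attributes.
    merged = {}
    for dataset in datasets:
        for pid, attrs in dataset.items():
            merged.setdefault(pid, []).append(attrs)
    return {pid: parts for pid, parts in merged.items() if len(parts) > 1}

# Constructed sample data: the same person is known to two unrelated companies.
HEALTH_SITE = {"Alice@Example.com ": {"read": "health article"},
               "bob@example.com": {"read": "sports article"}}
RETAILER = {"alice@example.com": {"bought": "running shoes"},
            "carol@example.com": {"bought": "headphones"}}

def linked_with_shared_hash() -> dict:
    # No email is exchanged, yet the hash works as a persistent cross-site ID.
    return link(pseudonymize(HEALTH_SITE, shared_hash),
                pseudonymize(RETAILER, shared_hash))

def linked_with_keyed_hash() -> dict:
    # Different secret per company: the same email yields unrelated tokens.
    a = pseudonymize(HEALTH_SITE, lambda e: keyed_hash(e, b"constructed-key-A"))
    b = pseudonymize(RETAILER, lambda e: keyed_hash(e, b"constructed-key-B"))
    return link(a, b)

if __name__ == "__main__":
    print("shared hash, linked profiles:", linked_with_shared_hash())
    print("keyed hash, linked profiles: ", linked_with_keyed_hash())
```

The join never reverses a hash; it only compares tokens for equality, which is why reversibility does not matter here.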
Remember the debate about eBay port scanning visitors?
Turns out this was about ThreatMetrix, a fraud/identity analytics firm. The CIA was an early investor. Now owned by a massive data broker. FB and thousands of other companies are sending data to them. blog.nem.ec/2020/05/24/eba…
ThreatMetrix is owned by LexisNexis Risk Solutions / RELX.
Together, they claim to have data on hundreds of millions of people including names, addresses, phone numbers, email addresses, insurance records, criminal records and data on 4.5 billion devices. relx.com/~/media/Files/…
If you visit 450 pages on 15 major health, education and news sites, 1121 third parties set 891772 cookies. Visiting health sites first maximizes the chance that data brokers can track you across sites.
"This report is best used to get a full picture of the movements of a device through a given time period"
UberMedia, a location data broker who claims to have 6.5 years of historical data on 800 million mobile devices, is selling very specific data access ubermedia.com/wp-content/upl…
So, you can send UberMedia a list of device IDs referring to persons and they return a 'device history report' on the past movements of those persons.
You can also ask them about the device IDs observed at a certain place, and about where those people went before and afterwards.
How do they obtain location data?
From 62 mobile apps that embed UberMedia's data harvesting software, 400 apps that embed data harvesting software operated by other firms, and from 100,000 apps that constantly leak location data while displaying ads.
The UK Competition and Markets Authority's new report on 'online platforms and digital advertising' suggests that large shady platforms should share all kinds of personal data with smaller shady data firms via a linkable personal ID to increase competition.
So, do the @EU_EDPB's new guidelines on consent approve/endorse an interpretation of the GDPR that permits the 'consent to data harvesting or pay' model? Or don't they? edpb.europa.eu/sites/edpb/fil…
If yes, wouldn't this mean that every website, mobile app, shop, streaming platform, ISP, airline, scooter rental firm and makers of TV devices, cars, coffee brewers, loudspeakers, vacuum cleaners, light bulbs and door locks could charge additional € for tracking-free versions?
Yes, personal data processing has additional requirements under the GDPR anyway, but still.
I mean, I'm fine with publishers using an 'ads or pay' model.
I'm not okay with personal data exploitation remaining the default, while a minority is paying a hundred times to avoid it.
3) Everything related to how governments implement them, e.g. making them (de-facto) compulsory
4) Mission creep
The Google/Apple approach *may* largely prevent (1) by governments.
G/A probably still have access to some data. They must amend their ToS with legally binding statements that STRICTLY prohibit them from exploiting any of it. In this case, (1) is perhaps largely resolved.
They used personal data on website visits and app/device usage recorded from unaware users over 6 weeks, including 1.2bn Google/Apple 'Advertising' IDs and pseudonymous IDs stored in cookies, in combination with IPs and timestamps.
In another paper published by a similar team in 2018, also based on comScore data, they additionally included device/browser fingerprints (based on e.g. screen size, user agent) and behavioral fingerprints (apps used and domains of the websites visited): pages.cs.wisc.edu/~pb/kdd18b_fin…
I have LONG suspected that governments buy commercial location data gathered from all kinds of mobile apps, from games to weather, and of course, it's happening.
WSJ reports that DHS, ICE and CBP bought access to data that maps the movements of millions: wsj.com/articles/feder…
According to the WSJ, this data:
- has been used to track immigrants and even to 'help identify immigrants who were later arrested' by DHS+ICE
- comes from a company that seems to be closely related to Gravy Analytics, a major player in digital marketing and mobile advertising
"According to federal spending contracts, a division of DHS ... began buying location data in 2017 from Venntel Inc. of Herndon, Va., a small company that shares several executives and patents with Gravy Analytics"
This is what we observed. It's not about detailed profile data, yet Kochava still receives data about the fact that someone uses the app, when and for how long ('uptime'), plus device metadata, linked to personal identifiers such as Google's 'Advertising ID' and a proprietary ID.
Kochava openly sells data to other companies, for example, they 'deliver' access to 'mobile device IDs and accompanying data elements', including but not limited to data on interests, behaviors and devices: kochava.com/data-marketpla…
I helped with the investigation, led by the Norwegian Consumer Council. It took several months and also involved @thezedwards, technical analysis by security firm Mnemonic and legal expertise by @NOYBeu.
25 orgs in the EU/US are urging authorities to act:
We observed 8 data companies receiving detailed GPS location info, in combination with unique personal IDs, when using the gay/bi dating app Grindr, including MoPub (owned by Twitter), Bucksense, PubNative, OpenX, AdColony, Braze, Smaato and Vungle.
All this data being exposed is only the final stage of the drama. The real scandal is that this company has been selling extensive data on hundreds of millions to anyone already before, largely without their knowledge.
People Data Labs has a page with detailed stats on 'their' database. It includes 91m birth dates, 413m educational records, 783m email addresses, 678m phone numbers, 809m records on work experience, 2,362m names, plus inferred salary, skills, interests etc docs.peopledatalabs.com/docs/stats
The Financial Times reported yesterday on how global health websites pass sensitive data on to third parties. What does this look like in Austria?
I opened the netdoktor.at page on breast cancer. In the background, 26 third parties were informed about my visit.
Leaving Google aside for now, who are these third parties? Mostly companies that collect and trade digital profiles on (hundreds of) millions of people.
BlueKai/Oracle (US), Neustar (US), Weborama (FR) and Cleverdata (RU), for example, are quite clearly data trading firms.
But online advertising firms such as Adform, AppNexus (AT&T), Dataxu (Roku), MediaMath, Pubmatic, Teads (Altice), The Trade Desk, Turn (Singtel), Brightcove and Virtual Minds (majority-owned by ProSiebenSat1) also process extensive data on the majority of the population.
What do airlines such as United and AA, hotel chains such as Hyatt and Marriott, and car rentals such as Hertz and Avis have in common?
They provide data to a firm that says it has traveler profiles on 750 million people, on their searches, purchases, devices, passenger records.
The Adara 'data co-op' states that it collects 'real-time search, purchase and loyalty data from 200+ of the world’s most recognized travel brands', with 'more than 30 data points per traveler profile', all based on personal identifiers.
Adara calculates 'traveler value scores' based on 'customers’ behaviors and needs across the global travel ecosystem, over time', and it provides personalized offers/treatment 'pre-purchase, booking, post-purchase, check-in, in-airport, or in-destination'. adara.com/traveler-intel…