You're being watched.
Someone is behind your screen watching every move you make: taking notes on your interests, spending habits, browsing history, where you go in the real world and anything else they can gather to fully understand who you are. Their file on you is long, detailed, and it's for sale to the highest bidder.
You don't have a stalker – this someone is actually a multibillion-dollar industry, and they're watching everyone.
So who are these surveillants? They're called data brokers.
Data brokers are the reason we've all had the experience of scrolling online and coming across an advertisement so specifically targeted to our interests that it seems almost eerie, if not downright creepy. They profit off gathering your personal information and then packaging and selling it. That data can be purchased by pretty much anyone, including government agencies, such as the Illinois Department of Transportation and the Springfield Police Department.
It probably doesn't surprise you that you're tracked online – a 2019 report from the Pew Research Center shows that 62% of Americans believe they can't get through daily life without corporate and government entities collecting data about them. Notably, that same report suggests only 6% of Americans feel they understand what's being done with their data. The truth is that data brokers know far more about you and do more with that information than you probably know.
How does it work?
Anytime you use the internet, you leave breadcrumbs behind that data brokers collect, aggregate and sell. They scrape the web using tools like online trackers and phone apps to gather your personal information.
Peter Hanna, a recognized expert in the realm of data privacy, is the legal adviser to the Illinois American Civil Liberties Union (ACLU) on privacy and technology. He is also a professor at Chicago-Kent College of Law teaching privacy law.
"When you think about data brokers, what you should be thinking about is an entity that is vacuuming up as much information as possible at all times, using whatever tools are available in its arsenal," explained Hanna. "They then slice up and categorize that data into packages – either linking it to specific people or linking it to categories of people."
These different demographic categories can range from personal activities to life preferences: political preferences, travel preferences, where you do your banking, what sort of products and services you buy – but also demographic information like your age, race, where you live, how much money you make and so on. Lists can get even more targeted, even down to names and addresses of people with certain medical conditions or sexual preferences.
Often, data brokers will claim that this information is anonymous. However, Hanna explained that it can be surprisingly easy to directly link data back to specific people. If data were truly anonymized, it would be impossible to reverse-engineer it back to a specific person. In practice, this de-identified data can often be traced back to an individual by combining it with a few other pieces of data.
How your personal data is used
Data brokering is an extremely lucrative market, generating $200 billion in revenue every year in the U.S. Advertisers use this data to feed consumers with targeted ads.
January Spring is a Denver-based advertising agency that works with businesses nationwide, including Illinois Times. In digital advertising campaigns, they utilize data acquired from third-party brokers, website cookies and geofences, which are basically detectors keeping track of every unique mobile device that comes into a specific area. Walking into a business with a phone in your pocket or purse leaves a digital footprint of where you've been.
"Our goal is to put the right message in front of the right person, at the right time. For example, we can target pet people based on where they shop, the dog parks they visit or the types of content they read online," said January Spring CEO Charity Huff. "That said, we can do that based on publicly available data without identifying individuals."
January Spring emphasizes there are important benefits with this niche-audience approach to digital advertising by way of data collecting: "The benefit to the consumer is that we aren't wasting your time with things you aren't interested in," said marketing coordinator Shannon Livick.
Hanna says that it starts to raise more serious privacy concerns when this data is purchased and utilized by government entities like law enforcement; these agencies are rapidly becoming major buyers. The ACLU has been warning about this for years, citing concerns about the Fourth Amendment.
The Fourth Amendment protects Americans from government intrusions into their reasonable expectation of privacy. However, it does not provide protection from private or commercial intrusions. According to the ACLU, this leaves a loophole for the government to purchase the same information from third parties they could not constitutionally acquire themselves.
"If the government can sidestep or end run completely around the Fourth Amendment just by buying data that would be unconstitutional for them to collect," said Hanna, "our constitutional protections are rendered meaningless."
In the wake of the U.S. Supreme Court overturning Roe v. Wade, anxieties have come to the surface regarding this very issue. U.S. Sen. Dick Durbin, D-Illinois, and U.S. Sen. Tammy Duckworth, D-Illinois, recently signed a letter to the Federal Trade Commission with concerns after an investigative reporter for Vice revealed data broker SafeGraph was selling location data for everyone who visited over 600 Planned Parenthood locations within a week's time for $160 total.
"If I told you that the Springfield police were making a list of everyone that visited an abortion clinic on the border of Illinois and Missouri, that would be scandalous," said Hanna. "That would be a big deal, but they could just go to a data broker and try to buy a list of everyone who has searched or bought abortion-related services or sought information about abortion care with no Fourth Amendment concerns whatsoever. It's really problematic."
Springfield Assistant Police Chief Joshua Stuenkel says that SPD has never purchased any data broker lists, to his knowledge. However, he said SPD does have contracts with TLOxp, a Chicago-based company that compiles information obtained from data brokers to "support and enhance investigations."
"There are some law enforcement agencies that use people-finder sites. We have contracts with companies that assist us with investigations. For example, if I were to type your name in, it would give us as much as they can find open-source on you," said Stuenkel.
TLOxp describes its database service as helping to build a profile on suspects "from basic information like names, phones, emails and addresses to detailed data on employment, aliases, assets, criminal history, bankruptcies and much more." In addition to public documents, the service scrapes social media profiles and web data. TLOxp's website boasts that "in a single search, you can discover more about a subject's digital identity through information not readily accessible via other forms of public records data – helping you gather information and assess risk more effectively."
TLOxp isn't the only third party SPD utilizes for data in their investigative police work. They have other partnerships with companies like Shotspotter and the phone app Neighbors by Ring, which allows department access to Ring doorbell footage residents upload.
Project Safe Neighborhoods encourages residents and businesses to register the locations of their outdoor video surveillance systems with the SPD. When an incident occurs, police will then be able to identify the locations of nearby video cameras and residents will be asked to upload footage via a secure link provided by a third party vendor so that SPD can review it.
The city also entered into contracts last year with Flock Safety to install automated license plate readers in various parts of the city. The motion-activated cameras capture and store data about vehicles for 30 days and allow police to search by vehicle make, color, type, license plate and unique details like roof racks, bumper stickers and more.
Privacy concerns have been raised in Springfield regarding the Flock cameras, including from the Illinois Chapter of the ACLU, but Stuenkel says that these surveillance tools are valuable to residents.
"All this technology, while maybe there are some privacy concerns, is worth it," said Stuenkel. "Just wait for the first time one of these finds a missing kid. If there's an Amber Alert situation where we're able to enter that vehicle and be able to save someone quickly – it's one thing to be able to solve a crime quicker and be more efficient, but if you can save a life... how is that not worth it? Is your privacy driving on a public road in a car that's registered by the government with a license plate you buy from the government worth saving someone's life?"
SPISec is a Springfield group of local cybersecurity experts. Its founder, Michael, has worked in cybersecurity for the last decade and has gone to great lengths to protect his identity and privacy online, which is why he asked to be referenced only by his first name. He has major concerns with increased use of surveillance technology.
"Today it's for safety, but my concern is that we are building the infrastructure that can easily be used for oppression in the future. If you look at what they're doing in surveillance states like China, the technology they are using is really no different than what we have here with Flock Safety, Ring doorbells, the trackers we have on mobile platforms and websites – it's all the same thing. In my mind, there's a huge iceberg of danger with so much power and information out there on individuals that can so easily be tracked and cataloged forever with our technology today," said Michael.
IDOT purchased precise geolocation data of Illinois residents
In a contract that ended last June, the Illinois Department of Transportation (IDOT) purchased access to precise geolocation data from 2018-2019 for over 40% of the state's population – more than 5 million people. The device-specific location data was acquired from Denver-based data broker SafeGraph for just $49,500.
Guy Tridgell, IDOT's director of communications, told Illinois Times the data was purchased to assist in the development of IDOT's first statewide, comprehensive travel demand model, which predicts future travel behavior and traffic patterns to understand the state's transportation needs.
SafeGraph, which was banned from the Google Play Store last year for unethical practices, collected this location data from users of seemingly innocuous apps, like a weather app. The public was made aware that IDOT purchased this data thanks to an investigation by the Electronic Frontier Foundation, a nonprofit digital rights advocacy organization.
The ACLU's Hanna believes the lack of transparency with this data is a huge concern: "This is just one alarming example of many unknown possible examples of the government directly purchasing very sensitive information about state residents," said Hanna. "Every time a government entity buys this type of information, the public should be informed, at minimum. At least then we can be informed and begin to open our eyes to the volume of this sort of data gathering."
Tridgell stressed that IDOT followed federal guidelines in developing the model at all times and that "all personal information was strictly excluded from the data used by the department."
Though the data IDOT acquired was de-identified, Hanna said this shouldn't bring comfort: "If I had your location data for just a couple of days, I could tell you a lot about your life. I could tell you about where you go to school, where you work, who your friends are, if you have a significant other, your parents, your family, if you have a pet, where you shop. You can get a lot of that information with great ease. Geolocation data is so sensitive and important," said Hanna.
Legal protections for personal data
Illinoisans actually enjoy far more protections for their personal data than most of the country, thanks to some first-of-their-kind laws in this realm.
Hanna says there are three key Illinois laws on the books with regard to data protection: the Personal Information Protection Act (PIPA), the Protecting Household Privacy Act (PHPA) and the Biometric Information Privacy Act (BIPA).
The first and most popular Illinois data protection law is PIPA, with a few key components. First, it requires that a company with our personal data on its servers notify us if it's been compromised. PIPA also requires our data to be disposed of when it's no longer needed for ongoing business operations and has security requirements for protection of our personal data to a certain level.
The second law is the PHPA, which went into effect on Jan. 1, 2022, and is the first and only of its kind anywhere in the nation. It expressly limits law enforcement access to household digital device data, like Ring doorbells and Amazon Alexa devices. Prior to the act's passage, law enforcement could simply get this data from a third-party company, like Amazon, without needing a warrant.
"The PHPA says that if the police want to get information from internet-connected devices in the home, they need a warrant – plain and simple. It recognizes that we have a reasonable expectation of privacy inside the home, regardless if it is a piece of paper or an electronic record like a digital recording," Hanna explained.
The final core legislation is the reason many Illinoisans received a few hundred dollars from a Facebook and Clearview AI settlement earlier this year. BIPA protects our biometric data, or the measurements of physiological characteristics that can be used to identify an individual.
"One of the most important privacy laws in the country is BIPA, which states that any entity that wants to collect biometric information from Illinois residents has to get written consent first. The reason it's so important is because you can't change your biometric identifiers – you can't change your iris, fingerprint, voiceprint or the scan of your hand. So, we want to be sure that if someone is taking that information from you, you are giving it to them with informed and explicit consent," said Hanna.
Outside of these three main areas, regulations on collecting and selling data don't go much farther in Illinois. Currently, there is no comprehensive federal data protection law, either.
American Data Privacy Protection Act
U.S. Rep. Jan Schakowsky, D-Chicago, is the chair of the Consumer Protection and Commerce Subcommittee, which deals with data privacy issues. She has introduced in the House the American Data Privacy Protection Act, which, if passed, would provide the most protections for consumers from data brokers to date.
"This legislation will finally offer consumers some safety and privacy online, because we know the vast majority of Americans are feeling absolutely helpless when it comes to controlling their own data," Schakowsky told Illinois Times.
Highlights of the ADPPA include protections for minors, a data broker registry and, perhaps most notably, a mechanism for consumers to opt out of data collection and requirements for affirmative consent before collecting sensitive data like geolocation, genetic and biometric information and browsing histories.
"The idea is to put the power back in the consumer's hand," said Schakowsky. "Under this law, all data brokers will be required to register with the Federal Trade Commission. Consumers will then be able to skirt this database and have their data permanently deleted by data brokers. The FTC would set up a central mechanism for consumers to have their data deleted everywhere at once. I think that is an option a lot of consumers will take," she said.
Some groups, including the ACLU, have raised concerns about the ADPPA's ability to hold companies accountable while lacking a strong private right-of-action, which allows private citizens to bring a lawsuit against a company for breaking the law. Schakowsky says she agrees with those concerns, but ultimately the bill "was a very delicate negotiation with all stakeholders."
"There are some concerns, but to get bipartisan support for a very strong data privacy bill was to delay actual action on private right-of-action for four years. It isn't something that I love, but to get the votes to pass the bill, that is what we needed to do," said Schakowsky.
The ADPPA is one of only a few privacy bills to even be considered on Capitol Hill, largely because lobbying by the data broker industry rivals that of Facebook and Google. Additionally, many politicians now rely on information on voters from data brokers in political campaigns.
Schakowsky hopes to see the bill voted on in the House before the August recess, but in the meantime, those interested in protecting their data may need to take matters into their own hands.
How to protect your data
There are steps individuals can take to protect their data, such as using a virtual private network (VPN), secure web browsers and reading privacy policies. If you have an iPhone, you can go to your privacy menu and turn off "allow apps to request to track you."
Most people are familiar with cookies, which allow websites to remember you. Data brokers use third-party cookies, which plant a bit of code in your browser that allows these companies to track your activity across the web. Hanna suggests paying attention to your cookie settings: "Instead of having settings set to opt out, have it set to opt in. That way, whatever cookies you accept are cookies you are aware of from trusted services."
There are more advanced options out there as well, but Hanna says at the end of the day, citizens must hold lawmakers accountable: "Unfortunately, many people don't have all the technical know-how necessary to adequately protect their personal data from misuse. Most people have to rely on personal data protections in the law, so people need to be informed advocates for themselves and their privacy rights to make sure the law meets their needs," said Hanna.
However, SPISec founder Michael thinks average citizens don't fully comprehend the problem because it happens in the shadows: "If someone tells you they don't care about privacy, ask them to unlock their phone and let you look through it. People really do care about privacy, but I don't think society recognizes what's going on. We think it's OK because it's commercially done and we get some free benefit out of it usually, but it just leaves that dangerous door open for abuse," said Michael.
"For me, because I'm so deep into technology, I can see the writing on the wall. At some point, there will be a privacy meltdown. Then it will make more sense in people's eyes that they don't want every aspect of their life to be tracked and surveilled forever, but that just hasn't happened yet."
Annie Fulgenzi is a Springfield-area native and student at Southern Illinois University Edwardsville, majoring in mass communications and political science. She is completing a summer internship at Illinois Times.