Data Brokers Know Where You Are—and Want to Sell That Intel

At the end of July, a Catholic priest resigned from the church, after Catholic news site The Pillar outed him by purchasing location data from a data broker on his usage of Grindr. The incident didn’t just illustrate how people can wield Grindr data against members of the LGBTQ community. It also highlighted the dangers of the large, shadowy, and unregulated data brokerage industry selling Americans’ real-time locations to the highest bidder.

In a new report for the Cyber Policy Program at Duke University’s Sanford School of Public Policy, I surveyed 10 major data brokers and the sensitive data they advertise. They openly and explicitly promulgate data on individuals’ demographic characteristics (from race to gender to income level) and political preferences and beliefs (including support for the NAACP, ACLU, Planned Parenthood, and the National LGBTQ Task Force), and on current US government and military personnel. Several of these firms also market another disturbing product: Americans’ geo-locations.

Acxiom, one of the largest brokers with data on billions of people worldwide, advertises “location-based device data” on individuals. Need to know if someone has visited a location multiple times in the past 30 days, like a church, their therapist’s office, or their ex’s house? They’ve got you covered, according to a company marketing document. What about other insights based on individuals’ locations? Check out data from marketing firm NinthDecimal, according to a 2018 fact sheet, an Acxiom “partner” that provides “mobile device location and location context insights.” Military personnel, Acxiom says, can be located too: It offers “verification and location of military servicemen (deployed but missing from base)” as part of commercial work for credit card issuers and retail banks.

LexisNexis, another behemoth, advertises the ability to “determine a person’s current whereabouts” using recent driver license records. Experian outright advertises mobile location data. Oracle, which took a notable turn toward data brokerage in the past decade, advertises marketing services based on a user’s real-time location. In 2019, Oracle partnered with location data provider Bluedot (one of many such partners), who claimed that its data would provide a twentyfold improvement in pinpointing an individual’s location. Among other factors, Bluedot claimed to track the number of times an individual visited a location and how long they were there. A few years earlier, Oracle added PlaceIQ to its data marketplace, a company which then had data “from 475 million location points, 100 million unique users, and more than 10 billion daily location-enabled device movements.”

Then, of course, there are people-search or “white pages” sites, which allow internet users to search for data on anyone by entering their name. Scraping property records, tax filings, voting records, and more, these data brokers aggregate government and other publicly available documents and make them publicly searchable, for a small fee or at no cost whatsoever. While they don’t advertise individuals’ real-time geo-locations, they do provide relatively up-to-date information on where people live.

Perhaps none of this is surprising—data breach after data privacy scandal have spotlighted just how intimately private companies track Americans’ daily lives. However much these companies wish to normalize their surveillance, down to the exact sidewalk you stand on or restaurant you sit in, we can’t forget that data brokers selling this location data threaten civil rights, national security, and democracy.

On the civil rights front, federal agencies from the FBI to US Immigration and Customs Enforcement purchase data from data brokers—without warrants, public disclosures, or robust oversight—to carry out everything from criminal investigations to deportations. In doing so, data brokers circumvent limits on companies directly handing data to law enforcement (e.g., a cellular company can sell user data to a data broker which can then sell the data to the FBI). The federal government agencies using the data may then also circumvent a variety of legal restrictions in place around searches and seizures as well as federal controls which aren’t applied to “open source” or “commercially obtained” data, even if the data is on US individuals.

In this context, real-time location data presents a real opportunity for abuse, particularly where law enforcement is conducting operations against individuals or groups from historically marginalized communities. In August 2020, four members of Congress penned a letter to the firm Mobilewalla for just this reason, after the company advertised that it identified characteristics of Black Lives Matter protesters using their phone location data.

Private companies buy such data all the time, and it’s likely all too tempting to hoover information to discriminately target ads: tracking an unwitting American as they leave a police station, an abortion clinic, or the office of a cash lender, for example. Individuals also use this kind of information to discriminate against others. The Pillar’s outing of a priest is hardly the first and won't be the last time an individual’s real-time location data will be acquired by a third party intent on inflicting harm. Research from my colleagues at Duke’s Cyber Policy and Gender Violence Initiative has identified numerous ways in which abusive individuals can use people-search websites to obtain data broker data for stalking, harassment, and physical violence against intimate partners—violence which is overwhelmingly directed at women and members of the LGBTQ community. Anyone with the means to buy this data could similarly obtain location data on activists, political organizers, and other people for violent or harmful ends.

On top of all this, foreign intelligence or security organizations could buy up data broker data, with virtually no restrictions, to conduct intelligence operations or identify the real-time locations of diplomats, government, or military personnel. (Think of how FitBit data exposed the real-time locations of service members on military bases—except where a foreign organization can buy the data, legally, directly from an American data broker.) All of this harms national security, as companies aggregate and sell highly sensitive data on US individuals with no public visibility into what kind of vetting, if any, is done of potential buyers.

The only way to mitigate these companies’ threat to democracy—through their extraordinary and unchecked surveillance power—is regulation. Congress must integrate the data brokerage ecosystem into a strong federal privacy law, restricting the constant buying and selling of Americans’ sensitive data. It must also consider giving the executive branch export control authorities to limit the sale of this kind of sensitive data to certain foreign entities, and it must consider giving the Federal Trade Commission greater authority to investigate data brokers’ many unfair and exploitative practices. While the country waits for that full-force policy response, meanwhile, Americans’ real-time locations are up for sale on the open market.

WIRED Opinion publishes articles by outside contributors representing a wide range of viewpoints. Read more opinions here, and see our submission guidelines here. Submit an op-ed at opinion@wired.com.