Jun 4, 2013

Developing IoT Privacy as a Value Proposition

Companies offering services based on connected devices will increasingly have access to significant amounts of highly granular data about consumers and their connected devices. This trend is heightening privacy-related concerns about the way that such data might be used and the potential for consumers to be harmed.

The U.S. Federal Trade Commission’s recently launched an inquiry into privacy and security implications of the Internet of Things. In the commentary below, I outline my views of the key issues from a business perspective. One key consideration is to demonstrate the economic value that companies are currently capturing by combining consumer data from multiple sources.

I also highlight the fact that there will be beneficial as well as harmful uses of private data. While consumers should be protected against harmful scenarios, policy makers and business organizations that have an interest in the long-term viability of the IoT market also need to ensure that consumers are not ruthlessly exploited under apparently beneficial situations. Through this perspective, concepts of trust and stewardship related to the use of private data can be developed into new and appealing value propositions.

Privacy Implications of the Internet of Things
Submission to the U.S. Federal Trade Commission (http://www.ftc.gov/opa/2013/04/internetthings.shtm)

Historically, the term ‘Internet of Things’ (IoT) has been linked with the application of RFID[1] technologies. RFID tags have long been used to track manufactured goods in supply chains and to manage stock inventories, for example.

Nowadays, the IoT term is used more broadly and belongs to a family of terms that include M2M, connected devices, Internet of People and Internet of Everything. Collectively, these terms encompass a wide variety of connected industrial and consumer devices that employ different forms of wired- and wireless technologies to transmit electronic data.

Affordable connectivity has significant improved prospects for the IoT

Connectivity has increased the range of sources and also the amount of data available for new service concepts. Now, data can be used to monitor and model the behaviors of machines and individuals. Such models act as a stepping stone to the implementation of predictive analytics. In the case of connected machines, for example, it is possible to forecast when a machine might be on the verge failing so that timely maintenance can be scheduled. Similarly, inventory data from vending machines can be used to organize replenishment schedules and even to fine-tune each vending machine’s product mix based on local patterns of consumption. A third example is where consumers are targeted with promotional sales offers based on demographic, behavioral and location data derived from mobile phones and other connected devices.

The increased availability of data, collected at frequent and regular intervals, also lends itself to time series analysis as well as closed-loop business strategies. While closed-loop control is a well-established discipline for industrial control systems its application in the consumer arena is gradually starting to take hold. This has been made possible by the advent of remotely connected devices, new functionality due to higher performing microprocessors in connected devices, and ease of control through Smartphone and Tablet interfaces.

The mobile industry has had a significant influence in the resurgence of IoT. The following three characteristics stand out:

  • consumer ease-of-use which has led to a wider acceptance of connectivity technologies across virtually all demographic groups,

  • economies of scale which have fostered affordable products and services across the income spectrum,

  • and, ubiquity of coverage which has increased the degree of reliance businesses and consumers place on communications and information services.
These trends have helped to propel the IoT market by building on the momentum around M2M (machine to machine, primarily for industrial applications) and Connected Devices (primarily involving consumer electronics types of device for entertainment, personal wellness monitoring, home automation etc.).

The IoT market has also gained impetus from advances in the capabilities and increasingly affordable price-points of short-range wireless technologies such as Bluetooth, Wi-Fi and ZigBee.

New business roles will emerge in the IoT eco-system and value-chain

Several entities are involved in delivering a connected device service to end-users through the following type of value chain.

Figure 1: Simplified representation of M2M value chain

The organizations involved in this value chain are wireless module technology and wide-area connectivity providers. These two entities allow a device provider, such as a vehicle, vending machine or health-sensor manufacturer, to create a connected device. The connected device provider, or some other entity, then creates and supports an application based on the connected device to deliver a service to an end-user.

In practice, the illustrative value chain above varies from one application to another for a variety of reasons related to application specific requirements, distribution channel models and the size of the total addressable market. As a result, M2M and Connected Devices markets tend to exist as silo or single-application markets. For example, a fleet telematics application could be provided by an applications developer on behalf a road haulage operator seeking to track its vehicles and to optimize its route network. This solution and value chain would not necessarily be the same in another enterprise sector or a consumer applications example.

In the case of IoT applications the service permutations are considerably greater and the value-chain correspondingly more complex. This is because IoT service applications make use of data from multiple sensors and connected devices that may initially have been deployed for separate and unrelated purposes.

To illustrate this point, the following illustration shows the case of a set of services delivered in a home. These services – home automation, smart metering and assisted living – would each be deployed for a specific application purpose by businesses in three separate value chains. The ability to combine data across the three vertical services in this example could result in a higher quality of services (through improved information integrity) as well as new service opportunities (e.g. home security, wellness monitoring)

Figure 2: IoT value chains will create opportunities for new service and data providers

In contrast to the M2M value chain, the emerging IoT service delivery model will create new entry points in between component value chains. Typically, there will be new roles for organizations that aggregate end-user and sensor data from connected devices that belong to or are associated with individuals.

Such organizations will operate across horizontal layers along different application specific value chains. This will be simplified if data gathering and reporting capabilities are designed into modules, connectivity management platforms, and devices by default. Two examples illustrate how this might occur at different points in the value chain.

  1. In-the-Middle (ITM) IoT data brokerage – at the network connectivity layer, tracking of a driver’s mobile phone and other in-vehicle connected devices (navigation device, vehicle telematics device etc.) can be used to measure traffic patterns and route congestion. This data can be monetized in traffic alert and route optimization services.
  2. Over-the-top (OTT) IoT data brokerage – this example applies at the end-user layer in the service value chain. Here, data from credit cards, smart payment cards and mobile wallets can be analyzed for purchase information and used to inform consumers about location specific prices for fuel and other consumables. 

These examples illustrate the types of opportunity that will emerge for new organizations in the value chain to collect, aggregate and distribute customer data.

In some situations users will grant permission to an entity to gather data on their behalf. This opens up the possibility for data managers to operate as data repositories and guardians of an individual’s data.

More data means more value 

The economic rationale for combining data from multiple silos is powerfully illustrated by a product briefing from Acxiom [2]. Specifically, Acxiom illustrates the performance improvement from untargeted marketing to three single-strategy approaches – contextual targeting, demographic targeting and behavioral targeting.

Figure 3: Combining data from multiple sources significantly improves performance

Crucially, none of the individual strategies comes close to matching the performance of a multivariate approach.

When applied to an IoT scenario, the key insight from this example is akin to combining data across several single-purpose applications. The value that is created provides the basis for cross-application data brokers to emerge in the IoT eco-system.

Businesses, consumers and public-sector agencies will all benefit from IoT data sharing

Acxiom’s experience is indicative of the many business benefits for IoT service providers from new data sources. In the case of consumers, there will be benefits in terms of new services. More data should also allow for a higher quality of individually tailored services.

Consumers as a group also stand to gain from wider societal benefits through services provided by public-sector agencies. This is possible when IoT data combinations are used to improve transport management for example. Specifically, sensor data from private vehicles, public modes of transport, roadway infrastructure (traffic lights, CCTV, environmental sensors, tool gates etc.) can be used to reduce transport congestion, to alert individuals with allergy and respiratory conditions, to help travelers to optimize their route and journey times. However, for this vision to be attainable, public sector agencies and individuals will have to be willing to share data about themselves and their connected devices.

Although by no means universal, there is at present a degree of consumer acceptance about the principle of sharing personal data. This is typically associated with sharing data in exchange for personal email (Google, Yahoo etc.), productivity and social networking tools that are provided at no monetary cost.

Consumers are also prepared to share data for services as in the case of shopping recommendations (Amazon and other e-tailers), advertising (retailer loyalty scheme or location-based) and professional networking (LinkedIn).

A common feature of all these ‘free service’ models is that consumers have no means to quantify the value of the data they are sharing. Their terms of trade are therefore opaque and not necessarily to their advantage. Contrast this to usage-based auto-insurance services, for example. Here, individual drivers choose to disclose defined attributes about their driving behaviors in exchange for quantifiable reductions in their insurance charges.

As the IoT market develops, the data shared by individuals, intentionally or inadvertently, will become more valuable. This is a direct consequence of the combinatorial power to generate better and more accurate personal insights from larger quantities of more granular measurements. However, the manner in which the value of IoT data will be shared more likely to favor the collectors - businesses and public authorities – over the providers in the form of individual consumers and their connected devices. Privacy principles are a means of ensuring that consumers are not placed at a competitive disadvantage while generating a framework of trust to encourage their longer term participation in valuable IoT services.

Privacy principles for the IoT future 

Principles of privacy need to acknowledge the spectrum of consumer willingness to bargain away the data relating to themselves, the connected devices they own and third-party devices that they use. While the exposure of such data poses unknown risks with potentially harmful consequences it is equally important to acknowledge that there will also be benefits from service innovation.

The range of possibilities can be simplified into four scenarios as tabulated below which describes beneficial and harmful outcomes that may affect an individual either directly or indirectly.
Submission to FTC - Privacy Implications of the Internet of Things


In this case, an individual’s data is used to provide a new service or to improve the quality of a service. The commercial basis may comprise a trade involving personal data for services provided. Within this scenario, it is also conceivable that an individual supplies data for direct, monetary gain e.g. by participating in a survey panel
Unauthorized use of data about an individual could be directly harmful and lead to an outcome such as identity theft. In terms of personal, connected devices tampering with a connected device could disable a home or car security system as a precursor to theft, for example

This situation corresponds to societal services in areas such as public health care, public transport systems and management of the environment. In this case, data for a population of inhabitants is used in aggregate form to improve the provision of health services (similar to the prediction of flu by analyzing search patterns on Google) or to improve transport efficiency, for example
This scenario applies to situations where a business offers a service to a consumer on the basis of third-party data about the consumer. The potential for a harmful outcome arises if the third-party data is false or inaccurate. Taken out of context such data could adversely affect the reputation of an individual. An illustration of this is data that jeopardizes an individual’s credit score or incorrectly characterizes an individual’s tastes or preferences.

Data privacy principles can alleviate concerns with the outcomes highlighted in these different scenarios.

  • As the industry for IoT data matures, there should be an established set of principles and clarity about data ownership as well as the terms of trade that underpin the exchange of data, whether this is for services or monetary reward. Mechanisms to value data, similar to the principles that apply to frequent flyer and member rewards schemes, will help businesses and consumers to quantify their terms of trade. Such a development could be triggered if businesses and regulators determine that data records and profiles need to be valued and reported in company financial statements.

  • In the case of indirectly beneficial data sharing, consumer trust will depend on transparency of data appropriation. In other words, the users of aggregated and anonymized data must be able to demonstrate that adequate safeguards are being applied in all aspects of the gathering, analytical and intervention processes surrounding public-good initiatives.

  • In all scenarios, and especially the ones relating to harmful outcomes, individuals should have a right to data accountability. This would allow an individual to query a particular action from a service provider. For example, if an individual’s credit score is lowered that individual should be able to find out the basis for this. Data accountability also applies in beneficial scenarios. If an individual receives a coupon to purchase a given product or service, it should be possible to query the logic for receiving the offer. Was the offer made on the basis of the individual’s travel patterns, usage behavior as measured by a connected device or by because of being classified into a certain group due to ownership of particular connected devices? This type of “track-back” capability is technically feasible as it lends itself to the rule- and classification-based approaches that are commonly employed in analyzing IoT data.
The goal of these principles is to empower users about the value of their data and to encourage their contribution of personal data to new IoT services. They form a basis for trust which should lead to a greater level of participation in the IoT economy.

The process of institutionalizing privacy principles will entail a significant effort in educating consumers and businesses about the benefits of IoT services, attendant risks and measures to protect their privacy rights and reputations.

The cost and complexity of implementing these privacy principles are not to be underestimated. Service providers in the IoT eco-system will need to deal with issues such as operational scale, granularity of data for accountability and monetization purposes, and jurisdictional obligations.

Privacy principles should nevertheless be viewed as a necessary investment to promote a well-functioning and trusted market. Such an approach will lower the incidence of companies “experimenting first and asking for forgiveness later” as this threatens the long term prospects and credibility of a highly promising sector. Rogue practices should not be allowed to ruin the benefits attainable by a responsible majority.

In conclusion, concrete action to promote privacy in the IoT market needs to take the form of:
  • Consumer education initiatives about responsible management of personal data and associated measures of value.

  • Development of industry guidelines about data ownership, data appropriation and data accountability.

  • Promotion of privacy best practices for data management by businesses and public-sector agencies potentially involving the creation of a privacy-standards related brand or trademark

[1] RFID (radio-frequency identification) involves the use of tags that contain electronically stored information. These tags are used to transfer data using a non-contact, wireless approach for the purposes of automatically identifying and tracking tags attached to objects.

[2] Acxiom is a US based customer data analytics company that provides business and market intelligence services. It claims to have a base of about 500m active consumer profiles.


  1. 13 Nov 2016 Update

    Telefónica to create personal data bank for customers, expose “unfair” apps

    Telefónica is to create a personal data bank for each of its 350 million customers to store, manage and sell their own data.

    The Spain-based operator said it wanted to give customers back control of the data they generate on its networks.

    A simple traffic-light tool will expose how third party internet applications and services propose to use data, while customers will be able to choose to cash-in personal data by selling it to third parties, and to port their private data stores to other network operators should they choose to switch providers.


  2. 14 Mar 2017 update

    Some more news about Telefonica's Aura service


  3. 18 Sep 2017 update

    Financial Times article (Big Tech makes vast gains at our expense) on the value of data and need to provide consumers with tools to understand what trades they are making in the case of 'free' services.


  4. 16 Oct 2017 update

    Privacy is a competitive advantage - Technology companies may have to say whether they are data peddlers or data stewards


  5. 20 Dec 2017 update

    Preliminary assessment in Facebook proceeding: Facebook's collection and use of data from third-party sources is abusive.

    Germany's Bundeskartellamt (Federal Cartel Office) has informed the company Facebook in writing of its preliminary legal assessment in the abuse of dominance proceeding which the authority is conducting against Facebook.


  6. 5 March 2018 update

    FTC Testifies on Data Brokers Before Senate Committee on Commerce, Science and Transportation


  7. 21 Mar 2018 update

    One of the aims of the EU's D-CENT project: Own your data - to say no to surveillance and give back citizens control and ownership of data


  8. 5 April 2018

    On the topic of a "framework of rights" for personal data.


  9. 9 April 2018 update

    Link to FTC web site comments from 2013 proceeding


  10. 8 June 2018 update

    Beginning with Vermont and the EU's GDPR, new laws are emerging to improve transparency in the data broker industry.


  11. 21 June 2018 update

    The very public investigations by Senator Ron Wyden of Oregan have seemingly forced US telcos to back out of location-sharing partnerships with data brokers as privacy policies of the world’s largest companies continues to be questioned.

    The practice itself surrounds the selling of geo-location data from the telcos customers onto third parties, who in turn aggregate the data before reselling onto other organizations. While the concept of selling personal data, whether it is location, interests or professional information, is relatively common throughout the digital economy, the cloak and dagger means of conducting business here is starting to face greater levels of scrutiny.


  12. 3 August update

    New report from the UK's NESTA about Project DECODE in the context of Smart Cities

    But unlike, say, open data, personal data generates tensions that can be difficult to reconcile. While personal data needs to be shared, aggregated and analysed to provide value, there are considerable risks to sharing it too. These include data falling into the wrong hands, or revealing more about us than we are comfortable with. DECODE responds to this challenge by creating tools that allow people to set fine-grained terms of use for data, flipping the current terms and conditions model on its head. By giving users the confidence that the data they share will only be used by the people they intended it to, DECODE aims to enable a whole ecosystem of value to be built on top of this data, which the project calls the ‘data commons’.


  13. 27 Oct 2018 update

    How smartphone apps track users and share data

    “De-anonymisation”, the practice of linking data to a user, is prohibited by the EU’s General Data Protection Regulation.

    But Frederike Kaltheuner, head of the data exploitation practice at campaign group Privacy International, said an industry of data brokers such as Acxiom operate in a legal grey area, offering services to link data together, matching offline data such as spending with online data from smartphones. “In practice we know it’s very easy to link data back together,” she said.


  14. 9 Jan 2019 update

    Useful discussion about new issues and players in the data brokerage industry, in light of new data sources (e.g. IoT, personal mobile devices etc.) and GDPR.

    Data brokers: regulators try to rein in the ‘privacy deathstars’

    https://www.ft.com/content/f1590694-fe68-11e8-aebf-99e208d3e521 (paywall)

  15. 14 Jan 2019 update

    Data-brokers co-opetition


  16. 17 Jan 2019 update

    Apple Inc. Chief Executive Officer Tim Cook called on the Federal Trade Commission to track data brokers and monitor how they use people’s digital information, the latest privacy push by the iPhone maker.


  17. 13 February 2019 update

    California data dividend sounds nice but shows digital economy ignorance

    In his ‘State of the State’ speech this week, California Governor Gavin Newsom proposed a new ‘data dividend’ which would see internet players who monetise user’s personal information have to pay those users for the privilege.


  18. 16 Feb 2019 update

    The Wired Guide to Your Personal Data (and Who Is Using It)


  19. 8 April 2019 update

    Big Tech must pay for access to America’s ‘digital oil’. In an era of data harvesting big web platforms are the new Saudi Aramco or ExxonMobil


  20. 25 April 2019 update

    Useful development, from Finland, in relation to transparency of processing personal data.

    Two cases concerning Svea Ekonomi, a financial credit company, have been processed at the Office of the Data Protection Ombudsman. As a result, the Data Protection Ombudsman has ordered the company to correct its practices in the processing of personal data related to the assessment of creditworthiness, the right of inspect one’s own personal data and notification practices.


  21. 20 May 2019 update

    Return on Data

    Consumers routinely supply personal data to technology companies in exchange for services. Yet, the relationship between the utility (U) consumers gain and the data (D) they supply -- "return on data" (ROD) -- remains largely unexplored. Expressed as a ratio, ROD = U / D.

    While lawmakers strongly advocate protecting consumer privacy, they tend to overlook ROD. Are the benefits of the services enjoyed by consumers, such as social networking and predictive search, commensurate with the value of the data extracted from them?

    How can consumers compare competing data-for-services deals?


  22. 23 May 2019 update

    Keeping track of personal user data is challenging

    Europe’s lead data watchdog opens Google GDPR investigation

    DoubleClick/Authorized Buyers advertising system is active on 8.4 million websites, allowing the search giant to track users as they scour the web. This information is then broadcast to more than 2,000 companies who bid on the traffic to deliver more targeted and personalised ads.

    This information can potentially be incredibly personal. Google has various different categories which internet users are neatly filed into, including ‘eating disorders’, ‘left-wing politics’, ‘Judaism’ and ‘male impotence’. The companies bidding on this data will also have access to geo-location information and the type of device which the user is on.

    Under Article 5 (1)(f) of the GDPR, companies are only permitted to process personal information if it is tightly controlled. Brave suggests Google has no control over the data once it is broadcast and is therefore violating GDPR.


  23. 24 June 2019 update

    US Senators want public disclosures on the value of personal data

    Senators Mark Warner and Josh Hawley are reportedly readying themselves to introduce the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data Act, or DASHBOARD for short. This bill will attempt to force companies into disclosing the financial value of the data which they collect, analyse and action, to the SEC once a quarter.

    Facebook is a company which directly monetizes user data, suggesting it is worth in the region of $20 a month per user.


  24. 18 July 2019

    Markets for Information

    We survey a recent and growing literature on markets for information. We offer a comprehensive view of information markets through an integrated model of consumers, information intermediaries, and firms. The model embeds a large set of applications ranging from sponsored search advertising to credit scores to information sharing among competitors. We then review a mechanism design approach to selling information in greater detail. We distinguish between ex ante sales of information (the buyer acquires an information structure) and ex post sales (the buyer pays for specific realizations). We relate this distinction to the different products that brokers, advertisers, and publishers use to trade consumer information online. We discuss the endogenous limits to the trade of information that derive from its potential adverse use for consumers. Finally we revisit the role of recommender systems and artificial intelligence systems as markets for indirect information.


  25. 29 October 2019 update

    Extract from "Opinion of the Data Ethics Commission" in Germany

    Data are often generated with contributions from different parties who are acting in different roles – be it as the data subject, be it as the owner of a data-generating device or be it in yet another role. In the opinion of the Data Ethics Commission such contributions to the generation of data should not lead to exclusive ownership rights in data, but rather to data-specific rights of co- determination and participation, which in turn may lead to corresponding obligations on the part of other parties. The extent to which an individual should be entitled to data rights of this kind, and the shape they should take, depends on the following general factors:

    a) the nature and scope of that party’s contribution to data generation,

    b) the weight of that party’s legitimate interest in being granted the data right,

    c) the weight of any possibly conflicting interests on the part of the other party or of third parties, taking into account any potential compensation arrangements (e. g. protective measures, remuneration),

    d) the interests of the general public, and

    e) the balance of power between the parties involved.


  26. 30 April 2020 update

    The value of personal data can also be estimated through
    contingent valuation. The figures this generates depends
    on the question asked. For example, a survey of American
    consumers showed they would be willing to pay $5/month to
    use a privacy-preserving service, but would charge $80/month
    to allow access to personal data.5 Consumers say they would
    need to be compensated by about $48 to give up Facebook
    for a month.

    Other values for personal data can be derived from the profits
    of companies that rely on it. In 2018, Facebook generated
    about $10/year income per active daily user.7 On the dark
    web, login details can fetch between £1 and £280.8
    issued by data protection authorities give figures that
    are skewed by legal limits on fines:
    � The US Federal Trade Commission fined Equifax $575m
    – $4 per person – for its 2019 data breach; people
    affected could also claim up to $20k in compensation.9
    � The UK Information Commissioner’s Office fined Facebook
    £500k in 2018 (the maximum allowable fine at the time)
    for allowing access to data: 0.6p per person affected.10

    Regardless of these figures, privacy is a human right and
    many argue it should not be negotiable.


  27. 30 April 2020

    Understanding "mydata" operators


  28. 20 May 2020

    Data Broker Co-opetition

    Data brokers collect, manage, and sell customer data. We propose a simple model, in which data brokers sell data to downstream firms. We characterise the optimal strategy of data brokers and highlight the role played by the data structure for co-opetition. If data are “sub-additive”, with the combined value lower than the sum of the values of the two datasets, data brokers share data and sell them jointly. When data are “additive” or “supra- additive”, with the combined value
    equal to or greater than the sum of the two datasets, data brokers compete. Results are robust to several extensions.


  29. 1 July 2020 update

    Privacy is not the problem with the Apple-Google contact-tracing app

    In all the global crises, pandemics and social upheavals that may yet come, those in control of the computers, not those with the largest datasets, have the best visibility and the best – and perhaps the scariest — ability to change the world.

    Law should be puncturing and distributing this power, and giving it to individuals, communities and, with appropriate and improved human-rights protections, to governments. To do so, we need new digital rights. Data protection and privacy laws are easily dodged or circumvented by technical assurances of confidentiality: we need something more ambitious to escape the giants’ walled gardens.


  30. 9 Nov 2020 update

    Inrupt’s Solid (social linked data) technology, developed by Sir Tim and a team of computer scientists at the Massachusetts Institute of Technology, empowers users to create their own Pods (personal online data stores). This enables them to control their own data and grant access to third-party apps at their discretion. 

    Via Fiancial Times - https://www.ft.com/content/01480644-3ca3-486e-907d-4abf8aac1719

  31. 23 Jan 2021 update

    Emerging models of data governance in the age of datafication

    The article examines four models of data governance emerging in the current platform society. While major attention is currently given to the dominant model of corporate platforms collecting and economically exploiting massive amounts of personal data, other actors, such as small businesses, public bodies and civic society, take also part in data governance.

    The article sheds light on four models emerging from the practices of these actors: data sharing pools, data cooperatives, public data trusts and personal data sovereignty. We propose a social science-informed conceptualisation of data governance. Drawing from the notion of data infrastructure we identify the models as a function of the stakeholders’ roles, their interrelationships, articulations of value, and governance principles. Addressing the politics of data, we considered the actors’ competitive struggles for governing data. This conceptualisation brings to the forefront the power relations and multifaceted economic and social interactions within data governance models emerging in an environment mainly dominated by corporate actors. These models highlight that civic society and public bodies are key actors for democratising data governance and redistributing value produced through data. Through the discussion of the models, their underpinning principles and limitations, the article wishes to inform future investigations of sociotechnical imaginaries for the governance of data, particularly now that the policy debate around data governance is very active in Europe.

    Four Models identified:
    i) Data sharing pools
    ii) Data cooperatives
    iii) Public data trusts
    iv) Personal data sovereignty


  32. 10 Dec 2021 update

    One way that Medicare Advantage plans find those who might need help is by secretly analyzing members’ detailed information ranging from their credit scores and shopping habits to how often they vote.

    One leading vendor, Carrot Health, sells analytics that contain “up to 5,000 individually certified variables for every adult in America.” These are said to be based on “clinical, social, economic, behavioral and environmental data” from more than 80 sources.


  33. 23 August 2022 update

    Oracle’s 5bn-consumer identity graph ‘violates privacy of billions’: Dr Johnny Ryan, privacy campaigners say in new lawsuit

    Oracle is in the crosshairs of global privacy advocates, with a trio of powerful campaigners – including the Irish Council for Civil Liberties’ Dr Johnny Ryan – filing a class action lawsuit in California alleging violations of privacy on behalf of all internet users. Oracle has “hidden dossiers” on 5 billion people, the lawsuit says, and coordinates a global trade of data through its Data Marketplace.


  34. 1 September 2022 update

    Tech tool offers police ‘mass surveillance on a budget’

    (The tool) ... relies on advertising identification numbers, which Fog officials say are culled from popular cellphone apps such as Waze, Starbucks and hundreds of others that target ads based on a person’s movements and interests, according to police emails. That information is then sold to companies like Fog.

    What distinguishes Fog Reveal from other cellphone location technologies used by police is that it follows the devices through their advertising IDs, unique numbers assigned to each device. These numbers do not contain the name of the phone’s user, but can be traced to homes and workplaces to help police establish pattern-of-life analyses.


  35. 20 January 2024 update

    We’re only a few weeks into 2024, and violations of people’s privacy are already making some big headlines! First we had the continued drama with the 23andMe data breach; then a major financial software company was shut down for inappropriately using private information; and then this week, the FTC took an unprecedented step and banned a data broker from selling people’s location data.


    So on Tuesday, the FTC announced that it was banning Outlogic, formerly X-Mode Social, from sharing and selling users’ sensitive information—particularly, precise location data that tracked people’s visits to places like medical clinics—and required that it delete all the previous location data it collected.
    “The FTC’s action is significant because of the prohibitions—barring the company from selling data about sensitive locations, rather than just paying fines,” says Justin Sherman, an adjunct professor at Duke’s Sanford School of Public Policy. In other words, it’s more than a slap on the wrist.