Data brokerage: All your personal data up for sale for less than a rupee

If data is the new oil, then there is a gigantic oil spill all around you. Your personal data — be it your residential address, your phone number, email id, details of what you bought online, age, marital status, income and profession — is all up for sale. Most of this personal data is sold for less than a rupee per person — the cost of a chewing gum.

‘Data Brokers’ hawk their services on online listings and sell personal information. For anywhere between Rs 10,000 and Rs 15,000,data of up to 1 lakh people.

The lists up for sale are creative and granular. One data broker said he could get lists of high net worth individuals, salaried people, credit card holders, car owners and retired women in any given vicinity.

Some brokers sent free samples: excel sheets with personal data of people in Bengaluru, split by address and income profiles.

eBay said it takes data security and privacy of buyers and sellers on its platform very seriously. An Amazon spokesperson said the company was not aware of any data leak or any data being sold from their end, adding that any such case brought to their notice will be dealt with strictly to ensure customer data protection.

HDFC Bank and Axis Bank both said they work on educating customers about the importance of protecting private or personal details, as well as safe banking practices. “We can’t confirm the authenticity of the data shared with you by the data brokers and would urge people to highlight to us if they come across instances like this for us to take it up with the relevant authorities,” an Axis Bank spokesperson said.

The obvious question to ask is: where are these brokers getting the data from? “Most of the data is sold to us by mobile service providers, agents from hospitals and banks, loan agents, car dealers,” an executive from an NCR-based data broker said.

To be sure, data broking isn’t illegal but it does work in a grey zone. A 2014 US Federal Trade Commission report identified data brokers as companies that “obtain and share vast amount of consumer information, typically behind the scenes, without consumer knowledge.”

“Globally, data broking is an approximately $200-billion industry. Marketing products generate over 50% revenue, followed by risk mitigation, which constitutes approximately 45% of the revenue, and, finally, people search constitutes the remainder.”

The FTC report cited earlier said “data brokers operate with a fundamental lack of transparency,” and asked US lawmakers to consider enacting legislation to give consumers greater control over the immense amount of personal information about them collected and shared by data brokers. India’s IT Act does not specifically address the issue of data brokerage and privacy.

“When you sign up for free discounts, fill out questionnaires, or your clickstream in general, you are giving up all the data voluntarily and agreeing to privacy policies that allow you to do so,” said Mishi Choudhary, executive director of non-profit legal services organisation Software Freedom Law Centre.

The most obvious kind of misuse is of financial data. The Reserve Bank of India registered 8,689 cases of frauds involving credit cards, ATM/debit cards and internet banking up till December 2016. This number was 16,468 in 2015-16. Many of these frauds are perpetrated by scamsters by using freely available personal data to win the confidence of customers to get them to share critical data like CVVs or one-time passwords (OTPs).

However, data brokerage is still at a very nascent stage in India. The market is dominated by larger international players such as Epsilon, Equifax and Experian that offer more sophisticated data sets.

“Increasingly, data from social media sites – much of it unstructured data, such as tweets – is collected for analytics that can help deepen the understanding of consumers.”

Data collected by agencies such US-based Equifax Credit Information Company, who carry out consumer credit reporting, is an example of data contributed by banks and other financial institutions.