Pixel Envy

Written by Nick Heer.

Meet BIGDBM and FullContact, Two Companies in the De-Anonymization Industry

Joseph Cox, Vice:

Tech companies have repeatedly reassured the public that trackers used to follow smartphone users through apps are anonymous or at least pseudonymous, not directly identifying the person using the phone. But what they don’t mention is that an entire overlooked industry exists to purposefully and explicitly shatter that anonymity.

They do this by linking mobile advertising IDs (MAIDs) collected by apps to a person’s full name, physical address, and other personal identifiable information (PII). Motherboard confirmed this by posing as a potential customer to a company that offers linking MAIDs to PII.

While American lawmakers have been focused on allegations of criminally anticompetitive practices by bigger tech companies and American media has extensively covered Facebook and Google’s creepy tracking practices, the data “enrichment” industry has skated by with little attention outside of the tech-centric press. Its practices cannot be ignored.

A couple of years ago, records of over one billion people were found on an unprotected server, sourced from two different data enrichment companies. American cellular providers share subscriber information with advertisers and enrichment companies. This entire industry matches identifiers in different data sets to produce more comprehensive, more detailed, and more individualized profiles on people, which it sells back to the advertising industry, other data companies, resellers, and government agencies, according to the privacy policy of one of the two companies in this report.

I thought it might be useful to look at ways to opt out of this kind of associative data collection, so let’s examine those two companies.

FullContact cares so much about privacy that it provides a process for removing your data from its systems — but that is helpful only if you know the company exists. I followed the process and saw that FullContact had linked two of my email addresses and my phone number against a scraped copy of the LinkedIn profile I deleted many years ago, various social media profiles — remember FourSquare? — and my city. If you are familiar with the APIs provided by social media companies, this is probably an unsurprising data set. I sent a request to delete my data and, within an hour, I received an email confirming it was completed.

BIGDBM is much less transparent. On its Data Market page, it brags that it offers:

[…] a secure, cloud-based, self-service data platform that enables users to quickly and easily select data from billions of records. All BIGDBM records contain a persistent individual ID that keeps track of individuals in both online and offline data environments, allowing our customers for marketing to individuals using digital ads, or offline using phones and direct mail.

People seemingly have little control over whether BIGDBM has their identifier. On its privacy page, California users are able to request a copy of their data by completing a PDF form — which, as of writing, returns an error stating that the HTTPS certificate expired last year — and emailing them a copy. Then, BIGDBM may grant access to its California-specific database tool, at which point it appears that users may be allowed to delete their information. Apparently, this only applies to users in California; if you live elsewhere in the United States, BIGDBM may process your request if you nicely ask a sympathetic company representative.

It is unclear how the company treats information about non-Americans. Its privacy policy says that it does not collect information about people in the European Union “as a matter of course”, but how can it guarantee that? And what about people elsewhere?

Of course, all of this is only relevant if you have heard of BIGDBM. Companies like these are often unnamed in the user agreements and privacy policies most users do not read before registering for a service. In many cases, they fall under a generic term, like “vendors”, “partners”, or “other parties”.

It is onerous to require that individual users understand the full consequences of privacy policies like these. They grant most companies the freedom to share whatever information they feel like with whichever third parties they deem relevant to their business practices. Those parties might re-share it, or mix it with other records to increase its granularity. All of this is permitted under U.S. law. And, because many technology products and services are based in the U.S., it often means that non-Americans are subject to the same policies due to the jurisdiction clause in the user agreement.