To regular folks with some basic computer skills, the Dark Web seems like Enemy #1.
People talk about it like it’s the Internet Demogorgon. And the media doesn’t help either, not to mention InfoSec marketing departments. As far as they’re concerned, if you don’t say the name of your password manager 7 times before bed the Dark Web will haunt your closet.
And sure—the Dark Web can be…well, dark. There are actual people selling personal data, credit card data, etc. And some people really go there to steal identities, buy things in your name, and all those cybercrime things you’ve heard about. Plus there are marketplaces for other bad stuff, like drugs, guns, and worse.
So it’s not nothing, and it can definitely be seedy.
But for me, and most of the other security professionals I know, the Dark Web is insignificant compared to its corporate counterparts. There are thousands of companies that legally, professionally, and efficiently collect, organize, and sell your data—and they do so as completely legal businesses.
The biggest US data brokers include Acxiom, Oracle Data Cloud, LexisNexis, and Intelius. Among those, Acxiom is particularly interesting.
According to Wikipedia, Acxiom was founded in 1969 as Demographics Inc., and in 2012 the New York Times said they had the largest commercial database on customers.
Acxiom collects, analyzes and sells customer and business information used for targeted advertising campaigns.
But the best way to see how powerful they are is to list some of the data they collect and maintain on a given person.
There’s a popular story about privacy where a father saw his high-school-aged daughter had received an offer from Target for something pregnancy-related, and he became extremely irate and complained about it. A short time later his daughter told him that, actually, she was pregnant.
This is the magic that makes it possible for advertisers to show you the exact right thing at the exact right time. They simply collect as much as they can about you and keep that information updated as close to real time as possible—all so that they can sell it.
In 2012 they had tens of thousands of servers doing this, 24/7, processing over 50 trillion transactions per year. Those numbers are surely far higher now.
While everyone is looking at cybercriminals and the Dark Web, data brokers are doing far more damage to people’s privacy in plain sight.
And to be clear, I’m not saying every iteration of collecting and selling data is bad, always and forever. It’s pretty cool to have high-quality ads when you want them, i.e. ads that are customized for your preferences. It’s part of a future promise of having the world tailored for us.
That’s all great, and positive, and optimistic. We could imagine an implementation of these technologies that was benign—or even beneficial—where people would know the privacy tradeoffs involved, and they would be making them transparently from a position of education.
But we’re not in that timeline right now. Not even close.
Right now most people don’t even know this is happening. They think the real danger to their privacy comes from hackers in basements, when it actually comes from big companies with parking lots, coffee budgets, and health benefits for their employees.
As I wrote about recently, any tool can become a weapon, and right now that tool is personalization. The answer is not to proclaim that all personalization is bad, but that its weaponization is—especially when most of the public is completely unaware.
Fixing this has to start with awareness of these companies, and the tradeoffs we’re making by letting them operate without oversight.