Victory for Privacy as Supreme Court Rules Warrantless Phone Location Tracking Unconstitutional

This is a very important ruling that should serve as a good precedent for technologically-based privacy rights in the future.

The Supreme Court handed down a landmark opinion today in Carpenter v. United States, ruling 5-4 that the Fourth Amendment protects cell phone location information. In an opinion by Chief Justice Roberts, the Court recognized that location information, collected by cell providers like Sprint, AT&T, and Verizon, creates a “detailed chronicle of a person’s physical presence compiled every day, every moment over years.” As a result, police must now get a warrant before obtaining this data.

This is a major victory. Cell phones are essential to modern life, but the way that cell phones operate—by constantly connecting to cell towers to exchange data—makes it possible for cell providers to collect information on everywhere that each phone—and by extension, each phone’s owner—has been for years in the past. As the Court noted, not only does access to this kind of information allow the government to achieve “near perfect surveillance, as if it had attached an ankle monitor to the phone’s user,” but, because phone companies collect it for every device, the “police need not even know in advance whether they want to follow a particular individual, or when.”

[…]

Perhaps the most significant part of today’s ruling for the future is its explicit recognition that individuals can maintain an expectation of privacy in information that they provide to third parties. The Court termed that a “rare” case, but it’s clear that other invasive surveillance technologies, particularly those that can track individuals through physical space, are now ripe for challenge in light of Carpenter. Expect to see much more litigation on this subject from EFF and our friends.

Verizon and AT&T Want to Run Invasive Phone Ad-Tracking Networks

Smartphones today are essentially surveillance devices — perhaps the most intimate surveillance devices in general. If they’re left on (as is common), they know where people travel (it’s a necessity to keep a connection to phone towers and many apps track location), who they associate with (probably who they have sex with), what they do (seeing as they’re computers that people interact with on average for hours a day), and to top it all off, they can be turned into listening devices if the phone is hacked. Adding more intrusive surveillance to this (via more ad-tracking) would be horrible news for consumer privacy, and since privacy and security are so often intertwined today, it’ll end up being bad news for consumer security somehow too.

 

Snowden Interview in The Intercept

Mass surveillance is worse than five years ago, and it’s cool to think about the initial disclosures and then fast forward to this interview. Also, if you haven’t seen the documentary Citizenfour, I recommend watching it.

Mehdi Hasan: I’m Mehdi Hasan, welcome to Deconstructed.

My guest today is the NSA whistleblower Edward Snowden. Yes, the man himself, who became a global household name almost exactly five years ago.

[…]

So I started off by asking Edward Snowden: “Is privacy dead?”

ES: No, and I think this is the thing that is really taken out of context by politicians and all of these corporate powers that are working to use that as a justification to extend and further the abuses that we’ve seen in the last decade or so. When you look at the polling and all of these different issues and you ask young people, particularly, you know: Do you care about privacy? They actually seem to care more than older generations because this affects their lives every day. They understand what it means to make a mistake, have someone with a smartphone in the room and then have it haunt you for the rest of your time in high school or college or whatever.

There is this feeling of powerlessness that’s surrounding all of us every day on this issue, because we see that we are being abused. People openly admit that they’re abusing us. You know, Mark Zuckerberg in front of Congress is talking about this quite unashamedly.

[…]

MH: Your enemies here in the U.S. have accused you of being ultra-critical of the U.S. government but soft on the Russian government, on President Vladimir Putin. And yet in March, I saw that you were on Twitter suggesting there had been vote-rigging in the Russian presidential election. You even called on Russians to “demand justice.” More recently you called the Russian government’s attempt to crack down on the messaging app Telegram “totalitarian.”

Now, from where I’m sitting, those were pretty bold, ballsy, principled moves by you, but were they also foolish moves? Aren’t you risking pissing off Putin and him then sending you back into the U.S. in a fit of rage?

ES: You know, yeah there’s definitely risks involved. And it’s not a smart thing to do. Every one of my lawyers tells me it’s a mistake to keep criticizing the Russian government. They say: Look, you’ve done enough. But that’s not what I’m here for, right? If I wanted to be safe, I never would have left Hawaii. I believe that this world can be better. I believe that this world should be better, but it’s not going to get better unless we make it better. And that requires risk, that requires hard work, that ultimately might require sacrifice.

[…]

MH: Where do you think you’ll be another five years from now?

ES: I don’t know. I honestly don’t know. There have been so many times, over the last five years, where I’ve been sure that things were going to change, that people understood, there were days I was sure that nothing was ever going to change, and it’s status quo forever. But it’s that uncertainty that actually gives me optimism, that gives me hope.

So many people look at the world today, they look at how broken and ruined things are, and they are just disempowered and lost. But what I want people to focus on is the fact that things changed, right. And if they can change for the worse, they can change for the better. And the only reason the world is changing for the worse is because bad people are working to make it happen that way. And if more good people are organizing, if we’re talking about this stuff, if we’re willing to draw lines that we will not allow people to cross without moving us out of the way, the pendulum will swing, and I’ll be home sooner than you think.

NSA Expands Mass Surveillance to Triple Its Collection of U.S. Phone Records

Mass surveillance is damaging to privacy generally and ineffective at preventing stateless terror attacks — its main effect is to increase repressive control.

The National Security Agency (NSA) collected over 530 million phone records of Americans in 2017—that’s three times the amount the spy agency sucked up in 2016.

The figures were released Friday in an annual report from the Office of the Director of National Intelligence (ODNI).

It shows that the number of “call detail records” the agency collected from telecommunications providers during Trump’s first year in office was 534 million, compared to 151 million the year prior.

“The intelligence community’s transparency has yet to extend to explaining dramatic increases in their collection,” said Robyn Greene, policy counsel at the Open Technology Institute.

The content of the calls itself is not collected but so-called “metadata,” which, as Gizmodo notes, “is supposedly anonymous, but it can easily be used to identify an individual. The information can also be paired with other publicly available information from social media and other sources to paint a surprisingly detailed picture of a person’s life.”

The report also revealed that the agency, using its controversial Section 702 authority, increased the number of foreign targets of warrantless surveillance. It was 129,080 in 2017 compared to 106,469 in 2016.

As digital rights group EFF noted earlier this year,

Under Section 702, the NSA collects billions of communications, including those belonging to innocent Americans who are not actually targeted. These communications are then placed in databases that other intelligence and law enforcement agencies can access—for purposes unrelated to national security—without a warrant or any judicial review.

“Overall,” Jake Laperruque, senior counsel at the Project On Government Oversight, said to ZDNet, “the numbers show that the scale of warrantless surveillance is growing at a significant rate, but ODNI still won’t tell Americans how much it affects them.”

Disturbing: Surveillance Database of Journalists Being Built in the U.S.

A large threat to press freedom with Orwellian undertones — more mass surveillance means more repression. It also means an attempted suppression of effective activism due to what’s known as the “chilling effect” of mass surveillance, where people generally take different actions (such as not visiting the Wikipedia pages on terrorism as much) due to being aware that they’re under intrusive surveillance.

Donald Trump is not known for being a friend of the media. Now he seems to be taking up new methods to control unfavorable journalists. The Department of Homeland Security wants to create a database of journalists and bloggers from around the world that can be filtered by location, content and sentiment. While the DHS claims this is standard PR practice, the alarm bells must ring. After all, surveillance is what upcoming autocrats commonly use to undermine democracy.

The Department of Homeland Security (DHS) is looking for contractors to build up a Media Monitoring Service. Details seem to be based on instructions by George Orwell: The DHS asks for the ability to scan more than 290.000 news sources within and outside the US, and store “journalists, editors, correspondents, social media influencers, bloggers etc.” in a database that must be searchable for “content” and “sentiment”.

[…]

The current development in the US is very worrisome, particularly as the freedom of the press is under attack worldwide.

Reporters without Borders state: “Once taken for granted, media freedom is proving to be increasingly fragile in democracies as well. In sickening statements, draconian laws, conflicts of interest, and even the use of physical violence, democratic governments are trampling on a freedom that should, in principle, be one of their leading performance indicators.”

The Freedom of the Press Report 2017 by Freedom House concludes that global media freedom has reached its lowest level in the past 13 years. This is not only down to “further crackdowns on independent media in authoritarian countries like Russia and China.” The report also blames “new threats to journalists and media outlets in major democracies”.

Some Swedes Beginning to Realize the Danger of Being in a Cashless Society

Allowing largely unaccountable corporations to track the overall financial activities and flow of resources among an entire population presents a power imbalance that will inevitably lead to problems. The anonymous ability to pay with cash — and soon hopefully a legitimately privacy-focused cryptocurrency — is an imperative function in maintaining stability in today’s world.

In February, the head of Sweden’s central bank warned that Sweden could soon face a situation where all payments were controlled by private sector banks.

The Riksbank governor, Stefan Ingves, called for new legislation to secure public control over the payments system, arguing that being able to make and receive payments is a “collective good” like defence, the courts, or public statistics.

“Most citizens would feel uncomfortable to surrender these social functions to private companies,” he said.

“It should be obvious that Sweden’s preparedness would be weakened if, in a serious crisis or war, we had not decided in advance how households and companies would pay for fuel, supplies and other necessities.”

[…]

The central bank governor’s remarks are helping to bring other concerns about a cash-free society into the mainstream, says Björn Eriksson, 72, a former national police commissioner and the leader of a group called the Cash Rebellion, or Kontantupproret.

[…]

In this sense, Sweden is far from its famous concept of lagom – “just the right amount” – but instead is “100% extreme”, Eriksson says, by investing so much faith in the banks. “This is a political question. We are leaving these decisions to four major banks who form a monopoly in Sweden.”

[…]

No system based on technology is invulnerable to glitches and fraud, says Mattias Skarec, 29, a digital security consultant. Yet Sweden is divided into two camps: the first says “we love the new technology”, while the other just can’t be bothered, Skarec says. “We are naive to think we can abandon cash completely and rely on technology instead.”

Skarec points to problems with card payments experienced by two Swedish banks just during the past year, and by Bank ID, the digital authorisation system that allows people to identify themselves for payment purposes using their phones.

Fraudsters have already learned to exploit the system’s idiosyncrasies to trick people out of large sums of money, even their pensions.

[…]

But an opinion poll this month revealed unease among Swedes, with almost seven out of 10 saying they wanted to keep the option to use cash, while just 25% wanted a completely cashless society. MPs from left and right expressed concerns at a recent parliamentary hearing. Parliament is conducting a cross-party review of central bank legislation that will also investigate the issues surrounding cash.

The Pirate Party – which made its name in Sweden for its opposition to state and private sector surveillance – welcomes a higher political profile for these issues.

Look at Ireland, Christian Engström says, where abortion is illegal. It is much easier for authorities to identify Irish women who have had an abortion if the state can track all digital financial transactions, he says. And while Sweden’s government might be relatively benign, a quick look at Europe suggests there is no guarantee how things might develop in the future.

“If you have control of the servers belonging to Visa or MasterCard, you have control of Sweden,” Engström says.

Also a relevant entry: Pitfalls of a Cashless Society.

Dangerous Cloud Act Legislation Appears in Congress

The Cloud Act would allow for dangerous violations of consumer privacy rights through abusing the stored data corporations have on people. U.S. citizens, I encourage you to oppose this type of legislation. Privacy rights are going to become much more important in the next several years as more and more of society is suffused with technological infrastructure.

Civil libertarians and digital rights advocates are alarmed about an “insidious” and “dangerous” piece of federal legislation that the ACLU warns “threatens activists abroad, individuals here in the U.S., and would empower Attorney General Sessions in new disturbing ways.”

The Clarifying Lawful Overseas Use of Data or CLOUD Act (S. 2383 and H.R. 4943), as David Ruiz at Electronic Frontier Foundation (EFF) explains, would establish a “new backdoor for cross-border data [that] mirrors another backdoor under Section 702 of the FISA Amendments Act, an invasive NSA surveillance authority for foreign intelligence gathering” recently reauthorized by Congress.

Ruiz outlines how the legislation would enable U.S. authorities to bypass Fourth Amendment rights to obtain Americans’ data and use it against them:

The CLOUD Act allows the president to enter an executive agreement with a foreign nation known for human rights abuses. Using its CLOUD Act powers, police from that nation inevitably will collect Americans’ communications. They can share the content of those communications with the U.S. government under the flawed “significant harm” test. The U.S. government can use that content against these Americans. A judge need not approve the data collection before it is carried out. At no point need probable cause be shown. At no point need a search warrant be obtained.

The EFF and ACLU are among two dozen groups that banded together earlier this month to pen a letter to Congress to express alarm that the bill “fails to protect the rights of Americans and individuals abroad, and would put too much authority in the hands of the executive branch with few mechanisms to prevent abuse.”

[…]

“This controversial legislation would be a poison pill for the omnibus spending bill,” declared Fight for the Future’s deputy director, Evan Greer. “Decisions like this require rigorous examination and public debate, now more than ever, and should not be made behind closed doors as part of back room Congressional deals.”

The group also pointed out that big tech companies such as Apple, Facebook, and Google are among those lobbying lawmakers to include the CLOUD Act in the spending bill.

Polisis AI Developed to Help People Understand Privacy Policies

It looks as though this AI development could be quite useful in helping people avoid the exploitation of their personal information. Someone reading this may also want to look into a resource called Terms of Service; Didn’t Read, which “aims at creating a transparent and peer-reviewed process to rate and analyse Terms of Service and Privacy Policies in order to create a rating from Class A to Class E.”

But one group of academics has proposed a way to make those virtually illegible privacy policies into the actual tool of consumer protection they pretend to be: an artificial intelligence that’s fluent in fine print. Today, researchers at Switzerland’s Federal Institute of Technology at Lausanne (EPFL), the University of Wisconsin and the University of Michigan announced the release of Polisis—short for “privacy policy analysis”—a new website and browser extension that uses their machine-learning-trained app to automatically read and make sense of any online service’s privacy policy, so you don’t have to.

In about 30 seconds, Polisis can read a privacy policy it’s never seen before and extract a readable summary, displayed in a graphic flow chart, of what kind of data a service collects, where that data could be sent, and whether a user can opt out of that collection or sharing. Polisis’ creators have also built a chat interface they call Pribot that’s designed to answer questions about any privacy policy, intended as a sort of privacy-focused paralegal advisor. Together, the researchers hope those tools can unlock the secrets of how tech firms use your data that have long been hidden in plain sight.

[…]

Polisis isn’t actually the first attempt to use machine learning to pull human-readable information out of privacy policies. Both Carnegie Mellon University and Columbia have made their own attempts at similar projects in recent years, points out NYU Law Professor Florencia Marotta-Wurgler, who has focused her own research on user interactions with terms of service contracts online. (One of her own studies showed that only .07 percent of users actually click on a terms of service link before clicking “agree.”) The Usable Privacy Policy Project, a collaboration that includes both Columbia and CMU, released its own automated tool to annotate privacy policies just last month. But Marotta-Wurgler notes that Polisis’ visual and chat-bot interfaces haven’t been tried before, and says the latest project is also more detailed in how it defines different kinds of data. “The granularity is really nice,” Marotta-Wurgler says. “It’s a way of communicating this information that’s more interactive.”

[…]

The researchers’ legalese-interpretation apps do still have some kinks to work out. Their conversational bot, in particular, seemed to misinterpret plenty of questions in WIRED’s testing. And for the moment, that bot still answers queries by flagging an intimidatingly large chunk of the original privacy policy; a feature to automatically simplify that excerpt into a short sentence or two remains “experimental,” the researchers warn.

But the researchers see their AI engine in part as the groundwork for future tools. They suggest that future apps could use their trained AI to automatically flag data practices that a user asks to be warned about, or to automate comparisons between different services’ policies that rank how aggressively each one siphons up and shares your sensitive data.

“Caring about your privacy shouldn’t mean you have to read paragraphs and paragraphs of text,” says Michigan’s Schaub. But with more eyes on companies’ privacy practices—even automated ones—perhaps those information stewards will think twice before trying to bury their data collection bad habits under a mountain of legal minutiae.

U.S. Federal Government Set to Further Expand Mass Surveillance

It’s striking that the same congressional Democrats who verbally denounce the current president as a tyrant then vote to grant the executive branch extremely unjust surveillance authority. U.S. citizens, I encourage you to call the Senate and tell them to vote no on this mass surveillance bill. The Capitol Switchboard number is (202) 804-3305.

With the Senate set to cast its first votes on a bill that reauthorizes and expands the government’s already vast warrantless spying program in a matter of hours, civil libertarians on Tuesday launched a last-ditch effort to rally opposition to the legislation and demand that lawmakers protect Americans’ constitutional right to privacy.

Fight for the Future (FTF), one of many advocacy groups pressuring lawmakers to stop the mass surveillance bill in its tracks, notes that “just 41 senators can stop” the bill from passing.

“In the age of federal misconduct, every member of Congress must move right now to stop the government’s abuse of the internet to monitor everyone; they must safeguard our freedom and the U.S. Constitution,” FTF urged.

The FISA Amendments Reauthorization Act of 2017 (S.139)—passed by the House last week with the revealing but not surprising help of 65 Democrats—would renew Section 702 of FISA, set to expire this Friday.

As The Intercept’s Glenn Greenwald notes, “numerous Senate Democrats are poised” to join their House colleagues in voting to re-up Section 702, thus violating “the privacy rights of everyone in the United States” and handing President Donald Trump and Attorney General Jeff Sessions sprawling spying powers.

The Senate’s first procedural vote on a cloture motion is expected at 5:30pm ET. If the motion is approved, the path will be clear for the bill to hit the Senate floor.

“Every member of Congress is going to have to decide whether to protect Americans’ privacy, and shield vulnerable communities from unconstitutional targeting, or to leave unconstitutional spying authority in Trump’s—and Jeff Sessions’—hands,” the advocacy group Indivisible notes.

EU Privacy Shield Standard Should be Adopted by More Countries

Online privacy isn’t as appreciated as it should be, but that may change as exponentially more devices are connected to the Internet over the next several years.

If you’re ever expecting a child, Target wants to be one of the first to know. The company has invested in research to identify pregnant customers early on, based upon their purchasing behavior. Then, it targets them with ads for baby gear.

While companies such as Target mine data about products their customers purchase from them (like prenatal vitamins) to send them personalized ads, many also rely on information gathered about us on the web — like what we search for on Google or email our friends. That lets them realize we’re planning a vacation to the Grand Canyon, for instance, and send us ads for local hotels.

Many people think that it’s an invasion of privacy for companies to gather sensitive data — such as information about our relationships and medical history — and exploit it for commercial purposes. It could also widen social divisions. For example, Facebook determines our political beliefs based upon the pages we like and preferences we list on our profiles. If algorithms peg us as conservative or liberal and we’re targeted with ads accordingly, we may end up never understanding what people of other political persuasions think. Internet activist and author Eli Pariser has argued that America is so politically polarized in part because social media sites leave us in “filter bubbles.” Targeted political advertising could have the same effect.

That’s part of the reason why, in May, a new regulation will go into effect in the European Union giving citizens the “right to object” to “processing of personal data” about them for marketing and other purposes. As Andrus Ansip, the European Commission vice president for the digital single market, tweeted, “Should I not be asked before my emails are accessed and used? Don’t you think the same?” The new law overcame serious opposition from the advertising industry, whose representatives argue that it will disrupt ad revenues needed by the media. Experts say that websites will have to provide more valuable content to users as an incentive for readers to allow them to use their data.

Here in the U.S., most ads are bought through exchanges that allow advertisers to target people based upon data about them. Companies can choose to buy ads that will be seen, for example, by women who live in a particular ZIP code and graduated from a certain school. But according to guidance established by the Digital Advertising Alliance — a consortium of industry trade associations including the American Association of Advertising Agencies, the Association of National Advertisers, and the Better Business Bureau — consumers should have “the ability to exercise choice with respect to the collection and use of data.” Two members of the alliance accept consumer complaints and do their own research to identify violations of the rule. They work with companies to help them fix problems and report violations to regulators.

While the principle behind the new EU law could justify wide-ranging new regulations and restrictions on how companies throughout the world do business, James Ryseff, a former Google engineer, says it’s likely that initially it will simply allow users to opt out of the “cookies” that track internet users as they surf the web. Although this will reduce the amount of data that tech companies can collect, it doesn’t truly allow users to opt out of targeted advertising, since businesses can still use the information they gather through other techniques — such as in-store purchases — to classify and reach customers. That’s why, Ryseff says, Americans should have more sophisticated ways to determine exactly what advertisers learn about us.

First, for example, we should be able to decide whether companies are able to gather generic data about who we are (such as our age, gender and location) or information about what we’re doing (such as researching a medical condition) — or neither, or both. “In general, I think ‘What I do’ information has a greater ability to freak people out,” Ryseff says. “Used incorrectly, it makes you feel like Google is stalking you.”

Second, Americans should get to decide where and when our data is tracked. For example, some people might be more comfortable being tracked on a search engine that knows their buying behavior and can make recommendations accordingly, but less so on personal email which can identify private facts about their lives — or work email which might contain proprietary information. (Google previously used data from the content of users’ emails to target them with ads, but pledged in June to stop the practice.) And we might want to temporarily stop allowing search engines to track our activities when we’re looking up something private, like medical symptoms.

Third, we should get to decide whether we’re willing to be targeted with ads based upon our own behaviors or people algorithms have decided are like us.

Research Develops First Reliable Method for Websites to Track Users With Multiple Browsers

Either legal or technological defenses will be required to stop this tracking that so invades personal privacy.

Researchers have recently developed the first reliable technique for websites to track visitors even when they use two or more different browsers. This shatters a key defense against sites that identify visitors based on the digital fingerprint their browsers leave behind.

State-of-the-art fingerprinting techniques are highly effective at identifying users when they use browsers with default or commonly used settings. For instance, the Electronic Frontier Foundation’s privacy tool, known as Panopticlick, found that only one in about 77,691 browsers had the same characteristics as the one commonly used by this reporter. Such fingerprints are the result of specific settings and customizations found in a specific browser installation, including the list of plugins, the selected time zone, whether a “do not track” option is turned on, and whether an adblocker is being used.

Until now, however, the tracking has been limited to a single browser. This constraint made it infeasible to tie, say, the fingerprint left behind by a Firefox browser to the fingerprint from a Chrome or Edge installation running on the same machine. The new technique—outlined in a research paper titled (Cross-)Browser Fingerprinting via OS and Hardware Level Features—not only works across multiple browsers, it’s also more accurate than previous single-browser fingerprinting.

Fingerprinting isn’t automatically bad and, in some cases, offers potential benefits to end users. Banks, for instance, can use it to know that a person logging into an online account isn’t using the computer that has been used on every previous visit. Based on that observation, the bank could check with the account holder by phone to make sure the login was legitimate. But fingerprinting also carries sobering privacy concerns.

“From the negative perspective, people can use our cross-browser tracking to violate users’ privacy by providing customized ads,” Yinzhi Cao, the lead researcher who is an assistant professor in the Computer Science and Engineering Department at Lehigh University, told Ars. “Our work makes the scenario even worse, because after the user switches browsers, the ads company can still recognize the user. In order to defeat the privacy violation, we believe that we need to know our enemy well.”

[…]

Cross-browser fingerprinting is only the latest trick developers have come up with to track people who visit their sites. Besides traditional single-browser fingerprinting, other tracking methods include monitoring the way visitors type passwords and other text and embedding inaudible sound in TV commercials or websites. The Tor browser without an attached microphone or speakers is probably the most effective means of protection, although the researchers said running a browser inside a virtual machine may also work.

Giant Data Leak Exposes Data on 123 Million U.S. Households

This is yet another data breach that would be much less likely to happen if the NSA would primarily do its actual job and protect Americans instead of spying on them and other relatively innocent foreign citizens. Up to 90 percent of the NSA’s budget is dedicated to offense and spying when it should be dedicated to securing vital technological infrastructure and defending the public instead. Unfortunately though, the NSA today is largely an example of the government — compromised through excessive corporate control — treating its own domestic population as the enemy, and that sort of example happens far too frequently in the modern world.

Researchers revealed Tuesday that earlier this year they discovered a massive database — containing information on more than 123 million American households — that was sitting unsecured on the internet.

The cloud-based data repository from marketing analytics company Alteryx exposed a wide range of personal details about virtually every American household, according to researchers at cybersecurity company UpGuard. The leak put consumers at risk for a range of nefarious activities, from spamming to identity theft, the researchers warned.

Though no names were exposed, the data set included 248 different data fields covering a wide variety of specific personal information, including address, age, gender, education, occupation and marital status. Other fields included mortgage and financial information, phone numbers and the number of children in the household.

“From home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior, the exposed data constitutes a remarkably invasive glimpse into the lives of American consumers,” UpGuard researchers Chris Vickery and Dan O’Sullivan wrote in their analysis.

A cascade of recent database breaches has left consumers on edge about the security of their personal information. After credit monitoring company Equifax revealed in September that cybercriminals had made off with data on more than 145 million Americans, US lawmakers began efforts to hold such businesses accountable to the everyday people whose data they collect for profit.

[…]

“The data exposed in this bucket would be invaluable for unscrupulous marketers, spammers and identity thieves, for whom this data would be largely reliable and, more importantly, varied,” the researchers said. “With a large database of potential victims to survey — with such details as ‘mortgage ownership’ revealed, a common security verification question — the price could be far higher than merely bad publicity.”