In our latest Privacy Protectors Spotlight, we are excited to feature Justin Sherman, a prominent cybersecurity policy expert and data privacy advocate. Justin has been at the forefront of the battle against data brokers, tirelessly working to educate lawmakers and the public about the significant and highly dangerous threats posed by these entities. His comprehensive research, testimonies, and proposed solutions have made him a key figure in the fight for privacy rights.
Background
Justin Sherman is an expert on cybersecurity and data privacy, technology and internet policy, and geopolitics. According to his full bio, he has consulted for and advised everyone from CEOs and government officials to investors, attorneys, product managers, communications strategists, and threat intelligence teams, including in volatile, complex, and high-risk scenarios. He is the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm, where he helps clients navigate complex technological, policy, and geopolitical issues.
Justin is also a senior fellow at Duke University's Sanford School of Public Policy, where he runs its research project on data brokerage; a nonresident fellow at the Atlantic Council's Cyber Statecraft Initiative; and a contributing editor at Lawfare.
Justin has testified before Congress; spoken at the White House, the United Nations, and NATO; and briefed White House officials, members of European Parliament, and many other policymakers around the world on topics ranging from cybersecurity risk to the open data market to Russian cyber and information strategy. He has written hundreds of articles for well-known publications and numerous reports, book chapters, journal articles, and privately commissioned assessments; been interviewed on major networks and many other national and international programs; and had his work featured on HBO's "Last Week Tonight with John Oliver."
He earned his M.A. in Security Studies from Georgetown University and his B.S. in Computer Science and his B.A. in Political Science from Duke University.
Work on Data Brokers
Justin Sherman has been a prominent voice in educating lawmakers and the public about the multifaceted dangers posed by data brokers. Through his extensive research, writings, interviews, and congressional testimonies, Justin has highlighted the extent of the information collected by the data brokerage ecosystem, how that information is collected, and the numerous ways in which it can be misused. He has emphasized the urgent need for regulatory oversight to address the problem of data brokerage effectively.
Justin's advocacy has driven legislative momentum, encouraging lawmakers to consider stricter regulations on data brokerage practices.
Below we highlight some of the critical information that has come to light through Justin's research and testimonies.
Data Brokers and Sensitive Data on US Individuals
In 2021, Justin released a report entitled "Data Brokers and Sensitive Data on US Individuals." The report examined 10 major data brokers and the highly sensitive data they hold on U.S. individuals. Among its key findings, the report found that "data brokers are openly and explicitly advertising data for sale on U.S. individuals' sensitive demographic information, on U.S. individuals' political preferences and beliefs, on U.S. individuals' whereabouts and even real-time GPS locations, on current and former U.S. military personnel, and on current U.S. government employees."
Moreover, "all 10 surveyed data brokers openly and explicitly advertise data on millions of U.S. individuals, oftentimes advertising thousands or tens of thousands of sub-attributes on each of those individuals, ranging from demographic information to personal activities and life preferences (e.g., politics, travel, banking, healthcare, consumer goods and services)."
Thousands or tens of thousands of sub-attributes on individuals is an astonishing amount of information.
The report also found that all this information is collected and sold with little to no transparency with regard to data broker transactions, and that "the data advertised by these brokers—spanning everything from financial transaction histories and internet browsing patterns to travel interests and support for political causes and organizations—could be used by foreign entities for a range of national security-damaging activities."
The report concludes by noting that federal enforcement agencies like the Federal Trade Commission "do not have a strong federal privacy law to point to as grounds to investigate unfair and exploitative practices by data brokers and by firms using data broker data." As a result, all the harms that come from data brokerage—"to Americans' civil rights, to U.S. national security, and to U.S. democracy writ large—will only persist without further regulation."
Revelations on Data Brokers
In his testimonies before various lawmakers, Justin Sherman has outlined in detail how data brokers operate. Because most of the public is not in a position to see how the data brokerage ecosystem works, Justin's testimonies are crucial for bringing this information to light.
On April 19th, 2023, Justin delivered a testimony entitled "Data Brokerage, the Sale of Individuals' Data, and Risks to Americans' Privacy, Personal Safety, and National Security" to the U.S. House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations. In his written statement, Justin described how data brokers collect personal data, the kind of data they collect, how they work to keep their activities hidden and uninterrupted, and the myriad threats they pose both to individuals and to the nation at large.
Because of the serious nature of the information Justin provided, and the importance of its being widely disseminated, we have summarized some of the revelations from this testimony below.
How Data Brokers Collect Data
In his statement, Justin outlined three main ways in which data brokers acquire our personal information.
- The first is directly. In this method, data brokers buy up companies and services such as apps and websites, and pay app developers to include the data broker's software development kit (SDK) in the developer's app, where it siphons data on users.
- The second method is indirectly: data brokers scrape public records, gather data from other online sources, and pay app developers to transmit data the developers have already collected on app users.
- The third method is "inference," or prediction. According to Justin, this is when data brokers use "algorithms and other techniques to make predictions about individuals' characteristics."
The Info Data Brokers Collect
Citing his team's research at Duke University, Justin noted that the data brokerage industry advertises sensitive data on hundreds of millions of Americans and "collects, infers, and sells data on your race, religion, gender, sexual orientation, marital status, income level, credit rating, children, home address, geolocation, political preferences, health conditions, mental health conditions, device usage, and much, much more."
This data on Americans is also sold in packages, which allows buyers to use the compiled and pre-packaged datasets to profile or target individuals. Justin testified that his team had found "data brokers advertising packages of data for sale on the open market on students, teenagers, active-duty U.S. military personnel, veterans, U.S. government employees, elderly Americans, people with Alzheimer's, adults with cancer, individuals suffering from depression, and more."
Justin noted that all this data is collected without the fully informed consent of individuals and that these kinds of pre-packaged datasets can be and have been exploited by malicious actors.
Other Revelations
Justin also brought to public attention some of the practices of data brokers, such as making buyers sign non-disclosure agreements (NDAs), which serve to keep their activities hidden from the public. He further pointed out other disturbing practices, such as cases where data brokers have knowingly sold data to scammers and continued doing so even after their clients were caught. This is on top of the widespread pattern of data brokers failing to adequately vet their customers that Justin and his team observed.
In his testimony, Justin undercut the common data broker argument that the datasets they collect are "anonymized" by citing decades of computer science and a recent study which showed that "with only 15 specific demographic attributes, it would be possible to 're-identify' 99.98% of Americans in a dataset." He also noted that data brokers' "claims of 'anonymization' obscure the fact that many data brokers are selling datasets that do include individuals' names."
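The re-identification point is easy to see in working code. The Python script below is an added example written for this page; it is not code from Justin Sherman, from the Duke project, or from the study he cites. It runs over a small, constructed table of made-up records (no real people and no real broker data) from which names have been stripped but quasi-identifiers such as ZIP code, birth year, gender, marital status and income band remain. It measures how the share of uniquely identifiable records, and the dataset's k-anonymity, change as each quasi-identifier is added, and then performs the linkage step an attacker would: matching a partial profile of a target (the kind of facts available from a voter file or a social-media page) against the "anonymized" table to recover that person's row and the sensitive attribute attached to it.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed "de-identified" extract in the style of a data-broker dataset.
# Every row is invented for this example; none describes a real person.
RECORDS: List[Dict[str, object]] = [
    {"zip": "20001", "birth_year": 1985, "gender": "F", "marital": "married", "income": "50-75k", "condition": "depression"},
    {"zip": "20001", "birth_year": 1985, "gender": "F", "marital": "single", "income": "50-75k", "condition": "none"},
    {"zip": "20001", "birth_year": 1985, "gender": "M", "marital": "married", "income": "75-100k", "condition": "cancer"},
    {"zip": "20001", "birth_year": 1990, "gender": "F", "marital": "single", "income": "25-50k", "condition": "none"},
    {"zip": "20001", "birth_year": 1990, "gender": "F", "marital": "single", "income": "50-75k", "condition": "depression"},
    {"zip": "20002", "birth_year": 1985, "gender": "M", "marital": "married", "income": "75-100k", "condition": "none"},
    {"zip": "20002", "birth_year": 1985, "gender": "M", "marital": "married", "income": "100k+", "condition": "alzheimers"},
    {"zip": "20002", "birth_year": 1990, "gender": "M", "marital": "single", "income": "25-50k", "condition": "none"},
    {"zip": "20002", "birth_year": 1990, "gender": "F", "marital": "married", "income": "50-75k", "condition": "cancer"},
    {"zip": "20002", "birth_year": 1990, "gender": "F", "marital": "married", "income": "50-75k", "condition": "none"},
]

# Columns that are not names but, in combination, still single people out.
QUASI_IDENTIFIERS: Tuple[str, ...] = ("zip", "birth_year", "gender", "marital", "income")


def group_sizes(records: Sequence[Dict[str, object]], attrs: Sequence[str]) -> Counter:
    """Count how many records share each combination of values for `attrs`."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records: Sequence[Dict[str, object]], attrs: Sequence[str]) -> int:
    """Smallest group size over `attrs`; k == 1 means someone is uniquely identifiable."""
    return min(group_sizes(records, attrs).values())


def uniqueness_rate(records: Sequence[Dict[str, object]], attrs: Sequence[str]) -> float:
    """Fraction of records that are the only one with their combination of `attrs`."""
    sizes = group_sizes(records, attrs)
    unique = sum(1 for r in records if sizes[tuple(r[a] for a in attrs)] == 1)
    return unique / len(records)


def uniqueness_by_attribute_count(
    records: Sequence[Dict[str, object]], attrs: Sequence[str] = QUASI_IDENTIFIERS
) -> List[Tuple[Tuple[str, ...], float]]:
    """Uniqueness rate as quasi-identifiers are added one at a time, in the given order."""
    return [(tuple(attrs[:n]), uniqueness_rate(records, attrs[:n])) for n in range(1, len(attrs) + 1)]


def reidentify(records: Sequence[Dict[str, object]], known: Dict[str, object]) -> List[Dict[str, object]]:
    """Linkage attack: every record consistent with what the attacker already knows.

    A single match re-identifies the target and exposes every other column,
    including the sensitive `condition` field the "anonymization" was meant to protect.
    """
    return [r for r in records if all(r.get(a) == v for a, v in known.items())]


if __name__ == "__main__":
    for attrs, rate in uniqueness_by_attribute_count(RECORDS):
        print(f"{len(attrs)} attribute(s) {attrs}: {rate:.0%} unique, k={k_anonymity(RECORDS, attrs)}")
    # Facts an attacker could plausibly know about one target (constructed).
    target = {"zip": "20001", "birth_year": 1985, "gender": "M"}
    for match in reidentify(RECORDS, target):
        print("re-identified:", match)
```

On this toy table, ZIP code alone or ZIP plus birth year identifies nobody, three attributes pin down 20% of records, and all five leave 80% of people unique even though no name appears anywhere. The study Justin cites reports the same effect at national scale with 15 attributes; the lesson for anyone evaluating a "de-identified" dataset is to measure k-anonymity over the quasi-identifiers rather than trust the label.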
Threats Posed by Data Brokers
Justinâs testimony described all the various ways in which the data compiled by brokers has been misused and could be misused in the future without any new laws or regulations in place.
He pointed out that scammers have already stolen millions of dollars from vulnerable consumers using brokered data, whether through phishing or by setting up fraudulent companies, purchasing debit card information, and simply withdrawing funds.
Other examples of misuse he cited include people-search sites enabling domestic and intimate partner violence; the targeting of a New Jersey federal judge using brokered data, which resulted in the murder of her son; the tracking of Americans by threat actors through brokered datasets (through which other sensitive data can be obtained); several documented cases where data brokers knowingly sold data to criminals; the use of Americans' data by foreign governments for malicious activities; brokered data being used for discriminatory practices by companies; sensitive personal data being exposed when data brokers are hacked; and numerous others.
So long as data brokers continue to collect highly sensitive personal information on millions of Americans, fail to vet their customers properly so that scammers and malicious entities can easily purchase this data, and successfully lobby to prevent regulations that would curb their activities, such threats will persist.
Proposed Solutions
"Data brokerage is a threat to Americans' civil rights, consumers' privacy and well-being, and U.S. national security. The entire data brokerage ecosystem—from companies whose entire business model is data brokerage, to the thousands of other apps, advertisers, tech giants, and companies that collect, buy, sell, and share Americans' personal data—profits from unregulated surveillance of every American, particularly the most vulnerable. While I support a strong, comprehensive consumer privacy law, Congress should act now to regulate the data brokerage ecosystem." — Justin Sherman, in testimony to the U.S. House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, April 19, 2023.
In response to the threats data brokers pose to civil rights, privacy, personal safety, and national security, Justin Sherman has advocated for robust federal privacy legislation to provide systematic protection against data brokerage practices. Until we have such a comprehensive federal law, he has proposed three steps that Congress should take now.
Strictly regulate or ban the sale of data to foreign entities
The first step Justin proposed is to strictly control the sale of data to foreign companies, citizens, and governments. Justin testified that "currently, there is virtually nothing in U.S. law preventing American companies from selling citizens' personal data—from real-time GPS locations and health information to data on military personnel and government employees—to foreign entities, including those entities which pose risks to U.S. national security. Congress should also consider areas in which outright bans on the sale of certain types of sensitive data would best protect national security."
Ban Sensitive Data Sales
The second step proposed is for Congress to ban the sale of data completely in some sensitive categories, such as health data, location data, and any data on children, and to strictly control the sale of data in other categories. Justin stated that "while many kinds of data can be used in harmful ways, some categories are arguably more sensitive than others. Congress should develop a list of sensitive data categories that each correspond to bans on sale or other strong controls."
Stop Data Inference
The third step needed is to stop data brokers from circumventing restrictions by "inferring" data. Justin testified that "if data brokers are prevented from collecting, aggregating, buying, selling, and sharing certain kinds of data and/or selling it to and sharing it with certain entities, they may still get data using their third vector—analyzing data and making 'inferences' from it. For instance, if data brokers were prohibited specifically from buying and selling Americans' GPS location histories, a company could still, in line with current practice, mine individuals' purchase information, Wi-Fi connection histories, Bluetooth device links, and other information to derive the data that is supposed to be controlled in the first place, without technically 'collecting' GPS location itself." Stopping this practice "will tackle the third main way data brokers currently get their data—and prevent companies from circumventing controls to keep exploiting Americans."
Conclusion
Justin Sherman's extensive research and rigorous advocacy have illuminated the otherwise opaque workings of data brokers and paved the way for informed public discourse and legislative action to safeguard personal privacy, safety, and national security.
At Optery, we are greatly inspired by Justin’s dedication and are happy to spotlight him for his outstanding service in the fight for privacy protection.
Join us in recognizing Justin Sherman's critical work. You can follow Justin on X @jshermcyber. You can also find his articles, testimonies, and interviews here and here.
Stay tuned for more features in our Privacy Protectors Spotlight series, and be sure to follow Optery's blog for more insights and to learn how you can protect your personal information from data brokers.