Privacy Protectors Spotlight: Justin Sherman

In our latest Privacy Protectors Spotlight, we are excited to feature Justin Sherman, a prominent cybersecurity policy expert and data privacy advocate. Justin has been at the forefront of the battle against data brokers, tirelessly working to educate lawmakers and the public about the significant and highly dangerous threats posed by these entities. His comprehensive research, testimonies, and proposed solutions have made him a key figure in the fight for privacy rights.

Background

Justin Sherman is an expert on cybersecurity and data privacy, technology and internet policy, and geopolitics. According to his full bio, he has consulted for and advised everyone from CEOs and government officials to investors, attorneys, product managers, communications strategists, and threat intelligence teams, including in volatile, complex, and high-risk scenarios. He is the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm, where he helps clients navigate complex technological, policy, and geopolitical issues.

Justin is also a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative; and a contributing editor at Lawfare.

Justin has testified before Congress; spoken at the White House, the United Nations, and NATO; and briefed White House officials, members of European Parliament, and many other policymakers around the world on topics ranging from cybersecurity risk to the open data market to Russian cyber and information strategy. He has written hundreds of articles for well-known publications and numerous reports, book chapters, journal articles, and privately commissioned assessments; been interviewed on major networks and many other national and international programs; and had his work featured on HBO’s “Last Week Tonight with John Oliver.”

He earned his M.A. in Security Studies from Georgetown University and his B.S. in Computer Science and his B.A. in Political Science from Duke University.

Work on Data Brokers

Justin Sherman has been a prominent voice in educating lawmakers and the public about the multifaceted dangers posed by data brokers. Through his extensive research, writings, interviews, and congressional testimonies, Justin has highlighted the extent of the information being collected by the data brokerage ecosystem, how that info is collected, and the numerous ways in which it can be misused. He has emphasized the urgent need for regulatory oversight to address the problem of data brokerage effectively.

Justin’s advocacy has driven legislative momentum, encouraging lawmakers to consider stricter regulations on data brokerage practices. 

Below we highlight some of the critical information that has come to light through Justin’s research and testimonies.

Data Brokers and Sensitive Data on US Individuals

In 2021, Justin released a report entitled “Data Brokers and Sensitive Data on US Individuals.” The report examined 10 major data brokers and the highly sensitive data they hold on U.S. individuals. Among its key findings, the report found that “data brokers are openly and explicitly advertising data for sale on U.S. individuals’ sensitive demographic information, on U.S. individuals’ political preferences and beliefs, on U.S. individuals’ whereabouts and even real-time GPS locations, on current and former U.S. military personnel, and on current U.S. government employees.” 

Moreover, “all 10 surveyed data brokers openly and explicitly advertise data on millions of U.S. individuals, oftentimes advertising thousands or tens of thousands of sub-attributes on each of those individuals, ranging from demographic information to personal activities and life preferences (e.g., politics, travel, banking, healthcare, consumer goods and services).”

Thousands or tens of thousands of sub-attributes on individuals is an astonishing amount of information.

The report also found that all this info is collected and sold with little to no transparency with regard to data broker transactions and that “the data advertised by these brokers—spanning everything from financial transaction histories and internet browsing patterns to travel interests and support for political causes and organizations—could be used by foreign entities for a range of national security-damaging activities.”

The report concludes by noting that federal enforcement agencies like the Federal Trade Commission “do not have a strong federal privacy law to point to as grounds to investigate unfair and exploitative practices by data brokers and by firms using data broker data.” As a result, all the harms that come from data brokerage—“to Americans’ civil rights, to U.S. national security, and to U.S. democracy writ large—will only persist without further regulation.”

Revelations on Data Brokers 

In his testimonies before various lawmakers, Justin Sherman has outlined in detail how data brokers operate. Because most of the public is not in a position to understand how the data brokerage ecosystem works, Justin’s testimonies are crucial for bringing this info to light.

On April 19th, 2023, Justin delivered testimony entitled “Data Brokerage, the Sale of Individuals’ Data, and Risks to Americans’ Privacy, Personal Safety, and National Security” to the U.S. House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations. In his written statement, Justin described how data brokers collect personal data, the kind of data they collect, how they work to keep their activities hidden and uninterrupted, and the myriad of threats they pose both to individuals and the nation at large.

Because of the serious nature of the information Justin provided, along with the importance of it being widely disseminated, we have provided a summary of some of the revelations from this testimony below.

How Data Brokers Collect Data

In his statement, Justin outlined three main ways in which data brokers acquire our personal information. 

  • The first is directly. In this method data brokers buy up companies and services such as apps and websites and pay app developers to include the data broker’s software development kit (SDK) in the developer’s app, which siphons data on users.
  • The second method is indirectly, when data brokers scrape public records, gather data from other online sources, and pay app developers to transmit data they have collected on app users. 
  • The third method is “inference,” or prediction. According to Justin, this is when data brokers use “algorithms and other techniques to make predictions about individuals’ characteristics.” 

The Info Data Brokers Collect

Citing his team’s research at Duke University, Justin noted that the data brokerage industry advertises sensitive data on hundreds of millions of Americans and “collects, infers, and sells data on your race, religion, gender, sexual orientation, marital status, income level, credit rating, children, home address, geolocation, political preferences, health conditions, mental health conditions, device usage, and much, much more.”

This data on Americans is also sold in packages, which allows buyers to use the compiled and pre-packaged datasets to profile or target individuals. Justin testified that his team had found “data brokers advertising packages of data for sale on the open market on students, teenagers, active-duty U.S. military personnel, veterans, U.S. government employees, elderly Americans, people with Alzheimer’s, adults with cancer, individuals suffering from depression, and more.”

Justin noted that all this data is collected without the fully informed consent of individuals and that these kinds of pre-packaged datasets can be and have been exploited by malicious actors.

Other Revelations 

Justin also brought to public attention some of the practices of data brokers, such as making buyers sign non-disclosure agreements (NDAs), which serve to keep their activities hidden from the public. He further pointed out other disturbing practices, such as cases where data brokers have knowingly sold data to scammers and continued doing so even after their clients were caught. This is on top of the widespread pattern of data brokers failing to adequately vet their customers that Justin and his team observed. 

In his testimony, Justin undercut the common data broker argument that the datasets they collect are ‘anonymized’ by citing decades of computer science and a recent study which showed that “with only 15 specific demographic attributes, it would be possible to “re-identify” 99.98% of Americans in a dataset.” He also noted that data brokers’ “claims of “anonymization” obscure the fact that many data brokers are selling datasets that do include individuals’ names.”

Threats Posed by Data Brokers

Justin’s testimony described all the various ways in which the data compiled by brokers has been misused and could be misused in the future without any new laws or regulations in place. 

He pointed out the fact that scammers have already stolen millions of dollars from vulnerable consumers using brokered data, either through phishing or through setting up fraudulent companies, purchasing debit card information, and simply withdrawing funds.

Other examples of misuse he cited include people search sites enabling domestic and intimate partner violence, the targeting of a New Jersey federal judge using brokered data which resulted in the murder of her son, the tracking of Americans by threat actors through brokered datasets (through which other sensitive data can be obtained), several documented cases where data brokers knowingly sold data to criminals, the use of Americans’ data by foreign governments for malicious activities, brokered data being used for discriminatory practices by companies, sensitive personal data being exposed through data broker hacking, and numerous others.

So long as data brokers continue to collect highly sensitive personal information on millions of Americans, fail to vet their customers properly so that scammers and malicious entities can easily purchase this data, and successfully lobby to prevent regulations that would curb their activities, such threats will persist.

Proposed Solutions

“Data brokerage is a threat to Americans’ civil rights, consumers’ privacy and well-being, and U.S. national security. The entire data brokerage ecosystem—from companies whose entire business model is data brokerage, to the thousands of other apps, advertisers, tech giants, and companies that collect, buy, sell, and share Americans’ personal data—profits from unregulated surveillance of every American, particularly the most vulnerable. While I support a strong, comprehensive consumer privacy law, Congress should act now to regulate the data brokerage ecosystem.” — Justin Sherman, in testimony to the U.S. House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, April 19, 2023.

In response to the threats data brokers pose to civil rights, privacy, personal safety, and national security, Justin Sherman has advocated for robust federal privacy legislation to provide systematic protection against data brokerage practices. Until we have such a comprehensive federal law, he has proposed three steps that Congress should take now.

The first step Justin proposed is to strictly control the sale of data to foreign companies, citizens, and governments. Justin testified that “currently, there is virtually nothing in U.S. law preventing American companies from selling citizens’ personal data—from real-time GPS locations and health information to data on military personnel and government employees—to foreign entities, including those entities which pose risks to U.S. national security. Congress should also consider areas in which outright bans on the sale of certain types of sensitive data would best protect national security.”

The second step proposed is for Congress to ban the sale of data completely in some sensitive categories, such as with health and location data, and any data on children, and strictly control the sale of data in other categories. Justin stated that “while many kinds of data can be used in harmful ways, some categories are arguably more sensitive than others. Congress should develop a list of sensitive data categories that each correspond to bans on sale or other strong controls.”

The third step needed is to stop data brokers from circumventing restrictions by “inferring” data. Justin testified that “if data brokers are prevented from collecting, aggregating, buying, selling, and sharing certain kinds of data and/or selling it to and sharing it with certain entities, they may still get data using their third vector—analyzing data and making “inferences” from it. For instance, if data brokers were prohibited specifically from buying and selling Americans’ GPS location histories, a company could still, in line with current practice, mine individuals’ purchase information, Wi-Fi connection histories, Bluetooth device links, and other information to derive the data that is supposed to be controlled in the first place, without technically “collecting” GPS location itself.” Stopping this practice “will tackle the third main way data brokers currently get their data—and prevent companies from circumventing controls to keep exploiting Americans.”

Conclusion

Justin Sherman’s extensive research and rigorous advocacy have illuminated the otherwise opaque workings of data brokers and paved the way for informed public discourse and legislative action to safeguard personal privacy, safety, and national security.

At Optery, we are greatly inspired by Justin’s dedication and are happy to spotlight him for his outstanding service in the fight for privacy protection. 

Join us in recognizing Justin Sherman’s critical work. You can follow Justin on X @jshermcyber. You can also find his articles, testimonies, and interviews here and here

Stay tuned for more features in our Privacy Protectors Spotlight series and be sure to follow Optery’s blog for more insights and to learn how you can protect your personal information from data brokers.
