Published by The Lawfare Institute
Data brokers create clusters of personal information to produce models that categorize people or attempt to predict how they behave. This data gathering and processing gives data brokers or their customers the power to manipulate people’s decisions in malicious ways. More specifically, data brokers are able to predict how vulnerable people—such as the elderly—might respond to deceitful requests for money.
As I described in a previous article with Justin Sherman, this scenario happened when data brokers Macromark, KBM, and Epsilon compiled lists of people profiled as naïve (including elderly Americans and people with Alzheimer’s disease). The data brokers then sold those lists of vulnerable individuals to people or companies planning to disseminate fraudulent inquiries and advertisements to deceptively solicit money. The data brokers then used feedback from those scammers to further refine the lists so that their information on vulnerable individuals likely to submit to a scheme would be more accurate.
For approximately a decade, data brokers knowingly sold this information on vulnerable people to criminal scammers. The lists of vulnerable targets were known as “suckers lists” because they serve as bait for scammers seeking easy prey, and the scammers used these lists to suck people’s finances dry. For example, data broker Macromark admitted that their victims lost at least $9,500,000 in total over 11 years.
In September 2016, the Justice Department charged Macromark with conspiracy to commit wire fraud (violation of code 18 U.S.C. § 1341). Five months later, in February 2017, the U.S. District Court for the Eastern District of New York entered into a consent decree with the data broker, following an ex parte temporary restraining order established the year before to protect people on suckers lists. The consent decree identified lists in Macromark’s possession that contained the personal information of previously scammed victims and required the broker to forfeit and then delete them from its possession. As part of the consent decree, Macromark agreed to appoint an independent compliance officer to their company leadership who is required to report to the U.S. government. This court order is an effective example of how to address the harms of compromised personal information, and it can inform further regulations on sensitive brokered data. For example, the Justice Department’s experience intervening in the transfer of data from Macromark to scammers contributed to the launch of a Justice Department initiative aimed to protect individuals who were exploited by data brokers and manipulative mailing solicitations.
The Justice Department-Macromark 2017 Consent Decree
The consent decree took urgent measures to protect victims from becoming victims of repeated scams. The injunction began in 2016 as an ex parte “temporary restraining order and order to show cause,” which is a unilateral action taken by the court to address urgent circumstances. The defendants agreed to the consent decree in 2017, when the court issued a “stipulated preliminary injunction as to the settling defendants,” which allows Macromark to make no admission of wrongdoing but cooperate with the Justice Department to avoid protracted litigation. The ex parte temporary restraining order and the consent decree are both binding and enforceable court orders that legally ensure that the defendant complies. Concerned about the threat that these suckers lists posed, and the harm that they had already caused, the judge presiding over the case ordered:
Within thirty (30) days of entry of this Consent Decree and Final Judgment, Macromark shall, using reasonable best efforts, provide to Macromark’s counsel of record in this action and to the United States’ counsel of record in this action all copies of the live mailing lists contained in Macromark’s list fulfillment system that are compiled from recipients because they have responded to any Covered Materials. Macromark’s counsel of record shall retain such lists. After Macromark has provided such lists to its counsel of record, Macromark shall delete them and confirm in writing to the government that it has done so.
The consent decree enabled the government to seize Macromark’s suckers lists. The company was also required to delete their lists of victims who had already been scammed once, ultimately limiting the exposure of victims’ personal information on future lists. The judge’s reference to respondents of “Covered Materials” specifies suckers lists as lists created to keep track of victims who responded to misleading printed materials sent to them via mail. Macromark was ordered to forfeit and delete suckers lists from their “list fulfillment system,” which stores, processes, and categorizes information on internal data cards. Data cards are hardware components that store information and track the input, output, and transfer of data. Deleting information from a data card erases the computer’s memory of any information on the card—in this case, victim information—thus removing the relevant information from the list fulfillment system. This practice ensures that victims on seized and deleted suckers lists are not reintroduced as possible targets on future lists. Obtaining copies of the suckers lists for the “United States’ counsel of record” increases transparency over exactly what data is sold by data brokers. By establishing a record of Macromark’s suckers lists and requiring them to remove discriminatory data from their database, the court adopted measures to protect against the threatening exposure of personal information.
According to the consent decree, Macromark was also required to appoint an independent compliance officer who conducts due diligence vetting of potential clients, conducts internal reviews of data collected, and authorizes a certification of training for every employee. The compliance officer reports to the U.S. government for five years after the court order (until 2022), acting as an outside representative that enforces internal accountability within the company. (This is the last year that Macromark is required to have a compliance officer—so it will be interesting to observe if their compliance policies or data collection and sharing behaviors change next year.) The compliance officer exercises oversight over the transaction of data, collecting “records of the due diligence performed for each Covered List” and verifying that each list does not profile individuals or potentially expose them to threats. Covered Lists refer to the contents of the data sold, “including the data card, all available solicitations whose respondents’ names and/or demographic information appear within the Covered List[.]” The data card contains all the stored information, and the modifications made to the data, enabling the officer to inspect how the data is processed to target specific demographics. Analyzing data cards provides insight into how data is modified and clustered to create targeted lists based on behavioral patterns, which is important to better understand the algorithmic refinement process of compiling suckers lists. Additionally, the consent decree requires the compliance officer to issue a certificate of training before any Macromark employee can “sell, offer for sale, lease, rent, broker or license a Covered List[.]” The oversight officer ensures that Macromark is held accountable for the process of generating content for their lists.
The seizure of suckers lists, according to the consent decree, helped the Justice Department to adopt an initiative against “mass mailing fraud schemes” that target “elderly and vulnerable victims.” The consent decree authorized the United States Postal Inspection Service “to open any and all United States Mail that was detained by the United States Postal Inspection Service pursuant to the Temporary Restraining Order or Preliminary Injunction in this matter[,]” stopping the transfer of payments to scammers and the delivery of scams to victims. The Justice Department coordinated with the U.S. Postal Inspection Service and the Department of the Treasury’s Office of Foreign Assets Control to dismantle the network of perpetrators involved in mail fraud. After the court order identified the individuals listed as potential targets on Macromark’s predatory lists, the Justice Department’s Mail Fraud Team sent a letter to victims, informing them that they were falsely promised “a large cash prize or other valuable prize in return for a payment in the range of $50 to $55.” The letter sent to victims also returned any funds belonging to a scammed victim that the Justice Department could recover. Further, the Justice Department assisted the Iowa attorney general in suing two mass mailing operations and attaining an Assurance of Voluntary Compliance form that required Macromark to pay $30,000 into a fund for protecting elderly Iowans against consumer fraud. Legally obligating Macromark to turn over their lists of victims ensured that further action could be taken to protect personal information and hold Macromark accountable for their predatory data-collection and data-selling practices.
The proactive approach taken by the consent decree is more effective than responses that fail to change the process of generating targeted lists. Algorithms constantly adapt to the data entered into them, so regulating collection of data is important to reduce the predatory inclinations of certain algorithms. Since the three aforementioned Justice Department investigations demonstrate that data brokers have targeted the elderly and vulnerable, Congress should pass legislation to protect the identity of victims who are profiled as exploitable by marketing campaigns. Additionally, the Federal Trade Commission should issue consent orders against data brokers that verify data cards and exercise oversight over the algorithmic profiling of individuals. The only way to stop this discriminatory categorization of people as susceptible to manipulation is to erase collections of data on seniors, those with mental health issues, and other vulnerable populations, and regulate how future data is collected and exchanged.
Although Epsilon and KBM, the other two data brokers charged by the Justice Department for similar practices, are also required to appoint a third-party compliance officer, there is less transparency about the role of the compliance officer or the efficacy of internal reviews that are submitted annually to the Justice Department. More leeway was granted to Epsilon and KBM to internally regulate their data management and compliance programs, despite these companies also having created algorithms with feedback loops to target people who had already been scammed once. Epsilon, in particular, brokers data on “250 million U.S. consumers[,]” and there is no publicly accessible evidence that Epsilon has made meaningful changes to their procedures for managing and processing data. Once a data broker is caught violating their internal compliance policies, structural change within the company is necessary to ensure that indifference toward protocol does not recur. The same suckers lists that Epsilon was prosecuted for selling to scammers may well be incorporated into present datasets. The court order in the Macromark case is unique because it recognized the potential for danger created by these suckers lists and acted urgently to have the data erased.
Collecting lists of people who were previously scammed is inherently threatening because it enables scammers to target victims in more insidious and coercive ways. As described in “The Future of Violence,” exposure of your personal data mosaic makes individuals vulnerable to harm from people who can leverage that information against their selected targets. Personal details are assorted to model people’s behavior, revealing people’s pressure points—which are topics that cause misguided trust or compel people to act irrationally—such as family, health, legal, romantic, and employment matters. Imposter scams, for example, are the most popular form of fraud in the United States and are enabled by data brokers selling sensitive details to scammers who use that information to deceive and blackmail people. Predation on the exploited populations can be remedied only by protecting victims’ identities.
Right to Anonymity
Without enforced regulations, victims who are marked as easy targets for manipulation will inevitably be taken advantage of consecutively. To prevent this, their identities should be protected from being shared by data brokers. Protecting the anonymity of people who have already been targeted by data brokers is pivotal to stop the cascading effect that repeated scams have on someone’s financial and emotional livelihood. Establishing anonymity of vulnerable populations involves not merely removing certain identifiers; it requires deleting the whole array of information that data brokers have collected on someone from a data card. If someone can still legally purchase data from a data broker about elderly Americans and people with Alzheimer’s—even after these data brokers were charged with facilitating fraud—companies or individuals could harm those victims again. It is currently legal to collect information on elders, and mailing lists containing information on senior citizens can be bought, making this information still accessible to scammers.
Policies addressing fraud enabled by data brokers should support measures that regulate data brokers’ access to, and ability to profile, the personal information of individuals. Exposure of personal information enables scammers to deceitfully tailor their approaches to specific audiences. People who have been defrauded from lists supplied by data brokers should be guaranteed that their information is removed from circulation. Since there are many different data brokers selling lists of personal information, protecting the identity of people requires restricting the omnipresence of commercial surveillance. Controls should be in place to process and verify data cards before lists are sold. If citizens are to be protected from online manipulation, there should be credible oversight to notify people when their information is sold and what information is getting shared about them. People should be updated on the exposure of personal information to scammers so that they are not caught off-guard by deceptive solicitations. Since the insecurity of personal information online results in more people facing the threat of getting scammed, increasing the oversight and accountability of the data broker industry will protect American citizens.
Despite the consent decree’s protection of victims’ information, deleting suckers lists cannot prevent malicious scamming of vulnerable populations from happening in the first place. Addressing the harms of unprotected sensitive information retroactively does not protect victims from exposure to threats until detrimental consequences have already happened. The consent decree provides redress for victims of scams, but it needs to be supplemented with regulations to ensure that suckers lists are not created to begin with. Preemptively authorizing what data can be collected on people, flagging when people are repeatedly featured on similar lists, and verifying data cards to oversee how data is managed are some measures that can reduce the malicious use of sensitive information.