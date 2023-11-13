Beyond the voracity for information of Google, Meta and other giants, there is a shadow market that trades with our personal data. The so-called data brokers. They are companies unknown to the general public that cultivate large databases with information about users and then sell it to third parties.

To gather data, these entities delve into multiple areas, public and private. They analyze social networks, access parts of a user’s online browsing history and even obtain information from demographic censuses or health records. The researcher from the cybersecurity firm Kaspersky Marc Rivero thus summarizes what the data brokers: “They are companies that seek to collect personal information about users. These have a digital identity, they have a history, their navigation is sectorized. And other companies benefit greatly when they buy this information.”

They are not just data sellers. Hicham Qaissiwho is a professor of AI for Management at the Polytechnic University of Madrid and director of IT projects at the digital transformation company Docaposte, highlights that data brokers They also offer custom analysis services. “If a company wants to open a business in the city center and wants to know where to do it, they can provide useful information,” he says. Thus, user data can be used to search for potential clients, to refine advertising deployment or to enrich market studies.

Normally, a distinction is made between data brokers and companies like Google, Facebook or X (formerly Twitter), which collect data and transfer it to third parties to serve ads. However, the border is not clear to everyone. “If you think about it, what is the difference between giving away data and collecting and selling it? For me they are both data brokers. Although due to how the concept has been defined, a data broker It is only that company that sells data,” says Rivero. But there is a distinguishing factor, as the Kaspersky researcher admits. In the transfer of data, the user is more aware that they are being traded, while the sale of their information often goes unnoticed. And the activity of these companies remains hidden from the large mass of users.

The data brokers They are not new entities on the Internet. A report dated 2007 from the United States public policy research institute, the Congressional Research Service, already noted the concern caused by “the vast amount of personal information that data brokers collect and inappropriate access to that data.” And its activity has not stopped growing. For 2021, the analyst firm Transparency Market Research estimated the global business volume of the data brokers at around 225.00 million euros. And according to its forecast, the figure will grow to 433,000 million in 2031, at an annual rate of 6.8%.

These companies operate far from the big spotlight and their names are practically unknown. The Transparency Market Research Report cites several, such as Acxiom Corporation, Experian, Equifax, CoreLogic, Epsilon or LexisNexis. EL PAÍS has tried to contact some of them to find out about their operations and has not received a response. Furthermore, CoreLogic stated that they had no information about data brokering and the Spanish subsidiary of Experian pointed out that it does not act as data broker In our country.

Comprehensive user profiles

The information these companies handle goes beyond traditional demographic profiles. These contain the first and last name, age, postal address, gender and perhaps socioeconomic factors. “What is flourishing now are psychographic analyses,” explains Qaissi. “For example, the citizens of a metropolitan area of ​​Paris are analyzed. And we know what their tastes are, where they shop, where they eat, where they spend their free time, where they play sports, at what age they get married.”

The UPM professor affirms that a bank could apply this type of analysis to offer financial products adapted to these potential clients. And how is the data obtained to create these psychographic profiles? The information comes from various sources. Rivero begins to list cases: “When you put your data in a form, when you accept some cookieswhen using the hotel WiFi”, and clarifies what happens when accessing a WiFi network with a social login (the login with Google or Facebook): “There you are already saying that you have a user on that social network, that you like to spend your summers on the Costa Brava (due to the location of the network), that you have such an age, such a gender and a mail address”.

All this data is combined with others using ETL techniques (extract, tansform and load or extract, transform and load) to create a database with uniform parameters. The result is clear and organized information, which is stored in an orderly manner and is ready to be analyzed and processed through machine learning (machine learning).

Some of this information is sold to third parties for targeted advertising, which may take the form of email marketing. Although a few years ago a case of targeted ads broke out on a social network. The bad practices led to a notorious scandal. “Cambridge Analytica is an example of the access that third-party companies have to data that may be on Facebook, now Meta,” says Rivero, referring to the controversy related to information manipulation on Facebook during the 2016 US elections. .

The term data broker It was barely mentioned in the first months that the scandal lasted. But later it was verified the involvement of these actors in the sale of data to create a microsegmentation that would fine-tune the sending of political messages as much as possible.

The false sense of privacy in the EU

The General Data Protection Regulation (GDPR) guarantees a high level of privacy to users in the European Union. And this should be enough to avoid falling into the databases of the data brokers. But this is just the theory. There are flaws through which the activity of these companies is filtered. It is true that they cannot operate from the EU. But they can do so with subsidiaries outside the borders of the Union.

Qaissi presents a worrying scenario from the point of view of privacy: “It is easy for these companies to access personal information, whether through social networks, phishing [hacerse pasar por una web legítima para intentar hacerse con los datos personales o bancarios del usuario], for intrusion, whatever,” he emphasizes. “Accessing, storing and analyzing this data is prohibited in Europe. But maybe not in Türkiye.” The UPM professor suggests that a data broker located outside the EU can collect data about European users and then easily sell it to a company operating within the EU.

“He who buys cannot buy here [dentro de la UE], but you can buy outside. We are talking about a file, an XML, a JSON, for example 5 MB, that has information about 5,000 potential clients. That’s a little file that you can send by email,” adds Qaissi. As easy as that. A 5MB file sent via email.

