Data brokers and scammers team up to target the elderly, vulnerable
Podcast and transcript on one of the worst data crimes you've never heard of
In a crime so ugly it's hard to believe it's real, billion-dollar corporations have turned their algorithmic ray guns on elderly and vulnerable Americans -- specifically to help criminals deliver convincing lottery spam and other scams. They did it for years. And in a circle-of-algorithm-life design worthy of Marvel comics, the data brokers used feedback from the scammers to fine-tune their evil ray guns along the way — honing in on the most vulnerable people.
I've covered this topic before, but this week I dropped a Debugger podcast interview with the authors of the research behind that story. They make a persuasive argument that this kind of algorithmic attack isn't illegal yet, and that makes us all vulnerable.
You can listen to our conversation by pressing play below or clicking here, or subscribing to Debugger on your favorite podcast platform. A transcript of our conversations is below.
(Lightly edited for clarity)
Bob: Data brokers vacuum up information about all of us, then package it up and sell it to marketers -- in theory, so just the right ad pops in front of us at just the right time. Say a car ad when you're car shopping. But do data brokers enable things that are far worse? For example, do they sell profiles to scammers so they can target vulnerable populations, specifically the elderly, who then become victims of crimes? Duke University is studying just that, and to talk about what researchers have learned so far - with us today are student Alistair Simmons and data broker team lead, Justin Sherman. So Justin are data brokers targeting vulnerable populations, like the elderly?
Justin: They are. As you mentioned, data brokers, when they talk about their clients, will focus on things like selling to banks or selling to marketers who want to give you that Starbucks coupon when you walk by the store. But there's a whole range of other actors that are actually out here buying information on people from these data brokers. And so a recent article that Alastair and I published in LawFare looks at three different court cases where data brokers are each prosecuted for selling data for about a decade each to criminal scammers on millions of Americans. And many of these people were elderly and many of these people were otherwise vulnerable, including some people having cognitive health issues, like Alzheimer's. And so, these companies knew that the people buying from them were scammers that they would send fake astrology, ads and lottery scam mailers, and other things, but they made money off of the sale, so they provided that information anyway.
Bob: My understanding is then they knew these people had a proclivity for responding to certain kinds of invitations, like an invitation to respond to a lottery, and then they would sell that to other known scammers. Thinking that look, the victims would also respond to those ads. Alistair, I know when you started this project, you were just doing research. Did you expect to find this amount of court cases already involving scammers and data brokers?
Alistair: No. I was actually very surprised. By just looking through the annual report to Congress on the Department of Justice activities to combat elder fraud (I found) there's already been a litany of cases about data brokers assisting in elder fraud. And what surprised me the most is how data brokers not only would sell lists of data about people who are likely to be scammed to scammers, but they would collect feedback from the scammers on who was successfully scammed and targeted, and then use that information for future campaigns.
That was really concerning to me because it meant that the same demographics and the same population would be repeatedly targeted by these manipulative solicitations. And it made me really understand how coerced and targeted the industry is at people who've already been identified as an easy threat or an easy target. So the intentionality of data brokers making these lists specifically because they believe that the people on it are easily deceived or easy targets for these misleading solicitations made me very concerned about their interests and their intentional targeting of the elderly and vulnerable.
Bob: So they didn't just pick up elderly victims by accident while they were marketing to everyone. These were specifically targeted to vulnerable people.
Alistair: Exactly. And the refinement process of determining who is a proper victim that should be targeted again, makes it even more accurate. As these lists continue to be created and adjusted based on who has already been a victim.
Bob: Over the course of a decade, they become more and more focused at people who are likely victims.
Alistair: Exactly.
Bob: So just so people understand what's really going on here, is there an example of a particular scam that sticks out in your mind that you read as you were reading these court cases?
Alistair: Yeah, I think with the Macromark case, there were examples of executives receiving emails from the scamming clients. Describing how they would send mail solicitations to people, specifically this woman that had Alzheimer's and when they were reaching back to her, asking for the prize that they were promised, once they paid money, the scamming executive told the Macromark executive that they never offer money. These executives knew that they were pretty much pitching and selling people on these false promises. And they knew in the email, which intentionally says that this [00:07:00] woman had Alzheimer's and that her husband was reaching out, but the executive felt no remorse or had no initiative to change the clientele that he had. So that case in particular stuck in my mind because it kind of demonstrated how a lot of these data brokers will override internal protocols about who they should be selling data to, if it entails more profit for them.
Bob: And we're not talking about small mom and pop data brokers, are we, what, what kind of companies are we talking about?
Alistair: We're talking about companies that have billions of dollars of revenue a year. Epsilon, which is one of the largest data brokers, that collects a lot of credit reporting information related to banking, which of course makes it even more concerning that they're also have been proven to support fraudsters in the past because they already collect so much information about financial data, that their ability to mislead somebody is very strong. I'm trying to look more into how the data is segmented between data brokers. So if they're able to separate kind of credit reporting data other mental health data that they've been collecting. But my intuition is that this data is not segmented and they have massive registries of every specific individual containing a lot of personal information about them that can be accessible by anybody who wants to purchase it.
[00:08:48] Bob: So, listeners, you can read all about these cases that Alistair found on their LawFair blog, and I will put a link to it in the show notes. It's important to note that these companies have pled guilty and all these cases are in the past, and they now claim to be not doing this anymore. But Justin, what is your team looking into now and what do you expect to find?
Justin: . We're continuing to look into other cases like this of data brokers, selling information to scammers so that they can target vulnerable Americans. Alistair is doing some of this right now, looking at what kind of controls did these companies put or not put in place after these guilty pleas that you just mentioned. Because, you know, in, in the one instance across these three companies where someone at the firm did some due diligence, saw a scammer looking to get data and said, ‘Hey, we shouldn't sell to them,’ they were overridden by people, including people who get commission off of that sale. And so we're trying to understand -- if you were to have within a regulated data broker space some internal company controls, what would those look like?
But as you know, this is not an isolated incident. Data brokers have sold to scammers before. And so there's all kinds of questions about who else vulnerable in society might be targeted.
[00:10:21] Bob: And that was the final question I wanted to ask you. It's hard to get attention on elder fraud. Elder fraud has been a big problem for a long time.
But this isn't of course -- this doesn't just victimize one part of society. Can you put this in some broader context, Justin, and tell people why this really matters?
[00:10:40] Justin: Well, this kind of -- as has been a theme here -- this kind of data collection and selling is completely legal. Actually if I have a list of people over the age of 65 with Alzheimer's or dementia, it is completely legal for me to collect that, it is legal for me to sell it, whether that's to an insurance company or to law enforcement or even to a scammer. And it's not illegal until the scammer actually does something with it. Or if I know they're going to steal from people with it. So we have this ecosystem of buying and selling information that includes data on people who are elderly, including mental health and cognitive health issues, but also that also covers people's location information that you can buy off the market, includes how people vote, what they buy, how much money they make.
You know, there was a Politico story where a data broker said this recently -- when these companies are called out for unethical practices, the defense is usually the same, which is, ‘Well, it's not illegal.’ And so that's really kind of the space we're dealing with -- there's an unregulated system of buying and selling data, but many of these companies have the view that, well, if I'm not legally required to stop doing something, there's nothing wrong with me doing it in the first place.
Bob: And so in order to stop this, somebody has to make it not legal.
Justin: Right. Exactly. There are five states that have passed privacy laws to date. All of those state laws have provisions for people to tell companies, ‘Stop selling my data.’ But most states don't have even that law. And in general, we don't have laws in the US to control for buying and selling information. So that's exactly the kind of thing Congress really needs to get working on.