Oxford University recently conducted a survey on over one million Android apps and the results revealed significant harvesting of user data. In fact, over 90% of the app’s transferred user data back to Google.

In this study, approximately a third of the apps available in Google’s Play Store were examined and it was found that the average app could transfer information to 10 third parties, with one in five apps able to share data with more than 20 data brokers.

When we take a deep dive into the shadowy world of data brokers and examine what kind of information they collect it paints a scary picture.

Data Broker Industry

The data broker industry is generally divided into three categories. There are people search sites, where users can input a piece of personal information, such as a person’s name (or a phone number, city/state, email address, social security number, etc.) and get personal information on that person either for free or for a small fee. Information can include aliases, birthdates, interests and affiliations, addresses and address history, education information, employment details, information on marriage, divorce, bankruptcy, etc., social media profiles, property records, and details on relatives. These people search sites include places like Spokeo, PeekYou, PeopleSmart, Pipl, and many more. These sites can be used to research people and find old friends to send them postcards as they give access to addresses, court records, and other information people would rather keep private, they can also be used for doxing.

There are data brokers that focus on marketing, such as Datalogix (owned by Oracle), or divisions or subsidiaries of companies like Experian and Equifax. They develop dossiers on individuals which can be used to tailor marketing. Data brokers typically place consumers in categories based on their age, ethnicity, education level, income, number of children, and interests. Companies purchase lists of names, email addresses, interests and offline activity to assist in soliciting or marketing to those individuals. These sites can be used to better tailor marketing, offering consumers great deals or personally tailored discounts or coupons.

But the information can also be used to put people in high-risk classifications based on their search history or to advertise high-interest loans to them rather than low-interest ones for which they’d qualify. For example, searching for specific medical conditions such as heart disease or diabetes could be added to your digital biography. Even seemingly innocuous information, like looking at motorcycles or researching diabetes for oneself or a friend—might mean that insurance companies would consider you more likely to engage in risky behaviour,  In some cases, these classifications may be based on inaccurate information—and there’s no easy process for consumers to access information, correct it, or remove it.

Lastly, there are data brokers such as ID Analytics that offer risk mitigation products to verify identities and help detect fraud. These are typically the least troublesome to consumers, unless, of course, the information is inaccurate—in which case, it may be difficult to correct. For example, a lender might use a risk mitigation product to determine whether a Social Security number is associated with a deceased person, or whether a mailing address used has been associated with fraud. This can be useful for detecting fraud, but can also stop consumers who happen to have a matching address but are not committing fraud from being able to complete a transaction.

Other threats

In addition to the threats listed above, the information collected on individuals can be used in various other nefarious ways, such as to facilitate identity theft. Additionally, companies scooping up tons of data on individuals are vulnerable to security breaches, so the information they’re collecting has ended up in the wrong hands. In addition to the Equifax breach, which affected more than 145 million people we have recently seen the massive breach on Starwood Hotels with over 500 million peoples personal data stolen.

So – Where is the Data going? 

The researchers at Oxford looked at the code in apps that indicates information is being transferred and showed both how widely this information is shared, and how that data often flow upwards to a handful of companies, notably Google’s parent company Alphabet, as well as Facebook, Twitter, Verizon, Microsoft and Amazon.

The concentration of data in the hands of the world’s biggest tech companies is often masked by a network of subsidiaries that collect data from smartphone apps. The analysis showed that as of January last year 88 per cent of apps could transfer data to third parties ultimately owned by Alphabet, while 43 per cent could transfer data to businesses ultimately owned by Facebook.

Because data are ultimately transferred to the same businesses, it can be used to create detailed profiles. If information from a dating app, for example, were shared with the same parent company as data from a banking app, it could be possible to deduce the sexuality of a bank’s customers.

News apps, games and apps targeting children were among those with the ability to transfer data to the most third parties, the research found, despite regulations in the US and Europe that limit how children’s data can be processed.

Unfortunately, most smartphone users often do not realise the extent to which their data are passed to third parties, or repackaged and passed on again.