How your personal data sells cheaper than chewing gum
Published on 28 Feb, 2017
If data is the new oil, then there is a gigantic oil spill all around you. Your personal data, be it your residential address, phone number, email ID, details of what you bought online, age, marital status, income or profession, is all up for sale. Most of this personal data is sold for less than a rupee per person, the cost of a piece of chewing gum.
Over one month, ET, posing as a prospective buyer, approached companies called ‘data brokers’, which hawk their services on online listings and sell personal information. For anywhere between Rs 10,000-15,000, we were offered personal data of up to 1 lakh people in Bangalore, Hyderabad and Delhi. The lists up for sale are creative and granular. One data broker we contacted said he could get lists of high net worth individuals, salaried people, credit card holders, car owners and retired women in any given vicinity. Some brokers sent us free samples: Excel sheets with personal data of people in Bangalore, split by address and income profiles.
ET called a dozen people from these lists to verify their details. “It’s scary, to say the least,” said Hyderabad-based Rajashekar, whose data, such as name, address and credit card ownership, was procured from a Gurgaon-based data broker who sold ET a sample database of nearly 3,000 people who have Axis and HDFC credit cards. The price tag: Rs 1,000. The database had details like name, address, phone number and the classification of the card (debit, credit or a premium card). The broker also said that a database of 1.7 lakh people from Delhi, NCR and Bangalore can be made available for Rs 7,000. “I believe it should be deemed as a crime. Without my permission, how can someone trade information related to me?” said Bangalore-based Nagaraj BK, who was appalled that details of his purchase of a gas stove on eBay were procured by ET as part of a free sample.
Similarly, Bangalore-based Shruti's purchase of luggage on Amazon, along with her phone number, was part of a free list of 115 online purchases made from Bangalore. When contacted to check if the purchase listed was accurate, Shruti was offended and scared, and even wondered if her Amazon account had been breached. A Mumbai-based litigation lawyer, whose name appeared on one of these lists we got, had recently lost around Rs 70,000 through credit card fraud and was even more skeptical of how the lady who called him knew his credit card details. In response to ET's queries, eBay said it takes data security and privacy of buyers and sellers on its platform very seriously.
An Amazon spokesperson said the company was not aware of any data leak or of any data being sold from their end, adding that any such case brought to their notice will be dealt with strictly to ensure customer data protection. HDFC Bank and Axis Bank both said they work on educating customers about the importance of protecting private or personal details, as well as safe banking practices. "We can't confirm the authenticity of the data shared with you by the Data Brokers and would urge people to highlight to us if they come across instances like this for us to take it up with the relevant authorities," an Axis Bank spokesperson said.
The obvious question to ask is: where are these brokers getting their data from? “Most of the data is sold to us by mobile service providers, agents from hospitals and banks, loan agents, car dealers,” Rajesh, an executive from an NCR-based data broker, told ET.
To be sure, data broking isn’t illegal but it does work in a grey zone. A 2014 US Federal Trade Commission report identified data brokers as companies that “obtain and share vast amounts of consumer information, typically behind the scenes, without consumer knowledge”.
“Globally, data broking is an approximately $200 billion industry. Marketing products generate over 50% revenue, followed by risk mitigation which constitutes approximately 45% of the revenue, and finally people search constitutes the remainder,” says Kannan Sivasubramanian, EVP of research firm Aranca.
The FTC report cited earlier said “data brokers operate with a fundamental lack of transparency,” and asked US lawmakers to consider enacting legislation to give consumers greater control over the immense amounts of personal information about them collected and shared by data brokers. India's IT Act does not specifically address the issue of data brokerage and privacy. “When you sign up for free discounts, fill out questionnaires, or your click stream in general, you are giving up all the data voluntarily and agreeing to privacy policies that allow you to do so,” said Mishi Choudhary, executive director of non-profit legal services organisation Software Freedom Law Centre.
The most obvious kind of misuse is that of financial data. The Reserve Bank of India registered 8,689 cases of frauds involving credit cards, ATM / debit cards and internet banking up till December 2016. This number was 16,468 in 2015-16. Many of these frauds are perpetrated by scamsters who use freely available personal data to win the confidence of customers and get them to share critical data like CVVs or One Time Passwords.
However, data brokerage is still at a very nascent stage in India. The market is dominated by larger international players such as Epsilon, Equifax and Experian that offer more sophisticated data sets. John Young, US-based Epsilon’s Chief Analytics Officer, told ET that the data they collect comprises customers’ previous transactions from PoS (point-of-sale) systems and third-party data such as demographic and lifestyle information.
“Increasingly, data from social media sites – much of it unstructured data, such as tweets – is collected for analytics that can help deepen the understanding of consumers,” Young told ET in an email response. Data collected by agencies such as US-based Equifax Credit Information Company, which carries out consumer credit reporting, is an example of data contributed by banks and other financial institutions. “All the data in credit bureau is contributed to directly from our member financial institutions in a standard format. We do not collect any additional information from users directly,” Manu Sehgal, Business Development Leader, Emerging Markets, told ET.