The rise of information brokers: Unveiling the underbelly of data accessibility
The rise of information brokers: Unveiling the underbelly of data accessibility
Uncovering how information brokers facilitate easy access to segmented data in Israel
How did spam come into existence? Who shared your phone number with charitable organizations, or your contact details with "instant loan" providers? Periodically, when a surge of telephone nuisances inundates Israel's residents, theories proliferate across social media. Nevertheless, there's no need for excessive speculation, as detailed and segmented target lists for targeted advertisements are readily available in Israel. Today, information brokers offer access to substantial quantities of data—lists containing 2,000, 5,000, or more email addresses, phone numbers, and related information—categorized based on various demographic criteria.
In Israel, legislation prohibits the use of information gathered for one purpose in another context. Consequently, information brokers don't technically own the information; rather, they've developed "methods for internet scanning." What's their focus? They peruse the numerous databases that have been leaked onto the internet. The sheer abundance of these databases is such that one doesn't even need to resort to the dark web to acquire them.
But the easy access to information is not only due to leaks, but also due to the consent we casually give. Take for example the popular channel on social networks "Israel in Entertainment". At the end of 2022, it announced its "Artist of the Year" survey, and asked the general public to participate, rate and influence. The terms of use included the following agreement: "Participants hereby give their irrevocable consent to the use of their details, including place of residence, age, year of birth, the answers they answered in the survey, etc. in any activity or for any other need at the sole discretion of the organizer of the activity, including saving their details in the database, without time limit and without any compensation. The participants hereby waive any claim and/or demand and/or claim in connection with the publication and/or use of their details as stated, and they will not have any claim against the organizer of the activity or anyone on her behalf in connection therewith. The consent mentioned in this section is a condition for participation in the activity."
These are such extensive terms of use that it seems as if the survey was created to build a database, and not the other way around. But who cares? You mark it with an X and move on to rate the singer of the year.
In Israel, everything is hacked, leaking and exuding a general aroma of irresponsibility, lack of care, a reality where it seems as if those who collect information have no obligations, and the information holders have no rights. A more fundamental question arises from this - why and how does this happen? What shaped the general approach to information, its sensitivity, the way it is guarded and monitored?
The method: anyone who can get their hands on information collects it. There is no one to supervise
From time to time and upon demand, a certain resource is crowned as new "gold". Once the panic was around metal itself, then it was the oil, at times they crowned coffee this way, then cocoa, in times of shortages also fertilizers, or lithium. This is a dynamic list that today is dominated by one resource above all - data. These are collected, sorted, stored and sold after processing and polishing to the highest bidder. The centrality of data was clear very quickly with the development of the computer age. Already in 1985, Robert Mercer, then a computer scientist at IBM, said that "There's no data like more data". Today, those who collect or desire data, in Israel and elsewhere in the world, act according to the simple dynamic: "If there is data - I will collect it; if I collected it - it is mine; if it is mine - I will do with it as I wish."
These days there is a special interest in artificial intelligence and we are at the watershed: a moment when the state needs to think not only how it "leads in the AI race" but also protects its residents from an industry that knows no insatiability or limits in data collection.
Israel has a particularly difficult challenge because at this crucial moment, 40 years since the onset of the digital revolution, it is clear that the data regime that has developed in the country is a resounding failure, an example of the irrelevance into which regulators and legislators can sink.
The direct way to examine how the state takes care of the interests of its residents in this matter is through the existing legislation. This unfortunately takes us far back to 1981 and the Privacy Protection Law, where it is defined that anyone who wishes to have a database must by law register it in the database register. "When the obligation to register was created in the 1980s, the rationale was that we are in an analog world where things are saved in tabs and folders, and if you start putting things into a computerized system, an additional risk is created," says attorney Rivki Dvash, who headed the database registration department at the Privacy Protection Authority at the beginning 2000s, and today serves as a senior fellow at the Israel Tech Policy Institute.
"Back then there were 400 databases and the assumption was that people didn't necessarily know that information was being collected about them. But the default has changed, the assumption today is that almost every small, medium or large business has a database. You have to remember that it grew from there."
The current state of shame is the product of multiple and unsuccessful efforts to bring about a change. The Shufman report from 2007 was the first to put forward a series of necessary amendments, of which only one significant update was made. In the last two years there have been discussions on "Amendment 14" which reached the honorable achievement of being passed in the first reading, but since then the government has changed.
"By and large, they took the recommendations of the Shufman report regarding the registration obligation," says Davash, "It's insulting. 15 years have passed. It's hard for me to see the benefit of the registration and you can also see it in the scope of the registered repositories."
Dvash says that even during her time it was clear that the registration obligation did not produce real benefit. "In 2007, even before the iPhone, we submitted the Shufman report and already recommended reducing the registration obligation," says Dvash. "I saw the extent of the resources that are being directed for registration, during my time there was a pool of approximately 17,000 in the register, and if I look at them, I don't really get a mapping of which there are, what their quality is or what risk they create. I saw how many resources we invest in registration when the benefit is not very high."
This is how we reached this point in time where nothing is fixed, and everyone can do whatever they want. After all, the registration does not create any protection, the authority does not enforce, the legislation is not updated, and everyone does as they please.
What can we do? In order to restore to the state the ability to monitor databases, it is first necessary to define what is allowed and what is not allowed
What are the moves that will allow some kind of control over the databases? According to Dvash, "The first thing should be transparency regarding what information is collected, what uses are made of it, to whom it is transferred, etc. We also need to talk about which uses are allowed and which are not, that is, what is allowed to be done with the information. The right of inspection must also be realized in a much more meaningful way." Dvash adds that there are of course other things that are not necessarily just legislative amendments "like for example I would invest much more in education and encouraging technology companies to build products that incorporate privacy engineering. I would expect that there would also be encouragement of the State for this, such as dedicated funds that will encourage the issue, because in the end the solution is essentially technological."
First published: 08:11, 22.08.23