Corporate Surveillance in Everyday Life

Transcript

1
Wolfie Christl
CORPORATE SURVEILLANCE IN EVERYDAY LIFE
How Companies Collect, Combine, Analyze, Trade, and Use Personal Data on Billions
A REPORT BY CRACKED LABS
Vienna, June 2017
Author: Wolfie Christl
Contributors: Katharina Kopp, Patrick Urs Riechert
Illustrations: Pascale Osterwalder

2
Wolfie Christl
Corporate Surveillance in Everyday Life
How Companies Collect, Combine, Analyze, Trade, and Use Personal Data on Billions
A Report by Cracked Labs, Vienna, June 2017
© 2017 Cracked Labs, CC BY-SA 4.0
Author: Wolfie Christl
Contributors: Katharina Kopp, Patrick Urs Riechert
Illustrations: Pascale Osterwalder

Every effort has been made to ensure the accuracy of the texts in this report. The author and the publisher accept no liability in the case of eventual errors.

Cracked Labs – Institute for Critical Digital Culture
Annagasse 8/1/8, 1010 Vienna, Austria
http://crackedlabs.org

Wolfie Christl is a digital rights activist, technologist, researcher, writer and educator, based in Vienna.
http://twitter.com/WolfieChristl
http://wolfie.crackedlabs.org

The production of this report was supported by the Open Society Foundations.

3
Table of Contents

1. Background and Scope 4
2. Introduction 6
3. Relevant players within the business of personal data 11
  3.1 Businesses in all industries 13
  3.2 Media organizations and digital publishers 16
  3.3 Telecom companies and Internet Service Providers 18
  3.4 Devices and Internet of Things 20
  3.5 Financial services and insurance 21
  3.6 Public sector and key societal domains 23
  3.7 Future developments? 24
4. The Risk Data Industry 27
  4.1 Rating people in finance, insurance and employment 27
  4.2 Credit scoring based on digital behavioral data 30
  4.3 Identity verification and fraud prevention 32
  4.4 Online identity and fraud scoring in real-time 34
  4.5 Investigating consumers based on digital records 38
5. The Marketing Data Industry 40
  5.1 Sorting and ranking consumers for marketing 40
  5.2 The rise of programmatic advertising technology 44
  5.3 Connecting offline and online data 47
  5.4 Recording and managing behaviors in real-time 49
  5.5 Collecting identities and identity resolution 50
  5.6 Managing consumers with CRM, CIAM and MDM 52
6. Examples of Consumer Data Broker Ecosystems 54
  6.1 Acxiom, its services, data providers, and partners 54
  6.2 Oracle as a consumer data platform 59
  6.3 Examples of data collected by Acxiom and Oracle 63
7. Key Developments in Recent Years 65
  7.1 Networks of digital tracking and profiling 65
  7.2 Large-scale aggregation and linking of identifiers 67
  7.3 “Anonymous” recognition 69
  7.4 Analyzing, categorizing, rating and ranking people 70
  7.5 Real-time monitoring of behavioral data streams 73
  7.6 Mass personalization 75
  7.7 Testing and experimenting on people 77
  7.8 Mission creep – everyday life, risk assessment and marketing 79
8. Conclusion 84
Figures 87
References 87

4
1. Background and Scope

In recent months, a large ride-hailing platform has been accused of abusing its data power to identify, block, and undermine regulators [1], suppliers [2], and rivals [3], as well as to manipulate both its drivers and riders [4]. As Ryan Calo and Alex Rosenblat suggest in their outstanding paper on “Uber, Information, and Power” [5], such platforms may be “leveraging their access to information about users and their control over the user experience to mislead, coerce, or otherwise disadvantage sharing economy participants”. Generally, firms could increasingly “use what they know about consumers” to not only “match them to content they might prefer” but also to “nudge consumers to pay more, to work for less, and to behave in other ways that advantage a firm”.

This encapsulates one of the key concerns that scholars, privacy activists and consumer rights advocates have been raising for years. When a rapidly growing number of daily interactions and behaviors undergo unrestricted digital monitoring, analysis, and assessment, corporate actors can systematically abuse their resultant unprecedented data wealth for their economic advantage. Omer Tene and Jules Polonetsky compare the relationship between data companies and individuals to a “game of poker where one of the players has his hand open and the other keeps his cards close” [6]. As Calo and Rosenblat write, when a company “can design an environment from scratch, track consumer behavior in that environment, and change the conditions throughout that environment based on what the firm observes, the possibilities to manipulate are legion”. For example, they may “reach consumers at their most vulnerable, nudge them into overconsumption, and charge each consumer the most he or she may be willing to pay” [7].

The consequences of pervasive consumer surveillance. However, these practices are not the domain of one large company. In recent years, a vast landscape of partially interconnected databases has emerged that consists not only of large players such as Facebook and Google but also of thousands of other companies from various industries that collect, analyze, acquire, share, trade, and utilize data on billions of people [8]. Further major concerns about the possible implications of these opaque “networks of corporate surveillance” [9] focus on their potential to

[1] https://www.nytimes.com/2017/03/03/technology/uber-greyball-program-evade-authorities.html
[2] https://mobile.nytimes.com/2017/04/23/technology/travis-kalanick-pushes-uber-and-himself-to-the-precipice.html
[3] https://www.theguardian.com/technology/2017/apr/13/uber-allegedly-used-secret-program-to-cripple-rival-lyft
[4] http://boingboing.net/2017/03/09/weaponized-information-asymmet.html
[5] Calo, Ryan and Rosenblat, Alex (2017): The Taking Economy: Uber, Information, and Power (March 9, 2017). Columbia Law Review, Vol. 117, 2017; University of Washington School of Law Research Paper No. 2017-08. Available at: https://ssrn.com/abstract=2929643
[6] Tene, Omer and Jules Polonetsky (2013): Big Data for All: Privacy and User Control in the Age of Analytics. 11 Nw. J. Tech. & Intell. Prop. 239 (2013). p. 255. Available at: http://scholarlycommons.law.northwestern.edu/njtip/vol11/iss5/1
[7] Calo, Ryan and Rosenblat, Alex (2017)
[8] Christl, Wolfie and Sarah Spiekermann: Networks of Control. A Report on Corporate Surveillance, Digital Tracking, Big Data & Privacy. Facultas, Vienna 2016, p. 7. Available at: http://crackedlabs.org/en/networksofcontrol
[9] Ibid, p. 10

CORPORATE SURVEILLANCE IN EVERYDAY LIFE | A REPORT BY CRACKED LABS, 2017

5
make data-driven decisions about people that are inaccurate, arbitrary, or biased [10]. This may limit the chances and choices of individuals and lead to the discrimination and social exclusion of whole population groups [11]. Algorithmic decisions based on digital profiles may reinforce existing biases and social inequalities and even become self-fulfilling prophecies [12]. Furthermore, much of corporate data collection and utilization happens invisibly, often with neither the knowledge nor consent of the subjects [13]. When people know that they are being constantly monitored, this can produce chilling effects on forms of action or expression [14]. Finally, refusing to participate in today’s digital tracking can have negative consequences, too. Consumers can “hardly avoid privacy contracts” because “almost all banks, software and hardware vendors, social networking sites, digital content services, retail loyalty programs, and telecommunications providers employ them” [15]. As Maciej Cegłowski summarizes, “opting out of surveillance capitalism is like opting out of electricity, or cooked foods — you are free to do it in theory”; in practice, it means “opting out of much of modern life” [16].

Online advertising: a major driver but minor problem? In crucial areas of life such as finance, insurance, housing, healthcare, welfare, law enforcement, and employment, many would agree that inaccurate, biased or discriminatory automated decisions based on digital profiles about consumers can harm individuals and vulnerable population groups. Similarly, when a single large company possesses fine-grained data on and control over interactions with consumers, the danger of abusive nudging and manipulation appears apparent. In contrast, today’s online advertising ecosystem – one of the major drivers of ubiquitous corporate digital tracking and profiling – features a large number of tech companies constantly aggregating, combining, sharing, and trading profiles about people. Many people consider the intrusive data collection for online advertising as posing merely a minor problem. Yet the inner workings of today’s advertising technology are barely understood outside of this business, and even fewer people grasp its social, economic and ethical consequences.

The pervasive real-time surveillance machine that has been developed for online advertising is rapidly expanding into other fields, from pricing to political communication to credit scoring to risk management. Many companies have already aggregated enormous, extensive databases of sensitive behavioral data on billions of people, which they freely make use of for any purpose that happens to fit their economic interests. In addition, online advertising itself has already morphed into something other than what has, until recently, been understood under

[10] Ibid, p. 126, 127
[11] Lyon, David (2010): Surveillance, Power and Everyday Life. In: Kalantzis-Cope, Phillip; Gherab-Martín, Karim (eds): Emerging Digital Spaces in Contemporary Society: Properties of Technology, Palgrave 2010, p. 107-120
[12] Christl and Spiekermann (2016), p. 125
[13] Ibid., p. 121-123
[14] Ibid., p. 127
[15] Rhoen, Michiel (2016): Beyond consent: improving data protection through consumer protection law. Internet Policy Review, 5(1). Available at: http://policyreview.info/articles/analysis/beyond-consent-improving-data-protection-through-consumer-protection-law, p2
[16] Cegłowski, Maciej (2016): The Moral Economy of Tech. Text version of remarks, SASE conference, Berkeley, June 26, 2016. Available at: http://idlewords.com/talks/sase_panel.htm

6
“advertising”; today’s online marketing technologies go far beyond simply displaying ads. Based on data-driven predictive analytics, personalization, measurement, and testing, they aim to influence behavior at scale. In the background, consumers are constantly evaluated, sorted, categorized, and ranked in order to treat them on a case-by-case basis as best fits a company’s business interests. Yet as individuals are made ever more transparent, corporate practices remain largely opaque.

This report examines today’s corporate networks of digital tracking and profiling and the implications that extensive collection and utilization of personal information have for individuals, groups of individuals, and society at large. It examines how companies record, combine, share, and trade personal data on billions, and aims to better map today’s personal data ecosystem. Based on previous research on corporate surveillance and privacy undertaken by the author together with Sarah Spiekermann [17], it further investigates and summarizes the structure and scope of today’s personal data ecosystem, as well as of other relevant industries, business models, platforms, services, devices, technologies, and data flows. On a broader level, this report is part of a larger effort that aims to identify key issues relevant to fundamental rights and social justice, as well as to encourage further work by civil society, media, and other critical voices. The key question is how commercial digital profiling and data-driven algorithmic decisions affect equality, freedom, autonomy, democracy, and human dignity on both individual and societal levels. With this in mind, this report focuses on the actual practices and inner workings of today’s personal data industry and explores relevant recent developments.

2. Introduction

It is not easy to gain an overview of how information about individuals is collected, analyzed, shared, and utilized in the commercial sphere today – and not only because of the industry’s non-transparency [18]. Previous reports and investigations on today’s personal data ecosystem and its societal implications have focused on specific practices (such as credit scoring [19] or voter targeting [20]), devices (such as smart TVs [21] or activity trackers [22]), technologies (such as face

[17] Christl, Wolfie and Sarah Spiekermann (2016): Networks of Control. A Report on Corporate Surveillance, Digital Tracking, Big Data & Privacy. Facultas, 2016. Available at: http://crackedlabs.org/en/networksofcontrol
[18] Ibid., p. 121
[19] E.g. Ferretti, F. (2009): The credit scoring pandemic and the European vaccine: Making sense of EU data protection legislation. Journal of Information, Law & Technology, 2009. Available at: http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2009_1/ferretti
[20] E.g. Bennett, Colin (2016): Is Your Neighbor and Democrat or a Republican? Lateral Voter Surveillance and the Political Culture of Modern Election Campaigns (April 20, 2016). Available at: https://ssrn.com/abstract=2776308
[21] E.g. Irion, Kristina and Natali Helberger (2016): Smart TV and the online media sector: User privacy in view of changing market realities. Telecommunications Policy, Volume 41, Issue 3, April 2017, Pages 170–184. Available at: http://doi.org/10.1016/j.telpol.2016.12.013
[22] E.g. Norwegian Consumer Council (2016): Consumer protection in fitness wearables. November, 2016. Available at: https://fil.forbrukerradet.no/wp-content/uploads/2016/11/2016-10-26-vedlegg-2-consumer-protection-in-fitness-wearables-forbrukerradet-final-version.pdf

7
recognition [23]), environments (such as mobile apps [24]), types of data (such as health [25] or location data [26]), harms (such as exclusion [27] or manipulation [28]), groups of people affected (such as minorities [29] or students [30]), industries (such as telecom providers [31] or data brokers [32]), or the dominant companies (such as Facebook [33] and Google [34]). While such a detailed focus on different components is urgently needed to shed light on the opaque methods of data exploitation and its implications, one runs the risk of losing sight of the bigger picture. Today’s personal data ecosystem is diverse, fragmented, quickly developing, and driven by various, often conflicting, interests. Some players, such as Facebook and Google, are very visible for consumers; many others, though, operate behind the scenes and away from the public’s attention. The rise of social networks, mobile communication, government mass surveillance, and regular data breaches has precipitated an ongoing debate on privacy. It has even focused the public’s attention on previously less known industries, such as consumer reporting agencies and marketing data brokers [35]. And yet, one cannot properly evaluate the data ecosystem without understanding all the players, large and small, visible and hidden. To understand the societal implications of today’s personal data ecosystem, it is essential to look at it from both a distance and up close.

[23] E.g. United States Government Accountability Office (2015): Facial Recognition Technology. Commercial Uses, Privacy Issues, and Applicable Federal Law. Report to the Ranking Member, Subcommittee on Privacy, Technology and the Law, Committee on the Judiciary, U.S. Senate, July 2015. Available at: http://www.gao.gov/assets/680/671764.pdf
[24] E.g. Zang, Jinyan, Krysta Dummit, James Graves, Paul Lisker, and Latanya Sweeney (2015): Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps. Technology Science, 2015103001, 30.10.2015. Available at: http://techscience.org/a/2015103001
[25] E.g. Tanner, Adam (2017): Our Bodies, Our Data. How companies make billions selling our medical records. Beacon Press, Jan 10, 2017
[26] E.g. Rothmann, Robert; Sterbik-Lamina, Jaro; Peissl, Walter; Čas, Johann (2012): Aktuelle Fragen der Geodaten-Nutzung auf mobilen Geräten – Endbericht. Bericht-Nr. ITA-PB A63; Institut für Technikfolgen-Abschätzung (ITA): Vienna. Available at: https://www.oeaw.ac.at/itaen/projects/the-use-of-geodata-on-mobile-devices/overview/
[27] E.g. Seeta Peña Gangadharan (2012): Digital inclusion and data profiling. First Monday, Volume 17, Number 5 - 7 May 2012. Available at: http://firstmonday.org/ojs/index.php/fm/article/view/3821/3199
[28] E.g. Calo, Ryan (2013): Digital Market Manipulation. 82 George Washington Law Review 995 (2014); University of Washington School of Law Research Paper No. 2013-27, August 15, 2013. Available at: https://ssrn.com/abstract=2309703
[29] E.g. Angwin, Julia; Jeff Larson; Lauren Kirchner; Surya Mattu (2017): Minority Neighborhoods Pay Higher Car Insurance Premiums Than White Areas With the Same Risk. ProPublica, April 5, 2017. Available at: https://www.propublica.org/article/minority-neighborhoods-higher-car-insurance-premiums-white-areas-same-risk
[30] E.g. Frida Alim, Nate Cardozo, Gennie Gebhart, Karen Gullo, and Amul Kalia (2017): Spying on Students: School-Issued Devices and Student Privacy. Electronic Frontier Foundation, April 13, 2017. Available at: https://www.eff.org/wp/school-issued-devices-and-student-privacy
[31] E.g. Ammari, Nader; Gustaf Björksten; Peter Micek; Deji Olukotun (2015): The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy. Access Now, August 2015. Available at: https://www.accessnow.org/cms/assets/uploads/archive/AIBT-Report.pdf
[32] E.g. Rieke, Aaron; Harlan Yu; David Robinson; Joris von Hoboken (2016): Data Brokers in an Open Society. An Upturn Report, prepared for the Open Society Foundations. November 2016. Available at: https://www.opensocietyfoundations.org/sites/default/files/data-brokers-in-an-open-society-20161121.pdf
[33] E.g. Lee, Newton (2014): Facebook Nation. Total Information Awareness. Springer, 2014.
[34] E.g. Tene, Omer (2007): What Google Knows: Privacy and Internet Search Engines (October 1, 2007). Utah Law Review. Available at SSRN: https://ssrn.com/abstract=1021490
[35] E.g. Singer, Natasha (2012): Mapping, and Sharing, the Consumer Genome. New York Times, June 16, 2012. Available at: http://www.nytimes.com/2012/06/17/technology/acxiom-the-quiet-giant-of-consumer-database-marketing.htm

8
Therefore, chapter 3 takes a big picture view, focusing on the wide range of players within the business of personal data, including key industries such as media, retail, telecom and financial services. Beside the large online platforms and other data companies in the fields of credit reporting, direct marketing, analytics and online advertising, businesses in all industries are increasingly involved in today’s digital tracking and profiling landscapes. Without a thriving ecosystem of companies collecting extensive amounts of data on consumers, the data giants would not be able to aggregate, combine, analyze, rent, and sell their extensive amounts of personal data. However, many of these businesses and organizations are even more secretive about their data collecting and sharing than the data and analytics industry itself, which, after all, has to promote and advertise its services to its clients.

Subsequently, chapter 4 examines companies, services, and technologies within the risk data industry, starting with a summary of how credit and consumer reporting agencies use data to rate people. Even as traditional methods of credit scoring still raise many questions pertaining to accuracy, fairness, equity, transparency, explainability, and accountability, companies are expanding the types of data they use to predict the creditworthiness of individuals. Some have started to incorporate behavioral data derived from e.g. web searches, social media, smartphone usage, and other sources in their scoring mechanisms. Traditional identity verification and fraud prevention vendors now monitor and evaluate how people surf the web and use their mobile devices. Furthermore, they have started to link digital behavioral data with the vast amounts of offline identity information they have been collecting for decades. Google’s captcha service is now able to identify whether someone is a legitimate human being or not without any explicit user interaction, such as a quiz or a click on a checkbox, based only on the company’s far-reaching behavioral monitoring capabilities.

Chapter 5 turns to the marketing data industry and shows how long-established practices of consumer segmentation and database marketing join forces with the pervasive tracking and profiling embedded in today’s online advertising. Companies can now find and target users with specific characteristics and behaviors in real-time, regardless of which service or device is used, which activity is pursued, or where the user is located at a given moment. Within milliseconds, digital profiles about consumers are auctioned and sold to the highest bidder. Large consumer data brokers have started to partner with hundreds of advertising technology firms as well as with platforms such as Google and Facebook. They combine data about offline purchases with online behaviors and provide services that allow other companies to recognize, link, and match people across different corporate databases. Businesses in all industries can use the services of data companies to seamlessly collect rich data about consumers, add additional information on them, and utilize the enriched digital profiles across a wide range of technology platforms.

After chapter 6 presents two case studies that examine the data services, providers, and partners of the consumer data brokers Acxiom and Oracle as illustrative examples of wider practices, chapter 7 summarizes key developments from recent years:

9
• Established commercial practices of data collection on consumers have rapidly evolved into pervasive networks of digital tracking and profiling that exist in a complex and vast landscape of corporate players who continuously monitor the lives of billions of people. Companies are now able to identify and address consumers on an individual level in a growing number of everyday situations.

• For this purpose, businesses aggregate and link personal identifiers such as email addresses, phone numbers, smartphone IDs, and platform user account IDs and use them to recognize people, as well as to link and combine profiles about them across different services, platforms, devices, and life contexts. Since names are not very useful for identifying people in the digital world, data brokers have introduced globally unique corporate IDs for consumers. All of these identifiers can be connected to digital profiles distributed across multiple companies, which are continuously updated based on large-scale data collection and advanced classification and prediction methods.

• Hundreds of large companies, including online platforms, data brokers and advertising technology firms, sort consumers into tens of thousands of categories. Digital profiles about individuals include attributes and scores about education, employment, political views, ethnicity, religion, health interests, media usage, purchases, income, economic stability, and personality. Myriads of behavioral data categories refer to website visits, video views, app usage, movements, and web searches, including sensitive “interests” such as for abortion, legalizing drugs, gay marriage, military bases, protests, heart failure, and more.

• Based on the sophisticated ways of linking and combining data across different sources, companies can utilize today’s ubiquitous behavioral data streams from myriad services to monitor and analyze all activities and behaviors of consumers that might be relevant to their business interests. With the help of data vendors, companies try to capture and measure every interaction with a consumer in real-time, including on websites, platforms, and devices that they do not control themselves.

• Data can now be used not only to display ads on websites or within mobile apps, but also to dynamically personalize the contents, options, and choices offered to consumers, for example, on a company’s website. Companies can define complex sets of business rules that define how to automatically react to certain kinds of consumer activities across the digital world and beyond; for instance, they can personalize prices in online shops by predicting how valuable someone might be as customer in the long term or how much someone is probably willing to pay in a specific moment. Similarly, politicians can target voters with messages personalized to a voter’s personality and political views on certain issues.

• Personalization based on rich profile information and pervasive real-time monitoring has become a powerful tool set to influence people’s behavior, e.g. to make consumers visit a website, click on an ad, register for a service, subscribe to a newsletter, download an app, or purchase a product. To further improve this, companies have started to continuously experiment on people. They conduct tests with different variations of functionalities, website designs, user interface elements, headlines, button texts, images or even different

10
discounts and prices, and then carefully monitor and measure how different groups of users interact with these variations. In this way, companies systematically optimize their modes of data-driven persuasion.

Mission creep. Not least, information about people’s behaviors, social relationships, and most private moments is increasingly used in contexts or for purposes completely different from those in which it was recorded – for instance, to make automated decisions in crucial areas such as finance, insurance, healthcare, employment, and law enforcement. Conversely, data that has been collected in the contexts of credit scoring, identity verification, fraud prevention, payment processing, or even healthcare is increasingly used for customer relationship management, online targeting, and other marketing purposes. Furthermore, data and analytics companies that make eligibility decisions and perform risk assessments of individuals have started to provide their clients with data services that integrate and unify data for risk management, customer relationship management, and marketing.

Perhaps most concerning, today’s digital fraud detection services use incredibly invasive technologies to evaluate billions of online transactions and to collect vast amounts of information in order to identify devices, individuals, and suspicious behaviors. They combine and link data collected for online fraud detection with offline identity records, information about someone’s financial situation, and many other types of data. This is then used for purposes other than pure fraud detection; for example, to decide which payment options someone gets in an online shop. In addition, there is some evidence that the extensive data collected for digital fraud detection is also used to recognize consumers and link information about them for marketing purposes, and vice-versa [36]. When the two faces of pervasive digital tracking – online advertising that constantly evaluates each individual’s economic potential and fraud detection that gauges a given person’s risk potential – are tied together, information society moves significantly further toward surveillance society.

[36] See chapter 5 and section 7.8

11
3. Relevant players within the business of personal data

Today’s large online platforms [37], such as Google and Facebook, have extensive information about the everyday lives of billions of people around the globe. They are the most visible, pervasive, and – aside from online advertisers and intelligence contractors – perhaps the most advanced players in the personal data business. However, in contrast to popular belief, they do not directly, for the most part, sell and share their detailed digital consumer profiles to third parties, at least not in the form of unified dossiers [38]. Instead, the large online platforms mostly let other companies utilize their data without fully transferring it, and they let them use their infrastructure to collect more data, to the benefit of both the client companies and the platforms themselves [39]. The data the platforms have about their users is, after all, their most valuable asset, and, as such, one that they do not want to give away [40]. Their dominance allows them to control how anyone – consumers and third party companies alike – can use the data they have collected. Of course, the large online platforms are not the only ones that collect extensive information about people and let others utilize it to take advantage; however, in contrast to the platform space, which is currently dominated by only a few actors, the ecosystem of players sharing and selling consumer data consists of a greater number of players.

Before the Internet, four basic consumer surveillance streams existed, as Bruce Schneier summarizes in his book “Data and Goliath” [41]. The first came from companies that kept records on customers, e.g. through loyalty programs. The second was direct marketing, a sector which included the trading of lists about consumers with certain characteristics. The third flowed from credit bureaus that collected detailed credit information on people. The fourth consumer surveillance stream originated from publicly available records about citizens such as birth certificates and various licenses, which companies were increasingly able to download or purchase. Today’s data and analytics companies often combine information from all four of these streams. While some data companies focus more on personal information for marketing, including customer data management and online advertising, others, which are usually referred to as consumer reporting agencies, focus on different aspects of risk management such as credit and insurance scoring, identity verification, and fraud detection. Some, such as Experian, cover almost all major areas of consumer data.

[37] Regarding the concept of “platforms” see e.g.: Evans, Peter C. and Annabelle Gawer (2016): The Rise of the Platform Enterprise. A Global Survey. The Emerging Platform Economy Series No. 1, The Center for Global Enterprise, January 2016. Available at: http://thecge.net/wp-content/uploads/2016/01/PDF-WEB-Platform-Survey_01_12.pdf
[38] The data industry often refers to Facebook and Google's “walled gardens of data”, consisting of their “tremendous first-party data assets and reach”. See e.g. http://www.businessinsider.com/luma-partners-state-of-digital-media-2016-presentation-2016-5
[39] For example, by embedding Facebook and Google’s data-gathering software into their websites and ads, including embedded videos and Like buttons, ad and analytics tags, and many other services.
[40] See e.g. https://adexchanger.com/data-driven-thinking/facebook-and-google-are-bringing-walled-gardens-back
[41] Schneier, Bruce (2015): Data and Goliath. The Hidden Battles to Collect Your Data and Control Your World. W. W. Norton & Company

12 Besides the large platforms and the consumer data and analytics industry, which later chapters will examine in further detail, the following sections take a big picture view on other key industries in this space, including retail, media, digital publishers, telecom, device providers, and financial services. Businesses in many industries are increasingly involved in today’s pervasive digital tracking and profiling landscape. Without a thriving multitude of companies collecting extensive amounts of data on consumers, the data giants would not be able to aggregate, combine, analyze, rent, and sell extensive amounts of personal data that they have amassed. Therefore, the next sections focus on the role of corporate players in different sectors of today’s personal data ecosystem. After a quick review of how crucial societal domains such as politics, healthcare, and national security might already be affected by or involved in the commercial tracking and profiling landscape, possible future developments are discussed.

Figure 1 shows a rough map of today’s commercial digital tracking and profiling landscape. Which industries are relevant in the context of the large-scale commercial collection and utilization of consumer data? Which key societal domains are affected?[42]

[42] Since many companies operate across industries, and industries are often related, this chart is far from perfect. For example, Google and Facebook could also be seen as the largest players in ad technology. In addition, regarding data protection, the societal and regulatory environments differ widely between different world regions, as well as with regards to society and economy at large. However, the mapping can hopefully support the further exploration of the structure and scope of today's personal data ecosystem. The chart is based on previous own research (see Christl and Spiekermann 2016), previous attempts to map the personal data ecosystem, and an extensive literature review considering academic work, as well as many industry reports, including, but not limited to: FTC "Personal Data Ecosystem", 2012 (https://www.ftc.gov/sites/default/files/documents/public_events/exploring-privacy-roundtable-series/personaldataecosystem.pdf), FTC "Data Brokers", 2014 (https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf), D-CENT Research on Identity Ecosystem, 2015 (https://dcentproject.eu/wp-content/uploads/2015/10/research_on_digital_identity_ecosystems.pdf), European Data Market studies by IDC and Open Evidence, 2016-2017 (http://www.datalandscape.eu/study-reports), works by Kaliya "Identity Woman" Young (see e.g. https://www.slideshare.net/Kaliya/ethical-market-models-in-the-personal-data-ecosystem), LUMA Partners' sector landscapes, 2017 (http://www.lumapartners.com/resource-center/lumascapes-2/)

13 Figure 1: Mapping the commercial digital tracking and profiling landscape

3.1 Businesses in all industries

Businesses in e.g. the retail, travel, consumer goods, media, telecommunication, banking, and insurance sectors that sell consumer products or services have all been collecting, using, and partly also sharing, information about prospects and customers for decades. Database marketing and loyalty programs have intensified not only the amount and detail of collected data, but also companies’ ability to make use of it. Companies learned how to use information and data mining techniques to identify, acquire, and retain profitable customers, to calculate a person’s future “customer lifetime value”,[43] and to “effectively allocate resources” only to the “most

[43] Christl and Spiekermann (2016), p. 79

14 profitable group of customers”.[44] They began analyzing the interests, needs, and weaknesses of consumers and then sorting, categorizing, ranking, and treating them accordingly. They learned how to include or exclude groups of customers from certain efforts, how to better influence their behaviors based on data, and how to measure and optimize the outcomes.[45]

After airlines and hotels started loyalty programs in the 1980s, retailers followed suit in the early 1990s, and the financial services industry in the late 1990s; today companies in virtually all industries run such programs.[46] In 2015/2016, consumers in the US had 3.3 billion loyalty program memberships total, with an average of seven active memberships per person,[47] and a broad range of sectors, ranging from financial services to travel, pharmacy chains, grocery stores, and other consumer brand retail outlets, offer loyalty programs.[48]

Coalition loyalty programs operated by more than one company or by independent vendors often include sharing customer data among several companies.[49] Companies with related, generally complementary target groups have been sharing certain customer data with each other for many years. In this sense, retailers would share with consumer brands, car dealers with auto manufacturers, and, of course, publishers with advertisers.[50] They also traded lists of names and addresses of people with specific interests, both with each other and with consumer data brokers. Such lists included information on newspaper and magazine subscribers, book and movie club members, catalog and mail order buyers, travel agency bookers, seminar and conference participants, and about consumers filling out warranty card product registrations.[51][52]

Many retailers sell more or less aggregated forms of consumer purchase data to market research companies and consumer data brokers.[53] For example, the US-based company IRI accesses data from more than 85,000 grocery, mass merchandise, drug, club, dollar, convenience, liquor, and pet stores.[54] Oracle claims to have data on billions of purchase transactions from

[44] Ngai, E. W. T., Li Xiu, and D. C. K. Chau (2009): Review: Application of data mining techniques in customer relationship management: A literature review and classification. Expert Systems with Applications 36, 2 (March 2009), 2592-2602. http://dx.doi.org/10.1016/j.eswa.2008.02.021
[45] Christl and Spiekermann (2016), p. 125; 127-129
[46] Kumar, V. (2008): Managing Customers for Profit: Strategies to Increase Profits and Build Loyalty. FT Press, p. 13
[47] https://www.colloquy.com/latest-news/2015-colloquy-loyalty-census/
[48] http://info.bondbrandloyalty.com/hubfs/Resources/2016_Bond_Loyalty_Report_Executive_Summary_US_Launch_Edition.pdf
[49] Capizzi, Michael T. and Rick Ferguson (2005): Loyalty trends for the twenty-first century. Journal of Consumer Marketing, 22/2, 72-80
[50] https://www.signal.co/blog/data-sharing-second-party-data [28.04.2017]
[51] CIPPIC (2006): On the data trail: How detailed information about you gets into the hands of organizations with whom you have no relationship. A report on the Canadian data brokerage industry, April 2006. Available at: https://idtrail.org/files/DatabrokerReport.pdf
[52] Allenby, Greg M (2010): Perspectives on Promotion and Database Marketing: The Collected Works by Robert C Blattberg. World Scientific, 2010.
[53] http://www.cpgdatainsights.com/get-started-with-nielsen-iri/what-is-syndicated-data
[54] https://www.quantcast.com/audience-grid/data-partner/iri-audience-data/ [25.04.2017]

15 “1500 leading retailers”.[55] Nielsen claims to collect sales information from 900,000 stores worldwide in more than 100 countries.[56] According to the retail analytics expert Emmett Cox, only one notable US retailer, Walmart, has stopped “participating in the data selling” – and only “because they felt that their business was so significantly larger than anyone else’s”.[57] Of course, large retailers have also created their own data and analytics departments, or they acquire companies in these fields. The large British retailer Tesco, for example, outsourced its Clubcard and data activities into a subsidiary company, Dunnhumby, whose slogan is “transforming customer data into customer delight”.[58] In 2014, Dunnhumby acquired the German online advertising technology firm Sociomantic. According to a press release, Dunnhumby will “combine its extensive insights on the shopping preferences of 400 million consumers” with Sociomantic’s “real-time data from more than 700 million online consumers” to plan, personalize and evaluate advertising.[59] It is not clear which data about the shopping preferences of 400 million consumers they use, but it is safe to assume that data from Tesco’s Clubcard program is included.

Types of data collected. Personal information collected by companies is generally grouped into a variety of types. “Volunteered” (or “declared”) data denotes data explicitly shared by individuals; conversely, “observed” data is captured through recording their activities. While “actual” data refers to factual information about individuals, “inferred” (or “modeled”) data results from drawing inferences about characteristics or predicted behaviors of consumers based on actual data. Furthermore, data companies often provide “segments” grouping consumers with shared characteristics or predicted behaviors, as well as “scores” indicating the likelihood that an individual exhibits certain characteristics or predicted behaviors. While “first-party data” signifies data collected by companies who have a direct relationship with consumers, “third-party data” is either processed on behalf of other companies or collected, acquired, purchased, or licensed from others.[60]

Online advertising per industry. When it comes to online advertising, which largely depends on tracking and profiling consumers, the share of spending on digital ads might be a good indicator of how connected different industries are to the advertising data ecosystem. In 2016, the retail industry had a share of about 20% of all digital ad spending in the US. Consumer product manufacturers, including consumer electronics, had a share of about 16%; the automotive, travel, telecom, and financial services industries each accounted for about 10%, and media and entertainment each about 5%.[61] This also means that without these industries buy-

[55] Oracle (2015): Oracle Data Cloud Data Directory
[56] http://www.nielsen.com/us/en/solutions/measurement/retail-measurement.html [3.5.2017]
[57] Cox, Emmett (2011): Retail Analytics: The Secret Weapon. Wiley, November 2011, p. 93
[58] https://www.dunnhumby.com/solutions/capabilities [28.04.2017]
[59] https://www.dunnhumby.com/dunnhumby-acquires-sociomantic-revolutionise-digital-advertising [28.04.2017]
[60] Christl and Spiekermann (2016), p. 84-85
[61] http://www.emarketer.com/Chart/US-Digital-Ad-Spending-Share-by-Industry-2016-of-total/190798

16 ing into the extensive data collected about consumers within the world of advertising technology, today’s tracking and profiling networks would not exist.

3.2 Media organizations and digital publishers

Publishers and media organizations have long been selling lists of their subscribers to marketers[62] as well as collecting information about their readers, viewers, and listeners through surveys and other forms of audience measurement.[63] Today, measurement takes the form of software embedded into websites and mobile apps that collect extensive demographic and behavioral data. Publishers share this data with advertisers and many other companies, and allow them to utilize, combine, and link it with digital profiles from other sources.[64]

While a lot has been said about the decline of newspapers[65] and their increasing dependence for traffic on platforms such as Facebook,[66] not all digital publishers play the same role. From an online advertising perspective, a publisher is simply a “distribution system for online advertising”, in which “the advertiser pays for messages sent by publishers to customers”.[67] Of course this includes traditional major media conglomerates such as Walt Disney, Bertelsmann, Viacom, CBS, Grupo Globo, but also a large variety of other actors such as blogs, online communities, app developers, audio and video platforms, gaming vendors, and many other digital services providers.

Web and mobile tracking. It is widely unknown exactly which kinds of personal data digital publishers share and how third parties use this data. Several academic studies have tried to examine this. Although such investigations are limited to technical information accessible from outside the “black boxes”, they can show clear evidence of some aspects of data sharing. A recent study examining one million different websites has, for example, found that there are more than 80,000 third parties that receive data about the visitors of these one million websites. Around 120 of these tracking services were found on more than 1% of websites.[68] Another study on 200,000 different users from Germany visiting roughly 21 million web pages showed that third-party trackers were present on 95% of the pages visited.[69] Similarly, most mobile

[62] Generally, see e.g. Donatello, Michael (1998): Audience research for newspapers. In: Blanchard, Margaret (eds): History of the Mass Media in the United States: An Encyclopedia, Fitzroy Dearborn Publishers, September 1998.
[63] Generally, see e.g.: Napoli, Philip M. (2011): Ratings and Audience Measurement. In: Nightingale, Virginia (eds): The Handbook of Media Audiences, April 2011, Wiley-Blackwell.
[64] See e.g. Forbes in Oracle's data directory (p. 81): http://www.oracle.com/us/solutions/cloud/data-directory-2810741.pdf [28.04.2017]
[65] E.g. https://www.nytimes.com/2008/10/28/business/media/28circ.html
[66] E.g. https://www.theguardian.com/media/2016/jun/15/facebooks-news-publishers-reuters-institute-for-the-study-of-journalism
[67] McConnell, Ted (2015): The Programmatic Primer. A Marketer's Guide to the Online Advertising Ecosystem, p. 17
[68] Narayanan, Arvind; Dillon Reisman (2017): The Princeton Web Transparency and Accountability Project. Pre-published book chapter. Available at: http://randomwalker.info/publications/webtap-chapter.pdf
[69] Yu, Zhonghao; Sam Macbeth, Konark Modi, and Josep M. Pujol (2016): Tracking the Trackers. In Proceedings of the 25th International Conference on World Wide Web (WWW '16). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 121-132. Available at: http://www2016.net/proceedings/proceedings/p121.pdf

17 apps share information about their users with other companies. A 2015 study of popular apps in Australia, Brazil, Germany, and the US found that between 85% and 95% of free apps, and even 60% of paid ones, connect to third parties that collect personal data.[70]

A prominent example of a digital publisher that sells data about its users is the streaming platform Spotify. Since 2016, it shares “insights on their users’ mood, listening and playlist behavior, activity and location” with the data division of the advertising giant WPP, which now “has unique listening preferences and behaviors of Spotify’s 100 million users”.[71] Digital publishers selling data about their users are not restricted to website and mobile app providers. The marketing intelligence company SimilarWeb, for example, receives data from “hundreds of thousands of direct measurement sources from websites and apps”,[72] but also from desktop software and browser extensions.[73]

The large media conglomerates are also deeply embedded in today’s tracking and profiling ecosystems; moreover, they have often developed or acquired data and tracking capabilities themselves. For example, Time Inc. has acquired Adelphic, a major cross-device tracking and ad technology company,[74] as well as Viant, a company claiming to have “access to over 1.2 billion registered users”.[75]

Of course, the large online platforms[76] are large publishers as well. According to a report by Zenith, Alphabet (Google) was the world’s largest media company in 2016, when measured in terms of revenue that derives from businesses that support advertising; it was followed by Walt Disney, Comcast, 21st Century Fox, Facebook and Bertelsmann. The Chinese web search platform Baidu ranked as the 9th largest, Yahoo (now owned by Verizon) as the 15th largest, and Microsoft as the 17th largest media company.[77] With Comcast acquiring NBC Universal, Verizon acquiring both AOL and Yahoo, and AT&T most likely acquiring Time Warner, the large telecom and broadband companies in the US are also becoming giant publishers, creating a powerful portfolio of content, audience data, cross-device ad delivery infrastructure, as well as data analytics and targeting capabilities.[78]

[70] Seneviratne, Suranga; Harini Kolamunna, and Aruna Seneviratne (2015): A measurement study of tracking in paid mobile applications. In Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec '15). ACM, New York, NY, USA, Article 7, 6 pages. Available at: https://www.researchgate.net/publication/282356703_A_measurement_study_of_tracking_in_paid_mobile_applications
[71] http://www.thedataalliance.com/blog/wpps-data-alliance-and-spotify-announce-global-data-partnership/ [08.05.2017]
[72] https://www.similarweb.com/ourdata [26.04.2017]
[73] https://www.similarweb.com/downloads/our-data-methodology.pdf [26.04.2017]
[74] https://adexchanger.com/ad-exchange-news/time-inc-acquire-adelphic-build-people-based-dsp/
[75] http://www.adelphic.com/2017/01/time-inc-s-viant-acquire-adelphic/ [25.04.2017]
[76] Evans, Peter C. and Annabelle Gawer (2016): The Rise of the Platform Enterprise. A Global Survey. The Emerging Platform Economy Series No. 1, The Center for Global Enterprise, January 2016
[77] http://www.zenithoptimedia.cz/en/zenith/news/detail/102-Digital%20gi
[78] http://www.cnbc.com/2016/10/24/how-atts-time-warner-deal-strengthens-its-position-in-advertising.html

18 3.3 Telecom companies and Internet Service Providers

Telecommunication companies and Internet Service Providers (ISPs) play an essential role in providing access to today’s information and communication networks, from phone to mobile to broadband internet. They have deep-level control over the data streams of billions of consumers.[79] For this reason the privacy of telecommunications has historically been subject to special protection.[80] Nevertheless, phone companies have always utilized or shared data about their subscribers to some extent.[81] It has been suggested that even metadata pertaining to numbers called and the time and duration of calls was available for sale in the US.[82]

As telephone and cable television companies evolved to mobile and broadband ISPs, they began lobbying the US government for regulation that puts them on an equal playing field with the lightly regulated big Silicon Valley players so that they, too, can commercially exploit customer data such as web browsing and app history data.[83] Rather than being regulated by the Federal Communications Commission, which had reclassified broadband internet service as a utility and proposed strong privacy rules, they argued against the rules and for Federal Trade Commission oversight, on par with their Silicon Valley competitors. And indeed broadband providers, such as AT&T, Comcast, and Verizon, successfully achieved the repeal of the privacy rules that the Federal Communications Commission had introduced only months before.[84] Broadband internet access service providers in the US are now able to sell sensitive customer information to the highest bidder without even requiring customer consent. In Europe, by contrast, telecommunications and broadband providers have long been subject to relatively strict privacy laws on several levels. But unlike the upcoming EU General Data Protection Regulation, which has already been adopted, the additional new ePrivacy regulation covering telecommunications privacy is at this stage only a proposal[85] and as such still subject to lobbying.[86] In this way, the European telecom lobby echoes its US counterpart, warning that

[79] Ammari, Nader; Gustaf Björksten; Peter Micek; Deji Olukotun (2015): The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy. Access Now, August 2015. Available at: https://www.accessnow.org/cms/assets/uploads/archive/AIBT-Report.pdf
[80] See e.g. Rodríguez-Ruiz, Blanca (1997): Privacy in telecommunications: a European and an American approach. The Hague, Boston, Kluwer Law International, 1997.
[81] For example, they have shared phone numbers with third-party phone directory services (https://consumerist.com/2012/04/10/man-changes-number-to-avoid-telemarketers-only-ends-up-with-more-unwanted-calls), or account and payment histories with consumer reporting agencies (http://files.consumerfinance.gov/f/201604_cfpb_list-of-consumer-reporting-companies.pdf)
[82] See e.g. https://consumercal.org/about-cfc/cfc-education-foundation/your-cell-records-are-for-sale/ or http://www.dmnews.com/marketing-strategy/data-brokers-and-telephone-records/article/91887/
[83] See e.g. https://www.privateinternetaccess.com/blog/2017/03/telecom-lobby-fcc-web-browsing-app-usage-history-not-sensitive-information/
[84] http://www.politico.com/story/2017/03/broadband-data-victory-republicans-236760
[85] See e.g. https://euinternetpolicy.wordpress.com/2017/04/01/us-congress-repeal-of-fcc-broadband-privacy-rules-what-do-eu-laws-say-about-broadband-privacy/
[86] https://edri.org/massive-lobby-personal-communications-security-started/

19 a “restrictive and conservative policy approach would effectively exclude the European telecoms industry from the data economy”.[87]

According to a market research company, the global market for telecom data was worth $24 billion in 2015, growing to $79 billion in 2020.[88] Already in 2015 telecommunication service providers all over the world aimed to profit from their customers’ data. Mobile carriers in at least 10 countries, including AT&T, Bell Canada, Bharti Airtel, Cricket, Telefonica, Verizon and Vodafone, had been caught injecting special tracking mechanisms into their users’ web surfing activities. Because they are embedded at the network level, users cannot block these “supercookies”. Such tracking mechanisms allow for the creation of rich user data profiles and for their use in advertising and tracking.[89] The German software corporation SAP already “aggregates and analyzes billions of anonymized consumer data points from mobile operator networks” for its mobile data analytics tool “Consumer Insight 365”.[90] According to a company representative, SAP provides “interconnection services to about 1,000 mobile carriers around the world, directly or indirectly” and plans to “partner with the carriers and share revenue from its sales of the data”.[91] The marketing intelligence company SimilarWeb states that it receives “anonymous clickstream data” from “local internet service providers (ISPs) located in many different countries”.[92]

Many large telecom companies and ISPs have acquired ad technology and data companies. For example, Millennial Media, a subsidiary of Verizon’s AOL, is a mobile ad platform collecting data from more than 65,000 apps from different developers, and claims to have “access to approximately 1 billion global active unique users”.[93] Telenor, a large telecommunications company based in Norway, has acquired Tapad, one of the leading cross-device tracking companies.[94] Tapad, which has data on 2 billion devices around the globe, is able to link desktop computers, laptops, smartphones and tablets belonging to the same person.[95] The Singapore-based telecom corporation Singtel acquired Turn,[96] an advertising and data platform that “pulls together data from all sources” and builds a “composite master ID of every consumer”.[97] It gives marketers access to “4.3 billion addressable device and browser IDs”[98] and “90,000 demo-

[87] https://etno.eu/datas/press_corner/press-releases/ETNO%20GSMA%20Joint%20High-Level%20Letter%20on%20e-Privacy%2020.12.2016.pdf
[88] Kingstone, Sheryl; Rich Karpinski; Brian Partridge (2015): Monetizing ‘Telecom Data as a Service’. Sep 2015, 451 Research. Executive overview available at: https://451research.com/report-long?icid=3534
[89] Ammari, Nader; Gustaf Björksten; Peter Micek; Deji Olukotun (2015), p. 2
[90] http://news.sap.com/mobile-data-analysis-sap-consumer-insight-365/ [26.04.2017]
[91] http://www.cio.com/article/2385645/big-data/sap-to-crunch-and-sell-carriers--data-on-mobile-use.html
[92] https://www.similarweb.com/downloads/our-data-methodology.pdf [26.04.2017]
[93] http://investors.millennialmedia.com/phoenix.zhtml?c=238412&p=irol-newsArticle&id=2085090
[94] https://www.tapad.com/device-graph/ [26.04.2017]
[95] https://www.tapad.com/press-release/magnetic-and-tapad-forge-strategic-alliance-to-advance-search-retargeting [26.04.2017]
[96] https://adexchanger.com/online-advertising/singtels-amobee-snaps-turn-310m/
[97] https://www.turn.com/platform/products [26.04.2017]
[98] https://www.turn.com/company [26.04.2017]

20 graphic, behavioral, and psychographic attributes”.[99] In addition, large mobile network providers have already started to partner with companies that use their data for credit scoring. For example, Telefonica, Airtel (India) and Globe Telecom (Philippines) have partnerships with the US-based company Cignifi, which predicts the creditworthiness of phone users based on their phone call records. Cignifi sees itself as the “ultimate data monetization platform for mobile network operators”.[100]

3.4 Devices and Internet of Things

In terms of devices, smartphones may be contributing the most to today’s pervasive tracking and profiling ecosystems. The information recorded by mobile phones provides detailed insights into the user’s personality and everyday life. Usually, users must have a Google, Apple, or Microsoft account to make their smartphones work. Additionally, most smartphone apps transmit data to third-party companies.[101]

In recent years, many other kinds of devices with sensors and network connections have entered the everyday lives of consumers, adding another dimension to the tracking ecosystem. These include everything from e-readers and wearables to smart TVs, meters, thermostats, smoke alarms, fridges, glasses, toothbrushes, and toys. Like smartphones, these devices give companies unprecedented access to consumer behavior across a wide variety of life contexts. The recorded data is either controlled by a single company, as with Amazon’s Kindle e-reader, or the devices are strategically opened up to third parties, which might provide apps or make other kinds of data contracts with consumers.[102] Additionally, service providers, or so-called “IoT platforms” that provide the infrastructure for device and data management and analytics, often sit between product vendors and consumers.[103]

Many experts and regulators see the Internet of Things as a major challenge for consumer privacy.[104] For example, as a recent study on privacy and car telematics shows, many different parties are interested in the data generated and recorded by the “connected car”. Car data is attractive not only for automakers and their partners but also for car dealers, insurance companies, financial lenders, telematics service providers, call center operators, third-party app developers, vehicle infotainment content providers, mobile network operators, and mobile device system providers like Google or Apple. Third parties outside the telematics industry itself are also standing in line to access telematics data; as such, actors including local retailers and merchants, online advertising agencies, data brokers, law enforcement agencies, debt collec-

[99] https://www.turn.com/platform/products [26.04.2017]
[100] http://cignifi.com [26.04.2017]
[101] Christl and Spiekermann (2016), p. 46-51
[102] Ibid, p. 69-71
[103] https://www.accenture.com/nz-en/insight-iot-platforms-agile-innovation-scale
[104] Christl and Spiekermann (2016), p. 71-72

21 tors, fraud investigators, litigants, and many more can be added to the list of potential bidders for the data.[105]

3.5 Financial services and insurance

Banks, insurers, and other financial services companies play an essential role in the lives of consumers. They make important decisions that can have far-ranging consequences for consumers, including whether services are provided, insurance claims are accepted, loans are called in, or payments are authorized. They decide the terms under which financial services companies offer services, including loans and insurance policies. At the same time, they have access to very sensitive information about people.[106] For this reason, many countries have developed relatively strict financial privacy regulations in the past decades, especially regarding payments data.[107] Nevertheless, the financial services companies, their affiliates, as well as their related third parties have always been on the forefront of personal data collection, use, and analytics.

Banks and payment companies have extensive amounts of identity data on their customers – as well as rich transactional data on, among other things, their payments, account balances, or interactions with customer services.[108] Financial institutions use data about consumers for risk management, such as credit scoring and fraud detection, as well as for marketing, customer acquisition, and retention.[109] They supplement their own data with external data from consumer reporting agencies, data brokers and marketing data companies. Conversely, banks, lenders, credit card issuers, and other financial institutions share specific financial data about consumers with credit reporting agencies.[110] PayPal, the biggest name in online payments,[111] shares personal information with more than 600 third parties including other payment providers, credit reporting agencies, identity verification and fraud detection companies, as well as with the most advanced players within the online tracking ecosystem.[112]

Banks and credit card issuers also run loyalty programs, including co-branded debit and credit cards that they issue in partnership with retailers or other companies. For example, Wells

[105] FIPA / B.C. Freedom of Information and Privacy Association (2015): The Connected Car: Who is in the driver’s seat? A study on privacy and onboard vehicle telematics technology. March 2015. Available at: https://fipa.bc.ca/wordpress/wp-content/uploads/2015/03/CC_report_lite.pdf
[106] European Banking Authority (2016): Discussion Paper on innovative uses of consumer data by financial institutions, EBA/DP/2016/01, 04 May 2016. Available at: https://www.eba.europa.eu/documents/10180/1455508/EBA-DP-2016-01+DP+on+innovative+uses+of+consumer+data+by+financial+institutions.pdf
[107] Jentzsch, Nicola (2003): The Regulation of Financial Privacy: The United States vs Europe. ECRI Research Reports No. 5, 1 June 2003. Available at: http://aei.pitt.edu/9430/2/9430.pdf
[108] European Banking Authority (2016)
[109] Hormozi, A. M. & Giles, S. (2004): Data Mining: A Competitive Weapon for Banking and Retail Industries. IS Management, 21, 62-71. Available at: http://cjou.im.tku.edu.tw/dm200707/dm_application.pdf
[110] Rieke, Aaron; Harlan Yu; David Robinson; Joris von Hoboken (2016), p. 29
[111] https://www.nytimes.com/interactive/2016/04/07/business/dealbook/The-Fintech-Power-Grab.html
[112] According to a list, which is part of their German privacy policy: https://www.paypal.com/de/webapps/mpp/ua/third-parties-list?locale.x=en_US [20.04.2017]

Fargo, Citigroup and Discover reportedly run programs through which they charge retailers a fee to use and access the financial services’ payments data; in this way, the retailers can better sell their products, often in partnership with intermediary companies.[113] One of the intermediary companies that help accomplish this is Cardlytics, a firm that runs reward programs with 1,500 financial institutions[114] such as the Bank of America and MasterCard.[115] Cardlytics promises financial institutions that it will “generate new revenue streams using the power of [their] purchase data”[116] and claims to “see debit, credit, ACH and bill pay spend for tens of millions of individual consumers in the US and UK”.[117] Cardlytics is also a partner of LiveRamp, the Acxiom subsidiary that links online and offline consumer data.[118]

Credit card networks have also started to make the data about their customers’ purchases available to the online tracking and profiling universe. For example, Visa provides data on 14 billion purchase transactions to the data broker Oracle and combines it with demographic, financial, and other data[119] in order to help companies better categorize and target consumers in the digital world.[120] For MasterCard, selling products and services created from data analytics might even become its “core business” given that “information products, including sales of data” already represent a considerable and growing share of its revenue.[121] Google recently stated that it captures “approximately 70% of credit and debit card transactions in the United States” through “third-party partnerships” in order to track purchases, but did not disclose its sources.[122]

Insurance companies were amongst the first to use statistical models to predict the behavior of consumers based on their demographic attributes. Already in the late nineteenth century life insurers began trying to predict people’s life spans and their relative risk of death.[123] Ever since, collecting data for individual risk assessments has always been an element of their core activities.[124] Depending on the legislation they operate under, insurers might only be allowed to use certain types of information for underwriting and for evaluating claims, or might only acquire it in certain ways. Being a heavily regulated industry, large insurers, as well as large

[113] http://money.cnn.com/2011/07/06/pf/banks_sell_shopping_data/
[114] http://www.cardlytics.com/about-us/our-story/ [24.04.2017]
[115] http://www.cardlytics.com/financial-institutions/fi-solutions/ [24.04.2017]
[116] http://www.cardlytics.com/ [24.04.2017]
[117] http://www.cardlytics.com/about-us/our-story/ [24.04.2017]
[118] https://liveramp.com/partner/cardlytics/ [24.04.2017]
[119] See p. 170: http://www.oracle.com/us/solutions/cloud/data-directory-2810741.pdf [24.04.2017]
[120] Visa emphasizes to only use “anonymized and aggregated spend data”: https://usa.visa.com/run-your-business/commercial-card-solutions/solutions/advertising-loyalty-programs.html [24.04.2017]
[121] http://paymentweek.com/2014-6-16-for-mastercard-processing-and-analytics-go-hand-in-hand-4908/
[122] https://adwords.googleblog.com/2017/05/powering-ads-and-analytics-innovations.html
[123] Bouk, Dan (2015): How Our Days Became Numbered. Risk and the Rise of the Statistical Individual. University of Chicago Press.
[124] However, guaranteed-issue insurers such as most European health insurance programs only use it to calculate their risk internally, and not for underwriting, see e.g. Ridic, Goran; Suzanne Gleason; Ognjen Ridic (2012): Comparisons of Health Care Systems in the United States, Germany and Canada. Mater Sociomed. 2012; 24(2): 112-120. Available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3633404

banks, may be slower in employing “alternative” and more controversial digital information than native Internet companies such as online advertisers, social networks, and “Fintech” startups. Still, perhaps typical for a traditional insurer, the Boston Consulting Group sees the highest potential for the use of these new data in the areas of risk assessment and pricing, marketing and sales, claims prevention and mitigation, and fraud detection.[125]

Although controversial, insurance companies have used information about an individual’s credit worthiness for underwriting in the US since the 1990s.[126] In recent years, insurers have started to use digital data about everyday behaviors for risk assessment and pricing. Insurance companies all over the world already offer their customers programs involving real-time tracking of behavior such as e.g. driving behavior, health activities, grocery purchases, or visits to the fitness studio.[127] In this way insurers not only obtain the real-time behavioral data that eluded them in the past,[128] but also are able to shape consumer behaviors and lower costs through sophisticated reward programs.

3.6 Public sector and key societal domains

On a global level, the relationship between today’s pervasive consumer data ecosystem and crucial societal areas such as healthcare, welfare, education, housing and employment varies a great deal, depending on how societies and regulatory environments are organized in a specific region or country. In the US, for example, the extent of commercial data collection and uses in the areas of healthcare,[129] education,[130] housing[131] and employment[132] is, from a privacy perspective, alarming. While consumer reports are used for eligibility decisions in many societal contexts in the US,[133] this is not allowed in many European countries.[134] In addition, healthcare is, for example, widely run as a publicly funded service in Europe,[135] which makes eligibility decisions based on behavioral data nonessential. In today’s work environments, vast

[125] Brat, Eric; Stephan Heydorn, Matthew Stover, and Martin Ziegler (2013): Big Data: The Next Big Thing for Insurers? Boston Consulting Group, March 25, 2013. Available at: https://www.bcgperspectives.com/content/articles/insurance_it_performance_big_data_next_big_thing_for_insurers
[126] FTC (2007): Credit-based Insurance Scores: Impacts on Consumers of Automobile Insurance. A Report to Congress by the Federal Trade Commission, July 2007. Available at: https://www.ftc.gov/reports/credit-based-insurance-scores-impacts-consumers-automobile-insurance-report-congress-federal
[127] For a detailed description of how insurance programs involving car telematics and wearables see Christl and Spiekermann (2016), p. 52-68
[128] Brat, Eric; Stephan Heydorn, Matthew Stover, and Martin Ziegler (2013)
[129] See e.g. https://www.theguardian.com/technology/2017/jan/10/medical-data-multibillion-dollar-business-report-warns
[130] See e.g. https://www.equalfuture.us/2015/09/23/cl ever - - - tech - schools - student firms/ data
[131] See e.g. https://www.privacyrights.org/consumer-guides/renters-guide-tenant-privacy-rights
[132] See e.g. http://www.nbcnews.com/business/consumer/exclusive-your-employer-may-share-your-salary-equifax-might-sell-f1B8173066
[133] U.S. Consumer Financial Protection Bureau (2016): List of consumer reporting companies. Retrieved from: http://files.consumerfinance.gov/f/201604_cfpb_list-of-consumer-reporting-companies.pdf
[134] Ferretti, Federico (2015): Credit Bureaus Between Risk-Management, Creditworthiness Assessment and Prudential Supervision. EUI Department of Law Research Paper No. 2015/20, p. 13-16. Available at: https://ssrn.com/abstract=2610142
[135] Ridic, Goran; Suzanne Gleason; Ognjen Ridic (2012): Comparisons of Health Care Systems in the United States, Germany and Canada. Mater Sociomed. 2012; 24(2): 112-120. Available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3633404

amounts of information about employees are collected and analyzed all over the world.[136] As modern surveillance arguably has roots in Taylorist “scientific management”,[137] the numerous interconnections between the tracking of customers and the tracking of employees are hardly surprising.[138] The use of data in political election campaigns has raised serious concerns, especially in the last year.[139] Notably, the nonprofit and advocacy sectors have also been collecting and acquiring marketing data for campaigning purposes for decades. Charity and donation records are prominently represented within the data inventory of consumer data brokers.[140] In the national security and law enforcement contexts, both excessive mass surveillance and targeted investigations depend on the extensive data collections by corporate players.[141]

A detailed assessment of the degree to which these different societal fields are already connected to today’s networks of digital tracking and profiling lies beyond the scope of this report. However, some examples are further examined in the following chapters on the risk and marketing data industries.

3.7 Future developments?

It is difficult to predict the future of the business of personal data and rapidly changing roles of its main players. Nobody knows whether Facebook will turn its patent for assessing creditworthiness based on someone’s friends into reality.[142] Few people could have predicted how Uber and Airbnb took over taxi services and the booking of travel accommodations a few years ago.[143] It is equally unclear how Google will change the future of driving or – with its 2016 acquisitions of eight insurance technology startups – insurance.[144] Google has also entered several other areas such as education. In the US, a significant percentage of primary- and secondary school students already use Google’s laptops and education apps.[145] All of the tech giants are actively shaping public policy and engage in lobbying lawmakers and regulators to advance their position.[146] The US telecom industry’s recent successes with having customer privacy protections eliminated demonstrate the effectivity of these efforts. At the same time, different

[136] Kidwell, Roland E. and Sprague, Robert (2009): Electronic Surveillance in the Global Workplace: Laws, Ethics, Research and Practice. New Technology, Work and Employment, Vol. 24, Issue 2, pp. 194-208, July 2009. Available at SSRN: https://ssrn.com/abstract=1487801
[137] Sprague, Robert D. (2007): From Taylorism to the Omnipticon: Expanding Employee Surveillance Beyond the Workplace, 25 J. Marshall J. Computer & Info. L. 1, 2007. Available at: http://repository.jmls.edu/jitpl/vol25/iss1/1/
[138] For example, systems that collect data for both customer and workforce management in retail or call centers, see e.g. Christl and Spiekermann (2016), p. 32; 75
[139] See e.g. https://www.privacyinternational.org/node/1440
[140] See e.g. the lists offered in Infocore’s data catalog: http://www.infocore.com/insights/data-catalogs.htm
[141] https://theintercept.com
[142] http://www.theatlantic.com/technology/archive/2015/09/facebooks-new-patent-anddigital-redlining/407287
[143] http://www.independent.co.uk/news/business/comment/hamish-mcrae/facebook-airbnb-uber-and-the-unstoppable-rise-of-the-content-non-generators-10227207.html
[144] https://www.equities.com/news/insuring-the-future
[145] https://www.nytimes.com/2017/05/13/technology/google-education-chromebooks-schools.html
[146] amazon - 114468 - google - facebook - http://www.politico.com/story/2015/01/tech - lobby - apple

industry sectors fight each other with legal means, such as when the data broker Oracle prodded regulatory examinations of Google’s user profiling practices in both Europe and the US.[147]

Regardless, the trend is clear. Business consultants advise companies in all industries that they must join the personal data economy, that they should collect as much data as possible about their customers and prospects, and, of course, that they also should find ways to reap the benefits of these riches. In an article entitled “How to Monetize Your Customer Data”, the consulting company Gartner suggests that companies “need to start treating information as a corporate asset that generates tangible future benefits”.[148] Consumers, in contrast, have fewer and fewer options to resist the power of this data ecosystem. Often, they have no choice but to accept the services on offer.[149] Similarly, many companies that are not central players in this data driven world, especially smaller ones, have no choice other than to accommodate themselves with the new rules, structures, and standards set by the large corporate players. Companies in many industries are strategically acquiring other companies with access to data, customer relationships, and technology. While some commentators see finance “being taken over by tech”,[150] banks are investing in “fintech” startups.[151]

Many companies openly try to amass hundreds of millions of data contracts with consumers, from loyalty programs to “free” online services. Yet others aim to secretly track consumer behavior. Many website providers and mobile app developers actively allow third-party companies to collect and share information about consumers in utterly irresponsible ways.

Google and Facebook, the de facto “duopoly” in the digital world, dominate today’s online advertising markets through their extensive data assets about billions of consumers[152] – and clearly have much further-reaching ambitions. Yet in spite of their dominance, some of the traditional industry players are in an excellent position to join the game on a large scale – or have done so. What started with newspaper subscriptions and loyalty programs in travel, retail, and finance has become part of the business model of many of today’s companies: enticing large numbers of consumers into data contracts that include frequent interactions and access to extensive behavioral data.

The European Union’s General Data Protection Regulation (GDPR), which will become effective in 2018, will certainly have a considerable impact on personal data practices not only in Europe but also on a global level.[153] The US legal and regulatory framework, on the other hand, has enabled the growth of this data driven world without any effective consumer safeguards – and there is little in sight that will bring about a fundamental change for consumers. Some

[147] http://fortune.com/2017/01/25/google-super-profiles/
[148] http://www.gartner.com/smarterwithgartner/how-to-monetize-your-customer-data/
[149] Christl and Spiekermann (2016), p. 123
[150] https://www.ft.com/content/2f6f5ba4-dc97-11e6-86ac-f253db7791c6
[151] http://www.pymnts.com/news/b2b-payments/2016/kpmg-pulse-of-fintech-report-cb-insights-bank-corporate-venture-capital-vc-investment/
[152] http://adage.com/article/digital/verizon-chases-digital-duopoly-facebook-google/305258/
[153] See e.g. https://iapp.org/resources/article/top-10-operational-impacts-of-the-gdpr/

commentators warn that the political process and democracy in general have lost control over the tech industry.[154]

The next two chapters further investigate today’s personal data ecosystem alongside the practices of data and analytics companies, both in the fields of marketing and risk, and their clients under particular consideration of the broader environment described above as well as from a consumer perspective.

[154] See e.g. https://medium.com/humane-tech/how-do-we-reform-tech-581d58ee11fd

4. The Risk Data Industry

4.1 Rating people in finance, insurance and employment

As Richard Cordray, the director of the US Consumer Financial Protection Bureau, has recently stated, consumer reporting agencies exert a “tremendous influence over the ways and means of people’s financial lives” through the data they manage.[155] A typical credit report contains information about a consumer’s payment and debt history as provided by banks, lenders, collection agencies, and other institutions; this includes, for instance, the number and type of accounts, the dates they were opened, and information about bankruptcies, liens, and judgments.[156] Consumer reporting agencies in turn provide these reports to creditors and potential creditors, including credit card issuers, car loan lenders, mortgage lenders, but also to retailers, utility companies, mobile phone service providers, collection agencies, and any entities with a court order. Experian, the world’s largest credit reporting agency[157] and, next to Equifax and TransUnion, one of the three major agencies in the United States, has credit data on 918 million people.[158]

Several US consumer reporting agencies also provide reports for employers, landlords, insurance companies, government agencies, and other entities. For example, tenant screening reports contain information about someone’s address and rent payment history, eviction, and criminal information. Reports from employment screening companies additionally contain information pertaining to someone’s employment, salary, education and driving history, professional licenses, health screening, drug and alcohol testing information, participation in volunteer activities, and sometimes even their fingerprints. Reports for personal property insurers can contain previous coverage and losses, vehicle ownership, and driving history. Some companies even provide reports containing medical conditions, prescription drug purchase histories, as well as “hazardous avocations”, to life, long-term care, disability income, and health insurers. Specialized companies collect information about telecom and utility payments, as well as product returns in the retail business.[159] Many of these agencies are organized as associations, exchanges, or “pools” wherein the participating companies can retrieve records about consumers in exchange for information they contribute themselves.[160]

[155] https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-cfpb-director-richard-cordray-consumer-advisory-board-meeting-march-2017/
[156] U.S. Consumer Financial Protection Bureau (2016): List of consumer reporting companies. Available at: http://files.consumerfinance.gov/f/201604_cfpb_list-of-consumer-reporting-companies.pdf
[157] https://www.wsj.com/articles/experian-fined-over-alleged-deception-in-credit-score-marketing-1490297908
[158] https://www.experianplc.com/media/2744/discover-experian-fy17.pdf [03.04.2017]
[159] US Consumer Financial Protection Bureau (2016)
[160] Hunt, Robert (2005): A century of consumer credit reporting in America, No 05-13, Working Papers, Federal Reserve Bank of Philadelphia, p. 17

In Europe, the situation is quite different. Many EU countries have public credit bureaus; Belgium and France operate only public credit registers. The types of data that credit reporting agencies may collect, and the purposes the records may be used for, also differ. While in the UK even non-credit data may be used, in France only “negative” information may be included as opposed to “positive” information about payments made on time. There are only a few EU countries – such as the UK, Germany, Sweden and Finland – in which credit reports may be used for purposes other than credit assessment.[161]

Credit reports themselves are rarely used to make decisions about consumers. Since the introduction of credit scoring decades ago, the raw information is typically fed into mathematical algorithms, transformed into a number or score, and then used to make predictions about consumers’ possible future financial behavior. The use of simple numbers instead of long reports improved the efficiency of automated decision-making for the assessment of credit applications and determinations of creditworthiness; in this way, credit ratings and the thereby evaluated individuals became comparable. In fact, rather than merely being based off of information pertaining to an individual’s characteristics and past behaviors, a credit score also judges a person in relation to other people.[162] It is “a way of recognising different groups in a population according to certain features expressed by a combination of personal financial and other non-personal data”.[163]

Resident, driver and insurance scores. Data brokers also offer scores for purposes other than credit assessment. For example, TransUnion’s “ResidentScore” promises to “predict negative residence outcomes” for the rental industry.[164] Its “Vehicle History Score” for insurance policy vehicle risk assessment does “not use consumer credit information”, but is instead based on vehicle identification numbers (VIN)[165] and data from CARFAX, a company that aggregates vehicle history information from motor vehicle agencies, auto auctions, fire and police departments, collision repair facilities, fleet management, and rental agencies.[166] TransUnion’s “DriverRisk” product combines personal driving records with vehicle records.[167] LexisNexis Risk Solutions provides insurance scores that are “designed for the relative rank ordering of applications and policyholders”, including for auto, homeowners, and renters insurance.[168] The company’s background checks and scoring solutions for both “pre-employment and post-hire information

[161] Ferretti, Federico (2015): Credit Bureaus Between Risk-Management, Creditworthiness Assessment and Prudential Supervision. EUI Department of Law Research Paper No. 2015/20, p. 13-16. Available at: https://ssrn.com/abstract=2610142
[162] Ferretti, F. (2009): The Credit Scoring Pandemic and the European Vaccine: Making Sense of EU Data Protection Legislation, 2009(1) Journal of Information, Law & Technology (JILT). Available at: http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2009_1/ferretti
[163] Ferretti, Federico (2014): EU Competition Law, the Consumer Interest and Data Protection. The Exchange of Consumer Information in the Retail Financial Sector. SpringerBriefs in Law, 2014, p. 17
[164] http://rentalscreening.transunion.com/solutions/residentscore [03.04.2017]
[165] See: https://en.wikipedia.org/wiki/Vehicle_identification_number
[166] https://www.carfax.com/company/about [03.04.2017]
[167] https://www.transunion.com/product/driverrisk [03.04.2017]
[168] http://www.lexisnexis.com/risk/products/insurance/attract.as [03.04.2017]

needs” include on-going criminal record reviews and “medical compliance monitoring”.[169] LexisNexis’ resident data services provide “continuous resident monitoring” and should help renters protect their property from “problem renters”.[170]

Similar services are also available in some European countries. For example, the German company Arvato – a subsidiary of the Bertelsmann media conglomerate and large service provider in marketing, financial services and customer relationship management that has 70.000 employees in 40 countries – claims to perform 100 million credit checks per year. The company runs a pool containing information on consumers with negative payment behavior in the telecom area and also offers tenant screening.[171] In addition, Arvato runs a system in which all German insurers exchange information about consumers.[172]

Regulation and accuracy. In the US, the collection and use of data for credit reporting is subject to several domain-specific laws protecting some individual rights. These restrict the types of information consumer reporting agencies are allowed to use and provide “some guarantees of access and accuracy”.[173] In the EU, by contrast, there are currently no harmonized domain-specific legal frameworks and the protection of the rights of individuals in the context of credit reporting largely relies on data protection legislation and diverse national laws.[174] Despite assessments of data brokerage in the credit context being “well regulated”,[175] surveys both in the US and in Europe found evidence that credit reports and credit scores contain incorrect data. In 2012, the FTC conducted a study on credit report accuracy and found that 26% of survey participants had at least one error in one of three credit reports.[176] A German study on credit scoring, published by the Federal Ministry of Justice and Consumer Protection and the Federal Ministry of the Interior, found that scores are often based on estimations and their validity on an individual level should be questioned.[177]

The problem with credit scores is more complex. Although they may provide access to financial services for many, in spite of existing regulation, credit scores remain opaque and may produce arbitrary outcomes. Moreover, the pervasiveness of scores in our scored society can make them “self-fulfilling prophecies, creating the financial distress they claim merely to indicate”

[169] https://www.lexisnexis.com/government/solutions/literature/screening.pdf [03.04.2017]
[170] Ibid.
[171] Christl and Spiekermann (2016), p. 104
[172] https://www.arvato.com/finance/de/industries/versicherungen.html [03.04.2017]
[173] Rieke, Aaron; Harlan Yu; David Robinson; Joris von Hoboken (2016), p. 33
[174] Ferretti, Federico (2014): The Legal Framework of Consumer Credit Bureaus and Credit Scoring in the European Union: Pitfalls and Challenges — Overindebtedness, Responsible Lending, Market Integration, and Fundamental Rights. Suffolk University Law Review, Vol. XLVI:791, p. 807. Available at: http://suffolklawreview.org/wp-content/uploads/2014/01/Ferretti_Lead.pdf
[175] Rieke, Aaron; Harlan Yu; David Robinson; Joris von Hoboken (2016), p. 33
[176] Christl and Spiekermann (2016), p. 85
[177] Ibid.

and might systematize discriminatory practices.[178] The European consumer-finance scholar Federico Ferretti points to the fact that while credit scoring was originally intended to “minimise the percentage of consumers who default”, lenders now use them to “identify the customers who are most profitable and to maximise profits through risk based pricing”, while “blurring this all with direct marketing activities”.[179] He argues that credit scoring would emphasize the minimization of business risk and increased profitability – which is certainly a legitimate business interest, but should not disproportionally limit the rights of individuals.[180] In addition, he fundamentally questions the “capability of credit data to prevent future over-indebtedness”, because the use of credit data could not foresee many major causes of over-indebtedness, such as illnesses, divorce, job losses, and poor market conditions.[181]

4.2 Credit scoring based on digital behavioral data

Credit reporting agencies and financial technology companies are rapidly expanding the types of data they use to predict individual creditworthiness far beyond traditional data elements. This use of non-credit related behavioral data for credit scoring further undermines the validity of these scores. TransUnion, for instance, includes “alternative data” such as address stability and “club and subscription activity”.[182] Smaller companies already use data from mobile phone, social media, and web usage to predict people’s credit risk, and have started to partner with larger companies in consumer reporting, telecommunications, and e-commerce.

Cignifi, a US based company with clients around the world, analyzes patterns from phone call records such as call durations and times, who a call or text message was initiated by, and the numbers frequently called, to calculate credit risk scores for mobile phone users.[183] The company partners with large mobile network providers such as Telefonica[184] and has announced a “multi-year” partnership with the large credit reporting agency Equifax. Together with Cignifi, Equifax will provide credit scores to banks, retailers, and insurers in Latin America who can now underwrite individuals who had no prior formal payment history.[185]

Singapore-based Lenddo for instance calculates credit scores based on online behavior, including mobile data, browser data, application data, transactional data from telecom companies, as well as data from web publishers and social networks, including information from someone’s

[178] Citron, Danielle Keats and Pasquale, Frank A. (2014): The Scored Society: Due Process for Automated Predictions. Washington Law Review, Vol. 89, 2014; U of Maryland Legal Studies Research Paper No. 2014-8. Available at: http://ssrn.com/abstract=2376209
[179] Ferretti, Federico (2015): Credit Bureaus Between Risk-Management, Creditworthiness Assessment and Prudential Supervision. EUI Department of Law Research Paper No. 2015/20. Available at: https://ssrn.com/abstract=2610142
[180] Ferretti, Federico (2009)
[181] Ferretti, Federico (2015)
[182] https://www.transunion.com/resources/transunion/doc/products/resources/product-creditvision-link-as.pdf [03.04.2017]
[183] Christl and Spiekermann (2016), p. 30
[184] Ibid.
[185] https://venturebeat.com/2016/03/30/cignifi-and-equifax-partner-to-bring-next-generation-credit-scores-to-unbanked-population-in-latin-america/

31 online frien . The company even include s computer mouse click data and data about how ds 186 people fill out web forms “ always running out of battery” might impact one ’ s . In this vein, extremely well - maintained smartphone might raise a red flag in credit score ; conversely, an 187 in 20 countries such as India, South Korea, Mexico and Phi operates the system, too. l- Lenddo . According to their chairman, they help ippines dozens of banks analyze data from millions of 188 smartphones globally . ZestFinance The US company u- predicts consumer creditworthiness based on data from “tho sands of sources”, including customer support data, purchase transactions, and how a custo m- 189 navigate s on a lender’s web site . er fills out a form or As part of partnerships with China’s leading e - ommerce and web search companies such as jd.com and Baidu, ZestFinance pr o- c 190 vides credit scoring based on data about online shopping habits and web searches. Most of these companies aggressively advertise their products in the name of financial incl u- d in support of the “underbanked”, i.e. people with little or no credit history – sion an both in the world’s richest societies and in the global south. In Kenya, the Commercial Bank of Africa and the mobile network operator Safaricom offer the mobile banking prod uct M - Shwari , which is connected to M - PESA, a mobile money service used by two - thirds of Kenyan adults. Their credit scoring algorithm, which is used to assess and to assign individual new applicants credit limits , is based on telecommunications data from Safaricom, including airtime, M - PESA 191 , and the length of the customer relationship history. data Another company active in both Kenya and Tanzania uses GPS data, call logs, and social network data for credit scoring, inclu d- 192 of text messages. ing the “grammar or punctuation” Financial inclusion is certainly a crucial challenge for billions of people in the world. 
However, the use of information about personal activities unrelated to financial behavior, such as social relationships and people’s most private everyday moments, constitutes a massive invasion of privacy. Moreover, the use of opaque, automated, predictive, and classifying algorithms for this purpose leaves open many questions about accuracy, fairness, equity, transparency, explainability and accountability, as well as about the informational power imbalance between people and the businesses that purport to serve them.

[186] Christl and Spiekermann (2016), p. 29
[187] http://money.cnn.com/2016/08/24/technology/lenddo-smartphone-battery-loan/
[188] Christl and Spiekermann (2016), p. 29
[189] http://www.businesswire.com/news/home/20170214005357/en/ZestFinance-Introduces-Machine-Learning-Platform-Underwrite-Millennials
[190] Christl and Spiekermann (2016), p. 28
[191] Cook, Tamara and Claudia McKay (2015): How M-Shwari Works: The Story So Far. Access to Finance FORUM Reports by CGAP and Its Partners. No. 10, April 2015. Available at: https://www.cgap.org/sites/default/files/Forum-How-M-Shwari-Works-Apr-2015.pdf
[192] https://www.devex.com/news/how-alternative-credit-scoring-is-transforming-lending-in-the-developing-world-88487

32 4.3 Identity verification and fraud prevention

With the rise of technology-mediated services, verifying consumer identities and preventing fraud have both become increasingly important and challenging issues, especially in the light of cybercrime and automated fraud. [193] At the same time, today’s data-driven identity and fraud analysis systems have aggregated giant databases with sensitive information about entire populations, ranging from names, addresses, and relationships between people to extensive behavioral and biometric data. [194] Many of these systems are operated by private companies and cover a wide range of use cases, including proof of identity for financial services, assessing insurance and benefits claims, analyzing payment transactions, and evaluating a large variety of online transactions. They decide whether an application or transaction is accepted or rejected, or which payment and shipping options are available for someone during an online transaction.

Commercial services for identity verification and fraud analytics are also used in areas such as law enforcement and national security. The line between commercial applications of identity and fraud analytics and those used by government intelligence services is increasingly blurring. [195]

When people are singled out by such opaque systems, they might get flagged as suspicious and warranting special treatment or investigation – or they may be rejected without explanation. They might get an email, a phone call, a notification, an error message – or, the system may simply withhold an option, without the user ever knowing of its existence for others. Inaccurate assessments may spread from one system to another. It is often difficult, if not impossible, to object to such negative assessments that exclude or deny, [196] especially because of how hard it is to object to mechanisms or decisions that someone does not know about at all.
Of course, nobody wants fraud. However, the more digital technologies determine lives, the more important it becomes that those systems also become more transparent and accountable, and that people can object to arbitrary decisions. Most importantly, companies should not be allowed to use the vast amounts of sensitive data that they collect for fraud detection and security purposes for other purposes such as marketing.

Most large consumer and credit reporting agencies also offer identity verification, fraud detection, and other risk analytics services. For example, Experian’s “Precise ID Platform” provides consumer verification and identity screening, based on data about auto registrations, property ownership, cellphones, [197] credit records, including social security numbers, name

[193] EU Fraud Prevention Expert Group (2007): Report on Identity Theft/Fraud. Brussels, 22 October 2007. Available at: http://ec.europa.eu/internal_market/fpeg/docs/id-theft-report_en.pdf
[194] Christl and Spiekermann (2016), p. 106
[195] Ibid., p. 38-40
[196] E.g. https://www.theguardian.com/money/2016/mar/18/banned-by-amazon-returning-faulty-goods-blocked-credit-balance
[197] http://www.experian.com/decision-analytics/identity-and-fraud/identity-authentication.html [23.04.2017]

33 variants, current and previous addresses. [198] In addition, the company uses fraud records [199] from its cross-industry “National Fraud Database”, which contains addresses, phone numbers, social security numbers, and driving licenses contributed to by companies in banking, telecommunications and retail. [200] Equifax, which claims to have data on 820 million consumers, [201] also offers several identity verification [202] and fraud detection [203] products using credit, employment, utilities, and telecommunication account data, as well as information about familial and household relationships. [204] Acxiom, which is mainly in the marketing data business, provides risk mitigation products, too. Its identity verification services are based on data records about individual demographics, personal assets, education, licenses, filings, business, bankruptcies, judgments, liens, and other “risk flags”. [205] The telecom giant Verizon also offers identity verification services. For example, Verizon has been one of several identity providers within “GOV.UK Verify”, a system that allows citizens to access digital services run by the UK government. [206]

LexisNexis Risk Solutions, a data company which works for all of the 50 largest US banks and for most local government authorities and federal agencies in the US, [207] claims to have data on 500 million consumer identities. [208] Through its “TrueID” system, the company offers the ability to verify identities against a database of 34 billion records from 10,000 sources. Identity documents can be checked against a database of 4,100 ID types from 200 countries. Identities can be linked to payment cards, checks, loyalty cards, and other customer data. The system is also suitable for age verification. In addition, biometric fingerprints can be integrated. [209] Moreover, LexisNexis provides biometric services for voice recognition using “the sound, pattern and rhythm of an individual's voice”. [210]
With its “LexID” the company uses its own unique identifier to store and link records about consumers. As these identity profiles are continuously updated, it claims that they paint an “extremely accurate picture that accounts for identity changes over time”. [211] In addition, LexisNexis’ government division provides fraud prevention systems for many application areas of government services, including food stamps,

[198] https://www.experian.com/credit_report_basics/pdf/samplecreditreport.pdf [23.04.2017]
[199] http://www.experian.com/decision-analytics/identity-and-fraud/identity-authentication.html [23.04.2017]
[200] http://www.experian.com/decision-analytics/national-fraud-database.html [23.04.2017]
[201] https://www.equifax.com/about-equifax/company-profile [23.04.2017]
[202] http://www.equifax.com/assets/IFS/efx-952-adv-acctVerify.pdf [23.04.2017]
[203] http://www.equifax.com/assets/IFS/Fraud/efx-usa-2038_suspicious_id_ps.pdf [23.04.2017]
[204] http://www.equifax.com/assets/IFS/efx_identity_proofing.pdf [23.04.2017]
[205] https://www.acxiom.com/what-we-do/identity-verification-authentication/ [23.04.2017]
[206] Bria, Francesca; Javier Ruiz, Gemma Galdon Clavell, José Maria Zavala, Laura Fitchner, Harry Halpin (2015): D3.3 Research on Identity Ecosystem. Report by D-CENT, Decentralised Citizens Engagement Technologies, 31 June 2015, Version Number: 2, p. 63. Available at: http://dcentproject.eu/wpcontent/uploads/2015/10/research_on_digital_identity_ecosystems.pdf
[207] http://www.lexisnexis.com/risk/about/default.aspx [23.04.2017]
[208] http://www.lexisnexis.com/risk/identity/verification.aspx [23.04.2017]
[209] http://www.lexisnexis.com/risk/downloads/literature/trueid.pdf [23.04.2017]
[210] http://www.lexisnexis.com/risk/products/voice-biometrics.aspx [23.04.2017]
[211] http://www.lexisnexis.com/risk/about/lexid.aspx [23.04.2017]

34 healthcare, retirement, public housing, student loans, tax refunds, and unemployment insurance. [212]

Biometrics, or the use of “any automatically measurable, robust and distinctive physical characteristic or personal trait” of a person to “identify an individual or verify the claimed identity of an individual”, [213] is now used in many governmental and commercial fields. Credit card networks such as MasterCard started to use fingerprints or facial recognition to verify the cardholder’s identities for their payment solutions. [214] In the UK, a private company has deployed a facial recognition system that is connected to the CCTVs of more than 10,000 participating retailers, and manages a blacklist of suspicious faces. [215] Facebook states that its facial recognition technology is able to identify people with 83% accuracy, even if their faces are partly covered on a photo. [216] Generally, biometrics can be based on many physical and behavioral traits or characteristics, such as fingerprints, shapes of hands or faces, iris and DNA composition, as well as how someone talks, walks, or types on a keyboard. Biometrics is used for physical access control, border control, and law enforcement, as well as in healthcare, finance, and marketing. [217] In 2016, a report found that a facial recognition database used by the FBI [218] contained photos of half of all adults in the US, without their knowledge or consent. Notably, the detection algorithm was wrong nearly 15% of the time and more likely to misidentify African Americans. [219]

4.4 Online identity and fraud scoring in real-time

In addition to traditional identity verification and fraud prevention technologies, a large industry focusing on the digital world has emerged in recent years, evaluating billions of online transactions every day, and sometimes linking their vast amounts of digital information with offline identity data.
Trustev, an online identity verification and fraud prevention company based in Ireland, which was acquired by TransUnion in 2015, evaluates digital transactions for clients in financial services, government, healthcare, and insurance [220] in real-time by analyzing digital behaviors, identities, and devices such as phones, tablets, laptops, game consoles, TVs, and even refrigerators. [221]

[212] http://blogs.lexisnexis.com/identitygov/identity-challenges/ [23.04.2017]
[213] Woodward, J. D., N. M. Orlans, P. T. Higgins (2003): Biometrics: Identity Assurance in the Information Age, McGraw, Hill Osborne Media, 2003
[214] http://newsroom.mastercard.com/eu/press-releases/mastercard-makes-fingerprint-and-selfie-payment-technology-a-reality/ [23.04.2017]
[215] http://boingboing.net/2015/12/17/uks-unaccountable-crowdsourc.html
[216] https://www.newscientist.com/article/dn27761-facebook-can-recognise-you-in-photos-even-if-youre-not-looking
[217] See e.g. http://findbiometrics.com/applications/
[218] Garvie, Clare; Alvaro Bedoya; Jonathan Frankle (2016): The Perpetual Line-Up. Unregulated Police Face Recognition in America. Georgetown Law Center on Privacy & Technology, October 18, 2016. Available at: https://www.perpetuallineup.org/
[219] https://www.theguardian.com/technology/2017/mar/27/us-facial-recognition-database-fbi-drivers-licenses-passports
[220] http://newsroom.transunion.com/transunion-expands-fraud-and-identity-management-solutions-with-acquisition-of-trustev [23.04.2017]

35 The company offers corporate clients the ability to analyze how visitors click and interact with websites and apps, and uses a wide range of data to assess users, including phone numbers, email addresses, postal addresses, browser and device fingerprints, credit checks, transaction histories across merchants, IP addresses, mobile carrier details, and cell location. [222] To help “approve future transactions” every device is assigned a “unique device fingerprint”. [223] During an online transaction, all data gets combined and compiled into a score of 1-100, which is then used to allow, deny, or flag it. In addition, Trustev offers a “social fingerprinting” technology, which includes “friend list analysis” and “pattern identification” analyzing social media content. The latter, at least, is only used with the “full permission” of individuals through a “voluntary social network login”. [224]

The credit reporting agency TransUnion, which states that it obtains data from 90,000 sources on one billion consumers globally, [225] has integrated Trustev technology into its own identity and fraud solutions. [226] Its “IDVision” product combines information about personal identity (e.g. demographics, licenses, accounts) and reputation (e.g. shared fraud and watch lists) with data about digital identity (e.g. location, mobile, devices) and transactions (e.g. behaviors, scoring history, inquiries). [227] TransUnion also runs a “fraud prevention exchange” which utilizes real-time transaction data contributed by industry clients. [228]

Other credit reporting agencies have developed similar capabilities by connecting online fraud detection with their extensive consumer identity databases. Equifax, for instance, states that it has data on “nearly 1 billion devices” and can validate “where a device really is and whether it is associated with other devices used in known fraud”.
By combining this data with billions of identity and credit events “to find suspicious activity across industries”, and with information about employment and about relationships between households, families and associates, Equifax claims to be able to “identify devices as well as individuals”. [229] In Germany, Arvato’s profile tracking product similarly promises to have the “ability to recognise individual internet access devices on the basis of their fingerprint” for fraud detection. [230]

ID Analytics, a US-based credit and fraud risk data company recently acquired by Symantec, runs an “ID Network” with “100 million identity elements coming in each day from leading cross-industry

[221] Trustev Sales Pack. REAL TIME ONLINE IDENTITY VERIFICATION. PDF Brochure. Personal copy of file with author Wolfie Christl
[222] http://www.trustev.com/how-it-works [23.04.2017]
[223] Trustev Sales Pack.
[224] Trustev Sales Pack.
[225] http://www.annualreports.com/HostedData/AnnualReports/PDF/NYSE_TRU_2016.pdf [23.04.2017]
[226] http://newsroom.transunion.com/transunion-expands-fraud-and-identity-management-solutions-with-acquisition-of-trustev [23.04.2017]
[227] https://www.transunion.com/idvision [23.04.2017]
[228] http://transunioninsights.com/fraud-exchange/ [23.04.2017]
[229] http://www.equifax.com/assets/IFS/efx_identity_proofing.pdf [23.04.2017]
[230] https://www.arvato.com/content/dam/arvato/documents/financial-solutions/Onepager_Profile_Tracking_ohne_RSS_EN.pdf [23.04.2017]

36 organizations”, [231] containing data about 300 million consumers. [232] They aggregate data about changes in consumer behaviors, ranging from “credit card and wireless phone applications, to checking account information, to sub-prime loans and eCommerce transactions”. [233] In 2014, “six of the top ten U.S. financial service institutions, three of the top four U.S. wireless carriers, and seven of the top ten U.S. credit card issuers” have contributed data. [234] The company’s “ID Score” evaluates information about digital devices, as well as personal data such as names, social security numbers, postal and email addresses. [235] ID Analytics’ partners include CoreLogic, TransUnion, Visa, and ThreatMetrix.

The cyber security company ThreatMetrix runs a “Digital Identity Network” which “captures millions of daily consumer transactions including logins, payments and new account originations” and maps the “ever-changing associations between people and their devices, locations, account credentials, and behavior” in order to prevent online fraud, verify and authenticate digital identities. [236] The company emphasizes that it incorporates only “anonymized, non-regulated personal information such as user name [and] email address”. [237] Similarly, data passed from online businesses is “anonymised and encrypted”. [238] However, its software allows companies to “understand the intricate connections between individuals, devices, behaviors, locations and any present threats” and to “discover hidden relationships between activities”. [239] According to an industry report, ThreatMetrix processes more than two billion transactions per month involving 1.4 billion “unique user accounts” across “thousands of global websites”. [240] The company’s partners include Equifax, LexisNexis, TransUnion, and other financial services companies. [241] It helps Visa “bridge the gap between static identity assessment data and online identities”. [242] Other clients include Netflix [243] and companies in fields as diverse as gaming, government services, and healthcare.

Device intelligence, credit reporting and marketing. Similarly, the large credit reporting agency Experian provides “device intelligence solutions” that allow online services to “invisibly protect customers applying online” “without stopping their online activity”. [244] One product “establishes a reliable ID for the device and collects rich device data,” “identifies every device

[231] http://www.idanalytics.com/data-and-technology/idnetwork/ [23.04.2017]
[232] http://www.idanalytics.com/media/VA-Resolve360-Datasheet.pdf [23.04.2017]
[233] http://www.idanalytics.com/data-and-technology/ [23.04.2017]
[234] http://www.idanalytics.com/media/Exploring-the-Impact-of-SSN-Randomization.pdf [23.04.2017]
[235] http://www.idanalytics.com/media/Fraud-ID-Score-9.0-Datasheet.pdf [23.04.2017]
[236] https://www.threatmetrix.com/cyber-security-software/ [24.04.2017]
[237] https://www.threatmetrix.com/cyber-crime/solution-brief/global-shared-intelligence/ [24.04.2017]
[238] https://www.threatmetrix.com/digital-identity-blog/travel/fighting-fraud-data-science-innovations-digital-identity/ [24.04.2017]
[239] https://www.threatmetrix.com/cyber-security-software/decision-management/ [24.04.2017]
[240] The Paypers (2016): Web Fraud Prevention & Online Authentication Market Guide 2016/2017.
[241] https://www.threatmetrix.com/partners/ [24.04.2017]
[242] https://www.threatmetrix.com/transaction-fraud/case-study/threatmetrix-supporting-visa-consumer-authentication-service/ [24.04.2017]
[243] https://www.threatmetrix.com/transaction-fraud/case-study/netflix-prevents-new-account-fraud/ [24.04.2017]
[244] http://www.experian.co.uk/identity-and-fraud/device-intelligence.html [24.04.2017]

37 on every visit in milliseconds” and “gives unparalleled visibility into the person behind the payment” [245] for online fraud detection purposes. According to Experian, its product protects “7+ billion transactions” a year [246] and is used by “120 of the world’s most recognized online merchants”, including 5 of the 6 “tier one global banks” and 4 of the top 5 global airlines. [247] Experian states that their fraud management solution for account opening “combines behavioral and device data, combined with user information”, including “blacklisted data, inconsistent locale indicators, risky locales and physical addresses, links to known fraud, and device intelligence attributes”. It “brings together information from multiple data sources” and consumers can also be screened “against bureau data and past application history”. [248]

Experian’s device identification technology comes from 41st parameter, a web fraud detection provider that the company acquired in 2013. [249] 41st parameter has also offered a second product marketed under the brand “AdTruth”, which provides "universal device recognition for effective digital advertising". [250] AdTruth promises to “identify users” across “both desktop and mobile web and apps”. [251] According to a product sheet, the company created a “unique user ID” for each device, by collecting information such as IP addresses, device models and device settings. [252] The service is now marketed as “AdTruth by Experian”. It provides “universal device recognition” and promises to “recognise devices whether in mobile, web or apps while upholding consumer privacy and choice”. [253] In 2015, Experian announced “AdTruth Resolve”, which is able to “reconcile and associate” a company’s “existing digital identifiers — including cookies, device IDs, IP addresses and more”.
As a part of Experian’s marketing suite, this would represent “another milestone in Experian Marketing Services' long-term strategy to provide marketers with a ubiquitous, consistent and persistent link across all channels”. [254]

I am not a robot. Although most people may not be aware of it, Google’s reCaptcha product provides similar functionality. It is embedded into millions of websites and helps website providers decide whether a visitor is a legitimate human being or not. Until recently, users had to solve several kinds of quick challenges such as deciphering letters on a picture, choosing objects in a grid of pictures, or simply clicking on a “I’m not a robot” checkbox. [255] In 2017, Google introduced the “invisible” version of reCaptcha, explaining that from now on “human users will be let through” without any user interaction, while “suspicious ones and bots” would still

[245] http://www.experian.co.uk/assets/identity-and-fraud/device-insight-for-payments-one-pager.pdf [24.04.2017]
[246] Ibid.
[247] http://www.experian.com/decision-analytics/41st-parameter.html [24.04.2017]
[248] http://www.experian.com/decision-analytics/identity-and-fraud/account-opening.html [24.04.2017]
[249] https://adexchanger.com/data-exchanges/experian-buys-device-id-firm-41st-parameter-for-324m-gets-adtruth-in-the-bargain/ [24.04.2017]
[250] https://web-beta.archive.org/web/20140208125208/http://adtruth.com/what-we-do/differentiators
[251] https://web-beta.archive.org/web/20140208070551/http://adtruth.com/what-we-do/what-is-adtruth
[252] https://struqmarket.files.wordpress.com/2013/11/ad-truth-fact-sheet-uk.pdf [24.04.2017]
[253] http://www.experian.co.uk/marketing-services/products/adtruth-device-recognition.html [24.04.2017]
[254] https://www.experianplc.com/media/news/2015/adtruth-resolve/ [24.04.2017]
[255] https://arstechnica.com/gadgets/2017/03/googles-recaptcha-announces-invisible-background-captchas/

38 have to solve a challenge or click on a checkbox. [256] Google states that it uses a “combination of machine learning and advanced risk analysis” but does not disclose which kinds of user data and behaviors they use to “identify humans”. [257] Critical investigations by journalists, and ironically also by Experian’s AdTruth, suggest that Google does not only use IP addresses, browser fingerprints, the way users type, move their mouse, or use their touchscreen "before, during, and after" a reCaptcha interaction, but also several cookies set by Google’s services. [258] It is not clear whether people without Google user accounts face a disadvantage, whether Google is able to identify specific individuals rather than only “humans”, or whether Google also uses the data recorded within reCaptcha for other purposes than for bot detection. Either way, Google decides which individuals are considered valid and which are classified as suspicious or fraudulent on millions of websites.

4.5 Investigating consumers based on digital records

Other fraud prevention systems are not primarily optimized for real-time automatic detection of suspicious behavior, but rather help investigators of banks, insurers, law enforcement agencies, or other organizations analyze large amounts of digital records.

For example, as a part of its i2 platform, IBM provides software which helps clients analyze a wide range of data including “telephone call records, financial transactions, computer IP logs and mobile forensics data” in order to “identify, predict, prevent and disrupt criminal, terrorist and fraudulent activities”. Their software is used by intelligence agencies, police departments, prisons, as well as by insurance companies to “Identify key people, events, connections and patterns” and to “highlight key individuals and relationships and their connections to key events”. [259] Another IBM analytics product promises that it helps governmental agencies better prevent “social program waste and abuse” by combining eligibility and identity information, including insights into “familial relationships”. [260]

Sentinel Visualizer, a software tool to “discover hidden relationships, connections, and patterns among people, places, and events” in all kinds of data, [261] including “massive number of phone calls”, [262] is used by both intelligence and law enforcement agencies. At the same time, large banks, insurance companies, and healthcare organizations, including Capital One and CIGNA, use the product for customer relationship mining and fraud detection. [263] Similarly, the data mining services provided by the highly controversial analytics company Palantir [264] are

[256] https://www.google.com/recaptcha/intro/invisible.html [24.04.2017]
[257] Ibid.
[258] http://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2
[259] http://www.ibm.com/software/industry/i2software [24.04.2017]
[260] https://www.ibm.com/analytics/us/en/industry/government/social-programs/ [24.04.2017]
[261] http://www.fmsasg.com/ [24.04.2017]
[262] http://www.fmsasg.com/LinkAnalysis/telephone_logs/call_data_records.htm [24.04.2017]
[263] http://www.fmsasg.com/LinkAnalysis/Commercial/Solutions.asp [24.04.2017]
[264] Christl and Spiekermann (2016), p. 108

39 used by intelligence agencies, as well as by banks, insurers and healthcare organizations. Palantir’s insurance analytics product, for example, enables clients to “integrate and analyze health data to identify fraudulent schemes, improve patient outcomes, and identify meaningful trends”. [265]

Together with Social Intelligence, a company that provides technology for social media searches and insurance claim investigations, LexisNexis Risk Solutions offers a product to “discover an individual’s online presence in real-time”. This so-called “Social Media Locator” provides “up-to-the-minute intelligence on individuals” based on “searches of hundreds of social networks and millions of websites” that leave “virtually no stone unturned when it comes to identifying fraudulent claims”. Social Intelligence promotes its capabilities “to gather, aggregate, analyze and distribute social data to improve fraud detection”. The company aims to make “social data available and actionable for decision-making processes in every business environment” and also provides “social media risk scoring to improve risk assessment”. [266]

Many business intelligence and analytics tools including data mining, predictive analytics, data management and integration, often provide similar functionalities as IBM, Sentinel, and Palantir’s software. These tools integrate many different services from risk mitigation to marketing. The market leaders in business intelligence and analytics solutions are Oracle, SAP, IBM, Microsoft, SAS, Teradata, Salesforce, Adobe, Tableau Software, and Informatica. [267]
[265] https://www.palantir.com/solutions/ [24.04.2017]
[266] http://insurancenewsnet.com/press-releases/social-intelligence-and-lexisnexis-risk-solutions-integrate-social-data-with-fraud-prevention-platform
[267] IDC (2016): Worldwide Business Analytics Software Market Shares, 2015: Healthy Demand Despite Currency Exchange Rate Headwinds. July 2016, IDC.

40 5. The Marketing Data Industry

5.1 Sorting and ranking consumers for marketing

The marketing data industry is arguably the main driving force behind ubiquitous consumer surveillance. It consists of a wide range of different types of companies, including marketing and advertising agencies, list brokers, database management providers, online and mobile advertisers, and firms engaged in direct mail, telephone sales services, and data-driven commerce, as well as companies offering loyalty programs. [268] Marketing data companies, which are often called “data brokers”, mostly offer a smaller or bigger selection of these services.

Client firms pay for the use of the data brokers’ data, marketing, analytics, and technology services to find, attract, and target valuable new customers, but also to retain existing customers and prospects and to maximize the profitability or “lifetime value” that they derive from them. [269] They do so by utilizing data and analytics to sort and rank both customers and prospects for prioritization purposes and personalized treatment, such as customized telemarketing scripts, promotional materials, online content, ads, offers, discounts and pricing. [270] Data broker clients can also buy additional consumer data and append it to their own data. [271] Based on this data and analytics services, businesses in all industries try to sell their customers complementary or more expensive products, to prevent customer attrition, and, generally, to persuade consumers to act in certain ways. [272]

A data broker can be defined as a “company or business unit that earns its primary revenue by supplying data or inferences about people gathered mainly from sources other than the data subjects themselves”. [273] According to the US Federal Trade Commission (FTC), data brokers
collect “massive amounts of data, from online and offline sources, and combine them into profiles about each of us”. [274] While “multiple layers of data brokers” are “providing data to each other”, consumers are “largely unaware” of their activities. [275] Some of them store data indefinitely

[268] Deighton, John; Peter A. Johnson (2013): The Value of Data: Consequences for Insight, Innovation & Efficiency in the U.S. Economy. October 8, 2013. Available at: https://www.ipc.be/~/media/documents/public/markets/the-value-of-data-consequences-for-insight-innovation-and-efficiency-in-the-us-economy.pdf
[269] In marketing, customer lifetime value (CLV or often CLTV), lifetime customer value (LCV), or life-time value (LTV) is a prediction of the net profit attributed to the entire future relationship with a customer. See e.g. Abdolvand, Neda; Amir Albadvi; Hamidreza Koosha (2014): Customer Lifetime Value: Literature Scoping Map, and an Agenda for Future Research. International Journal of Management Perspective, Vol. 1, No.3, pp. 41-59. Available at: https://www.researchgate.net/publication/277843944_Customer_Lifetime_Value_Literature_Scoping_Map_and_an_Agenda_for_Future_Research
[270] Christl and Spiekermann (2016), p. 41-44
[271] Ibid., p. 82
[272] Ibid., p. 127-128
[273] Upturn’s report about data brokers conducted an evaluation of different definitions of this term, see: Rieke, Aaron; Harlan Yu; David Robinson; Joris von Hoboken (2016), p. 4
[274] FTC, US Federal Trade Commission (2014): Data Brokers. A Call for Transparency and Accountability, p. C3. Available at: http://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf
[275] Ibid., p. iv

41 and make inferences about consumers, including “potentially sensitive” ones. [276] The FTC’s report is based on the examination of nine companies, including companies engaged in marketing data, identity verification, and fraud detection, but doesn’t cover credit reporting agencies. While some large data brokers like Acxiom originated from direct marketing, [277] others, like Experian, come from credit and consumer reporting but also offer marketing data services. [278] The information that consumer data brokers collect from commercial, governmental and public sources includes, but is not limited to, data about demographic attributes, occupation, education, purchases, property ownership, income, interests, and ethnicity, as well as religious and political affiliation. [279]

Lists of people with names, addresses, or other contact information that group consumers by specific characteristics have historically been an important product sold by marketing data companies. Today these lists include people with low credit scores and with specific conditions such as cancer or depression. [280] They originate from third-party companies which sell or rent information about their customers to data brokers. Lists have been used to sell products and services and to send direct mail to consumers, but also as a basis for other applications. In 2017, for instance, Amnesty International was offered a list of 1.8 million US Muslims; during an investigation on data companies, the organization also discovered offers for lists of “Americans with Bosnian Muslim Surnames” or “Unassimilated Hispanic Americans”. [281] The website dmdatabases.com offers email and mailing lists of wheelchair and insulin users, of people addicted to alcohol, drugs, and gambling, as well as of people suffering from breast cancer, HIV, clinical depression, impotence, and vaginal infections. [282] Nextmark offers consumer lists titled “Pay Day Loan Central – Hispanic”, [283] “Help Needed – I am 90 Days Behind With Bills”, “One Hour Cash”, [284] “High Ranking Decision Makers in Europe” [285] or “Identity Theft Protection Responders”. [286]

Unified consumer databases with unified identifiers. Data brokers have different kinds of contracts with their data providers. They might claim “ownership” of the acquired data or only the right to use it or resell it for a specific time period. [287] Similarly, their clients may be re-

[276] Ibid.
[277] http://www.fundinguniverse.com/company-histories/acxiom-corporation-history [20.04.2017]
[278] https://www.experianplc.com/media/1323/8151-exp-experian-history-book_abridged_final.pdf [20.04.2017]
[279] FTC (2014): Data Brokers
[280] Senate Committee on Commerce, Science, and Transportation (2013): A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes. Staff Report for Chairman Rockefeller, December 18, 2013, p. 5. Available at: https://www.commerce.senate.gov/public/_cache/files/bd5dad8b-a9e8-4fe9-a2a7-b17f4798ee5a/D5E458CDB663175E9D73231DF42EC040.12.18.13-senate-commerce-committee-report-on-data-broker-industry.pdf
[281] https://medium.com/amnesty-insights/data-brokers-data-analytics-muslim-registries-human-rights-73cd5232ed19
[282] http://dmdatabases.com/databases/consumer-mailing-lists/ailments-lists [20.04.2017]
[283] https://lists.nextmark.com/market?page=order/online/datacard&id=311835 [20.04.2017]
[284] https://lists.nextmark.com/market?page=order/online/datacard&id=261706 [20.04.2017]
[285] https://lists.nextmark.com/market?page=order/online/datacard&id=340254 [20.04.2017]
[286] https://lists.nextmark.com/market?page=order/online/datacard&id=290341 [20.04.2017]
[287] FTC (2014): Data Brokers, p. 16

42 288 or licensed data can be used. stricted in ho In addition to the data i t- , w the acquired, rented self, data brokers provide software to manage their client’s customer databases, enhance data, specific characteri s- merge lists, remove duplicate records, and to sort them into groups with tics. In 1999, large companies such as Acxiom and Experian introduced their master customer database products “AbiliTec” and “TruVue” as single sources for information on individuals in which every person gets a unique co de. This allowed them to link together and households s , address es, and zip records from different sources by combining key identifiers such as name 289 s . Providing other companies with “identity resolution” code and linking capabilities , based on highly accurate centralized databases which are constantly updated with information about marriages, divorces , births, deaths, name and address changes , became an important service in 290 291 itself. The respective national postal services were always an important source for this information and kind of play a vital role in the consumer data business themselves. For they 292 293 example, national postal services in both Europe and North America offer consu m- while ers change - of - address service s to forward mail to their new addresses, they also se ll this i n- formation to other companies . Data brokers also receive data about address changes from companies when consumers update their magazine subscriptions, phone connections, credit 294 or other services. card details , Combining data about neighborhoods, Data comp a- buildings, households and individuals. - level data on consumers. When they started to se g- nies have never only collected individual 295 ment and cluster consumers, they generally relied on census data to attribute specific cha r- acteristics and behavior s to postal addresses in certain neighborhood s , and thus to households. 
market Today, all manner of larger - scale information are still in use , including census data , 296 as well as households and surveys, , aggregated data on research data from consumer panels was originally collected from individuals. Especially in most European countries, data that to profile individuals brokers rely more on aggregated data due to stronger data protection regulations that limit the direct , and sharin g of individual - level data. collection, use For example, the German consumer data broker Arvato AZ Direct, a subsidiary of the media giant Bertelsmann, offers different kinds of data at the individual, household, building, and s – the latter of which con sist of either 5, 20, 70 , neighborhood level or 500 households. The 288 Ib id, p. 40 289 Identity re solution might be defined as a “ data management process through which an identity is searched and analyzed between disparate data sets and databases to find a match and/or resolve identities. Identity resolution enables an organiz a- ributes”: tion to analyze a particular individual’s or entity’s identity based on its available data records and att https://www.techopedia.com/definition/29011/identity - ion resolut 290 http://blogs.gartner.com/martin - kihn/a - brief - incredible - history - of - marketing - data - matching/ 291 FTC (2014): Data Brokers 292 - - kritik - am - daten - handel http://www.sueddeutsche.de/wirtschaft/verbraucherschutz der - post - 1.196084 293 - https://www.forbes.com/sites/adamtanner/2013/07/08/how - the - post - office - sells - your - new address - with - anyone - who - t pays and - the - little - known - loophole - - o - opt - out 294 Ibid. 295 Senate Committee on Commerce, Science, and Transportation (2013) , p. 23 296 pane - http://www.nielsen.com/apac/en/solutions/measurement/consumer E.g. [20.04.2017] ls.html 42 CORPORATE SURVEILLANCE IN EVERYDAY LIFE | A REPORT BY CRACKED LABS , 2017

43

company also offers data at the zip code level or at the level of geographic grid cells, sized from 125x125m to 10x10km.[297] Arvato provides attributes such as gender and age at the individual level, but their “geoscore”, predicting creditworthiness, is provided only for groups of approximately 20 households. However, when using this data for targeting prospects or to sort customer databases, this group-level credit rating can be assigned to a person at the individual level again, as it is originally based on individual-level data. In their marketing data catalog, people with the best credit rating are labeled with an “A” and “VIP clients”, while those with the worst receive a “G” and “postpone processing”.[298] According to Arvato, detailed information about the buildings which individuals inhabit is the basis for many of the other attributes they provide.[299] Aggregated data about registered vehicles are used to predict individuals’ social standing, purchasing power and attitudes.[300] Overall, the company provides 600 attributes on 70 million consumers in Germany, assigning every person, household, and building a unique ID.[301]

At global level, an industry report by Forrester lists eleven major consumer data brokers and analytics companies, which it refers to as “customer insights services providers”: Acxiom, Ansira, Epsilon, Experian Marketing Services, Harte Hanks, Merkle, Precision Dialogue, Rapp, Targetbase, Wunderman, and Yes Lifecycle Marketing.[302] Client companies use their services to, for example, manage their customer and prospect databases as well as to analyze, segment and sort customers regarding their characteristics, behaviors, profitability, and lifetime value. In addition, clients can buy consumer data and append it to their own data.[303] Acxiom, for example, manages customer databases for 7,000 clients, including 47 of the Fortune 100 companies.[304] Similarly, Experian manages 7,500 customer databases of large companies.[305] Merkle states that it manages more than 3.7 billion customer records for clients, including for Dell, Nespresso, Microsoft, Marriott, Chase, American Express and Universal.[306] The Bertelsmann subsidiary Arvato “maintains relationships with over 600 million consumers and business clients”

[297] Arvato AZ Direct (2015): AZ DIAS PROFILDATEN. Merkmalskatalog. Personal copy of file with author Wolfie Christl
[298] Ibid., translated from the German: “The Informa-Geoscore predicts the probability of payment default at micro-cell level (with on average 20 households per micro-cell). In contrast to many other external data, it is based on valid address-related or person-related information, which is aggregated at micro-cell level”, “1 Almost no risk (VIP customers, A)”, “7 Highest risk (postpone processing, G)”
[299] Ibid., p. 9
[300] Ibid., p. 52
[301] Hüffner, W. (2015): Datenschutzkonformes Smart Data und Data Pooling. arvato Digital Marketing, Mar. 05, 2015. Available at: https://www-950.ibm.com/events/wwe/grp/grp006.nsf/vLookupPDFs/H%C3%BCffer_IBM_SPSS_2015/$file/H%C3%BCffer_IBM_SPSS_2015.pdf [20.04.2017]
[302] Forrester (2015): The Forrester Wave™: Customer Insights Services Providers, Q4 2015. November 10, 2015.
[303] Ibid., p. 5
[304] Acxiom (2015): Annual Report 2014. Available at: http://files.shareholder.com/downloads/ACXM/0x0x763250/A1DBFBD8-E136-4701-B0F2-3DC695E5ED08/acxiom2014_Annual_Report_FINAL_RRD_PDF_.pdf [08.04.2017]
[305] Forrester (2015): The Forrester Wave™: Customer Insights Services Providers
[306] https://www.merkleinc.com/sites/default/files/Sum14_Agency-Overview_5.23.14_v2.pdf [20.04.2017]

44

on “behalf of its clients”.[307] At the same time, these “customer insights services providers” also have their own databases with extensive information on consumers across the world. According to Forrester, Yes Lifecycle Marketing, for example, has “business and consumer data in 225 countries”.[308]

5.2 The rise of programmatic advertising technology

Over the last ten years the collection, integration, analysis, and utilization of digital information about consumers has become embedded into many areas of life, a development accompanied by unprecedented levels of data volume, velocity, and variety. Some aspects of this are obvious: the ascent of the Internet, the pervasive nature of social media, the spread of smartphones, the ubiquity of online advertising, and the variety and number of applications and Internet connected devices visibly represent the rapid evolution of data-driven services. Nevertheless, many of the technical and commercial developments that enable today’s digital data economy occurred in the background, and remain opaque and barely understood not only by most consumers, but also journalists and policymakers.

The online advertising sector has become one of the most advanced industries aiming at the extraction of value from and monetization of data. While the industry consists of a plethora of different kinds of companies, technologies, and practices interacting with one another, only a tip of this iceberg – both in terms of complexity as well as sheer volume – is visible to consumers. Every time a user visits a website or uses an app, data is not only transmitted to the publishers, but often additionally to circa 30 (or more) third-party services.[309] This occurs because publishers and other service providers incorporate tiny pieces of software that transmit data to tracking services into their websites and apps. Some of these tracking services – such as Facebook Like buttons, embedded YouTube videos, or other kinds of widgets – provide user functionality or are otherwise visible to users. Many, however, are invisible to users visiting a website or using a mobile app.[310] Those tiny pieces of embedded software are usually referred to as web bugs, beacons or tags.[311]

Marketing and ad technology. Ensighten, a “tag management platform”, provides publishers with an easy way to embed tracking tags from 775 different third-party vendors into their websites and mobile apps in order to transfer user data to third parties.[312] Many of those third-party services facilitate certain aspects of online advertising. Others provide analytics, testing, personalization, or fraud detection services. Some allow publishers to transmit user data into

[307] https://www.arvato.com/en/about/press/2017/arvato-systems-and-arvato-crm-solutions-again-receive-german-top-employer-award.html [20.04.2017]
[308] Forrester (2015): The Forrester Wave™: Customer Insights Services Providers
[309] Christl and Spiekermann (2016), p. 45
[310] Narayanan, Arvind; Dillon Reisman (2017): The Princeton Web Transparency and Accountability Project. Pre-published book chapter. Available at: http://randomwalker.info/publications/webtap-chapter.pdf
[311] Christl and Spiekermann (2016), p. 45, 49
[312] https://www.ensighten.com/products/enterprise-tag-management/integrations/ [20.04.2017]

45

their cloud-based customer databases or email newsletter and marketing services.[313] Most of these services collect, analyze, and share extensive user data across many websites, mobile apps, and platforms. Sometimes the only reason a website and app publisher embeds such tags is in order to sell the data about their visitors or users.[314] This ecosystem of third-party vendors is often referred to with the buzzwords “advertising technology” or “ad tech”, as well as “marketing technology”. Although all three are sometimes used interchangeably, “ad tech” often refers more specifically to technologies that address groups of consumers, while “marketing technology” relates to technologies that pertain to single individuals.[315]

Programmatic bidding on profiles. Most of today’s advertising occurs through highly automated real-time auctions between publishers and advertisers, a process often referred to as “programmatic advertising”.[316] When a person visits a website, it sends metadata about the contents of the page, user profile data, and, usually, some kind of user identifier to multiple advertisers. Then, advertisers who are interested in delivering an ad to this particular user at this particular time and in the context of this particular page make a bid. The highest-bidding advertiser wins and gets to place the ad. This so-called “real-time bidding” happens within the milliseconds of a website loading.[317] Similarly, advertisers can bid for user profiles and ad placements within mobile apps. For the most part, however, this process doesn’t happen directly between publishers and advertisers: rather, it involves a range of advertising technology companies so wide that sometimes even experts in online marketing have difficulty fully comprehending it.[318] Some of the common types of services are:

- Ad servers and ad networks, which help publishers manage advertising requests from many advertisers, and vice versa. Ad exchanges connect several ad networks.
- Sell-side platforms (SSP), which allow publishers to sell user profiles and ad placements to many ad networks, exchanges, and demand-side platforms (DSP).
- Demand-side platforms (DSP), which allow advertisers to bid on ad placements and user profiles with specific characteristics from many publishers, ad servers, exchanges, and sell-side platforms (SSP).[319]

The terms being used to describe these main types of ad technology providers are not always consistent. The lines between the different kinds of vendors, such as ad exchanges, SSPs, or DSPs, are often blurred and overlapping. The consulting firm LUMA Partners provides popular maps containing extensive lists of relevant companies in different fields.[320] An additional distinction

[313] See e.g. the list of integrations of the tag manager Segment: https://segment.com/catalog [20.04.2017]
[314] http://www.gartner.com/smarterwithgartner/how-to-monetize-your-customer-data/
[315] See e.g. slide 7: https://www.slideshare.net/tkawaja/luma-digital-brief-010-power-to-the-people
[316] McConnell, Ted (2015): The Programmatic Primer. A Marketer's Guide to the Online Advertising Ecosystem, p. 8
[317] Ibid., p. 7
[318] http://blogs.gartner.com/martin-kihn/ad-tech-worse-wall-street/
[319] Gallagher, Kevin (2017): Ad Tech explainer. How innovation is changing the digital advertising business and creating new opportunities for disruption. Business Insider, BI Intelligence, January 2017.
[320] http://www.lumapartners.com/resource-center/lumascapes-2/ [20.04.2017]

46

is usually made between companies that focus on tracking and advertising alongside search results,[321] general ads on the web,[322] mobile ads,[323] video ads,[324] social network ads,[325] and ads within games.[326] In any case, Google dominates the online advertising landscape. The company offers several types of services for both advertisers and publishers, and in 2016 accounted for 32.8% of worldwide digital ad revenues, followed by Facebook with 14.1%.[327]

Profiling users requires tracking online behaviors over time. The delivery of ads based on a user’s web searches, browsing, or app usage behavior is referred to as behavioral advertising.[328] In contrast, when serving contextual ads, a publisher does not need to know much about the site visitor or app user, but simply serves ads that relate to the content on the site – such as, for instance, serving an automotive ad on a car-racing site. To profile web or mobile app users, all parties involved in online advertising have developed sophisticated methods to accumulate, compile, and link information from different companies to create extensive long-term profiles about users’ behaviors.[329] Companies use cookie syncing to “anonymously” follow individuals across websites, or link different user accounts, devices and even offline data, such as store purchases. To achieve this, they make use of pseudonymous identifiers that refer to individuals, mainly based on email addresses, phone numbers, and cookie and device IDs.[330]

Only a few companies have all the collected profile information in one place.[331] Often profiles about individuals are put together only for a single interaction by combining information from multiple companies in the moment. In this way advertisers can find and target users with specific characteristics and behaviors in milliseconds, regardless of which service or device is used, which activity is pursued, or where the user is located. Many of the participating services might not know the name of the person to whom the ad was served. Nevertheless, an individual’s profile or a specific attribute that was assigned to that profile may follow her everywhere and can have a significant impact on that person across ad networks and other data companies.

[321] http://www.lumapartners.com/lumascapes/search-lumascape/ [20.04.2017]
[322] http://www.lumapartners.com/lumascapes/display-ad-tech-lumascape/ [20.04.2017]
[323] http://www.lumapartners.com/lumascapes/mobile-lumascape/ [20.04.2017]
[324] http://www.lumapartners.com/lumascapes/video-lumascape/ [20.04.2017]
[325] http://www.lumapartners.com/lumascapes/social-lumascape/ [20.04.2017]
[326] http://www.lumapartners.com/lumascapes/gaming-lumascape/ [20.04.2017]
[327] https://www.emarketer.com/Chart/Net-Digital-Ad-Revenue-Share-Worldwide-by-Company-2016-2019-of-total-billions/205364
[328] Yan, Jun; Ning Liu, Gang Wang, Wen Zhang, Yun Jiang, and Zheng Chen (2009): How much can behavioral targeting help online advertising?. In Proceedings of the 18th international conference on World wide web (WWW '09). ACM, New York, NY, USA, 261-270. Available at: http://dl.acm.org/citation.cfm?id=1526745
[329] Narayanan, Arvind; Dillon Reisman (2017), p. 13
[330] Christl and Spiekermann (2016), p. 90
[331] Large platforms such as Google and Facebook, or large data companies such as Acxiom
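The pseudonymous identifiers described above, derived mainly from email addresses, are what allow records collected by different companies to be joined into one profile. The following Python example is an added illustration, not code from the report or from any company it names; it assumes the identifier is an unkeyed SHA-256 hash of a normalized address (the report does not name an algorithm), and every record, field name and key in it is constructed. It also shows, for comparison, that tokens derived under a secret held by only one party no longer join.

```python
import hashlib
import hmac

# Constructed sample data: a retailer's customer file and a platform's user table.
RETAILER_CRM = [
    {"email": " Alice.Example@Mail.test ", "last_purchase": "baby products", "store_visits": 7},
    {"email": "bob@mail.test", "last_purchase": "garden tools", "store_visits": 2},
    {"email": "Carol@mail.test", "last_purchase": "credit card application", "store_visits": 1},
]
PLATFORM_USERS = [
    {"email": "alice.example@mail.test", "device_id": "dev-1111", "segment": "new parents"},
    {"email": "carol@mail.test", "device_id": "dev-3333", "segment": "frequent traveller"},
    {"email": "dave@mail.test", "device_id": "dev-4444", "segment": "sports fans"},
]


def normalize_email(raw):
    """Trim whitespace and lowercase so formatting variants map to one value."""
    return raw.strip().lower()


def plain_token(email):
    """Assumed scheme: unkeyed SHA-256 over the normalized address."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def keyed_token(key):
    """Return a tokenizer using HMAC-SHA-256 under a secret only one party holds."""
    def tokenize(email):
        msg = normalize_email(email).encode("utf-8")
        return hmac.new(key, msg, hashlib.sha256).hexdigest()
    return tokenize


def pseudonymize(records, tokenize):
    """Drop the email field and replace it with a token; keep all attributes."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != "email"}
        row["id"] = tokenize(rec["email"])
        out.append(row)
    return out


def join_on_id(set_a, set_b):
    """Merge rows from two pseudonymized sets that carry the same token."""
    index = {row["id"]: row for row in set_b}
    return [{**index[row["id"]], **row} for row in set_a if row["id"] in index]


def link_with_plain_hash():
    """Both parties hash the same way, so the token acts as a shared person key."""
    a = pseudonymize(RETAILER_CRM, plain_token)
    b = pseudonymize(PLATFORM_USERS, plain_token)
    return join_on_id(a, b)


def link_with_separate_keys():
    """Each party tokenizes under its own secret; the sets no longer join."""
    a = pseudonymize(RETAILER_CRM, keyed_token(b"retailer-secret-constructed"))
    b = pseudonymize(PLATFORM_USERS, keyed_token(b"platform-secret-constructed"))
    return join_on_id(a, b)


if __name__ == "__main__":
    for profile in link_with_plain_hash():
        print(profile["id"][:12], "|", profile["segment"], "|",
              profile["last_purchase"], "|", profile["device_id"])
    print("matches with separate keys:", len(link_with_separate_keys()))
```

Neither merged profile contains a name or an email address, yet each one combines in-store and online attributes of the same person.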

47

5.3 Connecting offline and online data

Until recently, marketers who used Facebook, Google or other online ad networks, could only target individual profiles based solely on online behavior. In 2012, Facebook started to allow companies to upload their own lists of email addresses and phone numbers from their customer databases to its platform.[332] Even though these email addresses and phone numbers are converted into pseudonymous codes,[333] Facebook has since then been able to directly link third-party customers with their Facebook accounts, assuming they are present on the platform. In this way Facebook enables companies to find and target exactly those persons they have email addresses or phone numbers on. As a result, companies can also use Facebook’s powerful filter criteria to target – or systematically exclude – only a subset of these persons.

Facebook’s ability to exactly target people based on email addresses and phone numbers is perhaps more powerful than it appears at first glance. It lets companies systematically connect their own customer data with Facebook’s data. Moreover, it also allows other ad tech vendors to synchronize with the platform's databases and tap into its capacities, essentially providing a kind of real-time remote control for Facebook’s data universe. Today companies can capture information about very particular activities – such as specific webpage activities, swipes in a smartphone app, or types of purchases – in real-time and tell Facebook to immediately find and target the persons who performed these activities. Google[334] and Twitter[335] launched similar features in 2015. Today, most online advertising platforms allow companies to pass different kinds of pseudonymous identifiers (mostly generated from email addresses, phone numbers, or device IDs) to each other.

In addition, Facebook started partnering with the four large consumer data brokers Acxiom, Epsilon, Datalogix, and BlueKai in 2013,[336] of which the latter two Oracle subsequently acquired. As of 2017, six data brokers provide “audience data” to Facebook to help the platform better sort and categorize its users. Currently, these six data brokers are Acxiom, Epsilon, Experian, Oracle, CCC Marketing (Japan), and Quantium (Australia).[337]

Data management platforms. Beside the large online platforms and the different types of advertising technology providers, another type of service has, in recent years, become essential to online advertising, and digital tracking and profiling in general. Data management platforms

[332] Facebook introduced its “custom audiences”: http://techcrunch.com/2012/10/11/facebook-custom-audience-ads/
[333] Email addresses and phone numbers are “hashed”: https://www.facebook.com/ads/manage/customaudiences/tos.php [20.04.2017], for details see also section 7.3
[334] Google introduced “custom match”: https://adexchanger.com/mobile/google-allows-targeted-ads-based-on-first-party-data/
[335] Twitter introduced its “partner audiences”: http://venturebeat.com/2015/03/05/twitters-new-partneraudiences-will-help-more-advertisers-track-you-outside-twitter/
[336] https://techcrunch.com/2013/02/27/facebook-ad-data-providers/
[337] https://facebookmarketingpartners.com/marketing-partners/#ad=&co=&in=&la=&qss=&sp%5B%5D=Audience+Data+Providers [20.04.2017]

48

(DMPs) have assumed the role of “central hubs” that aggregate, integrate, manage and deploy different sources of data about consumers.[338] They provide the following functionalities:

- First, DMPs allow companies to upload their own data about customers and prospects in real-time, including demographic data and real-time information about purchase activities, website visits, app usage, and email responses. This data can then be combined and linked with data from myriads of third-party vendors.
- Second, DMPs help companies analyze, sort, and categorize consumers, add or remove them from lists of individuals with certain characteristics (“audiences” and “segments”), and select them for specific treatment. Thus, a company can address certain people in certain ways with certain messages on certain channels or devices.[339] It could, for example, target a group of existing customers who have visited a certain page on its website, and are predicted as valuable and likely to respond, with personalized content or a discount – either on Facebook, in a mobile app, or on the company’s own website.
- Third, DMPs provide ways to find and target people with similar characteristics and behaviors as the people provided (“lookalikes”),[340] as well as to exclude certain kinds of people from targeting (“audience suppression”).[341]

In recent years, larger companies such as software vendors, data brokers, direct marketing agencies, and customer relationship management (CRM) companies have acquired some of these data management platforms. Oracle (see chapter 6), Adobe, Salesforce (Krux), and Wunderman (KBM Group/Zipline) run the most relevant DMPs, but other vendors, such as Neustar, Lotame, and Cxense also provide such platforms.[342]

Lotame, for example, offers its clients the ability to provide real-time data from their customer databases, websites, apps, email systems and ad campaigns to its data management platform.[343] The uploaded data can then be combined with “billions of consumer profiles, each with thousands of behavioral attributes” originating from both data collected by Lotame itself and by third-party sources.[344] Client companies can then profile, sort, and rank their users, customers, and prospects with regard to their demographics, interests, and behaviors[345] in order to target them with ads through software integrations with many other advertising technology providers.[346] They can share this data with partner companies or feed it into personalization

[338] Winterberry Group (2012): The Data Management Platform: Foundation for Right-Time Customer Engagement. A Winterberry Group Whitepaper. Available at: http://www.iab.net/media/file/Winterberry_Group_White_Paper-Data_Management_Platforms-November_2012.pdf
[339] http://blogs.gartner.com/martin-kihn/data-management-platform
[340] For example: http://www.krux.com/data-management-platform-solutions/lookalikes/ [28.04.2017]
[341] https://blogs.adobe.com/digitalmarketing/advertising/increase-ad-roi-audience-suppression/ [28.04.2017]
[342] Forrester (2015): The Forrester Wave™: Data Management Platforms, Q4 2015. Available at: http://www.krux.com/upload/image/company/The_Forrester_Wave_Data_Management_Platforms_Q4_2015.pdf
[343] https://www.lotame.com/data-management-platform/ [28.04.2017]
[344] http://resources.lotame.com/data-stream-content-access [28.04.2017]
[345] https://www.lotame.com/data-management-platform/ [28.04.2017]
[346] https://www.lotame.com/data-management-platform/ [28.04.2017]

49

and product recommendation engines, CRM and business intelligence systems, or even use it for fraud prevention.[347] Neustar, in contrast, runs not only an ad tech DMP, but also provides fraud detection and identity verification services. The company promises to “link traditional off-line identity verification (name, address, phone, email, etc.) with 21st century digital identity data (IP address, geo-location, cookie, device ID, synthetic ID, and more) to give a holistic view of the consumer and the device”.[348]

The emergence of data management platforms marks a key moment in the development of pervasive commercial behavioral tracking. With their help, companies in all industries across the globe can seamlessly combine and link the customer and prospect data that they have been collecting for years with billions of digital profiles. Traditional consumer data brokers play a key role in this evolution. They have morphed from old-school direct mail marketing agencies selling consumer lists into high-tech data analytics companies.

5.4 Recording and managing behaviors in real-time

The example of the customer data platform mParticle shows how today’s companies can seamlessly collect rich data about their customers and others in real-time, add more information about them from third parties, and utilize the enriched profiles within the marketing and ad technology ecosystem.

Real-time data collection. With the mParticle platform companies can collect customer data including interactions such as views, clicks, searches, social media posts or shares, menu or tab navigation, subscribes, app installs, purchases, and refunds[349] – from apps, websites,[350] and several third-party tools.[351] They can collect information about whether somebody removed an item from a shopping cart and many other custom-defined “events”.[352] If available, a user’s location can be logged for every event.[353] Screen tracking allows clients to monitor how users navigate through an app.[354] Additionally, they can import data feeds from third-party advertising, marketing, and customer relationship management tools such as Salesforce.[355] The company also supports collecting data from Roku video channels.[356]

Identifying and profiling. Each user profile on mParticle may contain, in addition to device and carrier information,[357] a customer ID, email address, and user IDs from Google, Apple, Microsoft,

[347] http://resources.lotame.com/data-stream-content-access [28.04.2017]
[348] https://www.neustar.biz/risk/fraud-detection [28.04.2017]
[349] http://docs.mparticle.com/#event-type [22.04.2017]
[350] http://docs.mparticle.com/#selecting-data-criteria [22.04.2017]
[351] https://www.mparticle.com/ [22.04.2017]
[352] http://docs.mparticle.com/#selecting-data-criteria [22.04.2017]
[353] http://docs.mparticle.com/#location-tracking [22.04.2017]
[354] http://docs.mparticle.com/#screen-tracking [22.04.2017]
[355] http://docs.mparticle.com/#feed-configurations [22.04.2017]
[356] http://docs.mparticle.com/#roku [22.04.2017]
[357] http://docs.mparticle.com/#selecting-data-criteria [22.04.2017]

50

Facebook, Twitter, Yahoo as well as “any other identifier that can contribute to user identification”.[358] Other available user attributes include name, address, gender, and phone number[359] as well as the “customer lifetime value”.[360] As soon as data is captured, mParticle enriches it with data from providers such as Oracle’s Datalogix,[361] adding information about occupation, income, brand preferences, interests, hobbies, and credit cards used. Altogether, it makes “thousands of 3rd party data segments” available to its clients.[362]

Managing groups of people. Companies can create “audiences”,[363] i.e. lists of user profiles with certain kinds of identifiers, and then “ship” those audiences to a wide selection of platforms and marketing technology companies, including Adobe, AppNexus, Facebook, Google, Inmobi, Lotame, Millennial Media (Verizon), Pinterest, Snapchat, Tapad, and Twitter.[364] A company could, for example, create an “audience” consisting of high-income users who installed an app in the last 72 hours, have used this app less than three times and additionally have visited a certain location. This “audience” consisting of a dynamic list of users might then be forwarded to Facebook, which can identify these people by matching email addresses or mobile identifiers[365] to its own userbase in order to address them with specific messages.[366]

Real-time behavioral feeds. This is very similar to how companies have used mailing lists with names and addresses for ages – with the crucial difference that mParticle’s “audiences” are not simply static lists of people. They are dynamic feeds about groups of people with certain characteristics and behaviors, continuously updated by real-time interactions captured in different contexts, and are used to make automated decisions on those people across devices and platforms in order to influence their behavior according to complex sets of rules and instructions. The recorded user interactions and events can also be directly transmitted to other platforms, such as Abakus (SAP), Bluekai (Oracle) or Krux (SalesForce).

5.5 Collecting identities and identity resolution

A report on the “strategic role of identity resolution” in marketing does a good job describing how companies should proceed with collecting data on their customers and others as well as how to best utilize this data.[367]

[358] http://docs.mparticle.com/#user-identity [22.04.2017]
[359] http://docs.mparticle.com/#user-tags-and-attributes [22.04.2017]
[360] http://docs.mparticle.com/#lifetime-value [22.04.2017]
[361] http://docs.mparticle.com/#user-insights [22.04.2017]
[362] http://blog.mparticle.com/mparticle-feature-spotlight-third-party-segment-insight/ [22.04.2017]
[363] http://docs.mparticle.com/#audiences [22.04.2017]
[364] http://docs.mparticle.com/#audience-configurations [22.04.2017]
[365] To be precise, pseudonymous identifiers based on hashed email addresses or mobile identifiers
[366] http://docs.mparticle.com/#audiences [22.04.2017]
[367] Stanhope, Joe; Mary Pilecki; Fatemeh Khatibloo; Tina Moffett; Arleen Chien; Laura Glazer (2016): The Strategic Role Of Identity Resolution. Identity Is Context In The Age Of The Customer. Forrester, October 17, 2016.

Aggregating identifiers. The report suggests that the “ability to accurately identify customers” constitutes the “most basic prerequisite for marketing analytics, orchestration, and execution” today. Marketing has always been about “knowing the customer[s]”, which means “being able to identify them”. Identification, though, is “more than name recognition”. Thus, complete identity resolution should marry “multiple sources of identifier and interaction information” in order to “build robust customer profiles based on multiple data sources and interactions”. To enable identity resolution as a “strategic capability that facilitates the links between systems and interactions”, the report suggests a four-step process:

- First, companies should “collect identity keys” such as names, addresses, social handles, device IDs, cookie IDs, IP addresses, MAC addresses, and other types of identity keys that refer to consumers, devices, or other entities. Every interaction in a “customer life cycle” would generate or leverage such keys. Keys might also be sourced from other companies.
- Second, companies should “link the keys together”, for example by “associating a cookie ID with an email address, or a phone number with a loyalty card number”, possibly supported by “second- or third-party data sets”. Generally, “more keys and linkages” will create “increasingly robust identities”.
- Third, companies should “connect identities to descriptive data” in order to create profiles, for example by “aggregating device and channel data, behavior and interactions, self-submitted information, purchase and customer data, and third-party data sources”. This will also require the “ability to continuously update profiles as identity keys and personal data changes over time”.
- Fourth, companies should “apply identities to marketing use cases”. For example, they might use them for individual targeting and recognition across channels, devices, and “touchpoints”, for measurement, analytics, personalization, fraud detection, and transaction authorization. Companies might also use it to “proactively omit consumers from campaigns” and make “online data available for offline applications”. In addition, companies should consider incorporating “emerging channels” such as Smart TVs or IoT devices. Eventually, they should also consider monetizing their identity data by selling it to other companies.

The report adds that identity resolution capabilities require a balance between “complete and accurate data” and “return on investment”. In this way, it implies that it is acceptable for some data to be inaccurate, as long as it adds enough to the bottom line. As the above summary suggests, the report largely praises extensive corporate data collection, although, at least, the authors repeatedly warn that collecting and using consumer data carries the “risk of damaging brands and incurring legal consequences”.
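The four steps summarized above, together with the hashed-email matching mentioned in section 5.4, can be traced in a short sketch that shows why a hashed email address still works as a join key across separate data sets. This is an added example, not code from the report or from any company it names; the `IdentityGraph` class, the helper names and every record are hypothetical and constructed for illustration.

```python
"""Added illustration (not from the report): how shared identity keys merge
separate data sets into one profile. All names and records are constructed."""
import hashlib
import hmac


def hashed_email(email: str) -> str:
    """Unkeyed SHA-256 of the normalised address: the same input always gives
    the same output, so it is a join key for anyone who holds the address."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def keyed_email(email: str, party_secret: bytes) -> str:
    """Contrast case: HMAC with a per-party secret. Parties with different
    secrets derive different values, so their data sets do not join on it."""
    msg = email.strip().lower().encode("utf-8")
    return hmac.new(party_secret, msg, hashlib.sha256).hexdigest()


class IdentityGraph:
    """Union-find over (key_type, value) identity keys."""

    def __init__(self):
        self._parent = {}      # key -> parent key in the union-find forest
        self._attributes = {}  # key -> descriptive data attached to that key

    def _find(self, key):
        self._parent.setdefault(key, key)
        root = key
        while self._parent[root] != root:
            root = self._parent[root]
        while self._parent[key] != root:  # path compression
            nxt = self._parent[key]
            self._parent[key] = root
            key = nxt
        return root

    def link(self, *keys):
        """Steps 1-2: collect the keys seen in one interaction and link them."""
        first = self._find(keys[0])
        for key in keys[1:]:
            root = self._find(key)
            if root != first:
                self._parent[root] = first

    def describe(self, key, **attributes):
        """Step 3: connect descriptive data to a key."""
        self._find(key)
        self._attributes.setdefault(key, {}).update(attributes)

    def profile(self, key):
        """Step 4 input: every key and attribute reachable from `key`."""
        root = self._find(key)
        keys = sorted(k for k in list(self._parent) if self._find(k) == root)
        merged = {}
        for k in keys:
            merged.update(self._attributes.get(k, {}))
        return {"keys": keys, "attributes": merged}


def build_demo_graph() -> IdentityGraph:
    """Three constructed sources, none of which holds the full picture."""
    g = IdentityGraph()

    # Source A, retailer CRM: loyalty card registered with an email address.
    g.link(("loyalty_card", "LC-1001"),
           ("email_sha256", hashed_email("Alex.Doe@example.com")))
    g.describe(("loyalty_card", "LC-1001"), segment="high_income")

    # Source B, website: a newsletter sign-up ties a cookie to the same email.
    g.link(("cookie", "ck-7f3a"),
           ("email_sha256", hashed_email(" alex.doe@EXAMPLE.com ")))
    g.describe(("cookie", "ck-7f3a"), interest="running")

    # Source C, mobile SDK: the cookie is observed together with a device ID.
    g.link(("device_id", "ad-42"), ("cookie", "ck-7f3a"))
    g.describe(("device_id", "ad-42"), visited="store_17")

    # Unrelated person: no shared key, so these records stay separate.
    g.link(("cookie", "ck-0000"),
           ("email_sha256", hashed_email("sam@example.org")))
    g.describe(("cookie", "ck-0000"), interest="gardening")
    return g


if __name__ == "__main__":
    result = build_demo_graph().profile(("device_id", "ad-42"))
    print(len(result["keys"]), "linked keys:", result["attributes"])
```

Querying any one key returns the combined profile, even though each source contributed only one attribute. If sources A and B had each derived their email key with `keyed_email` and their own secret, the two records would share no key and would stay separate.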

Accordingly, the consumer data broker Acxiom has rebranded itself as an “identity resolution” company.[368] Their website states that their identity resolution services would help clients “connect data to consumers in a privacy-compliant way”, so they can “create a single view of the customer”. Clients could “match data at scale across a broad set of identifiers including email addresses, postal addresses, phone numbers, and digital IDs”, in order to “recognize consumers accurately across offline and digital channels”.[369]

The data broker Experian explains in a brochure that a “consumer” in the context of customer databases would be “any uniquely identifiable individual who has at all interacted with a brand”. The “persistent consumer ID for each channel or device” would “broadly speaking” be “the equivalent of a postal address for that channel”.[370] Experian’s “Truvue” system provides “persistent ID linkage” between individuals, addresses, and households to “accurately identify individual customers”, based on Experian’s “vast name and address history” which is continuously updated with “reliable and verifiable data” from “thousands of contributors”.[371] Similarly, Experian’s “ConsumerView” “persistent linkage platform” helps companies “recognise customers across channels” and “link fragmented and incomplete data including email, social and personally identifiable information (PII), across channels and devices” based on data on “8 billion name and address combinations”.[372]

5.6 Managing consumers with CRM, CIAM and MDM

Businesses in all industries use different kinds of software and services from third party vendors to collect, manage, utilize, and share customer data on the enterprise level. Customer relationship management (CRM) software accounts for a key piece in this puzzle. The research firm Gartner considers CRM as enabling a “business strategy that optimizes revenue and profitability while promoting customer satisfaction and loyalty”.[373] CRM technologies “enable strategy, and identify and manage customer relationships, in person or virtually” by providing functionalities for sales, marketing, customer service, and digital commerce. The CRM software market is dominated by Salesforce, followed by SAP, Oracle, Microsoft, and Adobe.[374] CRM tools and services are also provided by other large IT corporations like IBM and SAS, data brokers and analytics companies like Acxiom, Experian, Epsilon, and FICO, as well as by large business consulting companies like Accenture, Capgemini, Deloitte, and McKinsey.[375]

[368] In the HTML title tag of their website they use the phrase “Identity Resolution – Acxiom”: https://www.acxiom.com [30.04.2017]
[369] https://www.acxiom.com/what-we-do/identity-resolution/ [30.04.2017]
[370] http://www.experian.co.uk/assets/marketing-services/white-papers/wp-cross-device-identification.pdf [30.04.2017]
[371] persistent keting - services/customer - data - management - http://www.experian.com/mar - - id.html [30.04.2017] integration
[372] http://www.experian.com.au/marketing-services/consumerview.html [30.04.2017]
[373] Gartner (2016): The Gartner CRM Vendor Guide. Gartner, 9 May 2016
[374] https://www.forbes.com/sites/louiscolumbus/2016/05/28/2015-gartner-crm-market-share-analysis-shows-salesforce-in-the-lead-growing-faster-than-market
[375] Gartner (2016)

Customer value analytics, personalization and price optimization. Gartner’s CRM vendor guide lists hundreds of companies in different segments such as digital commerce, loyalty management, lead management, customer segmentation, email marketing, contact center routing, customer engagement, customer journey analytics, and customer experience management, among many others. For example, solutions for “customer value analytics” provide predictions and scores about the current and future profitability of customers. So-called “personalization engines” are used to create “relevant, individualized interaction” based on customer data or data from “similar individuals”. Software for “real-time decisioning” combines data with business strategy to “identify the optimal customer treatment that applies broadly across the enterprise”; this is mostly deployed in contact centers, retail stores, bank branches, and on websites. It also includes applications for “prioritizing customer support opportunities, fraud detection and service personnel alignment”. Tools for “price management and optimization” provide data-driven analytics, ranging from “pricing guidance” to “digitally enabled and algorithm-based pricing”.[376]

Consumer identity and access management (CIAM). In recent years, another genre of software related to consumer data has arisen from a completely different field – namely, that of security and authentication within enterprises. Some of the traditional software solutions for “identity and access management” (IAM), which are designed to “provision, authenticate, authorize, and store information about employee users”, have evolved into platforms for “Consumer Identity and Access Management” (CIAM). Instead of user account management and authentication for a company’s employees and business partners, these platforms provide the same features for customer and prospect data management in the consumer sphere. In addition, CIAM platforms support collecting and analyzing information about consumers from many sources, in both the realms of fraud prevention and marketing.[377] According to a report from a consulting firm, they are “merging and absorbing functionality from CRM and marketing automation” but also provide features with regards to “Know Your Customer” (KYC), an especially important service for banks and other actors in the financial sector. CIAM software vendors include ForgeRock, Salesforce, Microsoft, IBM, PingIdentity, Okta, Janrain, LoginRadius, iWelcome, SecureAuth, and SAP.[378]

Master data management (MDM). Generally, software for master data management, which supports the “global identification, linking and synchronization of master data domains across heterogeneous data sources” within large corporations, including customer data, is provided by companies such as IBM, Informatica, Oracle, SAP, and SAS.[379]

[376] Ibid.
[377] Tolbert, John (2016): CIAM Platforms. Leaders in innovation, product features, and market reach for Consumer Identity and Access Management Platforms. Your compass for finding the right path in the market. KuppingerCole Report, November 2016.
[378] Ibid.
[379] Ibid.

6. Examples of Consumer Data Broker Ecosystems

This chapter summarizes how the data brokers Acxiom and Oracle collect data on consumers, who they partner with, and how their clients use their data services. These two large companies were selected as illustrative examples of wider practices based on previous research.[380] The findings are based on publicly available information from e.g. corporate websites, marketing materials, brochures, data catalogs, case studies, developer guides, and API docs, as well as from reports, news, and trade magazine articles.

6.1 Acxiom, its services, data providers, and partners

Founded in 1969,[381] Acxiom is one of the most cited examples of a large US data broker that collects, analyzes and trades vast amounts of consumer information.[382] The company mainly provides data and marketing services, but also risk mitigation, identity verification, and fraud detection solutions.[383] Acxiom helps its clients analyze, enhance, sort, and utilize consumer data, as well as link and combine their client’s customer data to data from other sources.[384] The company’s clients include large organizations in the fields of financial services, insurance, telecommunications, retail, healthcare, and government.[385] It manages 15,000 customer databases and 2.5 billion customer relationships for 7,000 clients, including for 47 of the Fortune 100 companies.[386] With regards to consumer data, Acxiom claims to provide access to up to 5,000 data elements on 700 million people worldwide from “thousands of sources”[387] in many countries, including data about consumers in the US,[388] the UK,[389] and Germany.[390]

Acxiom attaches every person in its database to a globally unique identifier.[391] These personal ID numbers within the company’s “Abilitec Link” system refer to persons with certain names, postal addresses, phone numbers, email addresses, and other identifiers,[392] and are based on name change data and residential histories that go back decades.[393] Acxiom has long been collecting data from public records as well as from other companies, including magazine subscriber lists, consumer surveys and questionnaires, product and warranty registrations, and purchases.[394] When asked about a specific person, Acxiom provides, for example, one of 13 religious affiliations including “Catholic”, “Jewish” and “Muslim” and one of nearly 200 “ethnic codes”.[395] Overall, the company provides hundreds of data attributes and scores about consumers; these include information about education, occupation, children, political views, interests, activities, purchases, media usage, properties and vehicles owned, banking and insurance policies, income, loans, health interests, and economic stability as well as scores, such as the “likelihood” that someone in a person’s household “will change careers or jobs”.[396]

Figure 2: Acxiom and some of its data providers, partners and services.

[380] Christl and Spiekermann (2016), p. 94-100
[381] Retrieved from: Grant, Tina (2001): International Directory of Company Histories, Vol. 35, St. James Press, 2001. http://www.fundinguniverse.com/company-histories/acxiom-corporation-history/
[382] http://www.nytimes.com/2012/06/17/technology/acxiom-the-quiet-giant-of-consumer-database-marketing.html
[383] https://www.acxiom.com/what-we-do/identity-verification-authentication/ [14.05.2017]
[384] Christl and Spiekermann (2016), p. 94-97
[385] Acxiom (2015): Annual Report 2014. Available at: http://files.shareholder.com/downloads/ACXM/0x0x763250/A1DBFBD8-E136-4701-B0F2-3DC695E5ED08/acxiom2014_Annual_Report_FINAL_RRD_PDF_.pdf [08.04.2017]
[386] Ibid.
[387] Acxiom (2017): Annual Report 2016. Available at: https://s21.q4cdn.com/580938034/files/doc_financials/annual_reports/ACXM_Annual_Report_FINAL_RRD_Printers_Proof_6-17-16_.pdf
[388] http://ec.europa.eu/justice/news/consulting_public/0003/contributions/organisations/acxiom_en.pdf
[389] http://dq2qu0j6xxb34.cloudfront.net/wp-content/uploads/2014/01/Facebook-Case-Study-Final-no-bleed.pdf [22.01.2016]
[390] Video from the panel discussion “Die Strategien der großen Daten-Anbieter” at the d3con 2014 conference. In German: “Heute haben wir in Deutschland Offline-Profildaten verfügbar für nahezu jeden Haushalt” (“Today we have offline profile data available in Germany for nearly every household”): https://www.youtube.com/watch?v=W41HcRo-3P8 [22.01.2016]
[391] https://developer.myacxiom.com/code/api/data-bundles/bundle/abilitec [11.05.2017]
[392] Ibid.
[393] https://lp.liveramp.com/rs/982-LRE-196/images/Identity%20Graph%20One%20Pager.pdf [14.05.2017]
[394] See https://www.acxiom.com/wp-content/uploads/2013/09/Acxiom-Marketing-Products.pdf, and Acxiom (2012): Response letter to U.S. congress inquiry, August 15, 2012. Available at: http://web.archive.org/web/20130425093308/http://markey.house.gov/sites/markey.house.gov/files/documents/Acxiom.pdf
[395] https://developer.myacxiom.com/code/api/data-bundles/bundle/eTechDemographics [20.04.2017]
[396] See note 494

Connecting to the digital data ecosystem. Since the acquisition of the online data company LiveRamp in 2014,[397] Acxiom has made major efforts to connect its decade-spanning database to today’s pervasive digital tracking and profiling universe. With technologies such as LiveRamp’s “Identity Graph” and “IdentityLink”, the company is now able to “connect offline data and online data back to a single identifier”.[398] In other words, clients can “resolve all” of their “offline and online identifiers back to the individual consumer”.[399] To achieve this, the company matches the consumer profiles in its “Abilitec Link” system, which contains names[400], postal addresses, email addresses, phone numbers[401], geo locations[402], and IP addresses[403], to online and mobile identifiers, such as cookie and device IDs.[404] As a result, LiveRamp is now able to link digital profiles across hundreds of data and advertising companies.[405]

Clients can upload their own consumer data to LiveRamp, combine it with data from more than 100 third-party data providers such as Equifax, Experian, TransUnion and Epsilon[406], and then utilize it on more than 500 marketing technology platforms.[407] They can use this data to find and target people with specific characteristics[408], to recognize and track consumers across devices and platforms[409], to profile and categorize them[410], to personalize content for them, and to measure how they behave.[411] For example, clients could “recognize a website visitor” and “provide a customized offer”[412] based on extensive profile data, without requiring said user to log in to the website.[413] Furthermore, LiveRamp’s “IdentityLink” technology enables other companies to “buy and sell valuable customer data” in its “Data Store”.[414]

Data providers and partners. Examples of companies which Acxiom’s LiveRamp has recently promoted as data providers include Ibotta, Freckle IOT, Samba TV, and Crossix:[415]

[397] https://www.acxiom.com/news/acxiom-completes-liveramp-acquisition/ [14.05.2017]
[398] https://liveramp.com/discover-identitylink/identitylink-features/build-an-omnichannel-view/ [14.05.2017]
[399] https://lp.liveramp.com/rs/982-LRE-196/images/Identity%20Graph%20One%20Pager.pdf [14.05.2017]
[400] LiveRamp (2016): IdentityLink Data Store. Providing access to Identity-based data and buyers across the marketing ecosystem. PDF brochure, p. 2. Personal copy of file with author Wolfie Christl
[401] https://liveramp.com/discover-identitylink/identitylink-features/identity-graph/ [14.05.2017]
[402] https://developer.myacxiom.com/code/api/endpoints/match [14.05.2017]
[403] LiveRamp (2016): IdentityLink Data Store, p. 2
[404] https://liveramp.com/discover-identitylink/identitylink-features/identity-graph/ [14.05.2017]
[405] https://liveramp.com/discover-identitylink/identitylink-features/ [14.05.2017]
[406] Several companies are listed as “data providers” on https://liveramp.com/partners, including Equifax, Experian, TransUnion, Corelogic, Epsilon, IBM and Microsoft [09.05.2017]
[407] https://liveramp.com/discover-identitylink/identitylink-features/ [14.05.2017]
[408] https://liveramp.com/discover-identitylink/ [14.05.2017]
[409] https://liveramp.com/discover-identitylink/identitylink-features/ [14.05.2017]
[410] https://liveramp.com/discover-identitylink/identitylink-features/build-an-omnichannel-view/ [14.05.2017]
[411] https://liveramp.com/discover-identitylink/ [14.05.2017]
[412] Ibid.
[413] https://liveramp.com/discover-identitylink/identity-resolution/people-based-marketing/personalization/ [14.05.2017]
[414] https://liveramp.com/discover-identitylink/identitylink-features/ [14.05.2017]
[415] Some of the “unique data sets available” on LiveRamp include Ibotta, Samba TV and Freckle IOT data (https://www.acxiom.com/news/liveramp-launches-identitylink-for-data-owners/). Ibotta and Samba TV are promoted as “new data spotlights” for “data buyers” in LiveRamp’s “IdentityLink Data Store” brochure from 2016. Crossix is listed as “data provider” in LiveRamp’s partner directory (http://liveramp.com/partners) [16.04.2017]

57  provides “ i Ibotta - level purchase data from millions of mobile users” , according to a tem 416 ; said data is recorded by the company’s smartphone app. Ibo t- LiveRamp press release 417 12 million monthly active users ta’s can earn rewards by either taking photos of r e- 418 ceipts after shopping or by directly linking store loyalty cards with their app. , Accor d- ing to a LiveRamp brochure, Ibotta receives purchase data from 1.3 million users who additionally receipts per new scans 1.25 million and have linked their loyalty cards 419 week collecting purchase information from more than 175,000 , overall stores, inclu d- 420 ing retailers, restaurants, bars, mo vie theatres, and pharmacies. 421 422 ,  Freckle IOT collects real - time location data from m including mobile identifiers , o- bile app partners and a network of beacon sensors placed in stores, restaurants, bars, 423 malls, airports, movie theatres, college campuses , and even in street furniture. The company partners, for example, with Blue Bit e, a firm which operates 60,000 beacons and other technologies to track across North America, and uses NFC, Bluetooth, WiFi , 425 424 Freckle’s services are level. the location of mobile phone users on a “hyper - loca l” e- embedded into mobile apps of partner companies, altogether installed on 50 million d 426 vices. They are, for example, integrated in more than 2,000 apps of Airkast ’s , a large mobile publisher in the US that provides apps f or broadcasters and media companies 427 and Fox News Radio. including Cumulus Media, ESPN, CBS News Radio Freckle pr o- , 429 428 to LiveRamp vides profile data “built from mobile and beacon data” , as well as data via “ about people who have visit specific locations , ed one to one matching of real - time 430 user data”. 
second” TV viewing behaviors from more than 10 million  Samba TV records “second - by - - - demand platforms, including data from 9 - on top boxes, and video “opted - in” TVs, set 431 major TV manufacturers. The company provid es content recommendation software, 416 owners [16.04.2017] - https://www.acxiom.com/news/liveramp - launches - identitylink - for - data 417 sign 9 2016 - http://www.businessinsider.com/groupon - and - jetcom - - partnership - with - mobile - shopping - app - ibotta - 418 [16.04.2017] https://ibotta.com/how 419 LiveRamp (2016): IdentityLink Data Sto re. 420 [16.04.2017] store - https://ibotta.com/where/in 421 - comfreckles - industry - first - attribution - tag - supported - by - five - global - dsps/ http://freckleiot.com/httpfreckleiot [16.04.2017] 422 http://freckleiot.com/privacy - [16.04.2017] policy/ 423 http://www.prnewswire.com/news - releases/freckle - iot - and - blue - bite - partner - to - create - north - americas - largest - proximity - 300063315.html [16.04.2017] network - 424 Ibid. 425 See also: http://adage.com/article/datadriven - marketing/mobile - data - marketplace - creates - direct - path - app - dollars/305947/ 426 - the party - marketing - http://freckleiot.com/freckle - iot - partners - with - liveramp - to - bring - in - store - 1st - to - data - segments - ecosystem [16.04.2017] 427 http://freckleiot.com/freckle - partners - with - airkast - to - further - cement - freckle - iot - as - largest - beacon - attribution - world company in - the - - [16.04.2017] 428 for https://www.acxiom.com/news/liveramp - launches - - identitylink - data - owners [16.04.2017] 429 - http://www.prnewswire.com/news - releases/freckle - iot - partners - with - liveramp - to - bring - in - store 1st - party - data - - segments to - the - marketing - ecosystem - 300418304.html [16.04.2017] 430 [16.04.2017] - iot/ https://liveramp.com/partner/freckle 431 re. 
LiveRamp (2016): IdentityLink Data Sto 57 CORPORATE SURVEILLANCE IN EVERYDAY LIFE | A REPORT BY CRACKED LABS , 2017

58 which is behind many apps on Roku and also used on smart TV platforms from Sa m- 432 sung, LG, and Sony. r- According to the company’s privacy policy, the recorded info tched, as well as “actions mation includes titles and amounts of time the content is wa 433 taken while viewing the content” and other data. LiveRamp lists Samba TV as one of 434 435 and as a “new data spotlight” for “data buyers”. “the unique data sets available” 436 and is ital match” Samba TV’s own data management platform allows “1:1 TV to dig 437 powered by LiveRamp’s IdentityLink platform. 438 Crossix , claims to have  , a company which is listed as a “data provider” by LiveRamp health data on more than 250 million US consumers, including doctor visits, treatment history, medical cl aims, prescriptions, and patient health information such as blood 439 Recently, Crossix announced the ability to pressure, cholesterol level, and diagnoses. 440 According access additional data from hospitals, labs, insurers, and medical devices. ase, Acxiom and Crossix are “connecting consumer data to predictive to a press rele health data” for marketing purposes and to provide people with “relevant messaging, 441 The mobile advertising company support, and behavioral modification content”. 4Info, for example, uses Crossix’ data to target mobile ads at consumers who show a 442 “propensity” to have a certain disease, such as diabetes. For this purpose, Acxiom “matches its household - level data with 4Info's household - level data associated with mobile device IDs, and in turn connects it with a unique Crossix ID”, according to Adve r- 443 tising Age. To find out a mobile users’ home address, 4Info reportedly “tracks loc a- fter a device has been spotted tions of mobile devices when people open certain apps. A several times during certain hours in a particular residential location, it is determined to be a home address”. 
In addition, the company “verifies home location data through mapping apps that give directions to or from a hom e address provided directly by the 444 user”. All involved parties emphasize many times that only “de identified” data is - used. Partnerships with the large online platforms. Acxiom also partners with platforms such as 445 446 447 Google Facebook, and Twitter l ways. For example, the company helps them in severa 432 http://rethinkresearch.biz/articles/samba - tv - takes - connected - tvs - by - storm/ [16.04.2017] 433 https://samba.tv/privacy - policy/ [16.04.2017] 434 - data for - identitylink - [16.04.2017] owners https://www.acxiom.com/news/liveramp - launches - 435 re. LiveRamp (2016): IdentityLink Data Sto 436 https://samba.tv/advertising/tv - dmp/ [16.04.2017] 437 bring https://samba.tv/samba - tv - launches - tv - dmp - digital - speed - accuracy - - television/ [1 6.04.2017] 438 https://liveramp.com/partner/crossix/ [16.04.2017] 439 http://www.crossix.com/platform.aspx [16.04.2017] 440 - http://www.businesswire.com/news/home/20161117005239/en/Crossix - Completes - Largest - Ever - Expansion - Connected Data - Health 441 and http://www.crossix.com/Press - Releases/Crossix - Solutions - - Acxiom - Partnership.aspx 442 - http://adage.com/article/dataworks/data - partners - tie - mobile - ads drug - refills - doc - visits/302937/ 443 Ibid. 444 Ibid . 445 partner - program/ marketing - https://www.acxiom.com/news/acxiom - becomes - audience - data - provider - facebook - .05.2017] 14 [ 58 CORPORATE SURVEILLANCE IN EVERYDAY LIFE | A REPORT BY CRACKED LABS , 2017

59
track and categorize their users even better, based on data collected from beyond these platforms.[448]

6.2 Oracle as a consumer data platform

Oracle, one of the world’s largest business software and database vendors,[449] has recently become one of the largest consumer data brokers as well. In recent years, the company acquired several data companies, including Datalogix, AddThis, Crosswise, and BlueKai, a data management platform and data marketplace.[450] While Datalogix aggregates data on billions of purchase transactions across 50 grocery chains[451] and 1,500 large retailers,[452] the social bookmarking service AddThis tracks 900 million users across 15 million websites as well as 1 billion mobile users.[453] Crosswise collects activity data across billions of devices and identifies which PCs, phones, tablets, and TVs are being used by an individual consumer.[454] In addition, Oracle aggregates and analyzes “700 million social messages daily”[455] from social media networks, message boards, blogs, consumer review sites, and video platforms.[456] Overall, Oracle’s data marketplace provides “more than 30,000 data attributes on two billion consumer profiles”.[457]

Oracle sorts consumers into thousands of categories. These include characteristics such as age, gender, family composition, parenthood, education, occupation, political views, media usage, income, loans, net worth and purchases, but also data about online searches. For example, Oracle tracks who has searched for issues such as abortion, legalizing drugs, gay marriage, military bases, protests, heart failure, or medical facilities.[458] Together with its data partners the company provides over 50,000 different categories that may be assigned to consumers.[459]

Within its data cloud, Oracle claims to record “what consumers do”, “what consumers say”, and “what consumers buy” in order to allow companies to find and target people across devices and platforms, personalize interactions, and measure consumer behavior.[460] Oracle’s clients

446 https://www.acxiom.com/news/liveramp-extends-data-connectivity-partnership-with-google/ [14.05.2017]
447 https://www.acxiom.com/news/acxiom-expands-its-global-data-partnership-with-twitter/ [14.05.2017]
448 See the press releases above.
449 http://www.computerworld.com/article/2489278/itmanagement/oracle-overtakes-ibm-as-second-largest-software-vendor--gartner-says.html
450 http://www.oracle.com/us/assets/general-presentation-2150582.pdf [12.05.2017]
451 http://www.oracle.com/us/corporate/acquisitions/datalogix/general-presentation-2395307.pdf [12.05.2017]
452 http://www.oracle.com/us/products/applications/audience-guide-3034880.pdf [12.05.2017]
453 http://www.oracle.com/us/products/applications/audience-guide-3034880.pdf [12.05.2017]
454 https://www.oracle.com/corporate/acquisitions/crosswise/index.html [12.05.2017]
455 http://www.oracle.com/us/solutions/cloud/daas-for-business-2245611.pdf [12.05.2017]
456 http://www.oracle.com/us/products/social-relationship-mgmt-brief-1915605.pdf [12.05.2017]
457 https://www.oracle.com/corporate/pressrelease/eyeota-011917.html [12.05.2017]
458 Supra note 495
459 Oracle (2017): Taxonomy Changes Report, 31.01.2017. For a list of all data categories offered by Oracle, see the Inventory worksheet in its “taxonomy changes report”: https://docs.oracle.com/cloud/latest/marketingcs_gs/OMCDA/Resources/xls/TaxonomyChangesReport2017-01-31.xlsx via https://docs.oracle.com/cloud/latest/marketingcs_gs/OMCDA/Help/AudienceDataMarketplace/Taxonomy_Updates/taxonomy_updates_january_2017.html [12.05.2017]
460 http://www.oracle.com/us/corporate/acquisitions/datalogix/general-presentation-2395307.pdf [12.05.2017]

60
can import their own data about customers, website visitors, and app users into Oracle’s data cloud,[461] combine it with data from Oracle and its partners,[462] and then transfer and utilize it on hundreds of other marketing and advertising services.[463] Furthermore, companies can also sell their data about consumers on Oracle’s data marketplace.[464]

Figure 3: Oracle and some of its data providers, partners and services.

To identify, link, and match user profiles across different companies, platforms, devices, and contexts in real-time, Oracle uses its “Identity Graph” or “ID Graph”. This technology promises to “unify addressable identities across all devices, screens and channels” and to “identify customers and prospects everywhere”. It “unites all interactions across various channels to create one addressable consumer profile” by linking several types of identifiers referring to individuals, including postal addresses, email addresses, user accounts for online services, mobile IDs, set-top IDs, and cookie IDs.[465] When data providers or clients want to connect their online, offline,

461 https://docs.oracle.com/en/cloud/saas/data-cloud/dsmkt/using-oracle-data-cloud.pdf p. 1-4 [12.05.2017]
462 http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCDA/OMCDA.pdf p. 523 [12.05.2017]
463 https://www.oracle.com/marketingcloud/products/data-management-platform/ecosystem.html [12.05.2017]
464 https://docs.oracle.com/en/cloud/saas/data-cloud/dsmkt/using-oracle-data-cloud.pdf p. 3-107 [12.05.2017]
465 http://www.oracle.com/us/corporate/acquisitions/datalogix/general-presentation-2395307.pdf [12.05.2017]

61
or mobile data to Oracle’s data cloud, they can send “match keys” that “identify” their “users in both the online and offline spaces”.[466] Oracle will then “synchronize” these match keys “to its network of user and statistical IDs that are linked together in the Oracle ID Graph”, which is “used to manage IDs and user attributes”.[467] To create these match keys, Oracle’s data providers and clients have to convert email addresses, phone numbers, postal addresses, IP addresses[468] and mobile device IDs[469] into pseudonymous codes.[470] These codes are still unique references to certain email addresses, phone numbers, and other identifiers; they are pseudonyms. When a company sends these pseudonyms to Oracle, they “are mapped to the network of BlueKai anonymous user profiles, anonymous user IDs, and statistical IDs in the Oracle ID graph”.[471] Although these ostensibly “anonymous” user IDs still refer to certain individuals and can be used to recognize and single out individuals,[472] Oracle no longer considers the processed data as “personally identifiable information”.[473]

Oracle also partners with large online platforms. For example, it provides data to Facebook in order to help the platform better sort and categorize its users with data collected from beyond Facebook,[474] as well as to track its users’ purchases in stores.[475] In addition, Oracle provides data about its clients’ customers to Facebook in order to find and target these customers on Facebook.[476]

Conversely, many companies provide consumer data to Oracle. Nearly 100 companies are listed as third-party data providers in Oracle’s “data directory”.[477] Examples of companies that provide different types of consumer data to Oracle’s data cloud include:

• Besides other consumer data brokers such as Acxiom, which provides behavioral, demographic, financial, political, retail and other data,[478] all three large credit reporting

466 https://docs.oracle.com/en/cloud/saas/data-cloud/dsmkt/using-oracle-data-cloud.pdf p. 4-7 [15.05.2017]
467 Ibid., p. 4-8
468 Ibid., p. 4-7
469 Ibid., p. 4-20
470 Ibid., p. 4-7; For example, clients can send “Oracle Hashed IDs (oHashes)”, which are “MD5 and SHA-256 hashed email addresses or phone numbers that have been automatically generated from raw, personally identifiable information”, “Encrypted hashed UUIDs”, which are “Encrypted hashed email addresses, phone numbers, physical addresses, and client account numbers”, or “IP Addresses” (“The user's IP address, which is collected from the IP header and encrypted”)
471 Ibid., p. 4-48
472 Ibid., p. 4-27; “the Oracle ID graph seamlessly pulls together the many IDs across marketing channels and devices that comprise a given person, enabling marketers to tie their interactions to an actionable customer profile. The Oracle ID graph helps marketers connect identities across disparate marketing channels and devices to one customer”
473 E.g. “No personally identifiable information (PII) may be sent to BlueKai or stored in the BlueKai platform. All IDs derived from PII must be hashed in the browser or on your servers before being sent to BlueKai” (https://docs.oracle.com/en/cloud/saas/data-cloud/dsmkt/using-oracle-data-cloud.pdf)
474 https://www.propublica.org/article/facebook-doesnt-tell-users-everything-it-really-knows-about-them
475 https://facebookmarketingpartners.com/marketing-partners/datalogix/ [16.04.2017]
476 Ibid.
477 Oracle Data Cloud (2017): Data Directory. Available at: http://www.oracle.com/us/solutions/cloud/data-directory-2810741.pdf [13.05.2017]
478 Ibid.

62
agencies[479] are listed in Oracle’s data directory. Experian, which has marketing data on 700 million people in America, Europe and Asia,[480] provides data on finances, purchases, mortgages, property, psychographics, and more. Similarly, Transunion, which has data on 1 billion people in America, Africa and Asia from 90,000 sources,[481] provides financial and other data.[482] IXI, a subsidiary of the credit reporting agency Equifax, provides credit, financial, mortgage, retail and other data.[483] KBM Group’s subsidiary i-Behavior, which belongs to the advertising and marketing giants Wunderman and WPP, collects purchase data on 339 million people from 5,820 data contributors[484] in the US, Canada, UK, France and Brazil and provides financial, political, retail, and other data.[485]

• In addition to traditional consumer data brokers, many of the data companies that have emerged in recent years also appear as data providers in Oracle’s data directory.[486] VisualDNA, for example, has psychographic profiles on 500 million users in the US, UK, Germany, Russia, and other regions, in parts collected through online quizzes.[487] Lotame, one of the largest independent data management platforms, collects extensive profile data about website visitors and mobile app users which is linked to 3 billion cookies and 1 billion device IDs.[488] PlaceIQ, which collects location data, movement patterns, and activity profiles from 100 million mobile devices,[489] provides “real-world visitation” data to Oracle. Proxama’s “transport-based mobile proximity services” provide location data collected using Bluetooth beacons placed across buses, trains, stores, malls, stadiums, and cinemas.[490]

Both Visa and MasterCard are listed as data providers, too. Visa, which provides “audience data” based on 16 billion credit-card payments in the US, combines its transactional data with demographic, purchase and other data from Oracle. The company emphasizes that it “aggregates and de-identifies all transactional data output”.[491] MasterCard, in contrast, seems to go one step further, explaining that its data gets “associated with cookie populations” through a

479 Experian, Equifax and TransUnion. See e.g. http://www.myfico.com/credit-education/questions/why-are-my-credit-scores-different-for-3-credit-bureaus/
480 Experian Brochure “Discover Experian 2016” https://www.experianplc.com/media/2744/discover-experian-fy17.pdf [13.05.2017]
481 TransUnion Annual Report 2015 http://s21.q4cdn.com/588148537/files/doc_financials/2015/YE/TRU-2015-Annual-Report-FINAL.PDF
482 Oracle Data Cloud (2017): Data Directory
483 Ibid.
484 https://www.i-behavior.com/about-us/our-history/ [13.05.2017]
485 Oracle Data Cloud (2017): Data Directory
486 Ibid.
487 https://d3i35f0m1a0vwn.cloudfront.net/wp-content/uploads/2016/02/VisualDNA-Data-Jan-161.pdf [16.04.2017]
488 https://www.lotame.com/resource/cross-device/ [16.04.2017]
489 Oracle Data Cloud (2017): Data Directory
490 Ibid.
491 Ibid.

63
“double blind matching process”,[492] which suggests that purchases might get directly linked with an individual’s online activities. Overall, MasterCard’s professional services division offers “actionable intelligence based on 95 billion anonymized, real transactions from 2 billion cardholders in 210 countries worldwide” in order to “forecast consumer behavior” and help companies “make better decisions with real-time intelligence”.[493]

6.3 Examples of data collected by Acxiom and Oracle

Figure 4 shows examples of data on consumers provided by Acxiom[494] and Oracle.[495]

492 Ibid.
493 http://www.mastercardadvisors.com/information-services.html [16.04.2017]
494 Acxiom provides thousands of attributes and scores about consumers, including: name, postal address, zip, city (https://developer.myacxiom.com/code/api/data-bundles/bundle/postalContact), email (https://developer.myacxiom.com/code/api/data-bundles/bundle/emailContact), phone number (https://developer.myacxiom.com/code/api/data-bundles/bundle/phoneContact), age, gender, education level, employment status, occupation, political party, marital status, number of children (https://developer.myacxiom.com/code/api/data-bundles/bundle/basicDemographics), ethnicity, assimilation index, religion (https://developer.myacxiom.com/code/api/data-bundles/bundle/eTechDemographics), activities, interests, media usage, purchases (see also menu on the left side: https://developer.myacxiom.com/code/api/data-bundles/level1bundle/spending), loans (https://developer.myacxiom.com/code/api/data-bundles/bundle/mortgagesAndLoans), income, net worth, economic stability (https://developer.myacxiom.com/code/api/data-bundles/bundle/investmentsAndAssets), socioeconomic status (https://developer.myacxiom.com/code/api/data-bundles/bundle/areaDemographicsGS), details about banking & insurance policies (https://developer.myacxiom.com/code/api/data-bundles/level1bundle/financial), details about vehicles owned (https://developer.myacxiom.com/code/api/data-bundles/level1bundle/vehicles), details about properties owned (https://developer.myacxiom.com/code/api/data-bundles/level1bundle/property), alcohol interests (https://developer.myacxiom.com/code/api/data-bundles/bundle/alcohol), tobacco interests (https://developer.myacxiom.com/code/api/data-bundles/bundle/tobacco), casino gaming & lottery interests (https://developer.myacxiom.com/code/api/data-bundles/bundle/gambling), health interests like arthritis/mobility, cardiac health, diabetic, disabled (https://developer.myacxiom.com/code/api/data-bundles/bundle/healthAndMedical), details about someone’s home, including the “number of bedrooms”; the type of the home e.g. “multi-family residential”, “mobile home” or “prison” (https://developer.myacxiom.com/code/api/data-bundles/bundle/propertyDescription), information about whether someone “has been reported as deceased” (https://developer.myacxiom.com/code/api/data-bundles/bundle/basicDemographics), the “actual number of purchases made with a Visa credit card in the last 24 months”, the “max range of new credit granted for an individual” (https://developer.myacxiom.com/code/api/data-bundles/bundle/creditAndBankCards), the “likelihood someone has no formal banking relationships” (https://developer.myacxiom.com/code/api/data-bundles/bundle/bankingAndServices), the “likelihood to have no major medical insurance” (https://developer.myacxiom.com/code/api/data-bundles/bundle/healthAndMedical), information about the “presence of an expectant parent in the household”, a “divorce in the household in the last 12 months” or a “recent college graduate in the household”; the “likelihood that someone in the household” is “planning to have a baby”, is “planning to adopt a child”, “will become a grandparent” or “will change careers or jobs” (https://developer.myacxiom.com/code/api/data-bundles/bundle/basicDemographics), the “likelihood of individual” to “be a heavy user of Facebook”, to “respond to posts on social media”, to “have influence in the social media universe” or to “be influenced by social media” (https://developer.myacxiom.com/code/api/data-bundles/bundle/socialMedia) [11.05.2017]
495 Oracle sorts consumers into thousands of categories, including about age, gender, number and age of children, education, occupation, number of bedrooms, income, net worth, hobbies, interests, purchases, loans, new parents, new movers, credit card holders by brand and type; people who are interested in gay & lesbian films; people who are interested in political issues like ecology, healthcare, immigration, taxes, homeland security, jobs, welfare; people who are interested in air force, army, marines, navy, military bases; people who purchased Bayer pain relief products; people who searched for flights, hotels, car rentals; people who searched for schools or financial aid (http://www.oracle.com/us/products/applications/audience-guide-3034880.pdf), expecting parents; social influencers; people who searched for allergy relievers, stomach issues, hearing assistance, sleep issues, medical facilities; people who searched for cardiology and heart failure; people who searched for military base names; people who searched for abortion, legalizing drugs and gay marriage; people who searched for protests, strikes, boycotts and riots (https://docs.oracle.com/cloud/latest/marketingcs_gs/OMCDA/Resources/xls/TaxonomyChangesReport2017-01-31.xlsx) [12.05.2017]

64
Figure 4: Examples of data on consumers provided by Acxiom and Oracle.

65
7. Key Developments in Recent Years

7.1 Networks of digital tracking and profiling

In recent years, pre-existing practices of commercial consumer data collection have rapidly evolved into pervasive networks of digital tracking and profiling. Today, a vast and complex landscape of corporate players continuously monitors the lives of billions. A first big step into systematic consumer surveillance occurred in the 1990s through database marketing, loyalty programs, and advanced consumer credit reporting. After the rise of the Internet and online advertising in the early 2000s, and the advent of social networks, smartphones and programmatic advertising in the late 2000s, we are now witnessing a new phase defined by the traditional consumer data industry joining forces with the new data industry.

Figure 5: Different levels, realms and sources of consumer data collection

Companies have never only used data collected on a strictly personal level to label, profile, sort, and rank individuals. Information about neighborhoods, buildings and registered vehicles has been used to characterize consumers at a household address level for decades. Today, postal addresses continue playing their long-standing role as a key attribute that enables combining and linking data about consumers from different sources. In addition to information about the

66
types of buildings people live in, companies now profile people with information about the types of websites they surf, metadata about the videos they watch, the apps they use, and the geographic locations they visit. The scale and depth of behavioral data streams generated by all manner of everyday life activities, such as web browsing, social media use, and device usage by smartphones, tablets, PCs, and many other “smart” devices has changed rapidly.

The online advertising industry is the pioneering force in developing sophisticated technologies that combine and link digital profiles across different companies such as data brokers and data aggregators; it has created the infrastructure that enables real-time profiling of individuals across different types of technologies, platforms, and customer databases. One single interaction of a consumer, such as a website visit, might trigger a wide range of data flows and a chain of hidden events across many different parties. Profile data distributed across several services get dynamically interlinked and combined in order to make many automated decisions about people, both trivial and consequential, every day. While some actors – such as the large platforms, data brokers, and other companies with hundreds of millions of customers – have a unique position in terms of the scale and depth of their consumer profiles, the data used to make decisions on people is often not held in one place, but assembled from several places in the moment and as needed. While a wide range of data, analytics, and marketing services provide the means to deploy these powerful technologies, businesses in all industries and their consumer databases play an equally important role in making this happen.

Figure 6: Tracking, profiling and affecting people in real-time.

67
While this goes on behind the scenes, consumers are left in the dark, with little understanding of these technological processes, and with even less of a view on the short- and long-term impacts that these mechanisms have on their lives. One reason for this certainly lies in the high levels of complexity and abstraction in play. Perhaps more importantly, though, companies make no effort to improve transparency or understanding; on the contrary, they inform consumers incompletely, inaccurately, or not at all, often employing ambiguous, misleading, and obfuscating language. Whether in user interfaces or in contracts, the disclosures that do exist – such as privacy policies and terms of service – are difficult to understand, obscure, and use hypothetical language. Moreover, companies often systematically trick consumers into data contracts. As soon as privacy advocates, consumer rights organizations, regulators, scholars and journalists express their concerns, and ask for more information, companies decline to answer, arguing that their data practices constitute trade secrets and must therefore be protected and kept proprietary.[496]

7.2 Large-scale aggregation and linking of identifiers

One of the major developments in recent years is that companies can now address, identify, and recognize consumers on an individual level across a growing number of disparate situations in their lives. Therefore, they increasingly aggregate data suitable for combining, linking, and cross-referencing profile data from different sources, such as email addresses and phone numbers. After Facebook started allowing other firms to upload their customer data to its platform in 2012, and began partnering with large consumer data brokers in 2013 in order to combine online and offline data, many other companies followed suit. Today, many platforms and firms provide ways to integrate, enhance, and utilize digital profiles across different technologies and contexts.

Basic individual attributes such as name, gender, birthdate, postal address, and ZIP code still play a crucial role. Any combination of two or three of these attributes can be used to uniquely identify individuals with relatively high certainty.[497] For decades, both consumer reporting agencies and direct marketing companies amassed and maintained databases containing these basic identifiers on entire populations, including name variants and previous addresses, in order to help other businesses organize and manage their consumer data.

Today, large numbers of companies are busy aggregating a wide range of digital identifiers pointing to billions of consumers. The most important identifiers used to link profiles across different services, platforms, devices, and life contexts are email addresses, phone numbers, and those that refer to devices such as smartphones. Semi-temporary identifiers such as cookie IDs, which are attached to users surfing the web, get synchronized between different services and interlinked with other identifiers. Also, the user account IDs of the large platforms such as

496 Christl and Spiekermann (2016), p. 121-123
497 Ibid., p. 21-23

68
Google, Facebook, Apple, and Microsoft play an important role. Google, Apple, Microsoft, and Roku also provide so-called “advertising IDs” for users, which are now widely used to match and link digital profiles on an individual level instead of relying on hardware device identifiers.[498][499]

Figure 7: How companies identify consumers and link profile information about them.

Similarly, some large data companies such as Acxiom,[500] Experian,[501] and Oracle[502] have introduced their own proprietary identifiers for people, which are used to link their extensive consumer profile information with data managed by other companies, and then to link it with the advertising data ecosystems around the globe. Often, these companies use two different identifiers, one for data that they see as “personally identifiable information”, such as names, and one for other digital profile data. However, both identifiers are linkable. This should not be underestimated; the ability to link the private “population registers” that

498 Christl and Spiekermann (2016), p. 92
499 https://sdkdocs.roku.com/display/sdkdoc/Roku+Advertising+Framework []
500 See section 6.1
501 See section 5.5
502 See section 6.2

69
companies have maintained for decades with both corporate customer databases and the digital world brings pervasive consumer surveillance to a completely new level.

Cross-device matching. Other companies provide services to link digital profiles across platforms, devices and contexts by running data cooperatives or by applying machine learning technologies to large amounts of data in order to ascertain which devices and user fingerprints belong to the same person. For example, Adobe runs a service through which participating member companies contribute knowledge about login IDs and other user data. Subsequently, the company is able to link groups of devices to persons and households, which allows other companies to “measure, segment, target and advertise directly to individuals across all of their devices”.[503] In contrast, Tapad, which has been acquired by the Norway-based telecom giant Telenor, analyzes “billions of non-PII data points” and uses “behavioral and relationship-based patterns” to statistically discover the probability of certain computers, tablets, phones, and other devices belonging to one person.[504] Companies have even started to use hidden ultrasonic audio signals, which cannot be heard, but are played by the speakers on one device (e.g. a computer, phone or TV) and then recorded and recognized by another device (e.g. a smartphone app) in order to track exactly which TV commercials and programs someone has seen across devices.[505]

7.3 “Anonymous” recognition

When data brokers and online companies write about their services on their websites, in brochures, and in their privacy policies, they often claim to only process “anonymized” or “de-identified” data on individuals. Indeed, they tend to remove names and convert email addresses and phone numbers into unique alphanumeric codes by using, for example, a cryptographic hash function such as MD5.[506] In theory, hashing is a one-way operation and cannot be reversed. However, in most cases it is misleading to consider this data as “de-identified” or even “anonymized” for several reasons. First, these hashed identifiers still persistently refer to unique individuals and therefore cannot be considered as anonymized, but rather should be understood as pseudonyms.[507] Second, most companies use identical and deterministic methods to create – or calculate – these unique codes; they can therefore match and link profiles as soon as one of these pseudonymous identifiers appears within the digital data ecosystem.

503 https://marketing.adobe.com/resources/help/en_US/mcdc/mcdc-overview.html [02.05.2017]
504 https://www.tapad.com/device-graph [02.05.2017]
505 See e.g. Calabrese, C., McInnis, K. L., Hans, G. S., Norcie, G. (2015): Comments for November 2015 Workshop on Cross-Device Tracking. Center For Democracy & Technology. Available at: https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf
506 Christl and Spiekermann (2016), p. 90
507 Pseudonymization involves the replacement of names and other identifying attributes with pseudonyms, for example by combinations of letters and digits. The EU General Data Protection Regulation defines it as the “processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information”. When additional information, for example how names relate to pseudonyms, is known, pseudonymity can be easily reverted. For more details see Christl and Spiekermann (2016), p. 21-23
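The points this section makes about hashed identifiers (they stay persistent references, every party computes them the same way, and the mapping-table point that follows) can be checked in a few lines. This is an added example, not part of the report: the email normalization, the sample records and the keyed-HMAC contrast at the end are assumptions made for illustration and do not reproduce any vendor's actual match-key format.

```python
import hashlib
import hmac


def normalize_email(addr: str) -> str:
    """Trim and lower-case an address (assumed normalization rule)."""
    return addr.strip().lower()


def match_key(addr: str, algo: str = "sha256") -> str:
    """Unkeyed, deterministic hash of an email address.

    Anyone who applies the same algorithm to the same address gets the
    same code, which is what makes it a pseudonym rather than anonymous.
    """
    return hashlib.new(algo, normalize_email(addr).encode("utf-8")).hexdigest()


def keyed_pseudonym(addr: str, secret: bytes) -> str:
    """HMAC-SHA256 of the address under a key only one party holds."""
    data = normalize_email(addr).encode("utf-8")
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


# Constructed sample data for two unrelated companies.
RETAILER_CRM = [
    {"email": "Alice@Example.com ", "purchases": ["pain relief", "baby food"]},
    {"email": "bob@example.org", "purchases": ["garden tools"]},
]
WEBSITE_LOG = [
    {"email": "alice@example.com", "searches": ["breast cancer"]},
    {"email": "carol@example.net", "searches": ["flights"]},
]


def pseudonymize(records, key_fn):
    """Replace the clear-text email with key_fn(email) and drop the address."""
    out = []
    for rec in records:
        rest = {k: v for k, v in rec.items() if k != "email"}
        out.append({"id": key_fn(rec["email"]), **rest})
    return out


def link(dataset_a, dataset_b):
    """Join two pseudonymized datasets on their 'id' field."""
    index = {rec["id"]: rec for rec in dataset_a}
    return [{**index[rec["id"]], **rec} for rec in dataset_b if rec["id"] in index]


def build_lookup(known_emails, key_fn):
    """Hash -> address table for addresses a party already holds."""
    return {key_fn(e): normalize_email(e) for e in known_emails}


def demo_unkeyed():
    """Both companies hash the same way, so their 'de-identified' data joins."""
    return link(pseudonymize(RETAILER_CRM, match_key),
                pseudonymize(WEBSITE_LOG, match_key))


def demo_keyed():
    """Each company uses its own secret key, so the pseudonyms do not join."""
    a = pseudonymize(RETAILER_CRM, lambda e: keyed_pseudonym(e, b"retailer-secret"))
    b = pseudonymize(WEBSITE_LOG, lambda e: keyed_pseudonym(e, b"website-secret"))
    return link(a, b)


if __name__ == "__main__":
    merged = demo_unkeyed()
    print("profiles linked via unkeyed hashes:", merged)
    # A party holding a list of addresses can map the code back to a person.
    table = build_lookup(["alice@example.com", "dave@example.com"], match_key)
    print("re-identified:", [table.get(rec["id"]) for rec in merged])
    print("profiles linked via per-party HMAC:", demo_keyed())
```

The unkeyed run merges the retailer's purchase history with the website's search terms for the same person even though neither dataset contains an address; with per-party keys the same join comes back empty.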

70
Third, many companies have billions of records that map email addresses and phone numbers to these unique codes, which undermines any claims of “anonymization” at all.

The third aspect aside, some of the companies collecting data might indeed not know anything other than that a person connected to such an identifier has searched for e.g. “breast cancer”. In an extreme case, neither the website collecting and sharing this information with other services, nor the company targeting individuals who searched for “breast cancer”, knows much more about a person – yet is still able to effectively target her. Nevertheless, the person’s identifier is irrevocably connected with the “breast cancer” search term across several databases. Whenever this person interacts with a digital service, this identifier remains inextricably linked to her previous search for “cancer”. In this way, even though companies use “hashed” or “encrypted” email addresses and phone numbers, they can recognize consumers again upon their using another service linked with the same email addresses or phone numbers. Marketing scholar Joseph Turow states that when a “company can follow and interact with you in the digital environment – and that potentially includes the mobile phone and your television set – its claim that you are anonymous is meaningless, particularly when firms intermittently add offline information to the online data and then simply strip the name and address to make it ‘anonymous’”.[508]

In his paper “Singling out people without knowing their names”, privacy scholar Frederik Borgesius concludes that a name is “merely one of the identifiers that can be tied to data about a person, and it is not even the most practical identifier” in today’s online tracking economy.[509] Several scholars, privacy regulators and even some industry representatives share the same conclusion. If a unique identifier consistently links digital profiles to the same person across the data ecosystem, these digital profiles should be considered personal data, regardless of whether the identifiers are stored in clear text or hashed.[510]

7.4 Analyzing, categorizing, rating and ranking people

A list of identifiers might already provide certain insights, especially when said list indicates that the individuals it refers to share certain characteristics. For example, a data collector might have a list of names and addresses from a magazine subscriber database, or a list of cookie IDs referring to people that have visited a certain website. Similarly, a data collector might know which people are living at a certain address and assign them to a household ID. Much of today’s corporate data collection and analysis happens on such a seemingly trivial, but in fact very powerful level. Companies, however, try to extract many additional insights from the collected data by using mathematical and statistical methods, data mining, and predictive

508 Joseph Turow (2011): The Daily You. Cited from: Senate Committee on Commerce, Science, and Transportation (2013, p. 32)
509 Borgesius, Frederik J. Zuiderveen (2016): Singling Out People Without Knowing Their Names – Behavioural Targeting, Pseudonymous Data, and the New Data Protection Regulation (February 16, 2016). Available at: http://ssrn.com/abstract=2733115
510 For a more detailed explanation see: Christl and Spiekermann (2016), p. 90-91

71
analytics.[511] However, most companies keep the details of how they analyze consumer data secret.

Scientific studies have shown that many kinds of personal characteristics can be inferred from transactional and behavioral data such as web searches, browsing histories, product purchases, Facebook likes, and viewing or listening behaviors. For example, personal attributes such as ethnicity, religious and political views, relationship status, sexual orientation, and alcohol, cigarette, or drug use as well as personality traits such as emotional stability, life satisfaction, impulsivity, depression, and “sensationalist interest” can be inferred reasonably accurately from Facebook likes. Personality traits can also be inferred from information about the websites someone has visited, as well as from phone call records and mobile app usage. Information about someone’s occupation and educational level can be inferred from the browsing history. Canadian researchers have even successfully predicted emotional states such as confidence, nervousness, sadness, and tiredness by analyzing the rhythm of typing patterns on a computer keyboard.[512]

These predictions are based on statistical correlations with certain probability levels. Although they predict these attributes and personality traits significantly above chance, they are not accurate in every case. Nevertheless, companies use similar methods to sort, categorize, rate, and rank people. For example, without actually using data related to financial transactions, such as whether somebody pays off the bills on time, data based on the timing and frequency of phone call records, social media data, or web searches are already used to predict an individual’s creditworthiness.[513] Companies even claim to use facial recognition technologies to predict smoking habits and mortality risk,[514] as well as whether someone might be a terrorist.[515] LexisNexis Risk Solutions offers a health scoring product that predicts an individual’s health risk based on vast amounts of consumer data, including purchase activities.[516]

These are not extreme outliers. Platforms such as Facebook use similar methods to categorize their users, for example by ethnicity[517] or political views.[518] An investigation of ProPublica found 52,000 unique attributes Facebook uses to categorize its users, about 350 of which are provided by Oracle.[519] Overall, the data broker Oracle claims to provide 40,000 data attributes about hundreds of millions of consumers to other companies.[520] This data originates from many different sources. Most of today’s data providers create extensive taxonomies by which

511 Christl and Spiekermann (2016), p. 11-12
512 For a more detailed description of these academic studies see: Christl and Spiekermann (2016), p. 13-21
513 See section 4.2
514 https://lapetussolutions.com/assets/atto/file/chronos_brochure_v01_6.pdf
515 http://www.faception.com/ [02.05.2017]
516 http://www.lexisnexis.com/risk/downloads/literature/health-care/socioeconomic-data-coverages-br.pdf [02.05.2017]
517 https://www.propublica.org/article/facebook-lets-advertisers-exclude-users-by-race
518 https://www.theverge.com/circuitbreaker/2016/8/24/12621784/facebook-political-preferences-ads
519 https://www.propublica.org/article/facebook-doesnt-tell-users-everything-it-really-knows-about-them
520 https://www.oracle.com/us/assets/lad-2015-ses16178-toledo-2604862.pdf [02.05.2017]

72

they categorize and group consumers with regard to certain characteristics or (predicted) behaviors, such as “hispanics”, “low income”, “new parents”, “interested in military” or “purchased pain relief products”.[521]

Generally, data and advertising companies either provide each other with segments, which are basically lists of recognizable or addressable individuals assigned to these categories[522], or they directly provide profile attributes for specific individuals. The attributes provided might represent actual data collected about consumers, such as their age, educational level, or the “actual number of purchases made with a Visa credit card in the last 24 months”. They might also represent predictive scores that only tell about certain probabilities, such as “is likely against immigration” or “has very likely no formal banking relationships”.

Dynamic real-time scoring has emerged from “static segments” in recent years, according to Acxiom’s LiveRamp.[523] Once, the process of large-scale corporate data collection from different sources and its utilization was complicated and slow. A few big companies provided “static segments” about consumers, which only contained “on/off” information about whether a person did or did not have certain assigned traits. These segments were compiled and curated by humans, which took several weeks and only represented a one-way data flow from corporate data collectors to data users. Today, thousands of data companies provide real-time data “signals”, which are transformed into scores that predict the probability of whether a person does or does not have certain traits. By applying machine learning and other technologies, calculating scores about consumers happens within milliseconds and includes two-way data flows.[524] Consequently, the lines between corporate data collectors and data users are increasingly blurring.

Accuracy? Except for, perhaps, the companies themselves, nobody really knows how accurately the digital profiles based on large-scale data collection and predictive analytics really represent an individual’s characteristics and behaviors. Some evidence suggests that data used for online[525] and mobile[526] targeting may often be largely inaccurate. One reason for this might be that marketers are “typically seeking only marginal gains in customer sales and acquisition” and therefore often accept wildly inaccurate data as long as it helps them meet their business goals.[527] Another reason may lie in the fact that most of the technologies used are still at an early stage. Either way, ultimately, profile data is attributed to individuals and used to sort

[521] See chapter 6
[522] More precisely, not lists of individuals, but lists of identifiers. Marketers describe a “segment” e.g. as an “identifiable group of individuals who share similar characteristics or needs and generally respond in a predictable matter to a marketing stimulation”: http://www.visualiq.com/resources/marketing-attribution-newsletter-articles/30-attribution-terms-every-business-should-know [02.05.2017]
[523] LiveRamp (2016): IdentityLink Data Store. Providing access to Identity-based data and buyers across the marketing ecosystem. PDF brochure. Personal copy of file with author Wolfie Christl
[524] Ibid.
[525] E.g. https://www.nytimes.com/2016/11/08/us/politics/facebook-ads-campaign.html
[526] E.g. https://adexchanger.com/data-exchanges/half-age-data-mobile-exchanges-inaccurate/
[527] Hoofnagle, Chris Jay (2016): Federal Trade Commission Privacy Law and Policy - Chapter 6 Online Privacy (February 1, 2016). Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy (Cambridge University Press 2016); UC Berkeley Public Law Research Paper No. 2800276, p. 174. Available at: https://ssrn.com/abstract=2800276

73

and rank them according to its effect on the company’s bottom line. As Mark Andrejevic states, “to someone who has been denied health care, employment, or credit, the difference between a probabilistic prediction and a certainty is, for all practical purposes, immaterial”.[528] Regardless of whether data is accurate or inaccurate, today’s pervasive tracking and profiling ecosystem leads to a massive invasion of privacy and threatens the fundamental rights of individuals.

7.5 Real-time monitoring of behavioral data streams

The technologies currently in place allow for the monitoring and analysis of an individual’s behavior in nearly any situation. Companies have always been interested in understanding how their advertising and marketing efforts lead to additional customers, subscribers, registrations, store visits and purchases, and, ultimately, affect their bottom line. Generally speaking, advertisers and marketers want to influence people’s behavior and measure the outcomes, ideally at the individual level. To achieve that, companies have made efforts in the past to link a particular piece of advertising or marketing to an eventual purchase. Mail order catalogue companies, for example, printed unique codes on their direct mail pieces and asked their customers to provide these codes when purchasing products. In the past these efforts were sporadic, disjointed, spread across various companies and databases, and often remained incomplete. A TV advertisement, for example, could not be directly measured for its effectiveness in increasing sales.

Today, the ubiquitous streams of behavioral data collected at the individual level by myriads of services across many fields of life are linked and utilized to monitor and analyze every interaction of a consumer that might be relevant to a company’s customer management and acquisition efforts. A crucial milestone occurred in 2012, when Facebook started to link its profile data with information about offline purchases in stores. Provided by Oracle’s Datalogix, companies could, for the first time, measure how Facebook ads affect store visits and purchases.[529] Today, companies try to capture as many “touchpoints” across the whole “customer journey”, from online and mobile to in-store purchases, direct mail, TV ads, and call center calls, as possible.

Tracking the consumer journey. The online data management platform Krux, which is owned by the leading customer data management company Salesforce, describes on its website how it might track and associate very different behaviors across a person’s day, including interactions that involve desktop computers, mobile phones, tablets, TVs, and store visits. A person may search for a product on the web, “like” a product and share it on social media, view a TV commercial, find a coupon on the web, and use it at a grocery store for a purchase. Krux explains that by monitoring the whole of such a “consumer journey” and getting a “granular understanding

[528] Andrejevic, Mark (2014): The Big Data Divide. International Journal of Communication 8 (2014), p. 1677. Available at: http://ijoc.org/index.php/ijoc/article/download/2161/1163
[529] https://www.forbes.com/sites/kashmirhill/2012/09/26/facebook-is-tracking-what-users-buy-in-stores-to-see-whether-its-ads-work

74

of individual interests and behaviors”, companies can “support [their] best customers at the most critical points in their journey” and “influence high-potential prospects exactly when they’re ready to engage”.[530]

Figure 8: How the data management platform Krux explains to track the “consumer journey” of an individual across channels and devices. Source: Krux Website (http://www.krux.com/data-management-platform-solutions/customer-journeys)

The connected event stream. Similarly, the customer data management company Merkle explains how their “connected event stream” may trace all sorts of behaviors of a person looking for auto insurance. They describe how an “anonymous consumer” sees an ad on a car shopping site, searches for “insurer x” with Google, clicks on an “organic search link”, and then browses the website of “insurance x” on the work PC. The next day, the consumer researches insurance offers on a different website, navigates back to the website of “insurance x” and then starts to fill in the application on the home PC. Two days later, the person calls at the insurer’s call center and leaves personal information, including an email address. The company sends an email including a link to its website with an embedded account number, which the person opens on a smartphone. Later the person returns to the insurer’s website using the work PC. Merkle explains that their “connected recognition linking” makes it possible to “connect nearly all of these interactions across multiple devices back to a single master identifier” in order to “maintain a traceable 1:1 relationship across classic CRM data and online engagement”.[531]

These examples show how companies have moved from creating static consumer profiles to continuously updating dynamic profiles. They try to capture every interaction, whether relevant or not, including those on websites, platforms, and devices that they do not control themselves.

[530] http://www.krux.com/data-management-platform-solutions/customer-journeys [14.05.2017]
[531] https://www.merkleinc.com/what-we-do/marketing-technology/merkle-data-management-cloud/connected-recognition [02.05.2017]

75

By putting these interactions in a temporal relation, profiles become dynamic. As section 5.4 shows in detail, today’s customer management platforms allow the definition of complex sets of rules about how to automatically react to certain kinds of consumer activities based on profile data from different sources and real-time tracking of behaviors across the digital world and beyond.

In today’s digital world consumers never know whether their behavior may have triggered an action from any of those interconnected, opaque systems, how this may lead to them getting taken advantage of, and, ultimately, how this causal chain may affect their emotions and behavior. On an aggregate level, it is also entirely unclear how these processes affect groups of people that, without their knowing, are treated in similar ways over time, and how societies as a whole are affected by those consequences.

7.6 Mass personalization

Large online platforms were the first companies with the capability to provide personalized services at a large scale, based on a large volume and variety of data about their users – for example, Google with its personalized search, Facebook with its news feed, and Amazon, YouTube and Netflix’s recommendation systems. A report by GroupM, a subsidiary of the marketing giant WPP, estimates that Facebook makes 200 trillion decisions a day that decide which content may be relevant to each of its users. Relevance, though, is a two-way street; the report suggests that what is relevant for both Facebook and Google “is about economic outcomes for the company as much as it is about quality of user experience”.[532]

The same applies to targeted ads delivered by others. Calculations aimed at maximizing efficiency and profit determine which ad someone sees, including whether said individual might be ‘worth’ the ad exposure in the first place at a certain moment. The profile data used for personalization is based – seemingly innocuous to most people – on a broad variety of data including websites visited, terms searched for, apps used, products purchased, friends added on a social network, or places visited. Together with sophisticated yet myopically and single-mindedly consumption-focused modeling and classification schemes, technology companies, data brokers, and many other businesses are seemingly now able to learn what people are interested in, what they did that day, what they will likely do the next, and how much they might be worth as a customer. Data can now be used not only to display ads on websites or within mobile apps, but also, on a company’s own website, to dynamically personalize the contents, options, and choices offered to a seemingly “anonymous” visitor. For example, online stores can, on an individual basis, personalize how they address someone, which products they display prominently, and even the prices of products or services.[533]

[532] https://groupmp6160223111045.azureedge.net/cmscontent/admin.groupm.com/api/file/2618 [03.05.2017]
[533] Christl and Spiekermann (2016), p. 41

76

Instant personalization. Direct marketing has long been working on personalizing direct mail, call center and email communication, and customer treatment in general. Now, companies can do personalization in real-time, across devices and communication channels, based on complex rules about how their systems ought to react to different kinds of interactions by consumers. Three types of software services play an important role for this kind of instant personalization. In the first two steps, software mentioned earlier plays a role; first, companies use advanced Customer Relationship Management (CRM) systems to manage their customer data. Second, they use Data Management Platforms (DMPs) and other data platforms to connect their own data to the digital advertising ecosystem, and gain additional profile information about their customers. Finally, as a third step, they use “predictive marketing platforms”, which help them to compile the “right message to the right person at the right time”.[534]

Predictive marketing. For example, a company might employ RocketFuel, which claims to have “2.7 billion unique profiles” in its data store[535] and offers clients to “bring together trillions of digital and real-world signals to create individual profiles and deliver personalized, always-on, always-relevant experiences to the consumer”.[536] RocketFuel says that it “scores every impression for its propensity to influence the consumer”.[537] Another platform, Optimizely, can help personalize a website for “first time visitors”, based on extensive digital profiles about those visitors provided by Oracle.[538] The predictive marketing platform TellApart, which is owned by Twitter, promises to create a “customer value score” for each shopper and product combination, a “compilation of likelihood to purchase, predicted order size, and lifetime value”, based on “100s of online and in-store signals about a particular anonymous customer”. Subsequently, TellApart helps automatically assemble pieces such as “product imagery, logos, offers and any metadata” into personalized content for ads, emails, and websites.[539]

Personalized pricing and election campaigns. Similar methods can be used to personalize prices in online shops by, for example, making predictions as to how valuable someone might be as a customer in the long term, or how much someone may be willing to pay at that moment. Strong evidence suggests that online shops already show differently priced products to different consumers, or even different prices for the same products, based on individual characteristics and past behaviors.[540] However, since companies such as Amazon already vary their prices up to 2.5 million times on an average day[541], it will be difficult to prove whether and, if so, to what extent they might incorporate user behavior into their dynamic pricing one day. Another similar field is the use of personalization during election campaigns. Targeting voters with

[534] Standard phrase often used in online marketing: https://www.google.at/search?q=right+message+to+the+right+person+at+the+right+time
[535] http://rocketfuel.com/wp-content/uploads/DSP_2015.pdf [03.05.2017]
[536] https://rocketfuel.com/predictive-marketing [03.05.2017]
[537] http://rocketfuel.com/wp-content/uploads/DSP_2015.pdf [03.05.2017]
[538] https://www.optimizely.com/de/partners/technology/bluekai/ [03.05.2017]
[539] https://www.tellapart.com/platform/ [03.05.2017]
[540] Christl and Spiekermann (2016), p. 41
[541] https://www.digitalcommerce360.com/2014/12/30/right-price-not-lowest-price/

77

personalized messages adapted to their personality and political views on certain issues has already raised massive debates about its potential for political manipulation.[542]

Generally speaking, as Ryan Calo has summarized, the “digitization of commerce dramatically alters the capacity of firms to influence consumers at a personal level”.[543] The more companies know about individuals, such as their “personal biases and weaknesses”[544], the better they can “change people’s actual behavior at scale”.[545] Shoshana Zuboff points to the fact that we are not only witnessing the rise of “markets for personal data” but also of “markets for behavioral control”, which are “composed of those who sell opportunities to influence behavior for profit and those who purchase such opportunities”.[546]

7.7 Testing and experimenting on people

During the US congressional elections 2010, Facebook showed 61 million randomly chosen users a box that suggested going out to vote; users were additionally given a way to tell their friends when they did. After a comparison with a control group and with other data, Facebook estimated that this nudging increased voter turnout by at least 340,000.[547] In another experiment on 1.9 million users, Facebook secretly manipulated what was shown in their users’ news feeds, e.g. decreasing the amount of personal posts such as baby photos in favor of more “hard” news; this, too, led to increased voter turnout during the 2012 elections.[548] In the same year, Facebook conducted its notorious “mood experiment” on nearly 700,000 users that involved manipulating the amount of emotionally positive and negative posts in the users’ news feeds, which influenced how many emotionally positive and negative messages the users posted themselves.[549]

After massive criticism, not only, but also because all of these experiments were conducted without the participants’ knowledge, the online dating platform OkCupid followed up with a provocative blog post defending such practices, stating “we experiment on human beings” and “so does everybody else”. They reported an experiment in which they had manipulated the “match” percentage shown to pairs of users. When they showed a 90% match to pairs that actually had a much lower score, these users exchanged significantly more messages with each

[542] See e.g. https://medium.com/@privacyint/cambridge-analytica-explained-data-and-elections-6d4e06549491
[543] Calo, Ryan (2013)
[544] Helberger, Natali (2016): Profiling and Targeting Consumers in the Internet of Things – A New Challenge for Consumer Law. Feb 6, 2016, p. 15. Available at: http://ssrn.com/abstract=2728717
[545] Zuboff, Shoshana (2016): The Secrets of Surveillance Capitalism. Frankfurter Allgemeine Zeitung, 05.03.2016. Available at: http://www.faz.net/aktuell/feuilleton/debatten/the-digital-debate/shoshana-zuboff-secrets-of-surveillance-capitalism-14103616.html?printPagedArticle=true
[546] Zuboff, Shoshana (2015): Big Other: Surveillance Capitalism and the Prospects of an Information Civilization (April 4, 2015). Journal of Information Technology (2015) 30, 75–89, p. 85. Available at: http://ssrn.com/abstract=2594754
[547] Bond, R. M., Fariss, C. J., Jones, J. J., Kramer, A. D. I., Marlow, C., Settle, J. E., & Fowler, J. H. (2012): A 61-million-person experiment in social influence and political mobilization. Nature, 489(7415), 10.1038/nature11421. http://doi.org/10.1038/nature11421
[548] http://www.motherjones.com/politics/2014/10/can-voting-facebook-button-improve-voter-turnout
[549] Kramer, Adam D. I.; Jamie E. Guillory; Jeffrey T. Hancock (2014): Experimental evidence of massive-scale emotional contagion through social networks. PNAS vol. 111 no. 24, 8788–8790. Available at: http://www.pnas.org/content/111/24/8788.full

78

other. OkCupid stated that when they would “tell people” they were a “good match”, those people would “act as if they are”.[550] All these ethically highly questionable experiments demonstrate that data-driven personalization clearly has the potential to influence behavior on a massive scale. This form of experimentation on unaware users has become the new normal in the digital world. Facebook stated in 2014 that it runs “over a thousand experiments each day” in order to “optimize specific outcomes” or to “inform long-term design decisions”.[551] Testing is at the core of today’s digital tracking economy.

Today, online advertisers routinely show different ads to different groups of users in order to test which one makes more people click and interact. Similarly, more and more news organizations, including large outlets such as the Washington Post[552], use different versions of article headlines to figure out which variation performs better.[553] Generally, when companies use two different variations of functionalities, website designs, user interface elements, headlines, button texts, images or even different discounts and prices, and then carefully track and measure how different groups of users are interacting, this is known as “A/B testing” or “split testing”. Tests with more than two variations are known as “multivariate”. Optimizely, one of the major technology providers for such tests, offers its clients the ability to “experiment broadly across the entire customer experience, on any channel, any device, and any application”.[554]

Usually, marketers focus on optimizing “conversion rates”, which describe the percentage of people who were persuaded to act exactly in the way marketers wanted them to act. For example, companies might want users to visit a website, click on an ad, register for a service, subscribe to a newsletter, download an app, or purchase a product. To achieve this, they conduct tests with different variations of some element and then carefully monitor and analyze which version “converts” more users. The most basic requirement for these kinds of tests is data on how users interact, ideally by tracking and measuring every single interaction on an individual level.

Maurits Kaptein et al. point to the concept of “persuasion profiles” as “sets of estimates on the effectiveness of particular influence-strategies on individuals, based on their past responses to these strategies”.[555] Pervasive behavioral tracking, in combination with real-time personalization and testing, has become a powerful tool set to systematically influence people’s behavior.

[550] https://theblog.okcupid.com/we-experiment-on-human-beings-5dd9fe280cd5 [03.05.2017]
[551] https://www.facebook.com/notes/facebook-data-science/big-experiments-big-datas-friend-for-making-decisions/10152160441298859/ [03.05.2017]
[552] https://www.wsj.com/articles/washington-posts-bandit-tool-optimizes-content-for-clicks-1454960088
[553] https://blog.upworthy.com/why-the-title-matters-more-than-the-talk-867d08b75c3b
[554] https://www.optimizely.com [03.05.2017]
[555] Kaptein, Maurits; Dean Eckles, and Janet Davis (2011): Envisioning Persuasion Profiles: Challenges for Public Policy and Ethical Practice. 9/10 Interactions 66-69, 66; Available at: https://www.semanticscholar.org/paper/Envisioning-persuasion-profiles-challenges-for-Kaptein-Eckles/fe5f2029df491bdea2cf46697b2e4145c1e226f2/pdf

79

7.8 Mission creep – everyday life, risk assessment and marketing

Today, the very normal everyday lives of consumers are monitored and tracked by a wide range of companies that provide them with services, both directly and indirectly, via data transfer to third parties. Opting out is difficult or impossible without also opting out of much of modern life. Extensive data is recorded when people use the web, social media, or smartphones, when they purchase something in a store, or when they listen to music. Furthermore, many other kinds of devices with sensors and network connections, including wearables, e-readers, smart TVs, thermostats, and cars comprehensively record and report information. Companies often collect and store a range of consumer data far wider than that needed to provide the online services they offer. Much of this excessive data collection has been introduced as a byproduct of “more data is always better” approaches[556] as well as popular advertising imperatives.

At the same time, information about people’s behaviors, social relationships, and most private moments is increasingly applied in contexts or for purposes completely different from those for which it was recorded.[557] Most notably, data about everyday life behaviors is increasingly used to make automated decisions about individuals in crucial areas of life such as finance, insurance, employment, and law enforcement.

Risk assessment based on everyday life data. Companies have started to predict consumers’ creditworthiness based on factors such as the timing and frequency of phone call records, GPS location, customer support data, online purchases, web searches, and data from social networks, including information about someone’s social network connections. Also, behavioral data about how someone fills out an online form or navigates on a website is already being used to calculate credit scores, as is the grammar and punctuation of text messages and even an individual’s phone battery status. Most of these services are provided by startup companies rather than large banks. However, many large companies from telecom network providers to credit card networks to consumer reporting agencies have started partnering with such startups. The larger-scale application of such services is particularly on the rise in countries of the global south, as well as for vulnerable population groups in other regions.[558]

In addition, large insurers in the US and in Europe have introduced programs that allow consumers to get significant discounts on their insurance premiums if they agree to provide real-time data about their car driving behavior and activities such as steps, grocery purchases, or fitness studio visits.[559] In 2016, Facebook blocked a program by the large UK insurer Admiral, who wanted to price auto insurance based on personality assessments calculated from their customers’

[556] http://www.nytimes.com/2012/03/25/business/factuals-gil-elbaz-wants-to-gather-the-data-universe.html
[557] As Helen Nissenbaum has argued, contextual integrity of data is a cornerstone for the protection of peoples’ privacy. See Nissenbaum, H. (2004): Privacy as Contextual Integrity. Washington Law Review (79:1), pp 101-139.
[558] See section 4.2
[559] Christl and Spiekermann (2016), p. 52-68

80

Facebook profile information.[560] However, Facebook itself has registered a patent for automated loan decisions based on credit ratings of someone’s friends on a social network[561], casting this seemingly beneficent decision in a new light.

In healthcare, data companies and insurers are working on programs that use everyday life data about consumers to predict someone’s health risks. For example, the large insurer Aviva, together with the consulting firm Deloitte, predicted individual health risks for e.g. diabetes, cancer, high blood pressure, and depression for 60,000 insurance applicants based on marketing consumer data that they had purchased from a data broker.[562] Similarly, the consulting firm McKinsey helped predict the hospital costs of patients based on consumer data for a “large US payor” in healthcare.[563] Using information about demographics, family structure, purchases and car ownership and other data, they stated that such “insights could help identify key patient subgroups before high-cost episodes occur”.[564] GNS healthcare, a US health analytics company, also calculates individual health risks for patients from a wide range of data, including from genomics, medical records, lab data, mobile health devices, and consumer behavior. The company partners with insurers such as Aetna, provides a score that identifies people likely to participate in interventions, and offers to predict the progression of illnesses and intervention outcomes.[565] LexisNexis Risk Solutions offers a health scoring product that predicts individual health risks of people based on vast amounts of consumer data, including purchase activities.[566]

Risk data for marketing and customer relationship management. Key players in data, analytics, and technology that provide risk assessments of individuals in important fields of life such as credit and insurance assessment mostly also provide marketing solutions. For example, the large credit reporting agency TransUnion offers marketing and audience segmentation products[567] with a focus on consumer financial behaviors, including “offline-to-online matching” and “insights into consumers who are actively engaged in searches for insurance, mortgages, auto loans and more”.[568] TransUnion’s “risk triggers” provide “consumer and account monitoring” to alert companies about “changes for collections, account management and marketing”, for example, about when “consumers' credit activities indicate receptiveness to marketing messages”.[569] In addition, TransUnion partners with the ad technology firm Rocket

[560] https://www.theguardian.com/money/2016/nov/02/facebook-admiral-car-insurance-privacy-data
[561] http://www.theatlantic.com/technology/archive/2015/09/facebooks-new-patent-and-digital-redlining/407287
[562] Christl and Spiekermann (2016), p. 35
[563] Ibid., p. 36
[564] http://healthcare.mckinsey.com/sites/default/files/791750_Changing_Patient_Behavior_the_Next_Frontier_in_Healthcare_Value.pdf [03.05.2017]
[565] Christl and Spiekermann (2016), p. 36
[566] http://www.lexisnexis.com/risk/downloads/literature/health-care/socioeconomic-data-coverages-br.pdf [02.05.2017]
[567] https://www.transunion.com/solution/marketing-audience-segmentation [03.05.2017]
[568] https://www.transunion.com/product/adsurety [03.05.2017]
[569] https://www.transunion.com/product/triggers [03.05.2017]

81
Fuel to help banks and insurers track consumers across the digital world.[570] The company also provides “aggregated consumer credit data segments” to Oracle’s online data marketplace[571] and is listed as a “data provider” for LiveRamp, the data matching platform of Acxiom.[572]

Ultimately, TransUnion’s “DecisionEdge” product for financial services and retail “unifies” marketing, risk management, and a company’s economic goals. It allows companies to implement “marketing and risk strategies tailored for customer, channel and business goals”[573] based on credit data. It also promises “unique insights into consumer behavior, preferences, and risk to drive profitable growth”.[574] It includes consumer “prescreening” and “prequalification” during customer acquisition by, for example, letting consumers “choose from a suite of offerings that are tailored to their needs, preferences and risk profile” or by letting companies “evaluate a customer for multiple products across channels, and then only present the offer(s) that are most relevant to them, and profitable” for the company.[575]

Similarly, Experian provides solutions for “credit marketing” to “identify profitable populations” such as consumer prescreening and prequalification.[576] Amongst their offers for customer acquisition they list marketing solutions which allow companies to “identify prospective customers matching [their] business objectives” using Experian’s “specialized research, market surveys, psychographic profiles and analytics tools to segment audiences”. The company also provides solutions that allow clients to “determine which businesses and consumers make profitable new customers and present the least amount of risk”.[577] Another product combines “consumer credit and marketing information that is compliantly available from Experian”.[578] The company’s “Identity Element Network”, a fraud detection solution, provides not only a “predictive identity fraud risk score” describing the likelihood that a customer's identity has been compromised, but also allows the client to “rank-order” the “best and riskiest accounts” and to prioritize “less risky” customers in costly operational processes.[579]

Most marketing data brokers also trade many kinds of sensitive information about consumers, including about their financial situation. Acxiom, for example, provides data and scores about someone’s income, net worth, economic stability,[580] socioeconomic status,[581] loans,[582] banking

[570] http://rocketfuel.com/uk/transunion-rocket-fuel-combine-technologies-to-enable-ai-powered-marketing-initiatives/ [03.05.2017]
[571] http://www.oracle.com/us/solutions/cloud/data-directory-2810741.pdf [03.05.2017]
[572] https://liveramp.com/partner/transunion/ [03.05.2017]
[573] https://www.transunion.com/product/decisionedge [03.05.2017]
[574] https://www.transunion.com/resources/transunion/doc/products/resources/product-decisionedge-overview [03.05.2017]
[575] Ibid.
[576] http://www.experian.com/consumer-information/lending-marketing.html [03.05.2017]
[577] http://www.experian.com/business-services/customer-acquisition.html [03.05.2017]
[578] http://www.experian.co.uk/integrated-marketing/delphi-for-mailing.html [03.05.2017]
[579] http://www.experian.com/decision-analytics/identity-and-fraud/current-account-fraud.html [24.04.2017]
[580] https://developer.myacxiom.com/code/api/data-bundles/bundle/investmentsAndAssets [09.05.2017]
[581] https://developer.myacxiom.com/code/api/data-bundles/bundle/areaDemographicsGS [09.05.2017]
[582] https://developer.myacxiom.com/code/api/data-bundles/bundle/mortgagesAndLoans [09.05.2017]

82
and insurance policies,[583] and the “max range of new credit granted for an individual”[584] for marketing purposes. Similarly, the German marketing data broker Arvato AZ Direct, a subsidiary of the media giant Bertelsmann, provides information about creditworthiness. In its marketing data catalog, those with the best credit rating are labeled with an “A” and “VIP clients”, the worst with G and “postpone processing”.[585] Information about people’s creditworthiness has already even entered online advertising. Thanks to data provided by Oracle’s Datalogix, ads on Twitter, for example, can now be targeted by users’ predicted creditworthiness.[586]

Online fraud detection and the marketing dragnet. Conversely, the ubiquitous streams of behavioral data in the digital world are being fed into fraud detection systems. The marketing data platform Segment, for example, offers clients easy ways to send data about their customers, website and mobile app users to many different marketing technology services, but also to fraud detection companies. One of them is Castle, which uses “customer behavioral data to predict which users are likely a security or fraud risk”.[587] Another one, Smyte, helps “prevent scams, spam, harassment and credit card fraud”.[588] Generally, today’s online fraud detection services use highly invasive technologies to evaluate billions of digital transactions and collect vast amounts of information about devices, individuals, and suspicious behaviors.

Large data and analytics companies often provide both marketing and risk services. Experian, for example, offers a service that provides “universal device recognition” across mobile, web, and apps for digital marketing.[589] The company promises to “reconcile and associate” their client’s “existing digital identifiers”, including “cookies, device IDs, IP addresses and more”, “providing marketers with a ubiquitous, consistent and persistent link across all channels”.[590] Experian’s device identification technology comes from 41st parameter, an online fraud detection company that Experian acquired in 2013.[591] Based on 41st parameter’s technology, Experian also offers a “device intelligence” solution for fraud detection during online payments, which “establishes a reliable ID for the device and collects rich device data”, “identifies every device on every visit in milliseconds”, and “gives unparalleled visibility into the person behind

[583] https://developer.myacxiom.com/code/api/data-bundles/level1bundle/financial [09.05.2017]
[584] https://developer.myacxiom.com/code/api/data-bundles/bundle/creditAndBankCards [09.05.2017]
[585] In German: “Der Informa-Geoscore prognostiziert die Zahlungsausfallwahrscheinlichkeit auf Mikrozellenebene (mit im Schnitt 20 Haushalten je Mikrozelle). Er basiert im Gegensatz zu vielen anderen externen Daten auf validen adress- bzw. personenbezogenen Informationen, welche auf Mikrozellenebene aggregiert werden“, „1 Nahezu kein Risiko (VIP-Kunden, A)“, „7 Höchstes Risiko (Bearbeitung zurückstellen, G)“. In English: “The Informa Geoscore predicts the probability of payment default at the micro-cell level (with an average of 20 households per micro-cell). Unlike many other external data, it is based on valid address-related and personal information that is aggregated at the micro-cell level”, “1 Almost no risk (VIP customers, A)”, “7 Highest risk (postpone processing, G)”. Source: Arvato AZ Direct (2015): AZ DIAS PROFILDATEN. Merkmalskatalog. Personal copy of file with author Wolfie Christl
[586] https://twitter.com/WolfieChristl/status/850467843430912000
[587] https://segment.com/integrations/castle [18.05.2017]
[588] https://segment.com/integrations/smyte [18.05.2017]
[589] http://www.experian.co.uk/marketing-services/products/adtruth-device-recognition.html [03.05.2017]
[590] https://www.experianplc.com/media/news/2015/adtruth-resolve/ [03.05.2017]
[591] https://adexchanger.com/data-exchanges/experian-buys-device-id-firm-41st-parameter-for-324m-gets-adtruth-in-the-bargain/

83
the payment”.[592] It is not clear whether Experian uses the same data for its device identification services in fraud detection and marketing.

Fraud prevention, network and information security have a special status in the forthcoming European General Data Protection Regulation, which makes it easier for companies to process user data for these purposes without consent.[593] Therefore, any data collected for fraud prevention and information security may not be used for any other purpose. The same holds true for other online fraud detection services examined in this report, including ThreatMetrix and Google’s reCaptcha.[594]

This is especially important since, generally, all kinds of behavioral data recorded by services and devices is increasingly used for risk management. Conversely, data that has been collected in the context of fraud prevention, identity verification, credit scoring, or payment processing is increasingly used for customer relationship management, online targeting, and other marketing purposes. Many companies in data, customer relationship management, and business analytics provide services for marketing as well as for risk management, including law enforcement and intelligence.

[592] http://www.experian.co.uk/assets/identity-and-fraud/device-insight-for-payments-one-pager.pdf [03.05.2017]
[593] European Commission (2016), Recitals 47, 49
[594] See also section 4.4

84
8. Conclusion

This investigation aimed to examine how commercial actors collect, analyze, share, and utilize information about individuals and to better map the structure and scope of today’s personal data ecosystem, placing a strong focus on elucidating its implications for individuals, groups of people, and society at large. The findings suggest that networks of online platforms, advertising technology providers, data brokers, and businesses in many industries can now monitor, recognize, and analyze individuals in many aspects of their lives. Information about personal characteristics and behaviors of individuals is linked, combined, and utilized across companies, databases, platforms, devices, and services in real-time. Based on data and guided by their business interests and economic goals, companies have constructed an environment in which individuals are constantly surveyed and evaluated, investigated and examined, categorized and grouped, rated and ranked, numbered and quantified, included or excluded, and, as a result, treated differently.

Pervasive digital tracking and profiling, in combination with personalization and testing, are not only used to monitor, but also to systematically influence people’s behavior. Companies are also increasingly using behavioral data about everyday life situations to make both trivial and consequential automated decisions about people, which may lead to cumulative disadvantages for and discrimination against groups of individuals, and may reinforce or even worsen existing inequalities. These developments affect everyone, whether as individuals or as members of groups – memberships of which one often remains unaware – and, ultimately, the dynamics of society at large.

While companies have been collecting and utilizing data about individuals for decades, several key developments in recent years have rapidly introduced completely unprecedented new qualities of ubiquitous corporate surveillance. These include the rise of social media and networked devices, the real-time tracking and linking of behavioral data streams, the merging of online and offline data, and the dissolution of the distinction between marketing and risk management data.

Although the degree to which different industries are connected to the invasive tracking ecosystems developed within online advertising varies, businesses across a diverse set of sectors are joining unconditionally. Both consumer facing companies with direct customer relationships and hidden third-party tracking services for the most part do not consider either any kinds of ethical and societal implications or possible legal consequences. At the same time, only the tip of the iceberg of data and profiling activities is visible to individuals. Much of it occurs in the background and remains opaque and barely understood by most consumers, as well as by civil society, journalists, and policymakers. Companies inform people incompletely, inaccurately, or not at all about their data practices. They use ambiguous, misleading, and obfuscating language in both user interfaces and contracts such as privacy policies and terms of service. Moreover, companies systematically trick consumers into data contracts.

85
At the same time, people have ever fewer options to resist the power of this data ecosystem; opting out of pervasive tracking and profiling has essentially become synonymous with opting out of much of modern life. Even though corporate leaders argue that “privacy is dead”[595] (while also caring a great deal about their own privacy[596]), people do indeed perceive the power asymmetries in today’s digital world and react to them. The research of Mark Andrejevic suggests that people feel “frustration over a sense of powerlessness in the face of increasingly sophisticated and comprehensive forms of data collection and mining”.[597] He argues in a compelling way that users “operate within structured power relations that they dislike but feel powerless to contest”.[598]

This report focuses on the actual practices and inner workings of today’s personal data industries. It explores relevant recent developments, as well as technologies, business models, platforms, services, devices, and data flows. While the picture is becoming clearer, large parts of the systems in place still remain in the dark. Enforcing transparency about corporate data practices remains a key prerequisite to resolving the massive information asymmetries and power imbalances between data companies and the individuals that they process data on. Beside corporate transparency, there is also a strong need for a much better general understanding of today’s pervasive tracking and profiling technologies, as well as their impact on and consequences for individuals and society on a broad level. Existing metaphors and narratives that describe violations of personal privacy, such as being watched naked by a stranger, do not help much in comprehending the privacy implications of interlinked databases that analyze ubiquitous data streams on everyone.

Admittedly, this investigation falls short of fully addressing the relationship between the examined corporate practices on the one hand and the existing and upcoming regulatory frameworks on the other. Hopefully, however, this report’s findings will encourage and contribute to further work by researchers, scholars, journalists, and stakeholders in the fields of civil rights, data protection, consumer protection, and hopefully also of policymakers and the companies themselves.

In 1999, Lawrence Lessig famously predicted that “left to itself, cyberspace will become a perfect tool of control”, shaped by commerce and the market’s “invisible hand”. He suggested that we could “build, or architect, or code cyberspace to protect values that we believe are fundamental, or we can build, or architect, or code cyberspace to allow those values to disappear”.[599] Today, the latter has nearly been made reality by billions of dollars in venture capital poured into funding business models based on the unscrupulous mass exploitation of data. The shortfall of privacy regulation in the US and the absence of its enforcement in Europe

[595] https://www.theguardian.com/technology/2010/jan/11/facebook-privacy
[596] http://www.msn.com/en-us/money/companies/facebooks-zuckerberg-sues-hundreds-of-hawaiians-to-force-property-sales-to-him/ar-AAm1TvX
[597] Andrejevic, Mark (2014): The Big Data Divide. International Journal of Communication 8 (2014), p. 1685. Available at: http://ijoc.org/index.php/ijoc/article/download/2161/1163
[598] Ibid., p. 1678
[599] Lessig, Lawrence (1999): Code and Other Laws of Cyberspace

86
has actively impeded the emergence of other kinds of digital innovation, that is, of practices, technologies, and business models that preserve freedom, democracy, social justice, and human dignity.

The upcoming new European privacy legislation, which supersedes the 1995 Data Protection Directive and includes both the already adopted EU General Data Protection Regulation (GDPR), as well as the still disputed ePrivacy Regulation, will become effective in May 2018. Although far from perfect and characterized by many years of negotiations, lobbying, and compromises, it might come just in time to prevent the worst. Still, because of its complexity, the implications on a broad scale are difficult to predict. Interpretations such as that of Doc Searls, who expects that “surveillance capitalism” will become “illegal a year from now in the EU”,[600] may be too optimistic. Nevertheless, the GDPR might ban or at least slow down the most irresponsible and invasive practices of third-party tracking and open up ways to make corporate data practices more transparent and accountable. Furthermore, its impact will most likely reach beyond the European Union. The US legal and regulatory framework, in contrast, has enabled the growth of today’s data-driven world without any effective consumer safeguards and there is little in sight that will bring about a fundamental change. The recent backlash regarding broadband privacy shows that rather the opposite is the case.

On a broader level, data protection legislation alone may not mitigate the consequences a data-driven world has on individuals and society, whether in the US or Europe. In particular, preventing the dominant data platforms and conglomerates from abusing the unprecedented data power that they have consolidated based on extensive behavioral information on billions of people presents a major challenge. While consent and choice are crucial principles to resolve some of the most urgent problems of intrusive data collection, they can also produce an “illusion of voluntariness”.[601] For example, when insurers offer programs without all-day monitoring of a consumer’s physical activity only for significantly higher prices, a consumer’s choice would end up being between participation and punishment and thereby shift the default toward the former. As such, while important in many respects, a policy discourse that focuses only on individual empowerment and control over one’s data may not lead to effective long-term solutions. Besides additional regulatory instruments such as anti-discrimination, consumer protection, and competition law, it will generally require a major collective effort to make a positive vision of a future information society reality. Otherwise, we might soon end up in a society of pervasive digital social control, where privacy becomes – if it remains at all – a luxury commodity for the rich. The building blocks are already in place.

[600] https://blogs.harvard.edu/doc/2017/03/23/brands-need-to-fire-adtech/
[601] Davis, Simon G. (1997): Re-Engineering the Right to Privacy: How Privacy Has Been Transformed from a Right to a Commodity. In: Technology and Privacy: The New Landscape, eds. Agre, Philip E. and Marc Rotenberg. Cambridge, MA: The MIT Press. Pp. 143-162.

87
Figures

Figure 1: Mapping the commercial digital tracking and profiling landscape ... 13
Figure 2: Acxiom and some of its data providers, partners and services. ... 55
Figure 3: Oracle and some of its data providers, partners and services. ... 60
Figure 4: Examples of data on consumers provided by Acxiom and Oracle. ... 64
Figure 5: Different levels, realms and sources of consumer data collection ... 65
Figure 6: Tracking, profiling and affecting people in real-time. ... 66
Figure 7: How companies identify consumers and link profile information about them. ... 68
Figure 8: How the data management platform Krux explains to track the “consumer journey” of an individual across channels and devices. Source: Krux Website (http://www.krux.com/data-management-platform-solutions/customer-journeys) ... 74

References

Allenby, Greg M (2010): Perspectives on Promotion and Database Marketing: The Collected Works by Robert C Blattberg. World Scientific, 2010.
Ammari, Nader; Gustaf Björksten; Peter Micek; Deji Olukotun (2015): The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy. Access Now, August 2015. Available at: https://www.accessnow.org/cms/assets/uploads/archive/AIBT-Report.pdf
Andrejevic, Mark (2014): The Big Data Divide. International Journal of Communication 8 (2014). Available at: http://ijoc.org/index.php/ijoc/article/download/2161/1163
Angwin, Julia; Jeff Larson; Lauren Kirchner; Surya Mattu (2017): Minority Neighborhoods Pay Higher Car Insurance Premiums Than White Areas With the Same Risk. ProPublica, April 5, 2017. Available at: https://www.propublica.org/article/minority-neighborhoods-higher-car-insurance-premiums-white-areas-same-risk
Arvato AZ Direct (2015): AZ DIAS PROFILDATEN. Merkmalskatalog. Personal copy of file with author Wolfie Christl
Bennett, Colin (2016): Is Your Neighbor a Democrat or a Republican? Lateral Voter Surveillance and the Political Culture of Modern Election Campaigns (April 20, 2016). Available at: https://ssrn.com/abstract=2776308
Bond, R. M., Fariss, C. J., Jones, J. J., Kramer, A. D. I., Marlow, C., Settle, J. E., & Fowler, J. H. (2012): A 61-million-person experiment in social influence and political mobilization. Nature, 489(7415), 10.1038/nature11421. http://doi.org/10.1038/nature11421
Borgesius, Frederik J. Zuiderveen (2016): Singling Out People Without Knowing Their Names – Behavioural Targeting, Pseudonymous Data, and the New Data Protection Regulation (February 16, 2016). Available at: http://ssrn.com/abstract=2733115
Bouk, Dan (2015): How Our Days Became Numbered. Risk and the Rise of the Statistical Individual. University of Chicago Press.

88
Brat, Eric; Stephan Heydorn, Matthew Stover, and Martin Ziegler (2013): Big Data: The Next Big Thing for Insurers? Boston Consulting Group, March 25, 2013. Available at: https://www.bcgperspectives.com/content/articles/insurance_it_performance_big_data_next_big_thing_for_insurers
Bria, Francesca; Javier Ruiz, Gemma Galdon Clavell, José Maria Zavala, Laura Fitchner, Harry Halpin (2015): D3.3 Research on Identity Ecosystem. Report by D-CENT, Decentralised Citizens Engagement Technologies, 31 June 2015, Version Number: 2. Available at: http://dcentproject.eu/wpcontent/uploads/2015/10/research_on_digital_identity_ecosystems.pdf
Calabrese, C., McInnis, K. L., Hans, G. S., Norcie, G. (2015): Comments for November 2015. Workshop on Cross-Device Tracking. Center For Democracy & Technology. Online: https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf
Calo, Ryan (2013): Digital Market Manipulation. 82 George Washington Law Review 995 (2014); University of Washington School of Law Research Paper No. 2013-27, August 15, 2013. Available at: https://ssrn.com/abstract=2309703
Calo, Ryan and Rosenblat, Alex (2017): The Taking Economy: Uber, Information, and Power (March 9, 2017). Columbia Law Review, Vol. 117, 2017; University of Washington School of Law Research Paper No. 2017-08. Available at: https://ssrn.com/abstract=2929643
Capizzi, Michael T. and Rick Ferguson (2005): Loyalty trends for the twenty-first century. Journal of Consumer Marketing, 22/2, 72-80
Cegłowski, Maciej (2016): The Moral Economy of Tech. Text version of remarks, SASE conference, Berkeley, June 26, 2016. Available at: http://idlewords.com/talks/sase_panel.htm
Christl, Wolfie and Sarah Spiekermann: Networks of Control. A Report on Corporate Surveillance, Digital Tracking, Big Data & Privacy. Facultas, Vienna 2016. Available at: http://crackedlabs.org/en/networksofcontrol
CIPPIC (2006): On the data trail: How detailed information about you gets into the hands of organizations with whom you have no relationship. A report on the Canadian data brokerage industry, April 2006. Available at: https://idtrail.org/files/DatabrokerReport.pdf
Citron, Danielle Keats and Pasquale, Frank A. (2014): The Scored Society: Due Process for Automated Predictions. Washington Law Review, Vol. 89, 2014; U of Maryland Legal Studies Research Paper No. 2014-8. Available at: http://ssrn.com/abstract=2376209
Cook, Tamara and Claudia McKay (2015): How M-Shwari Works: The Story So Far. Access to Finance FORUM Reports by CGAP and Its Partners. No. 10, April 2015. Available at: https://www.cgap.org/sites/default/files/Forum-How-M-Shwari-Works-Apr-2015.pdf
Cox, Emmett (2011): Retail Analytics: The Secret Weapon. Wiley, November 2011
Davis, Simon G. (1997): Re-Engineering the Right to Privacy: How Privacy Has Been Transformed from a Right to a Commodity. In: Technology and Privacy: The New Landscape, eds. Agre, Philip E. and Marc Rotenberg. Cambridge, MA: The MIT Press. Pp. 143-162.
Deighton, John; Peter A. Johnson (2013): The Value of Data: Consequences for Insight, Innovation & Efficiency in the U.S. Economy. October 8, 2013. Available at: https://www.ipc.be/~/media/documents/public/markets/the-value-of-data-consequences-for-insight-innovation-and-efficiency-in-the-us-economy.pdf
Donatello, Michael (1998): Audience research for newspapers. In: Blanchard, Margaret (eds): History of the Mass Media in the United States: An Encyclopedia, Fitzroy Dearborn Publishers, September 1998.

89
EU Fraud Prevention Expert Group (2007): Report on Identity Theft/Fraud. Brussels, 22 October 2007. Available at: http://ec.europa.eu/internal_market/fpeg/docs/id-theft-report_en.pdf
European Banking Authority (2016): Discussion Paper on innovative uses of consumer data by financial institutions, EBA/DP/2016/01, 04 May 2016. Available at: https://www.eba.europa.eu/documents/10180/1455508/EBA-DP-2016-01+DP+on+innovative+uses+of+consumer+data+by+financial+institutions.pdf
Evans, Peter C. and Annabelle Gawer (2016): The Rise of the Platform Enterprise. A Global Survey. The Emerging Platform Economy Series No. 1, The Center for Global Enterprise, January 2016. Available at: http://thecge.net/wp-content/uploads/2016/01/PDF-WEB-Platform-Survey_01_12.pdf
Ferretti, F. (2009): The Credit Scoring Pandemic and the European Vaccine: Making Sense of EU Data Protection Legislation, 2009(1) Journal of Information, Law & Technology (JILT). Available at: http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2009_1/ferretti
Ferretti, Federico (2014): EU Competition Law, the Consumer Interest and Data Protection. The Exchange of Consumer Information in the Retail Financial Sector. SpringerBriefs in Law, 2014
Ferretti, Federico (2014): The Legal Framework of Consumer Credit Bureaus and Credit Scoring in the European Union: Pitfalls and Challenges — Overindebtedness, Responsible Lending, Market Integration, and Fundamental Rights. Suffolk University Law Review, Vol. XLVI:791, p. 807. Available at: http://suffolklawreview.org/wp-content/uploads/2014/01/Ferretti_Lead.pdf
Ferretti, Federico (2015): Credit Bureaus Between Risk-Management, Creditworthiness Assessment and Prudential Supervision. EUI Department of Law Research Paper No. 2015/20. Available at: https://ssrn.com/abstract=2610142
FIPA / B.C. Freedom of Information and Privacy Association (2015): The Connected Car: Who is in the driver’s seat? A study on privacy and onboard vehicle telematics technology. March 2015. Available at: https://fipa.bc.ca/wordpress/wp-content/uploads/2015/03/CC_report_lite.pdf
Forrester (2015): The Forrester Wave™: Customer Insights Services Providers, Q4 2015. November 10, 2015.
Forrester (2015): The Forrester Wave™: Data Management Platforms, Q4 2015. Available at: http://www.krux.com/upload/image/company/The_Forrester_Wave_Data_Management_Platforms_Q4_2015.pdf
Frida Alim, Nate Cardozo, Gennie Gebhart, Karen Gullo, and Amul Kalia (2017): Spying on Students: School-Issued Devices and Student Privacy. Electronic Frontier Foundation, April 13, 2017. Available at: https://www.eff.org/wp/school-issued-devices-and-student-privacy
FTC (2007): Credit-based Insurance Scores: Impacts on Consumers of Automobile Insurance. A Report to Congress by the Federal Trade Commission, July 2007. Available at: https://www.ftc.gov/reports/credit-based-insurance-scores-impacts-consumers-automobile-insurance-report-congress-federal
FTC (2014): Data Brokers. A Call for Transparency and Accountability, p. C3. Available at: http://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf
Gallagher, Kevin (2017): Ad Tech explainer. How innovation is changing the digital advertising business and creating new opportunities for disruption. Business Insider, BI Intelligence, January 2017.
Gangadharan, Seeta Peña (2012): Digital inclusion and data profiling. First Monday, Volume 17, Number 5 - 7 May 2012. Available at: http://firstmonday.org/ojs/index.php/fm/article/view/3821/3199

90
Garvie, Clare; Alvaro Bedoya; Jonathan Frankle (2016): The Perpetual Line-Up. Unregulated Police Face Recognition in America. Georgetown Law Center on Privacy & Technology, October 18, 2016. Available at: https://www.perpetuallineup.org/
Helberger, Natali (2016): Profiling and Targeting Consumers in the Internet of Things – A New Challenge for Consumer Law. Feb 6, 2016, Available at: http://ssrn.com/abstract=2728717
Hoofnagle, Chris Jay (2016): Federal Trade Commission Privacy Law and Policy - Chapter 6 Online Privacy (February 1, 2016). Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy (Cambridge University Press 2016); UC Berkeley Public Law Research Paper No. 2800276. Available at: https://ssrn.com/abstract=2800276
Hormozi, A. M. & Giles, S. (2004): Data Mining: A Competitive Weapon for Banking and Retail Industries. IS Management, 21, 62-71. Available at: http://cjou.im.tku.edu.tw/dm200707/dm_application.pdf
Hunt, Robert (2005): A century of consumer credit reporting in America, No 05-13, Working Papers, Federal Reserve Bank of Philadelphia
Irion, Kristina and Natali Helberger (2016): Smart TV and the online media sector: User privacy in view of changing market realities. Telecommunications Policy, Volume 41, Issue 3, April 2017, Pages 170–184. Available at: http://doi.org/10.1016/j.telpol.2016.12.013
Jentzsch, Nicola (2003): The Regulation of Financial Privacy: The United States vs Europe. ECRI Research Reports No. 5, 1 June 2003. Available at: http://aei.pitt.edu/9430/2/9430.pdf
Kaptein, Maurits; Dean Eckles, and Janet Davis (2011): Envisioning Persuasion Profiles: Challenges for Public Policy and Ethical Practice. 9/10 Interactions 66-69. Available at: https://www.semanticscholar.org/paper/Envisioning-persuasion-profiles-challenges-for-KapteinEckles/fe5f2029df491bdea2cf46697b2e4145c1e226f2/pdf
Kidwell, Roland E. and Sprague, Robert (2009): Electronic Surveillance in the Global Workplace: Laws, Ethics, Research and Practice. New Technology, Work and Employment, Vol. 24, Issue 2, pp. 194-208, July 2009. Available at: https://ssrn.com/abstract=1487801
Kihn, Martin (2016): A Brief, Incredible History of Marketing Data Matching. Blog article at Gartner for Marketers, May 16, 2016. Available at: http://blogs.gartner.com/martin-kihn/a-brief-incredible-history-of-marketing-data-matching/
Kingstone, Sheryl; Rich Karpinski; Brian Partridge (2015): Monetizing ‘Telecom Data as a Service’. Sep 2015, 451 Research. Executive overview available at: https://451research.com/report-long?icid=3534
Kramer, Adam D. I.; Jamie E. Guillory; Jeffrey T. Hancock (2014): Experimental evidence of massive-scale emotional contagion through social networks. PNAS vol. 111 no. 24, 8788–8790. Available at: http://www.pnas.org/content/111/24/8788.full
Kumar, V. (2008): Managing Customers for Profit: Strategies to Increase Profits and Build Loyalty. FT Press
Lee, Newton (2014): Facebook Nation. Total Information Awareness. Springer, 2014.
Lessig, Lawrence (1999): Code and Other Laws of Cyberspace
LiveRamp (2016): IdentityLink Data Store. Providing access to Identity-based data and buyers across the marketing ecosystem. PDF brochure. Personal copy of file with author Wolfie Christl
Lyon, David (2010): Surveillance, Power and Everyday Life. In: Kalantzis-Cope, Phillip; Gherab-Martín, Karim (eds): Emerging Digital Spaces in Contemporary Society: Properties of Technology, Palgrave 2010

91 McConnell, Ted (2015): The Programmatic Primer. A Marketer's Guide to t s- he Online Advertising Ecosy tem Napoli, Philip M. (2011): Ratings and Audience Measurement. In: Nightingale, Virginia (eds): The Han d- - Blackwell. book of Media Audiences, April 2011, Wiley Narayanan, Arvind; Dillon Reisman (2017): The Princeton Web Transpare ncy and Accountability Project. Pre - published book chapter. Available at: http://randomwalker.info/publications/webtap - chapter.pdf Ngai, E. W. T., Li Xiu, and D. C. K. Chau (2009): R eview: Application of data mining techniques in customer relationship management: A literature review and classification. Expert Systems with Applications 36, 2 (March 2009), 2592 - 2602. Available at: http://dx.doi.org/10.1016/j.eswa.2008.02.021 Nissenbaum, H. (2004): Privacy as Contextual Integrity. Washington Law Review (79:1) Norwegian Consumer Council (2016): Consumer protection in fitness wearables. November, 2016. Avai l- 26 - - 2 - vedlegg - able at: https://fil.forbrukerradet.no/wp - content/uploads/2016/11/2016 - 10 - protection - in - fitness - wearables - forbrukerradet - final - version.pdf consumer Oracle (2016): The Audience Playbook. Available at: - guide - 3034880.pdf http://www.oracle.com/us/products/applications/audience Oracle (2017): Oracle BlueKai User Guide. Available at: http://docs.oracle.com/cloud/latest/marketingcs_gs/OMCDA/OMCDA.pdf Oracle (2017): Taxonomy Changes Repo rt, 31.01.2017. Available at: https://docs.oracle.com/cloud/latest/marketingcs_gs/OMCDA/Resources/xls/TaxonomyChangesRe - (via 31.xlsx - 01 port2017 /Ta https://docs.oracle.com/cloud/latest/marketingcs_gs/OMCDA/Help/AudienceDataMarketplace ) xonomy_Updates/taxonomy_updates_january_2017.html Oracle (2017): Using Oracle Data Cloud. Available at: https://docs.oracle.com/en/cloud/saas/data - cloud/ dsmkt/using oracle - data - cloud.pdf - Oracle http://www.oracle.com/us/solutions/cloud/data - directory - (2017): Data Directory. 
Available at: 2810741.pdf Rhoen, Michiel (2016): Beyond consent: improving data protection through consumer protection law. Internet Policy Review, 5(1). Available at: http://policyreview.info/articles/analysis/beyond - - consent improving - data - protection - throughconsumer - protection - law Ridic, Goran; Suzanne Gleason; Ognjen Ridic (2012): Comparisons of Health Care Systems in the United States, Germany and C anada. Mater Sociomed. 2012; 24(2): 112 – 120. Available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3633404 Rieke, Aaron; Harlan Yu; David Robinson; Joris von Hoboken (2016): Data Br okers in an Open Society. An Upturn Report, prepared for the Open Society Foundations. November 2016. Available at: etyfoundations.org/sites/default/files/data - brokers - in - an - open - society - https://www.opensoci 20161121.pdf - Ruiz, Blanca (1997): Privacy in telecommunications: a European and an American approach. Rodríguez The Hague, Boston, Kluwer Law International, 1997. Rothmann, Robert; Ste - Lamina, Jaro; Peissl, Walter; Čas, Johann (2012): Aktuelle Fragen der Geodaten - rbik Nutzung auf mobilen Geräten – - Endbericht. Bericht - Nr. ITA - PB A63; Institut für Technikfolgen - Abschätzung (ITA): Vienna. Available at: https://www.oeaw.ac.at/itaen/projects/the - use - of devices/overview/ - mobile - on - geodata 91 CORPORATE SURVEILLANCE IN EVERYDAY LIFE | A REPORT BY CRACKED LABS , 2017

92 Schneier, Bruce (2015): Data and Goliath. The Hidden Battles to Collect Your Data and Control Your World. . W. Norton & Company W Senate Committee on Commerce, Science, and Transportation (2013): A Review of the Data Broker Indu s- try: Collection, Use, and Sale of Consumer Data for Marketing Purposes. Staff Report for Chairman Rockefeller, December 18, 2013. Avail able at: https://www.commerce.senate.gov/public/ _cache/files/bd5dad8b - a9e8 - 4fe9 - a2a7 - b17f4798ee5a/D5E458CDB663175E9D73231DF42EC040.12.18.13 - senate - commerce - committee - industry.pdf - on report - broker - data - k- Seneviratne, Suranga; Harini Kolamunna, and Aruna Seneviratne (2015): A measurement study of trac ing in paid mobile applications. In Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec '15). ACM, New York, NY, USA, Article 7, 6 pages. Available at: https://www.researchgate.net/publication/282356703_A_measurement_study_of_tracking_in_paid _mobile_applications Singer, Natasha (2012): Mapping, and Sharing, the Consumer Genome. New York T imes, June 16, 2012. Available at: http://www.nytimes.com/2012/06/17/technology/acxiom - the - quiet - giant - - marketing.htm ofconsumer - database Sprague, Robert D. (2007): From Taylorism to the Omnipticon: Expanding Employee Surveillance Beyond the Workplace, 25 J. Marshall J. Computer & Info. L. 1, 2007. Available at: y.jmls.edu/jitpl/vol25/iss1/1/ http://repositor Tanner, Adam (2017): Our Bodies, Our Data. How companies make billions selling our medical records. Beacon Press, Jan 10, 2017 Tene, Omer (2007): What Google Knows: Privacy and Internet Search Engines (October 1, 2007). Uta h Law https://ssrn.com/abstract=1021490 Review. Available at: Tene, Omer and Jules Polonetsky (2013): Big Data for All: Privacy and User Control in the Age of Analytics. 11 Nw. J. Tech. & Intell. Prop. 23 9 (2013). 
Available at: http://scholarlycommons.law.northwestern.edu/njtip/vol11/iss5/1 The Paypers (2016): Web Fraud Prevention & Online Authentication Market Guide 2016/2017. Tolbert, John (2016): CIAM Platforms. Leaders in innovation, product features, and market reach for Co n- sumer Identity and Access Management Platforms. Your compass for finding the right path in the market. KuppingerCole Report, November 2016. Tr ustev Sales Pack. REAL TIME ONLINE IDENTITY VERIFICATION. PDF Brochure. Personal copy of file with author Wolfie Christl T urow Joseph (2011): The Daily You. , U.S. Consumer Financial Protection Bureau (2016): List of consumer reporting companies. Available at: companies.pdf t - of - consumer - reporting - http://files.consumerfinance.gov/f/201604_cfpb_lis United States Government Accountability Office (2015): Facial Recognition Technology. Commercial U s- es, Privacy Issues, and Applicable Federal Law. Report to the Ranking Member, Subcommittee on Pr i- vacy, Technology and the Law, Committee on the Judiciary, U.S. Senate, July 2015. Available at: http://www.gao.gov/assets/680/671764.pdf Winterberry Group (2012): The Data Management Platform: Foundation for Right Customer E n- Time - gagement. A Winterberry Group Whitepaper. Available at: agement_Platforms Data_Man - http://www.iab.net/media/file/Winterberry_Group_White_Paper - November_2012.pdf 92 CORPORATE SURVEILLANCE IN EVERYDAY LIFE | A REPORT BY CRACKED LABS , 2017

93 Woodward, J. D. , N. M. Orlans, P.T. Higgins (2003): Biometrics: Identity Assurance in the Information Age, McGraw, Hill Osborne Media, 2003 r- w much can behavio Yan, Jun; Ning Liu, Gang Wang, Wen Zhang, Yun Jiang, and Zheng Chen (2009): Ho al targeting help online advertising?. In Proceedings of the 18th international conference on World - wide web (WWW '09). ACM, New York, NY, USA, 261 270. Available at: http://dl.ac m.org/citation.cfm?id=1526745 Yu, Zhonghao; Sam Macbeth, Konark Modi, and Josep M. Pujol (2016): Tracking the Trackers. In Procee d- ings of the 25th International Conference on World Wide Web (WWW '16). International World Wide 132. Avail mittee, Republic and Canton of Geneva, Switzerland, 121 Web Conferences Steering Com a- - http://www2016.net/proceedings/proceedings/p121.pdf ble at: Latanya Sweeney (2015): Who Knows What Zang, Jinyan, Krysta Dummit, James Graves, Paul Lisker, and About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps. http://tech science.org/a/2015103001 Technology Science, 2015103001, 30.10.2015. Available at: Zuboff, Shoshana (2015): Big Other: Surveillance Capitalism and the Prospects of an Information Civiliz a- tion (April 4, 2015). Journal of Information Technology (2015) 30, 75 – 89. Available at: http://ssrn.com/abstract=2594754 Zuboff, Shoshana (2016): The Secrets of Surveillance Capitalism. Frankfurter Allgemeine Zeitung, 05.03.2016. Available at: http://www.faz.net/aktuell/feuilleton/debatten/the - digital - - capitalism - ofsurveillance - secrets 14103616.html?printPagedArticle=true - debate/shoshana - zuboff 93 CORPORATE SURVEILLANCE IN EVERYDAY LIFE | A REPORT BY CRACKED LABS , 2017

Related documents