For about one cent – or 1.2 Singapore cents to be exact – I can buy your name, home and email address, mobile number, and shopping history from a broker – all stolen without your knowledge.
And you’re not alone. Tons of customer data can be bought for a dirt cheap price, with 300,000 names going for as little as S$1,000 (about US$800).
This is Singapore’s grey market for data: where private customer information is extracted from customer databases either knowingly or unknowingly, and then sold to shady data brokers.
These brokers, in turn, are approached by people – marketers, ecommerce site owners, or anyone with an agenda who is willing to pay the right price – who are keen on getting a slice of a massive database.
Just recently, Tech in Asia was contacted by one such broker who goes by the name John Lee. In his sales pitch, which landed in our inbox, Lee claimed to have data from Deal.com.sg, Groupon, Zalora, Reebonz, CloutShoppe, and Lazada – some of the most popular daily deals and shopping sites in Singapore.
His assertions are hard to verify, but the amount of records that Lee claimed to possess is staggering if true – 650,000 records from Deal, 440,000 from Reebonz, and 400,000 from Zalora. That’s just for Singapore alone.
That’s not all. To prove his legitimacy, Lee included screenshots of emails from apparently satisfied customers, containing information like how many records they purchased, how many of them contained invalid email addresses, and the conversion rates from sending spam to these email addresses.
“Overall our sales revenue increased. We would like to purchase double quantity for second dealing [sic] with you,” wrote one of the buyers, who then requested an order of 900,000 records – about one-sixth the population of Singapore.
Data not compromised, say ecommerce sites
In response to Lee’s claims, a Zalora spokesperson told Tech in Asia that they are aware of data brokers who claim to have Zalora’s customer database. However, she asserts that its databases are “extremely secure and have never been compromised, sold, monetized or made available to any parties” outside of the company.
She adds: “Customer data privacy is of the utmost importance to us and is secured behind several layers of protection, via firewalls and access control mechanisms with detailed audit logs. We have not detected any intrusions into our systems to date.”
A Lazada spokesperson, meanwhile, has said that all its data is encrypted and kept in an isolated environment with isolated security. As such, only a restricted number of employees can access the real data, and all activity is monitored and logged.
“Lazada Singapore will not launch until later this year, so no Lazada Singapore customer databases currently exist. Therefore, if data is being offered for sale, we are confident it is not connected to Lazada Singapore… As a group, Lazada is not aware that any of its legitimate customer data has been misappropriated and sold in any of its markets.”
Other than these two, none of the other companies whose databases have allegedly been compromised have responded to Tech in Asia’s queries. Only a couple of the broker’s supposed customers have responded to our requests. One is Ian Chua, marketing director at Hermo, a Malaysian website selling beauty products. “The offers we’ve received are always very expensive and we as a startup can’t afford as well,” he says.
Meanwhile, ChicKissLove has claimed that the email Lee purportedly received from it was fabricated.
Privacy laws exist, but are hard to enforce
Businesses have been keeping records for centuries, and data brokerage is perhaps an activity that’s as old as civilization. But the internet changed things. Data can now be collected, stored, and distributed at a scale never before seen in history.
Duplicating data is no longer a matter of manually writing down the information from one ledger to another, it’s now about copying and pasting data by pressing a few buttons.
The importance of data in commerce has grown too. Google and Facebook are collecting data about your online behavior to determine the sort of ads to show you. Fashion labels are scouring the web for data on what their next collection of clothes should consist of. Businesses are also buying private information to pre-screen potential employees.
The ease of collecting data, combined with a rising demand for it, has led to the growth of a data brokerage industry that is starting to alarm regulators, particularly in the United States.
Recently, the US Federal Trade Commission found that 20 percent of data brokers in the country had failed to verify the identity of their customers and had not adequately checked that those customers had legitimate purposes for buying the data.
In Singapore, the government enacted the Spam Control Act in 2007 to govern how advertisements should be sent over email, and then in 2012 finalized the Personal Data Protection Act (PDPA) to protect consumers from unsolicited phone calls and misuse of personal data.
Under the PDPA, organizations – individuals included – must obtain consent of consumers before using their data, says Jonathan Kok, partner at law firm RHTLaw Taylor Wessing. They must also inform consumers about how their personal data will be used, which is why many online shopping sites now do so in their terms of service. So, except in some circumstances, using data without your consent is, strictly speaking, illegal.
The problem lies in enforcing the law. The Personal Data Protection Commission does not police the collection, use, and disclosure of personal data by organizations and would usually only act on complaints or tip-offs. Since individuals can’t easily trace who is abusing their personal data, they would typically just let it go.
“The website or mobile app owner may be upfront about how your information will be used. But it is the third-party which the owner engages to operate the website or the mobile app that may be the culprit abusing the data. They have access to the website’s database, which means they can make their own analysis and even sell the information to some other interested party,” says Kok.
Also, there’s nothing in the law that expressly makes buying information procured via unethical means illegal, he adds. The PDPA is only intended to govern how organizations disclose data.
This means that while the PDPA is somewhat effective in combating unwanted phone calls, it is less effective against other kinds of data abuse. Organizations certainly won’t complain since they benefit from procuring data – especially if they’re sold at one cent apiece (Note: The Commission has responded to the article. Scroll to the bottom to see their response).
Meet the shadow broker
Reaching John Lee by email or phone is not difficult at all. Lee tells Tech in Asia that for the past five years he has been in cahoots with marketing and IT managers working inside the ecommerce websites from which he obtained the data.
Based primarily in Malaysia, he makes trips down to Singapore a couple of times a week to transact with clients. He even has an after-sales service to replace invalid email addresses free-of-charge.
Lee claims that Foodpanda – owned by Rocket Internet, the same entity that runs Zalora and Lazada – and well-known local blogger Dawn Yang are also customers. Both have vehemently denied the claims.
“No, we’ve never purchased customer data. We never did and we never will. This is against our values and principles,” says Vera Futorjanski, the global head for public relations at Foodpanda and sister site Hellofood.
Meanwhile, Yang says that her customer database has been built up only through three years of marketing effort and word-of-mouth.
“Several sellers have contacted me repeatedly before, and I did ask them questions for curiosity’s sake, but in the end I have not purchased from any of them…our number stands at less than 30,000, which is barely a fraction of what these brokers are selling,” she says. So it appears that some of Lee’s claims may have been burnished.
Most of the customer data that Lee attached in his initial email to Tech in Asia do seem valid though. I attempted to reach out to all of them via email, and only a few bounced.
I also called three of them, and their names match Lee’s records. All three, however, were blasé about the fact that their data is being sold without permission.
“I’m not necessarily concerned because the information I shared isn’t particularly sensitive. Any junk mail I get goes into my spam folder anyway,” says Hari Shankar.
A lecturer, who declined to be named, isn’t too worried either. “As long as I don’t lose any money, I’m fine. This is inevitable. You have to give your particulars whenever you join a contest or lucky draw. And besides, I don’t mind being updated about whatever products they have. Whether I buy them or not is another thing, but it’s good to have more options,” he says.
Asian consumers, it seems, aren’t as concerned about data privacy as their Western counterparts, who have been recently rocked by the NSA surveillance revelations.
Saiyai Sakawee, Tech in Asia’s Thailand correspondent, tells me that people in Thailand tend to overshare about their lives. “They even post credit card information on Facebook sometimes,” she adds.
The notion that Asians don’t care where their data goes to is, of course, a generalization.
Belmont Lay, a writer and editor from Singapore, doesn’t think companies deserve a free lunch with all the data they are gathering and profiting from. “If my data is so valuable, I should have been paid for it.”
As siren servers grow, consumer power may wane
Lay’s sentiment is echoed in the book Who Owns the Future? by technologist Jaron Lanier, in which he talks about a future where the middle class will be rendered powerless by the rise of “siren servers” – entities like Facebook, Google, governments, or any organization with a trove of customer data.
Eventually, these mega-entities will create software that will replace many middle class jobs, using the data they’ve obtained to replicate human behavior, according to the book. It’s starting to happen: robots are rendering warehouse workers obsolete, and self-driving cars will soon take over the roads, displacing taxi drivers. Wealth will be concentrated among the machine owners as new jobs are not created in proportion to replace old ones, drastically shrinking the middle class.
The solution to this, Lanier argues, is that customers should be compensated by companies for any personal data they use. That way, wealth is more equally distributed, and people are rewarded for any data they reveal which eventually leads to profits for a company.
Making his utopian dream a reality, however, will take a lot of political will. Consumers too will need to play their part, although the devil’s deal of using a service for free in exchange for giving up private data may be too hard to resist.
The challenge with raising consumer awareness, though, comes in how data transacting is an opaque process. These transactions occur behind closed doors and in hushed tones, and for someone like Lee to so brazenly email a media organization like Tech in Asia either signals carelessness or an ulterior motive.
As consumers, we simply have no clue how our data is being used and by whom, and that perhaps is the scary part.
“It’s not about what we know we’re sharing, it’s about what we don’t know is being collected and sold about us,” says Tim Sparapani, Facebook’s former director of public policy.
Response from the Personal Data Protection Commission
“The Personal Data Protection Commission does not police the collection, use and disclosure of personal data by organizations and would usually only act on… typically just let it go” – Individuals can inform the PDPC of the circumstances in which they believe their personal data is abused, and the PDPC will follow up to investigate the claim, so the process is not as onerous as inferred. The individual does not have to trace the claim himself.
“…there is nothing in the law that expressly makes buying information procured via unethical means illegal, he adds. The PDPA is only intended to govern how organisations disclose data” – The selling (or disclosing) of the data is governed under the PDPA. The Commission will follow up on complaints to investigate how the buyer obtained the third-party information, and take action against the seller if consumers had not consented to the disclosure of their personal data. Illegally trading in data will still be enforced against, though on the end of the seller rather than the buyer. In addition, enforcement action could be taken against the buyer if the buyer had used the personal data in the list (e.g. to contact an individual for a purpose), since he had not obtained consent to both the collection and use of the data per se.
Lead photo credit: g4ll4is. Editing by Steven Millward.