A recent Financial Times article asks “how much is your personal data worth?” This sparked a thread on the VRM mailing list to which I’d like to respond. Tony pointed out that their numbers are old. I’d also add that the entire article is a bit disingenuous. The headline “How much is your personal data worth” implies a broad valuation, as in “how much is a dollar worth?” The article conveniently ignores many uses and markets for that data and in fact illustrates only an extremely narrow slice of them. It should have read “What is your legally collected data worth to data brokers, assuming you are not a high value target?”
Let’s take these in reverse order.
High value targets
Obviously if you are a celebrity your data is worth more. But if you work at a high value target, your data is worth more. What’s a high value target? When I worked at BofA they gave us training every year because apparently there’s a certain amount of trade in holding bank employees for ransom. Of course, that’s just for crooks with no imagination. These days they are just as likely to blackmail employees into doing their bidding, and it doesn’t have to be banks. “High value target” includes law enforcement and judiciary, shipping and logistics companies, anyone with high-value IP, etc. If you are between the crook and their target, you are a high value target and your data becomes valuable.
Of course, blackmail is so 20th century. There’s still some of that going around, but today they are more likely to use your data to social engineer you. The more someone knows about you, the more easily they can convince you that they are a legitimate representative of [your company’s IT department | your vendor | a government agency | …], and then get you to do something that compromises your computer or your job.
The point is that bulk data is cheap. Targeted data is expensive, far more so than is hinted at by the FT article.
Not a data broker
Your data is obviously worth a lot more than a few pennies to vendors who detect non-price-sensitive shoppers and jack up the price by 10 ~ 20%. The article I linked a while back had per-item price differentials above $10. Sites like backgroundreport360.com and backgroundpi.com get in the neighborhood of $30 ~ $40 to disclose the data they have on you. One application we were developing when I left Equifax (on a project that eventually was spun off as ChoicePoint) was looking to find a market space between credit reports and mailing lists. Unqualified mailing lists were pennies per name, and anyone could buy them. Credit reports were many dollars each, and you had to be doing business with the target. Our project was to find a legal way to enrich mailing lists by pre-qualifying them, without triggering an obligation to generate a credit report inquiry record. The enriched mailing lists would then be worth 4 to 10 times the regular ones.
Although portions of the profiles used in these cases are sourced from companies such as those listed in the FT article, there is clearly a difference between raw data items at pennies apiece and aggregated, refined, and/or verified profiles.
Security journalist Brian Krebs lives a double life: his public face is that of a security researcher, and alongside it he maintains several identities on underground crime forums. Thanks to his access to those underground marketplaces, we have some insight into what goes on there and into pricing in the various markets.
“Freshtools, for example, sells purloined usernames and passwords for working accounts at overstock.com, dell.com, walmart.com, all for $2 each. The site also sells fedex.com and ups.com accounts for $5 a pop, no doubt to enable fraudulent reshipping schemes. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.”
From: Exploring the market for stolen passwords
“One prominent credential seller in the underground peddles iTunes accounts for $8, and Fedex.com, Continental.com and United.com accounts for USD $6. Groupon.com accounts fetch $5, while $4 buys hacked credentials at registrar and hosting provider Godaddy.com, as well as wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com. Active accounts at Facebook and Twitter retail for just $2.50 apiece.”
From: The value of a hacked email account
“Case in point: ssndob.ru, a Web site that sells access to consumer credit reports for $15 per report. The site also sells access to drivers license records ($4) and background reports ($12), as well as straight SSN and date of birth lookups. Random “fulls” records — which include first, middle and last names, plus the target’s address, phone number, SSN and DOB — sell for 50 cents each. Fulls located by DOB cost $1, and $1.50 if searched by ZIP Code.”
From: Credit reports sold for cheap on the underweb
The FT article claims “General information about a person, such as their age, gender and location is worth a mere $0.0005 per person, or $0.50 per 1,000 people.” If that is true, then why does a “fulls” record, which carries the same kind of information (age via DOB, location via address) plus name, phone number and SSN, fetch $0.50 per person on the black market, three orders of magnitude more than the FT figure? How many black markets are there where the price is higher than for the same product on an open market?
So yeah, in the VERY narrow use case of bulk data, legally obtained, and traded amongst certain data brokers, this stuff is cheap. Aggregate it, refine it, target it, use it or collect it illegally, and it becomes much more valuable.
There’s one other aspect of this that nobody seems to take into account, and it’s related to my “value of data over time” pitch from IIW. In the past there was a premium on data that was fresh. Stale data could be wrong, and the more stale it was, the higher the chance it was wrong. Most data was collected in real time for instantaneous use. This is why, for example, almost all discussion of security focuses on securing the connection (encrypting the transport and authenticating the server) rather than on signing the data itself. The business value of that unsigned data is only valid in the context of the connection that delivers it; once it leaves that context it carries no proof of where it came from.
But today data value has a time dimension, and this is completely ignored by the FT piece. A single instance of your GPS coordinates is only valuable in real time. A series of GPS coordinates becomes extremely valuable for finding out where you’ve been, the route you traveled to get there, when you are reliably away from home, etc. Similarly, having your personal data at a single point in time is considerably less valuable than having its history. One reason data brokers sell bulk data so cheaply is that the real value is in refining the data through aggregation, correlation and verification, so that it becomes not a low-res snapshot but a hi-def movie.
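To make the snapshot-versus-movie point concrete, here is an added example of my own (it is not code from the original post, nor any broker's or tracker's product). It takes a constructed three-day trace of timestamped GPS fixes, clusters them spatially, and labels the clusters by when the device dwells in them. A single fix yields nothing; the same fixes as a series yield a home and a workplace. The coordinates, the 150 m clustering radius, the night and office-hour windows and the two-day evidence threshold are all assumptions chosen for illustration.

```python
import math
from datetime import datetime

# Added example, not code from the original post or any broker's product.
# Coordinates, timestamps, radius and hour windows are constructed for illustration.


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def cluster_fixes(fixes, radius_m=150.0):
    """Greedy spatial clustering of (datetime, lat, lon) fixes: a fix joins the
    first cluster whose running centroid is within radius_m, else starts a new one."""
    clusters = []
    for ts, lat, lon in fixes:
        for c in clusters:
            if haversine_m(lat, lon, c["lat"], c["lon"]) <= radius_m:
                n = len(c["fixes"])
                c["lat"] = (c["lat"] * n + lat) / (n + 1)  # update centroid
                c["lon"] = (c["lon"] * n + lon) / (n + 1)
                c["fixes"].append((ts, lat, lon))
                break
        else:
            clusters.append({"lat": lat, "lon": lon, "fixes": [(ts, lat, lon)]})
    return clusters


def is_night(ts):
    return ts.hour >= 22 or ts.hour < 6


def is_office_hours(ts):
    return ts.weekday() < 5 and 9 <= ts.hour < 17


def infer_routine(fixes, radius_m=150.0, min_days=2):
    """Label clusters by *when* the device dwells in them: the cluster with the
    most night fixes is 'home', the one with the most weekday office-hour fixes
    is 'work'. A label is assigned only when the evidence spans at least
    min_days distinct days, so a single fix (or a single day) proves nothing."""
    clusters = cluster_fixes(fixes, radius_m)
    result = {}
    for label, pred in (("home", is_night), ("work", is_office_hours)):
        best = max(clusters, key=lambda c: sum(pred(ts) for ts, _, _ in c["fixes"]), default=None)
        days = {ts.date() for ts, _, _ in best["fixes"] if pred(ts)} if best else set()
        result[label] = (round(best["lat"], 5), round(best["lon"], 5)) if len(days) >= min_days else None
    return result


def sample_history():
    """Constructed trace for Mon-Wed 2024-09-02..04: nights near one point, office
    hours near another (both jittered by ~10 m), plus one fix in transit each morning."""
    home, work = (37.7749, -122.4194), (37.7900, -122.4000)
    fixes = []
    for day in (2, 3, 4):
        for hour in (0, 3, 23):
            fixes.append((datetime(2024, 9, day, hour), home[0] + 0.0001 * (hour % 2), home[1]))
        fixes.append((datetime(2024, 9, day, 8, 30), 37.7820, -122.4100))  # in transit
        for hour in (10, 13, 16):
            fixes.append((datetime(2024, 9, day, hour), work[0], work[1] + 0.0001 * (hour % 2)))
    return fixes


if __name__ == "__main__":
    history = sample_history()
    print("single fix:", infer_routine(history[:1]))  # nothing inferable from one point
    print("three days:", infer_routine(history))      # home and work both located
```

Real trackers use far more sophisticated models than a greedy centroid and fixed hour windows, but the shape of the result is the same: the value is not in any one coordinate pair but in the correlation across time, which is exactly what a broker is selling when it prices history above points. The min_days threshold is the freshness-versus-history trade-off from above made explicit: more days means a more confident inference, at the cost of older data in the set.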
The personal data to which the FT article refers is like crude oil. The personal data which we should be worried about is like premium unleaded gas. Either way, it’s about you, directly impacts you and has market value to everyone but you. Don’t let anyone tell you it has no value. Even the Financial Times.