FT on How much is your personal data worth?

A recent Financial Times article asks “how much is your personal data worth?”  This sparked a thread on the VRM mailing list to which I’d like to respond.  Tony pointed out that their numbers are old.  I’d also add that the entire article is a bit disingenuous.  The headline “How much is your personal data worth” implies broad valuation as in “how much is a dollar worth?”  The article conveniently ignores many uses and markets for that data and in fact is extremely narrowly illustrated.  It should have read “What is your legally collected data worth to data brokers, assuming you are not a high value target?”

Let’s take these in reverse order.

High value targets

Obviously if you are a celebrity your data is worth more.  But if you work at a high value target, your data is worth more.  What’s a high value target?  When I worked at BofA they gave us training every year because apparently there’s a certain amount of trade in holding bank employees for ransom.  Of course, that’s just for crooks with no imagination.  These days they are just as likely to blackmail employees into doing their bidding, and it doesn’t have to be banks.  “High value target” includes law enforcement and judiciary, shipping and logistics companies, anyone with high-value IP, etc.  If you are between the crook and their target, you are a high value target and your data becomes valuable.

Of course, blackmail is so 20th century.  There’s still some of that going around but today they are more likely to use your data to social engineer you.  The more someone knows about you, the more likely it is they can convince you that they are a legitimate representative of [your company’s IT department | your vendor | a government agency | …] to convince you to do something that compromises your computer or your job.

The point is that bulk data is cheap.  Targeted data is expensive, far more so than is hinted at by the FT article.

 

Not a data broker

Your data is obviously worth a lot more than a few pennies to vendors who detect non-price-sensitive shoppers and jack up the price by 10 ~ 20%.  The article I linked a while back had per-item price differentials above $10.  Sites like backgroundreport360.com and backgroundpi.com get in the neighborhood of $30 ~ $40 to disclose the data they have on you.  One application we were developing when I left Equifax (on a project that eventually was spun off as Choice Point) was looking to find a market space between credit reports and mailing lists.  Unqualified mailing lists were pennies per name anyone could buy them.  Credit reports were many dollars each and you had to be doing business with the target.  Our project was to find a legal way to enrich mailing lists by pre-qualifying them, without triggering an obligation to generate a credit report inquiry record.  The enriched mailing lists would then be worth 4 to 10 times the regular ones.

Although portions of the profiles used in these cases are sourced from companies such as those listed in the FT article, there is clearly a difference between raw data items for pennies a piece versus aggregated, refined, and/or verified profiles.

 

Legally obtained

Security pro Brian Krebs lives a double life with his public face as a security researcher and with several secret identities as an underground hacker.  Thanks to his access to the hacker darknet marketplaces, we have some insight into what goes on there and pricing in the various markets.

“Freshtools, for example, sells purloined usernames and passwords for working accounts at overstock.com, dell.com, walmart.com, all for $2 each. The site also sells fedex.com and ups.com accounts for $5 a pop, no doubt to enable fraudulent reshipping schemes. Accounts that come with credentials to the email addresses tied to each site can fetch a dollar or two more.”
From: Exploring the market for stolen passwords

“One prominent credential seller in the underground peddles iTunes accounts for $8, and Fedex.com, Continental.com and United.com accounts for USD $6. Groupon.com accounts fetch $5, while $4 buys hacked credentials at registrar and hosting provider Godaddy.com, as well as wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com. Active accounts at Facebook and Twitter retail for just $2.50 apiece.”
From: The value of a hacked email account

“Case in point: ssndob.ru, a Web site that sells access to consumer credit reports for $15 per report. The site also sells access to drivers license records ($4) and background reports ($12), as well as straight SSN and date of birth lookups. Random “fulls” records — which include first, middle and last names, plus the target’s address, phone number, SSN and DOB — sell for 50 cents each. Fulls located by DOB cost $1, and $1.50 if searched by ZIP Code.”
From: Credit reports sold for cheap on the underweb

The FT article claims “General information about a person, such as their age, gender and location is worth a mere $0.0005 per person, or $0.50 per 1,000 people.”  If that is true, then why is the black market price for the same data elements $0.50 per person – three orders of magnitude greater than the FT price?  How many black markets are there where the price is higher than the same product on an open market?

 

So yeah, in the VERY narrow use case of bulk data, legally obtained, and traded amongst certain data brokers, this stuff is cheap.  Aggregate it, refine it, target it, use it or collect it illegally, and it becomes much  more valuable.

There’s one other aspect of this that nobody seems to take into account and it’s related to my “value of data over time” pitch from IIW.  In the past there was a premium on data that was fresh.  Stale data could be wrong.  The more stale, the higher the chance it was wrong.  Most data was collected in real time for instantaneous use.  This is why, for example, almost all discussion of security focuses on securing the connection and not signing the data.  The business value of that unsigned data is only valid in the context of the connection that delivers it.

But today there’s a time element of data value, and this is completely ignored by the FT piece.  Having a single instance of your GPS coordinates is only valuable in real time.  Having a series of GPS coordinates becomes extremely valuable to find out where you’ve been, the route you traveled to get there, etc.  Similarly, having your personal data at a point in time is considerably less valuable than having the history of it.  One reason data brokers sell in bulk so cheap is that the real value is in refining the data through aggregation, correlation and verification, so that it becomes not a low-res snapshot but rather a hi-def movie.

The personal data to which the FT article refers is like crude oil.  The personal data which we should be worried about is like premium unleaded gas.  Either way, it’s about you, directly impacts you and has market value to everyone but you.  Don’t let anyone tell you it has no value.  Even the Financial Times.

For another take on this, read Mary Hodder’s post over at the Napsterization site.

Comments

  1. Hi.

    Thanks for your analysis. I have a very basic question about the FT article : they always mention the price of profile, but do they mean price of the profile with the email attached ? They never mention (of maybe I missed it) how you can reach the customer ?

    Is it because the data includes the names ? It is CPM view of a website ? Is it physical address ? ..

    Thanks

    • Hi Arnaud, you have hit on another problem with articles such as the FT one referenced: lack of detail regarding the specifications of the data, lack of context regarding the markets in which it is sold, and lack of detail regarding the purchasers and uses for that data. Any article can argue “your data is valuable” or “your data is cheap” in the abstract and make a case that a casual reader would agree with.

      But to answer your question more directly, data used in aggregate for targeting ads or market trend research is generally cheaper than data with which you can contact a person. That second type of data has a special name and is treated differently from a legal standpoint. Personally Identifiable Data, or PII as it is often known, includes any data element that identifies you by name, address, phone, email FAX or other means of contacting you. Obviously any other information that is unique to you and can be used to identify you such as fingerprints or retina patterns also qualifies as PII but may be classified under a more strict subset of PII that is regarded as health or financial data, and even more tightly regulated. The cost of the data tends to rise as the level of regulation and protection increases.

      Unless you are the NSA in which case you just ask a secret court to make a secret ruling that let’s you have the data legally and at zero incremental cost.

      • Yes, sure, the NSA example is very good :-)) The only good point for us is that you don’t need to worry anymore about saving your datas in a remote server, just call NSA if you loose your contacts infos..

        So in the FT article, I agree with you that they are not precise enough… When they say “your personal data is worth 0,103$” , do you think they mean with PII included ? I’m not even sure they know the difference btw…

        And just for my information, I personaly don’t know a way to use non-PII infos..? What can I do if I have 10000 item with age and town and an info like “I love movies”… ?

        Thanks a lot for sharing your thoughts 🙂

        Arnaud

        • The article uses the example of pitching goods and services so either there is PII available to the buyer, or else the buyer gives the ad copy to the broker who then manages the campaign. As for your other question it isn’t so much what you can do with 10000 item with age and town and an info like “I love movies” but rather the ability to forecast that number going up or down, or possibly the context of how many love movies versus how many love books. In those kinds of statistics the value is in either seeing the relative sizes of the pie pieces in a market, or else making predictions on how those ratios will change in the near future. Those uses are valuable and do not depend on PII. Whether you personally could use that aggregated data depends a lot on whether are choosing between alternatives of investing in a theater or a book store. If you already own one of these and wish to drive revenue, you probably need the PII to do you any good.

Trackbacks

  1. Thoughts About the Value of My Personal Data…

    Financial Times has a calculator for the value of your personal data. The numbers they use to calculate this are old, but even if the numbers were new and fresh, this is the wrong discussion. I don’t care that my……

Leave a Reply to ArnaudCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.