What Stays in Vegas

Personal data and the end of privacy as we know it.

Adam Tanner begins his book “What Stays in Vegas” by describing being tailed by East Germany’s Ministry of State Security, the Stasi, while researching the Frommer’s travel guide Eastern Europe & Yugoslavia on $25 a Day (1989). At the time, Tanner was unaware he was under surveillance; he obtained the fifty-page dossier security agents had compiled on him only after reunified Germany opened the Stasi files to those who had come under investigation. He tells the story to illustrate that gathering information about individuals is no longer a labor-intensive process, as [private] “companies have fine-tuned efficient methods of gathering information … that would make the Stasi green with envy.” Yet like spies, most data collectors remain unseen and are subject to minimal oversight. In fact, today, governments are “turning to data brokers and other companies to supplement their own files because the private-sector data collection is so extensive,” Tanner writes.

In “What Stays in Vegas: The World of Personal Data—Lifeblood of Big Business—and the End of Privacy as We Know It” (PublicAffairs), Tanner explores the wide world of personal data collection, and answers the questions: Who is gathering personal data about us and what are they doing with that data? Along the way, Tanner reminds us that public records and personal information are being used to publicly shame people—consider Just Busted mug shots, for example—and discriminate against them. In the following Failure Interview, Tanner—a fellow at the Institute for Quantitative Social Science at Harvard University—takes us behind the scenes and introduces us to “this gathering and aggregating of data that you don’t see and may not understand the implications of.”

Why did you use Las Vegas—and the famous advertising slogan “What Happens Here, Stays Here”—as the cornerstone of your book?
In the world of personal data, Las Vegas is interesting on a couple of fronts. First, the basis of personal dossiers that companies gather about people is public records, and Las Vegas gathers more public records than other places, in particular marriage licenses and wedding records, because more people get married in Las Vegas than anywhere else.

Also, there’s more video surveillance in private spaces in Las Vegas than anywhere else, and a great deal of sophistication in the way [casino] loyalty programs are done—and loyalty programs are an important way in which personal data is gathered. All of that, plus the inherent interest in Las Vegas and the mysteries about what goes on behind the scenes there make it an interesting place to set much of the book.

Who collects data on us?
Many of the biggest and best-known companies in the country, as well as data brokers you’ve never heard of—like Acxiom and Experian—who are putting together hundreds and even thousands of individual points of detail about you into massive files that tell the world who you are, so companies can market to you more specifically.

How are they collecting all this information?
They start with the transactions you do with them. If you buy something from a company they are now going to track you, whereas decades ago they didn’t have a complete record of everything you ever bought. Then they often supplement additional data on top of that. It might be public record or other information about who you are, and they might get that from data brokers. It’s largely about trying to sell you goods and services; it’s not to try and do evil to you. But it’s using a lot of data behind-the-scenes to target the right goods to the right people.

Can an individual see what information data brokers have on them?
Traditionally, no. But about a year ago Acxiom set up a free site at aboutthedata.com, which allowed people, for the first time, to see part of their consumer file—what they think you are interested in as a consumer. I talked to a few dozen people who have looked up their profiles and some people are listed as having children and they don’t have children or are [supposedly] interested in a pastime that they have never had any interest in. But a lot of the data is accurate.

What do you not see in your file?
You don’t see projections that are based on modeling. They model the information; as in, who is likely to make a trip to South Florida or buy a car in the next six months. This is considered proprietary information because they have to do sophisticated data analysis.

Is there any way to avoid having your data collected and sold?
For example, at aboutthedata.com you can opt out entirely, and a small percentage of people have—less than two percent. But the best way to do it is to be cautious with how you share your data to start with and to be aware what sites and companies are doing with your data. Some companies do not sell or share the data with others and other sites very widely sell or distribute the data. So you should opt out—ask them not to share the data—if you care about that. But as far as I’m concerned, it’s up to each person to set their level of privacy protection. One solution is not going to fit everyone.

But when you open a bank account or sign up for a credit card or buy a car you receive that notice advising you that the company can share your information, even if you are no longer a customer.
But different institutions have different policies, so if that’s of interest to you as a consumer you should let your wallet lead the way, and companies that offer you that choice of what’s going to happen to your data may win your business. It’s not an easy thing to find out, but over time the companies that are most open and transparent about what they do with data are going to win attention.

The Appendix of “What Stays in Vegas” offers tips for taking control of your data. What’s one important thing you can do to avoid having your data exploited?
If it’s a sensitive purchase or transaction—like medical data, financial data or sex-related stuff—you should think especially carefully about it. For example, at adameve.com you can buy adult videos and toys, and Adam & Eve sells mailing lists. So if you’re a marketer and want a list of women who have bought porn in the last six months, Adam & Eve will sell that. If you are buying something sensitive that’s the instance when you should pay closer attention as to what happens to your personal information. In that case you might want to buy in the conventional analog world and pay cash.

And what’s a proactive thing you can do to protect yourself?
You mentioned the Appendix of the book and one idea is to use individual email addresses for different companies. You can set the parameters so that United Airlines has one address and Disney has another address and your local restaurant has a third address and they all bounce to your main email [using a program like Abine’s MaskMe]. The reason you might want to do this is if one company starts sending an excessive amount of communication you don’t want to receive you can just shut down that one bounce account. This puts you in control in terms of what information is coming to you.

What do you think is the next “big thing” in data exploitation? Medical data?
Medical data is what I’m writing about next because it’s especially complicated to understand what’s happening with it. Medical data is also interesting because unbeknownst to most people when you go to the pharmacy your pharmacy records are sold and when you go to the hospital data about your visit is sold. And sometimes if you have a blood test that data is sold. It’s sold in anonymized fashion—for example, a 38-year-old woman living in such-and-such zip code had such-and-such test done. Then those records will be synched up over time. The problem is that as our ability to handle data becomes more sophisticated, it’s easier to identify individuals. So there is the potential of being able to see trends in health that we weren’t able to see before. At the same time there is more danger to privacy.

How does the U.S. compare to other countries in terms of the collection and sale of personal data?
I just came back from the [36th annual] International Conference of Data Protection and Privacy Commissioners and what struck me is how this issue is of wide interest throughout the world. There was a presentation from the Privacy Commissioner for Personal Data from Hong Kong [Allan Chiang], and he was explaining a number of practices that outraged local people in terms of how data was handled and what the companies were doing. Those practices are commonplace in the U.S. and do not stir up outrage from the public. Standards differ from place to place with America being a little more adventurous in terms of allowing the collection of data with fewer controls.

Is regulation of the personal data industry in need of a legal overhaul in the U.S.?
First we need to have a national discussion so people can better understand what is going on and then we can decide what we are comfortable doing. I don’t think there is inherently anything bad in trying to know your customers and targeting offers to the right people. What has happened over time is something akin to the development of industry. You develop a product and then there are side effects that you hadn’t anticipated. It might be worth examining those right now when it comes to personal data, so we don’t have unintended consequences where lives are being damaged. There are all sorts of potential uses of personal information that can be humiliating or even discriminating. But I do want to emphasize that all the technology—whether it’s our cell phones or being able to shop at all hours of the day or night—has overwhelmingly been a positive development. It’s just that there are side effects that are worthy of looking at alongside all the good things.