116 comments

[ 0.23 ms ] story [ 193 ms ] thread
If you are giving data to someone, or having data produced about you, it is a good assumption at this point that someone is trading it, selling it or monetizing it.

With no effective data ownership or privacy legislation in the US, it will continue to be that way.

Lexis nexis is way beyond what you’re describing. Its basically a company that forms dossiers on every person, even if they had no digital footprint.

It combines every source of public data possible, and even includes court records that are sealed or expunged

How does it have access to sealed court records?

I thought the whole point of "sealed" meant that the contents of the case were off-limits to the public for any and all reasons

In this case they are probably just keeping a record of the fact you have a sealed record.
They are off limit to the public, but if at one time they werent then lexis scooped them up.
Little stays sealed for ever, and sealed documents are often mistakenly filed openly. IF you're in the data collection/scavenging business it's not that hard to get hold of stuff that wasn't meant to be circulated.
Most cases are not sealed from the outset - so anything already out there is indexed forever, regardless of current legal status.

This was the case at least when I looked into in ~20 years ago. There simply was no point in following the expungement process since all the usefulness of it was already gone due to the records existing in private databases.

Expungement is still useful (though less useful) because the record can no longer be used as a part of the legal process.
All they had to do was scrape public records before they were sealed or expunged. When a record is sealed or expunged, that only means the court stops publishing it or deletes their record. Anyone who retrieved it before that doesn't have to give it back and nobody's memory gets wiped.
But the court also can’t confirm the veracity of the claimed record. Anyone can say ‘there was a record of nonameiguess being charged with this crime in this court on this date but it’s since been expunged’. Okay, but you’re not that court, and the official records don’t exist so… what good does it do?
LN: "Sorry you don't get a house|job|whatever"

You: "Um, why not?"

LN: "That's our secret"

Course you won't even know LN is even involved in the loop. You're being judged in a court of opinion with no recourse.

Yes, also people dramatically undervalue how substantial the absence of data is when it comes to profiling someone. Especially when you compare it to other data points, for example not having credit cards on record is enough information to start building a whole lot of other connections.
No, it's exactly what I'm describing... courts generate data about you, someone (LN as an example) slurps it up. Buy a house, deed gets recorded, data gets generated and someone slurps it up.

Buy a product with a CC. All of the half dozen to dozen vendors involved in the transaction will generate data about you and sell/trade the data to other people.

Sure, LN might have some really good profiles, but there are so, so many companies doing the similar things.

I used to work for LN for years. At the time, basically all their data comprised public records than were purchased from government agencies such as DMV/DOL, courts, county assessors, etc. This isn't a problem of "if you aren't buying the product, you ARE the product."

Not long before I left, they were integrating with insurance data, which expanded out of government records. No clue where they've gone since.

Somewhat related, the anonymously sourced and unprovenanced document "PROTON, CLEARWATER and Lexis-Nexis"[1] provided to cryptome August 2013 in the wake of the Snowden revelation of "parallel construction" - though not itself from Snowden as far as we know - has the following:

> All members of the Intelligence Community have access to LEXIS-NEXIS. [...] All domestic law enforcement has access to LEXIS-NEXIS, its a fundamental investigative tool. IRS, DOJ, Treasury, Local PD, Sheriffs Office all have a LEXIS-NEXIS access or the means to pull data from them.

> [...] Imagine your a citizen in New York and you get surveilled by one of the numerous surveillance technicians the NYPD has fielded since 9-11 , a quick look-up via mobile device or WiFi and they know who you are now.

> So, a Special Agent or analyst simply runs the selectors in PROTON and CLEARWATER, then runs those names or other biographic/vital information again in LEXIS-NEXIS, all that data related to the TARGET is exported in Analyst Notebook format, those files are imported into the Analyst Notebook application and...viola!...a relatively complete social network and biographics of the TARGET. That could be you of course.

> [...] The DOJ and Intelligence Community access LEXIS-NEXIS through a VPN and a proxy (government). A DOD proxy is registered to the Virginia Contracting Office, but it's a non-logging proxy so, good luck in your discovery. LEXIS-NEXIS has no idea of the individual accessing it's database and, according to the spokesperson, does not maintain logs of government clients. A subpoena cannot discover what is not there.

"PROTON" and "CLEARWATER" are explained as follows:

> PROTON is a storage and analysis system of telecommunications selectors at the TS/SI/FISA/ORCON/NOFORN level of classification and handling. PROTON is the program name as well as the name of the technology. It has been described as "SAP-like", and I suspect that PROTON was once a DEA special program. PROTON is well known in HUMINT and DOJ clandestine law enforcement. It remains the primary, if not fundamental, tool of HUMINT and DOJ law enforcement operations, both of which have considerable overlap in phenomenology and methodology. PROTON carries the FISA caveat because Top Secret FISA collection is contained in PROTON's massive database.

> Through my professional associations within the Intelligence Community, I became aware of a Department of Justice (DOJ) system called CLEARWATER. CLEARWATER is similar to PROTON but at the SECRET/NOFORN level of classification and exclusively a DOJ program, where PROTON is CIA, DOJ and DOD. Most DOJ Special Agents and analysts do not have Top Secret clearance. Every informant is run through CLEARWATER, every witness gets vetted through the system.

Over the last 10 years I've sporadically searched for any sign this document has been investigated or debunked, with no result. I still find it pretty interesting.

1: https://cryptome.org/2013/08/proton-clearwater-lexis-nexis.h...

who is even capable of escaping this kind of thing? what would it take to stop things like this, and prevent them from happening again?

it seems impossible to even slow down

Legislation.

What is there to keep a food company from lying about the ingredients in their products? How could you stop it, unless you have a personal chemistry lab? You stop it by having people who constantly watch how you do business, and if you do it in a harmful way men with guns will come and shut down your business and take a lot of money out of your vault. If it was exceptionally harmful or you resisted or if you tried to start up again, the men with guns will come take you and place you in a concrete room against your will.

> What is there to keep a food company from lying about the ingredients in their products?

Food companies are not part of the "intelligence community," and there are significant disparities between enforcement of and compliance with the rules that each must follow. To the degree that food companies are even scared of the FDA (and not just willing to risk an inconsequential fine), it's because they know the FDA has strict guidelines and a history of enforcing rule violations that can kill an entire product line.

Whereas the intelligence community is subject to no such oversight, other than some nominal finger wagging by a group of senators (some of whom may even be spied on, blackmailed and coerced by the very agencies they oversee). There is a documented history of the NSA lying directly to congress about the scope and breadth of its surveillance programs, including falsely denying illegal activity. Given that evidence, it seems optimistic, bordering on naive, to trust that law enforcement agencies will respect legislation that restricts their ability to do what they consider to be their job, especially when nobody has been sent to jail for their criminality and deceit.

Why would they bother following the law if there are no consequences to breaking it? It's easier for them to obfuscate and argue semantics than it is to fundamentally alter their methods of intelligence collection.

I'm hearing an awful lot of criticism and complaints but no suggested alternatives. My boss wouldn't accept that kind of pointless defeatism and neither do I.
The viable alternatives are too extreme for most people to stomach.
It's pretty crazy that our legislators and courts haven't addressed this loophole that allows law enforcement agencies to buy data that they can't legally collect.

This essentially nullifies the fourth amendment.

It’s not really a loophole. It has been affirmed and reaffirmed and reaffirmed again. Nothing “sneaky” about it, just the case law hasn’t caught up to the amount and quality of privately-held data.

More entities should be subject to the telco exception to 3rd Party Doctrine.

> It has been affirmed and reaffirmed and reaffirmed again.

Doesn't mean it's not a loophole. The law is filled with loopholes that aren't sneaky at all.

This is a loophole around the fourth amendment, and it allows law enforcement to violate people's constitutional rights without consequence.

Constitutional rights are defined in large part by case law. It’s incoherent to say that SCOTUS’s rulings are violating people’s Constitutional rights.
It's legally incoherent, but it's far from logically incoherent.
> This essentially nullifies the fourth amendment.

Courts seem to think that this information does not have an expectation of privacy since the user gave it away.

I don’t like the government being able to do this, but common sense seems to dictate that in cases where the user has freely given out their information and where a private citizen can go buy that information, the government should be able to buy it.
> in cases where the user has freely given out their information

How often have people freely given their information? I'd argue that if you have to give out information in order to live, that doesn't count as freely giving it. That's being compelled to give it.

In US society, it's literally impossible to live without giving your information to a variety of entities.

I freely give out my information when I choose to use Facebook, Instagram, MySpace, google maps while logged into google, sweetgreen for ordering for pick up, Uber eats while ordering for delivery. There are myriad of cases where people choose to give out their personal information — and yes before you protest: I can live without having my Sweetgreen ready when I arrive (versus ordering at the terminal when I arrive) or without Uber delivering my meal (I can go to the restaurant).

I acknowledge there are cases where it’s effectively impossible in modern society, such as with giving out your info to get a cell phone, but believe by verbiage “freely giving out information” accounts for this.

Lets say you live in a cul-de-sac for this.

I setup a camera recording everything you do in your lawn and document when leave and come back to your house. I bundle this up with everyone else's information and sell this to the government.

Where was your "freely giving information out at".

You quickly turn into "even going outside removes any privacy I have and the government can pretty much track everything I do".

Also, going to those stores will gladly track you with cameras too. You're left farming weeds in the mountains to get away from this.

I'm not at all talking about optional goods and services.

> I acknowledge there are cases where it’s effectively impossible in modern society, such as with giving out your info to get a cell phone

Or if you pay rent, own real estate or a car, buy anything using a method other than cash, have electrical or other utility service, etc.

You are forced to give out your information for almost everything you need in order to live in modern society.

The courts seem to place little to no value on privacy.

Within simple interaction I agree, but disagree when it comes to aggregate data. Maybe I tell Amazon some info, Wayfair different info, and Vitacost something else. A 3rd party can aggregate that into a new superset that I didn't give anyone explicitly. This goes well-beyond in-store surveillance and expands potentially and in-reality to full-time surveillance: when your smart thermostat senses you are home, when your car is moving, etc.

Someone needs to go into a court room and demonstrate to the judge and/or jury that their personal data is available for sale.

Then ask them if they expected that data to be private.

If it involves technology newer than the steam engine, the average court is badly out of its depth...
Is that because the user signed it away in the terms and conditions?
It's more straightforward than that.

I have a constitutional protection against the government searching my stuff without a warrant. However, the constitution only restricts governmental actions, not the actions of citizens or other private entities.

So, the government can't search my records without a warrant -- but if a private entity has any data on me whatsoever, there's no prohibition on that entity providing it, and law enforcement can ask (as opposed to demand) anything they want, just like any of us can. All they do is ask that party for the data and if that party wants to, they can provide it.

You don't have to agree to this in any contract, T&C, or anything of the like. Private entities have the right to do anything they like with data (or property) they legally control by default.

You'd have to have a contract with them that explicitly prohibits them from sharing. In other words, it's opt-out, not opt-in.

Legally, it's no different than cops knocking on your neighbors doors and asking them if they've seen you doing sketchy things. The neighbors don't have to comply with the request, but most will.

The government hasn't searched nor seized anything. This is identical to if somebody found out your favorite color is Blue, gave that info to a newspaper reporter, and the newspaper sold the information on the street for a nickle a paper. The government bought one of the papers.
I'm not sure how you equate agencies like the FBI and CIA with newspapers.

Seems like a really weak argument from here.

One is a commercial venture with zero license to kill or interfere with foreign political processes.

The FBI and CIA are newspaper readers in this analogy.
It's a newspaper that isn't affordable to the majority of the public, doesn't do any advertising to the public, nor does the public even know about it.

Not a great analogy really.

Actually it is affordable to the majority of the public. It’s quite cheap to buy a dossier on a person, like $5-25.

If LN allowed it, the general public could afford to run as much as they like.

idlewords said a long time ago that "If the data is gathered at all, the government can get to it; whether it is on private or public servers is an irrelevant implementation detail. The only way to keep data out of government hands is to not collect it". Nobody wanted to listen to this because taking it seriously would mean tearing down large portions of the ad infrastructure that keeps the tech industry humming. But he was still right even if nobody wants to admit it.
Who is idlewords?
A very quick Google search reveals they are a tech essayist
For emails in the cloud, and probably other data, they don't need a warrant if it's 6 months or older anyways. So they probably can force them to give it out for free. But either way they have a black budget so we are fucked in many ways.

https://emailserverprovider.com/emails-texts-documents-older...

How tempting would it be to use blackmail to influence a democratic election.

Given this national security blackmail apparatus exists how can we be sure this insidious rootkit hasn’t already been deployed?

Epstein was able to have bill gates in his back pocket due to knowing about his affair. Imagine having access to that kind of leverage on every reporter journalist activist politician etc. I can’t be sure the integrity of our democracy is even still intact

> "I can’t be sure the integrity of our democracy is even still intact"

It isn't. Our politicians are pretty much corporate puppets, fully "owned and operated" by our corporate overlords.

Where did you read that about Epstein and Gates?
Forbes, Guardian.. pretty widely reported on last month.
The stories I read say that Epstein attempted to extort Gates but was ignored.
That’s the beauty of the current situation. Instead of government it’s private businesses that are building a surveillance machine of unprecedented scale. The Nazis or Stalin would have loved to have such infrastructure.
The Holocaust likely would have been impossible (or at least far more limited in scale) if IBM hadn't sold them the tabulators they used to collate census data on their Jewish population.
It's by design. The politicians love the money from GEO Group, CoreCivic, and MTC for expanding prisons and incarcerating more poor people and minorities for minor infractions. I'm sure the politicians absolutely hate money from LexisNexus too.
As someone who brokered Lexis PII in a past life, what scares me about this is how dirty the data are.

That said, it’s not a loophole. State and federal laws make certain data public or quasi-public for limited purposes, and I can’t think of any reason the government should be prohibited from buying it for one of those purposes. The fourth amendment is designed to prevent the government from collecting information that is distinguished as categorically private by definition.

>" how dirty the data are."

What do you mean?

This data is often of terrible quality. Source: I worked for the part of LN that deals with this data.
(comment deleted)
> This essentially nullifies the fourth amendment.

Yes, it does. Hopefully, this practice will be made illegal in the absence of a search warrant.

ALPR Automatic License Plate Readers are a significant portion of this article, and they raise a lot of questions in my mind.

If the police have access to realtime info on the location of all vehicles, how is auto theft still a thing? How are gangs stealing $100k worth of tools from hardware stores and driving away scott free?

Are we just at a time before wide use of the data ALPRs provide?

Maybe the stolen cars are taken to a chop shop or ditched before the owner even realizes it has been stolen.
Don't the chop shop locations show up at the hub of stolen car paths when the ALPR data is used retrospectively for cars reported as stolen?
I imagine chop shop owners would destroy all nearby license plate cameras when setting up their location.
That would still narrow down the search quite a bit. Unless you think the cops won't notice a 10 block area where all the cameras are broken.
Yes, but that only matters if the cops are willing to search the buildings on all of those blocks for crimes. All the criminals need to do is prevent them from narrowing it down to an area that could be searchable.
Ok, and that would definitely not show up as suspicious?
ALPRs are usually on regular cars, which have regular people driving them around. You don't see them and they're paid to drive around all day. They're contracted like Uber.

Cop cars also have them, and so do parking enforcement, etc. They're generally not fixed locations.

I believe that the very first thing professional car thieves do is to remove the car's license plates.
I'm not too familiar with trends in auto theft, but do know around coastal areas your stolen car (truck, usually) goes straight into a shipping container. Thieves do not stop to fuck with swapping plates or any of that Hollywood stuff, they do not care about every ALPR camera in the city watching them drive it across town-- this isn't CSI, nobody's watching those cameras and readying the chopper. That vehicle is getting shipped off to the South Pacific as fast as possible, long before anybody can be bothered to get a warrant to search a foreign container ship for a random container among thousands that might contain a stolen late-model Tacoma.

Same with those recycle-your-phone kiosks in the mall. You can find-my-stolen-iPhone all the way to it, but the vendor empties the tray and ships the collected phones to a parts shop in Brazil every night, before the cops can get a warrant to open it themselves.

Crime pays when you think globally.

In Chicago most stolen cars are used either to joyride or to do a theft of some kind. In both cases ALPRs would be useful to prevent it.
It's very rare for a crime to be truly unsolvable. For the vast majority it's all about the amount of time and effort the authorities want to put in. License plate readers or not, if your local PD and the DA's office have decided to deprioritize auto thefts then there's nothing you can do about it.
Illegal immigration could easily be solved by giving anyone who hires undocumented workers a million dollar fine. The American economy relies on a cheap, obedient and disposable class of workers.
Yep this is one of my two (probably annoying) complaints to friends and family.

1. you really want to solve illegal immigration: extremely large fine and 1 year felony sentence for hiring an illegal immigrant without running their ID through e-verify

2. If we wanted to really do something about climate change we would have a huge investment in nuclear power plants dotting the US country side.

-->1 I point out to show that I think it's all a smoke and mirrors game with GQP politicians. We need a worker visa program and completely revamped immigration system

-->2 I am completely serious about.

I don't know why this is downvoted. In the car community, you hear TONS of stories about stolen cars. The owners have tracking devices, video with clear shots of the people stealing it with their faces, location of the car, plates of the getaway car, and every piece of evidence handed to them on a silver platter. And the cops never do anything.
Eh, when cops do nothing make it public information yourself.
The glib answer is that cops are lazy and don't want to do their job. Another is that even though the data is there and theoretically could be searched as you describe, nobody has built a system that a typical detective could reasonably use to actually conduct that search.

Also, professional car thieves would just start swapping plates if the cops started doing this.

It's funny, because growing up I thought LexisNexis were just one of those guys I'd use to find academic articles from the school library system, like JSTOR.

Then I got employed by the collections industry straight out of college and found out what skiptracing is. There used to be quite a few skiptracing vendors: Accurint, Banko, FastData, to name a few. LexisNexis bought all of them. I imagine that the dossier they have on the average person dwarfs what the credit bureaus have.

> I imagine that the dossier they have on the average person dwarfs what the credit bureaus have.

It does. LexisNexis and Equifax [used to be, maybe still are] the first two calls the US Marshals make when setting out to find a fugitive.

You can get a free copy of what LexisNexis has on you, just like you can with your credit report. The difference is that the LexisNexis report is book thick for most people. The amount of information far exceeds what the credit bureaus have. In my case, quite a bit of it was wrong but adjacent. It thought I owned a huge commercial building, which was actually owned by the developer of a condo I owned in another part of town. It also showed me making an insurance claim for hail damage on my brother's house. My brother actually did make a claim for hail damage and I did live with him, but that was several years after the insurance claim.
Would you be willing to list what categories of data are in that file?
This is what makes it concerning when it is used by law enforcement. Way too many people have been railroaded by the system due to bad data, especially poor people who can't afford a good lawyer. If the judges, lawyers, and especially juries are told that LexisNexis is a reliable source of information because the prosecution wants to get that conviction they could send innocent people to jail.
> just like you can with your credit report

Something I literally have never been able to do, despite tons of trying.

Does this have like a option to email them to delete all your data, prolly not huh?
The option is always there. I can guarantee nothing will happen if you try.
> Does this have like a option to email them to delete all your data, prolly not huh?

Not really. There's a process for suppressing data, but it's not a viable option for most people.

From the "LexisNexis Individual Requests for Information Suppression Policy (Non-FCRA Opt-out Policy)"

https://www.lexisnexis.com/en-us/privacy/for-consumers/opt-o...

> Documentation Required for Suppression Requests

> Requests for suppression from restricted public records products must include documentation substantiating the risk of physical harm or the individual's status as an identity theft victim. LexisNexis reserves the right to determine, in its sole reasonable discretion, what documentation meets this criteria. If your suppression request is not approved we will promptly inform you about that determination.

> * If you are a victim of identity theft, submit a copy of a police report documenting the identity theft or documentation that verifies the identity theft claim such as a letter from your credit card company, and an Identity Theft Affidavit; or

> * If you are a law enforcement officer or public official, submit a letter from your supervisor stating that your position exposes you to a threat of death or serious bodily harm; or

> * If you are at risk of physical harm but do not work in law enforcement, submit a copy of a court protective order, a copy of a police report or similar documentation such as a letter from a shelter administrator or a health care professional

(comment deleted)
California residents, here's the data deletion form: https://consumer.risk.lexisnexis.com/request#california
Is there any downsides to deleting or opting out?

Eg if you opt out of credit agencies then you have trouble getting credit cards and loans.

I don't think that it's meaningfully possible to opt out or delete, so this is a purely academic question.
You can factually opt out AND delete the data if you’re a California resident - as specified by the above link.
Not to a great enough degree, though. Just try opting out of the major data collectors, such as LN or credit rating agencies, and see how that goes.

Also, it does nothing for people who aren't in California.

California's law is much better than nothing, but it's not as good as the GDPR and the GDPR isn't really adequate.

Thanks for this. Sadly, but not surprisingly, it is broken with the following error: "A system error has occurred and we are not able to process your request. Please try again later."
I got that same message (twice!), but got a confirmation email a few minutes later.
This form asks for your address, ssn, etc. I'm wary of giving this type of a company more information than they may already have. It's like those opt out email links where you need to enter your email address. Are you opting in or opting out ?
I was flagrantly misidentified by Lexis Nexis and subsequently a recipient of a pittance resulting from a class action lawsuit many years later. I had to pay for and live out of hotels for several weeks due to their background check connecting me to a person from a state I had never lived in with a middle name and middle initial that was not even same.

The most dystopian part of this is that they aren’t good at the service they provide, don’t have competition or incentive to be, and as a result, people will get caught up in their destructive wake. Fully expecting The Trial to manifest in real life.

One of those salary check services they run has me working as a Civil Engineer in upstate New York, while I was in high school.
This is an example of how bad data makes the system less effective. Privacy via purposeful data pollution.
If you're in California you can opt-out of all sale of your personal data on LexisNexus here: https://consumer.risk.lexisnexis.com/request#california

In theory, it's a one-step process, though we'll see. Also if you request information they send it to you over snail-mail.

Horrible … it should be brought to justice …
No surprise. The intelligence apparatus uses illegally intercepted data to report crimes to law enforcement who then find parallel constructions to avoid disclosure of intelligence sources and methods. Now we're entering the territory of precrime and making accusations based on correlation and AI rather than evidence, but with a commercial interest akin to for-profit prisons.
When are gonna get a new law that bans the practice of buying dragnet information from private sources? I can understand warrants for a person or small group but buying information on millions of Americans? That's just bypassing the 4th amendment because the founding fathers obviously didn't know about the internet. It's pretty obvious what the fkn intent of the 4 and 5th amendments are, though.