Bernie Sanders Is Very Worried About Your Data

During last week's Democratic presidential debate, avowed pinko and every cool teen's favorite Larry David impersonator Bernie Sanders had some dire warnings about our online privacy.

"Virtually every telephone call in this country ends up in a file at the NSA. That is unacceptable to me," Sanders told debate moderator Anderson Cooper. "I think the government is involved in our emails, is involved in our websites."

Then he took it a step further. "But it's not just government surveillance," he said, as (I assume) a dark cloud made up of ones and zeroes gathered over his head slightly out of view of CNN's cameras. "Corporate America is doing it as well."

In an email to VICE this week, a Sanders campaign spokesperson expanded on the 2016 candidate's comments, saying, "In addition to government surveillance, the Senator is concerned about the lack of privacy consumers have, and how their information is often unwittingly collected, shared, and sold." The campaign also pointed to Sanders' vote against the controversial NSA reform bill earlier this year, and to an amendment the Senator attempted to attach to this year's National Defense Authorization Act. The amendment, which did not make it into the final version of the NDAA, would have created a two-year commission to investigate changes in data collection, and the possible impact on privacy rights and surveillance.

"I believe we need to take a look at how the public and private sectors are gathering data on the American people and how we are moving toward an Orwellian society in which your location and movements can be tracked at any time through your smartphones and computers," Sanders said in a June statement announcing his plans to introduce the amendment.

One of the big reasons we've encroached upon an "Orwellian society," as Sanders puts it, is because of data brokers—companies that aggregate, package, and sell people's personal information to advertisers. If you've ever been fucking around online and encountered an ad you felt was almost scarily apt, you have data brokers to thank—a 2014 report from the FTC showed that nearly everything Americans do online is collected by someone. That means that information we post in our social media profiles, our shopping histories both online and off, and information we provide to websites when we register for accounts is all fair game to data brokers, who'll either scrape your data with their own software or buy it from someone else who has it.

To some degree, companies have always collected information about their customers, but the amount of data that data brokers are now sitting on is unprecedented. When I spoke to Ron Moritz, the CEO of cybersecurity firm BioCatch recently, he estimated that they have "richer sets of information about people than the wildest dreams of the CIA and NSA."

As for the accuracy of Sanders's warning, "I think he gets the gist of it right," said Kelly Lum, an application security expert who has worked extensively in the public and private sectors. "The more entities that are collecting data on you, the higher the likelihood that one or more of them is going to screw up and have their information compromised, or sold off to someone who uses that data for malicious purposes."

Many businesses have found that information they gather from their customers can be sold off. Apps also frequently collect data, with consumers often waiving their rights to privacy by agreeing to long and confusing terms of use. Lum told me that even a company that runs what might be considered a "legitimate app" may be "collecting the data you send through it and selling it off to a broker." Additionally, she said, "information collected by the government, such as real estate sales and criminal records can make it into a data broker's collection."

A 60 Minutes segment on the subject of data brokers that aired last year reported that Acxiom, one of the world's largest data brokerage firms, owned an average of 1,500 pieces of information on 200 million Americans. That's a lot of information, and the more details a company has on you, the easier it is for those companies to make other assumptions about things like your age, your medical history, and even weird shit like whether or not you've got an STD or if you're likely to buy a Fleshlight. According to the 60 Minutes report, data brokers may have lists of people with addictions, STDs, and severe student loan debt.

Related: Watch the full HBO Special Report: Fixing the System

In September, the data broker Experian was hacked, exposing the identifying information of some 15 million people, most of whom had sought credit checks through the company as part of the process of getting T-Mobile cell service. Although the company claimed that the hack "did not impact Experian's consumer credit database," it nevertheless proved that data brokers are not infallible.

If the information data brokers have collected were to leak, experts say the consequences could be dire. "Imagine data in the wrong hands being used to out a person living in a conservative town as homosexual or transgender," said Lum, "or a person's daily routine being discovered by an abusive ex."

If Sanders is serious about stopping the spread of Big Data, though, he might want to start in his own backyard. A September audit of campaign websites conducted by the Online Trust Alliance, a consumer watchdog group, gave Sanders' 2016 site a failing grade.

Over the phone, OTA's Craig Spiezle explained that the audit rated 23 presidential campaign sites on a variety of criteria, including privacy protection, site security, the privacy policy listed on campaign websites, and authentication measures. "The total (your campaign) could get was a 100," he said. "The average was 57.7, the highest was 90, and the lowest was 37. The Sanders campaign was towards the very bottom of that scale."

Of the major candidates graded in the OTA audit, only Jeb Bush's campaign site was awarded a passing grade. OTA's report did not reveal the specific scores for each campaign site, and Spiezle declined place the candidates on a continuum, but he did tell me that Hillary Clinton's campaign site scored slightly higher than that of the Sanders campaign.

Though Sanders' site does provide an easy-to-understand privacy policy, it states that the campaign reserves the right to share visitors' personal information "with groups, causes, organizations, or candidates we believe to have similar views, goals, and principles." It also states that the site "communicate[s] with third-party vendors like Google, and that in some cases, those vendors "may decide which ads to show you based on your prior visits to [Bernie Sanders] Sites."

Spiezle compared Sanders's data-sharing policy to that of "a retailer saying, 'Thanks for buying with us, but we may share your data with other merchants that share your interest.'" While he admitted that "many of the candidates" have similar policies in place on their sites, "that doesn't mean it's right."

Spiezle expressed concern that the Sanders' campaign site didn't mention whether or not these third-party entities were bound by confidentiality agreements. "You're collecting data on what [your donors] contribute and their political points of view," he said. "What contractual requirements are those third parties required to adhere to?"

In an email, the Sanders spokesperson said that despite the relatively loose language used in its privacy policy, the campaign has never sold user data to third parties. The campaign did not say whether they have shared data with other entities.

Indeed, selling data can be quite lucrative for presidential campaigns. A report published by the Pittsburgh Post-Gazette earlier this year found that the campaigns of several 2012 candidates—including Mitt Romney, Rick Santorum, and Newt Gingrich—as well as a now-defunct committee for Hillary Clinton raked in money—and helped retire their debts—by selling data collected from supporters.

"Candidates have taken the liberty of sharing data as they see fit," said Spiezle. "I think it's hypocritical that candidates say the government and industry shouldn't be doing something when their own campaigns are marching to a different tune."

The long and short of all of this is that no one seems to know where the line should be when it comes to our online privacy—least of all the government. In last week's debate, Sanders suggested that federal law has not yet caught up with the rapid acceleration of privacy-breaching technology, and there is some truth to that.

In its 2014 report, the FTC urged Congress to "enact legislation that would enable consumers to learn of the existence of the activities of data brokers and provide consumers with reasonable access to information about them held by these entities," as well as offering consumers "the ability to opt out of having [that data] shared for marketing purposes." So far, though, there hasn't been much movement on that front.

A bill introduced last year by West Virginia Senator John D. Rockefeller would have required data brokers to provide consumers with access to whatever personal information they had collected, and allow them to opt out of being included on the firms' lists. Loftily titled the "Data Broker Accountability and Transparency Act," the bill died in committee. A similar bill was introduced earlier this year, but it too died before ever hitting the Senate floor.

Follow Drew on Twitter.