
Data Brokers, Elder Fraud, and Justice Department Investigations

Alistair Simmons, Justin Sherman
Monday, July 25, 2022, 8:01 AM

Three data brokers knowingly sold Americans’ data to scammers—and the Department of Justice charged them.

Person using a magnifying glass to find information on a page (mohamed hassan, https://pxhere.com/en/photo/1640402; CC0 1.0, https://creativecommons.org/publicdomain/zero/1.0/)

Published by The Lawfare Institute in Cooperation With Brookings

On June 24, Sens. Ron Wyden, Elizabeth Warren, and Cory Booker and Rep. Sara Jacobs wrote a letter to Lina Khan, the chairperson of the Federal Trade Commission (FTC), requesting that the FTC investigate Apple and Google for some of their online advertising-related activities. Specifically, the members of Congress requested that the FTC look into the companies “engaging in unfair and deceptive practices by enabling the collection and sale of hundreds of millions of mobile phone users’ personal data.” Then, the letter called out data brokers: “[T]hese identifiers have fueled the unregulated data broker market by creating a single piece of information linked to a device that data brokers and their customers can use to link to other data about consumers.”

This letter follows on the heels of multiple recent congressional bills on data brokers. Sen. Wyden, with a bipartisan group of senators, led the introduction on June 23 of the Protecting Americans’ Data from Foreign Surveillance Act. The bill would create new export control authorities to control the transfer of certain sensitive categories of Americans’ data to certain foreign entities (for example, those deemed to threaten national security). Just before that, on June 15, Sen. Warren led the introduction of the Health and Location Data Protection Act, which would ban data brokers from transacting in Americans’ health and location information.

As congressional attention to data brokerage grows, it is worth understanding some of the few instances in which legal authorities in the United States have already pursued cases against data brokers for engaging in harmful activities.

Justice Department Cases Against Epsilon, Macromark, and KBM

In 2020 and 2021, three data brokers—Epsilon LLC, Macromark Inc., and KBM—all faced legal punishment for supplying lists of individuals who were elderly and vulnerable to scammers. All three data brokers were charged with conspiracy to commit mail and wire fraud in violation of 18 U.S.C. § 1349. They were supplying these lists of individuals (who would later become victims) to scammers for many years before being caught by investigators from the Department of Justice. Epsilon, as detailed in U.S.A. v. Epsilon Data Management, provided lists of 30 million American consumers’ private information to scammers from July 2008 to July 2017. Macromark, as detailed in the guilty plea for U.S.A. v. Macromark, provided information and assistance to scammers from February 2005 to September 2016. KBM, as detailed in U.S.A. v. KBM Group, partnered with scammers from January 2012 to December 2018. The legal evidence does not specify the consistency of the brokers’ support for scammers, but it makes clear that every data broker partnered with multiple scamming clients simultaneously. All three companies developed sustained revenue streams from their partnerships with scammers. They were profiting not only from selling lists to scammers but also by collecting data on successful scams to refine their algorithms’ ability to profile consumers.

All three data brokers, according to court documents, intentionally sold data to scammers despite knowing that their clients were engaged in criminal activity and exploiting the vulnerable. Epsilon established a Direct to Consumer (DTC) Unit, which sold data specifically to companies that conducted personal solicitations by sending mail to people’s homes. The DTC Unit sold targeted lists of potential “opportunity seekers,” who were primarily “elderly and vulnerable Americans,” to scammers. Scammers then used that information to run fraudulent “astrology” schemes, “sweepstakes” solicitations, and other scams. The Justice Department’s court filing states clearly that Epsilon was aware of what it was doing:

Due to their regular interaction with the fraudulent “opportunistic” clients, the Employees were familiar with the clients’ practices, as well as their deceptive solicitations. The Employees worked to develop and increase business with clients engaged in fraud despite receiving notice that those and similar clients had been arrested, charged with crimes, convicted, and otherwise were subject to law enforcement actions for engaging in misleading practices. The Employees engaged in this conduct, in part, to benefit Epsilon, to enrich themselves through sales-based compensation, and to enable the fraudulent clients to solicit new customers.

In total, Epsilon’s DTC Unit “sold data associated with more than 30 million American consumers” to scammers who then used that information to help perpetuate “fraudulent mass-mailing schemes.”

Macromark, as detailed in its guilty plea with the Justice Department, was fully invested in conspiring with scammer clients. The guilty plea describes that Macromark executives were aware that the company had clients stealing from Americans—including elderly people with Alzheimer’s—and continued to allow it to happen. Around February 2012, a list owner wrote a Macromark executive telling them that:

just yesterday a guy wrote to me about his [A]lzheimer wife believing she won ..... for all offers, including this one, where it really appears that the person is getting a check sent to them for lots of money and seemingly no qualifiers, I must say no.

However, it does not appear the company changed its practices. Around June 2015, a Macromark executive “knew that the Company was warned by the Iowa Attorney General’s Office that the Company’s clients were deceiving elderly Iowans”—and yet “Macromark and its co-conspirators continued to provide mailing lists of victims to mass mailers they knew were engaged in fraud.” Around August 2016, in dealing with a fraud-committing client, “a Macromark executive advised the client on how to restructure the client’s company to make it easier to change names frequently and thereby evade law enforcement scrutiny.” The list goes on in the guilty plea. And in total, data broker Macromark was fully aware that some of its scammer clients were using data to prey on elders with Alzheimer’s but did not care to change its practices.

KBM supported scammers who were prosecuted while still using data that KBM supplied. Between January 2012 and December 2018, KBM employees “arranged for KBM to license consumer data to more than a dozen Deceptive Clients they knew were engaged in fraud.” The licensed data in question came from “other Deceptive Clients and legitimate business, non-profit, and charitable-organization clients, including clients with many elderly customers.” In the case of one scammer client, a KBM employee emailed colleagues—including a general manager—a copy of the client’s “fraudulent solicitations,” which the client “proposed to mail to thousands of consumers identified by KBM.” The mailer included statements like the following:

[O]ur company has been tasked with closing out your account by paying out a certified check in your name…you are indeed the lucky recipient and the exact amount of the payment I am require (sic) to send you is really: 45,000.00 dollars by bank check in your name.

In response, the general manager of KBM’s Merchant Services group wrote: “Who responds to this stuff?? Obviously we have those people.”

A few months after the prosecution of that first client, KBM employees signed up another scammer, despite the company’s acknowledgment that the new client was “another astrology type mailer similar to” the previous client. The client was signed and the data was supplied despite this knowledge and the previous incident. Interestingly, there was one case in which KBM appeared to have internal controls in place to vet potential clients: “[D]uring the recruitment process for Client 3 [unnamed], the KBM Finance Department conducted a due diligence review and found various red flags,” according to the court document, “including online consumer complaints about Client 3 being a scam.” When this information was reported to KBM’s Finance Department controller, they did not approve the extension of a line of credit to the client and thereby prevented KBM from licensing data to the scammer. Yet, a KBM vice president and the general manager of KBM’s Merchant Services group—the one who responded “we have those people” to the scam mailer mentioned above—convinced the Finance Department controller to approve the client. KBM then licensed the names of more than 100,000 U.S. consumers to the scammer.

These data brokers also incorporated the data that they collected from scammers into their databases, recycling victims’ information to target them again. For example, even after Epsilon employees knew about the court-ordered closure of a scammer client, they attempted to monetize the data they collected from their client. Two employees “collaborated on a model” in February 2016 “for clients engaged in fraud that used data from” one of Epsilon’s clients. They expanded Epsilon’s databases by getting information back from scammers, and then used that information to determine which people would be most susceptible to future targeting. In other words, those who fell for a scam once would be documented in Epsilon’s database, so it could provide other scammers with lists of people who were identified to be gullible and receptive to that kind of marketing. Over time, the business relationships developed between Epsilon’s DTC Unit and fraudsters “enhanced Epsilon’s ability to model consumer data to develop potential customer lists for legitimate clients,” meaning the company also used this scam-generated information on Americans to expand its other data brokering businesses.

Macromark followed a similar strategy of data refinement. It realized that “the most effective mailing lists for any particular fraudulent mass mailing were lists made up of victims of other mass-mailing campaigns that used similarly deceptive letters.” The data received from past scams enabled data brokers to home in on specific victims and target the “same demographic pool: elderly and vulnerable Americans.” Similarly, KBM developed “iBehavior” databases that contained data on over 100 million households in the United States and served at least 2,500 clients at any time. KBM offered legitimate business customers data produced by the same algorithm that aided scammers, demonstrating how KBM refined its behavioral models based on the data supplied by scammers. The illegal targeting and scamming of elderly, cognitively impaired, and otherwise vulnerable Americans was used to further profile individuals and inform the algorithms the three data brokers used across multiple business verticals.

The Brokers’ Guilty Pleas and Implications for Policymakers

All three data brokers pleaded guilty to fraud and other charges. Epsilon and KBM got off with deferred prosecution agreements, in which the defendant signs an agreement that admits guilt and accepts penalties for violating the law, and in exchange the Justice Department agrees not to pursue a trial. Deferred prosecution agreements are also “extrajudicial contracts that operate outside of the regular legal system,” which means they cannot be used as legal precedent. In other words, Epsilon and KBM did not have to publicly defend themselves in court.

Under the conditions stipulated in the deferred prosecution agreements, the data brokers were required to pay a fine for victim compensation and adopt new compliance measures. Epsilon paid a $150,000,000 fine, which was divided into “a Criminal Monetary Penalty in amount of $22,500,000; and a Victim Compensation Amount of $127,500,000.” Epsilon’s Criminal Monetary Penalty was less than the base fine ($25,000,000) that applies under USSG § 2B1.1. Epsilon’s estimated yearly revenue is $2.1 billion, meaning that the imposed fines are less than 10 percent of its annual revenue. KBM did not pay the government anything but was charged victim compensation penalties totaling $42,000,000. Epsilon and KBM were both required to start a corporate compliance program and report on their compliance to the government. Macromark pleaded guilty to wire fraud and admitted that the lists it provided to scammers resulted in the loss of at least $9,500,000 from victims. As stipulated by Macromark’s guilty plea, the company was “sentenced to three years of probation, forfeiture and fines totaling $1,000,000.” Macromark did not pay victim compensation, and the penalties it received were minor in comparison to the money that it expropriated.

These actions did not comprehensively address some of the root problems associated with data brokerage and these scams of elderly, cognitively impaired, and otherwise vulnerable Americans. Importantly, the deferred prosecution agreements and guilty plea did not require the companies to implement any changes to the algorithmic systems that enabled even more effective scamming. After victims fell prey to a scam, data brokers used that information to further their data set refinement and to better understand which individuals were susceptible to scamming. In some of the aforementioned cases, this included analyzing which elderly and cognitively impaired Americans were most gullible. Requiring companies to implement internal compliance programs without requiring them to make any changes to their business model only allows the current technological targeting systems to persist.

The required corporate compliance programs may also be ineffective in preventing future scams. For instance, in addition to paying fines, Epsilon’s deferred prosecution agreement required Epsilon to provide “strong, explicit, and visible support of and commitment to its corporate policy against fraudulent or deceptive marketing by its clients and to the Company’s compliance code.” KBM was required to do the same. However, the agreements largely left the compliance policy programs up to the broker to decide in house, rather than requiring companies to develop and publish a set of best practices. The deferred prosecution agreements also did not require Epsilon or KBM to look at a particular set of know-your-customer best practices from other industries, which could serve as a useful starting point for a data brokerage ecosystem that appears to have no visible set of industry best practices and controls. This response to data broker-enabled scams risks allowing the data brokers in question to create ineffective compliance programs as a cosmetic “fix.” This response also does not address a key problem raised in the court filings: In one case where a data broker (KBM) did have vetting controls in place to prevent the company from enabling scams, the revenue-focused employees at the company simply ignored the controls and overrode the decision not to license data.

This feeds into another problem with the deferred prosecution agreements. Epsilon agreed to report to the Justice Department at least every 12 months over a 30-month term, which is the only form of external oversight guaranteed by its deferred prosecution agreement. The Justice Department then has the opportunity to provide feedback on that report, after which point Epsilon is required to produce “at least two follow-up reviews and reports” that incorporate government feedback “to further monitor and assess whether Epsilon’s policies and procedures are reasonably designed to detect and prevent violations of Federal Law.” But the reports written by Epsilon for the Justice Department will not be released to the public, meaning that the public, civil society, and legislators will not gain further insight on the changes (or reported changes) in Epsilon’s operations. These groups will also not be able to assess how much a company is complying in practice with its on-paper compliance program, and the Justice Department will not be able to do so, either. In the case of a full trial, there would have been more evidence collection and investigation into Epsilon’s practices. A lack of transparency around data broker controls will continue to impede legislators attempting to better understand and regulate against data harms in the long term.

Without an established regulatory framework to restrict the actions of data brokers, it will be increasingly difficult to generate the momentum necessary to change their practices. For example, turning to deferred prosecution agreements with data brokers keeps these criminal activities out of a courtroom trial and prevents the establishment of case law around these kinds of harms. Doing so also does not properly address this kind of data-driven targeting that will continue to create risks for Americans—particularly the vulnerable—because it effectively creates a whack-a-mole system wherein specific companies are prosecuted for specific harms only after those harms occur and they are caught—by which time people’s lives are already hurt or even ruined. Legislation and regulation at the federal level would prevent some harms of data brokerage outright—for instance, banning the sale of Americans’ health data, as laid out in the Health and Location Data Protection Act—while also placing tighter controls on areas where there is great risk of harm, such as with scamming the elderly.

Data brokers are extremely profitable and can overcome imposed fines while continuing their operations. The more money they make, the more money they will have to spend on legal defenses. In the three mentioned cases, the data brokers’ internal compliance measures were ineffective, because these companies already knew that they were partnering with scammers and continued to do so because they saw it as financially advantageous. If controls were in place, they were ignored. And in the one case where controls were enforced, the controls were overridden by data broker employees pushing for profit above all else. This raises a series of critical policy questions about the effectiveness of company controls today and how much company controls should be prioritized as part of a policy solution when there is evidence that they can be overridden.

Comprehensive legislation, at the federal if not state level, to regulate data brokerage and prevent and mitigate its harms is necessary to protect all Americans. This should include a focus on stopping the algorithmic revictimization of people who fall for scams. It should also include a focus on controlling the sale and licensing of data on vulnerable Americans—particularly when data brokers knowingly use that information to help scammers prey on the elderly, cognitively impaired, and otherwise vulnerable.

Alistair Simmons is an undergraduate researcher at Duke University's Sanford School of Public Policy and an artist and journalist.
Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.