Mozilla Monitor Plus, data brokers and data breaches
Posted: February 23, 2024
The Mozilla Foundation launched its Mozilla Monitor service to help people detect whether their personal information had been exposed in a data breach. But beyond cyberattacks and data losses, there’s another way your data might end up in the wrong hands – via data brokers.
To help people better control their personal information, Mozilla is offering a new subscription service called “Monitor Plus”. This product helps users locate and delete information held by data brokers.
This article looks at the link between data breaches and data brokers, explores how data brokers are regulated under US and EU law, and explains how Monitor Plus works.
Data breach vs data brokerage
Mozilla’s original “Mozilla Monitor” product offers data breach monitoring. Monitor Plus tackles data brokers. Although data breaches and data brokerage are very different phenomena, there are links between them.
There are many definitions of a “data breach” and “data broker”, but most include the following elements:
- A “data breach” occurs when personal information is subject to unauthorized access, theft, or loss.
- A “data broker” obtains and sells data about people, and normally has no direct relationship with the people whose data it sells.
Data breaches often result from cyberattacks, where criminals steal personal information. People usually steal information (or buy stolen information) to commit identity fraud.
Data brokerage is not illegal, although some data brokers have violated data protection laws. Data brokers typically sell personal information for advertising or market research purposes.
Yet both data breaches and data brokers can cause people to lose control of their personal information and experience a loss of privacy.
You can learn private facts about a person by buying personal information that has been leaked illegally on the dark web following a data breach or by purchasing information on the open market from a data broker.
How do data brokers obtain personal information?
Data brokers get personal information in many ways, including from:
- Public records maintained by government bodies
- Other companies such as social media firms, retailers, or loyalty programs
- Apps, including third-party apps
Some apps include Software Development Kits (SDKs) provided by data brokers that track users’ activities and locations. In the US, the Federal Trade Commission (FTC) has taken action against several data brokers whose SDKs collect personal information from other companies’ apps.
So, is data brokerage illegal?
As noted, data brokers aren’t necessarily breaking the law. However, there are certain laws that set down rules for data brokers.
- The California Delete Act requires data brokers to register publicly and enables California residents to delete information that registered data brokers have collected about them via a centralized portal.
- Other US privacy laws in states such as Connecticut, Colorado, and Virginia enable residents of those states to request that a company erase personal information it has obtained about them.
- At the federal level, the FTC Act seeks to minimize practices that harm consumers, which might impact some data brokers’ activities. Other laws, such as the Health Breach Notification Rule and the Children’s Online Privacy Protection Act (COPPA), protect personal information in specific sectors.
Mozilla’s Monitor Plus is only available in the US. In most of Europe, data brokers are more strictly constrained, thanks to the following laws:
- The EU and UK General Data Protection Regulation (GDPR), which requires every company to have a “legal basis” for processing personal data. While the law doesn’t specifically refer to data brokers, it effectively restricts the purchase and sale of personal data.
- The ePrivacy Directive, which requires consent for most electronic marketing activities. Combined with the GDPR, the ePrivacy Directive limits how companies use data bought from third parties for marketing purposes.
How Mozilla Monitor Plus works
Just as Mozilla Monitor scans the web for signs that your data has been breached, Monitor Plus scans data brokers’ websites for evidence that your personal data is up for sale.
Subscribers provide their first and last name, current city and state, date of birth, and email address. Mozilla then scans nearly 200 data brokers’ websites.
If the service locates a subscriber’s personal information in a data broker’s database, Mozilla will request that the data broker delete it on the subscriber’s behalf.
Mozilla doesn’t say whether a data broker will always delete a subscriber’s data on request. Depending on where a subscriber is located, the data broker might not be obliged to delete the information.
Furthermore, deleting information held by a data broker isn’t a “one-and-done” operation. In the US, outside California, data brokers might delete personal information about a person and then obtain further personal information from another source.
As such, Monitor Plus continuously monitors data brokers’ websites for as long as the subscriber keeps paying Mozilla. This continuous monitoring may remain necessary until the US introduces stricter data protection and privacy laws.