A class action lawsuit is accusing Oracle of conducting global surveillance, essentially attempting to create detailed shopping and spending profiles of the world’s entire population.
The suit accuses Oracle of creating profiles for five billion people worldwide, attaching things like purchase records and GPS locations to their name and contact information. While social media platforms usually dominate the conversation about global surveillance, the Oracle Data Marketplace and the company’s BlueKai service have quietly become one of the world’s largest sources of the sort of personal information that “data brokers” sell for targeted advertising purposes.
Class action lawsuit alleges frighteningly comprehensive details about consumer purchases and habits
The class action lawsuit points to Oracle marketing materials claiming to provide dossiers on five billion individuals, generating some $42.4 billion in annual revenue for the company. The suit alleges that these profiles tie names, home addresses, emails to a worrying amount of information: purchases online and in the real world, physical movements in the real world, income, interests and political views, and detailed accounts of online activity. One illustrative detail provided is the profile of a man in Germany who had a €10 bet on an esports betting site logged in his profile.
The class action lawsuit has been filed in California and alleges violations of Federal Electronic Communications Privacy Act, the Constitution of the State of California, the California Invasion of Privacy Act, competition law, and common law. The suit seeks to force Oracle to stop collecting this data and to make restitution to those who have had profiles created, due to being created without the subject’s knowledge or consent.
The class action lawsuit highlights the fact that there remains very little federal-level legal protection for consumers against the sort of “global surveillance” approach it describes. This is the reason for the seeming scattershot approach in citing violations of various aspects of California law along with competition law.
Some of the biggest “global surveillance” firms remain invisible to the people they profile
Consumer awareness of how websites and apps track them has risen greatly in recent years, particularly as relates to the “free” services offered by the major social media companies. But one of the core building blocks of the class action lawsuit is the assumption that consumers are still generally unaware of the data brokers that centralize all of this information. For example, consumers know that stores like Amazon might use purchase history for targeted ads, but are not aware that these stores might also package and sell this information to “global surveillance” outfits that pair it with similar data from all sorts of other sources.
The class action lawsuit contends that if people are not even aware of what Oracle (and similar brokers) are doing, they have no material relationship with these companies and cannot possibly be giving consent to have these marketing profiles developed. The suit also alleges that the damage Oracle has done has crossed beyond mere invasion of personal privacy. It cites “Project Alamo,” a 220-million person database created using Oracle services, as an example of micro-targeted voter suppression that may have impacted the outcome of the 2016 presidential election. It also raises fears about the potential use of these marketing databases by law enforcement organizations in the wake of the Roe v. Wade repeal, as a means to surveil the visitors of services such as Planned Parenthood.
Oracle has already encountered some legal challenges that alleged similar global surveillance practices, but nothing has stuck as of yet. A class action suit founded on General Data Protection Regulation (GDPR) violations was filed in Holland in 2020, but was dismissed this year due to lack of standing (though with the possibility of appeal). BlueKai also suffered a data breach in June 2020 when an unprotected internet-facing server containing billions of records was discovered, but this was documented by a security researcher and it is unclear if threat actors got to it first.
Chris Olson, CEO of The Media Trust, sees potential for this lawsuit to break this pattern: “In 2016, the rules for data targeting were still up in the air – since then, emerging data privacy legislation has drawn a hard line around microtargeting, collecting and selling user’s data without express permission. However the ICCL’s lawsuit pans out, the fact that it’s happening is a major development for businesses around the world, especially since it is happening in the U.S, and alleges a violation of California law. While not all businesses directly harvest data from their users in a way that violates data privacy legislation in Europe or America, most partner with digital vendors who do, whether through their websites or mobile platforms. Now more than ever, businesses must commit to digital trust and safety protections – otherwise, it is only a matter of time before they will suffer from breaches, lawsuits and expensive fines.”