Oracle logo is seen on top of building showing class action lawsuit on global surveillance

Class Action Lawsuit Accuses Oracle of “Global Surveillance,” Creating Detailed Profiles of Five Billion People

A class action lawsuit is accusing Oracle of conducting global surveillance, essentially attempting to create detailed shopping and spending profiles of the world’s entire population.

The suit accuses Oracle of creating profiles for five billion people worldwide, attaching things like purchase records and GPS locations to their name and contact information. While social media platforms usually dominate the conversation about global surveillance, the Oracle Data Marketplace and the company’s BlueKai service have quietly become one of the world’s largest sources of the sort of personal information that “data brokers” sell for targeted advertising purposes.

Class action lawsuit alleges frighteningly comprehensive details about consumer purchases and habits

The class action lawsuit points to Oracle marketing materials claiming to provide dossiers on five billion individuals, generating some $42.4 billion in annual revenue for the company. The suit alleges that these profiles tie names, home addresses, emails to a worrying amount of information: purchases online and in the real world, physical movements in the real world, income, interests and political views, and detailed accounts of online activity. One illustrative detail provided is the profile of a man in Germany who had a €10 bet on an esports betting site logged in his profile.

The class action lawsuit has been filed in California and alleges violations of Federal Electronic Communications Privacy Act, the Constitution of the State of California, the California Invasion of Privacy Act, competition law, and common law. The suit seeks to force Oracle to stop collecting this data and to make restitution to those who have had profiles created, due to being created without the subject’s knowledge or consent.

If the class action lawsuit’s contentions about global surveillance turn out to be accurate, Oracle has profiled over half of the world’s total population and nearly every adult. Oracle’s BlueKai is the primary source of this data. It uses cookies and “invisible pixels” to track users across websites in the same manner that Google and Facebook’s ad platforms do, but it incorporates an even broader range of external data. Oracle purchases information from the credit reporting firms and various analytics firms and data brokers, but it has also acquired a great deal of data from a series of acquisitions of related companies. Numerous individual companies also sell customer data to Oracle (such as PlaceIQ, which is a primary source of its consumer physical location and movement information).

The class action lawsuit highlights the fact that there remains very little federal-level legal protection for consumers against the sort of “global surveillance” approach it describes. This is the reason for the seeming scattershot approach in citing violations of various aspects of California law along with competition law.

Some of the biggest “global surveillance” firms remain invisible to the people they profile

Consumer awareness of how websites and apps track them has risen greatly in recent years, particularly as relates to the “free” services offered by the major social media companies. But one of the core building blocks of the class action lawsuit is the assumption that consumers are still generally unaware of the data brokers that centralize all of this information. For example, consumers know that stores like Amazon might use purchase history for targeted ads, but are not aware that these stores might also package and sell this information to “global surveillance” outfits that pair it with similar data from all sorts of other sources.

The class action lawsuit contends that if people are not even aware of what Oracle (and similar brokers) are doing, they have no material relationship with these companies and cannot possibly be giving consent to have these marketing profiles developed. The suit also alleges that the damage Oracle has done has crossed beyond mere invasion of personal privacy. It cites “Project Alamo,” a 220-million person database created using Oracle services, as an example of micro-targeted voter suppression that may have impacted the outcome of the 2016 presidential election. It also raises fears about the potential use of these marketing databases by law enforcement organizations in the wake of the Roe v. Wade repeal, as a means to surveil the visitors of services such as Planned Parenthood.

Oracle has already encountered some legal challenges that alleged similar global surveillance practices, but nothing has stuck as of yet. A class action suit founded on General Data Protection Regulation (GDPR) violations was filed in Holland in 2020, but was dismissed this year due to lack of standing (though with the possibility of appeal). BlueKai also suffered a data breach in June 2020 when an unprotected internet-facing server containing billions of records was discovered, but this was documented by a security researcher and it is unclear if threat actors got to it first.

Lawsuit accuses Oracle of creating global #surveillance profiles for 5 billion people worldwide, attaching things like purchase records, income, interests and political views, and GPS locations to their name and contact information. #privacy #respectdataClick to Tweet

Chris Olson, CEO of The Media Trust, sees potential for this lawsuit to break this pattern: “In 2016, the rules for data targeting were still up in the air – since then, emerging data privacy legislation has drawn a hard line around microtargeting, collecting and selling user’s data without express permission. However the ICCL’s lawsuit pans out, the fact that it’s happening is a major development for businesses around the world, especially since it is happening in the U.S, and alleges a violation of California law. While not all businesses directly harvest data from their users in a way that violates data privacy legislation in Europe or America, most partner with digital vendors who do, whether through their websites or mobile platforms. Now more than ever, businesses must commit to digital trust and safety protections – otherwise, it is only a matter of time before they will suffer from breaches, lawsuits and expensive fines.”

 

Senior Correspondent at CPO Magazine