Data Brokers Are Selling Your Data – So We Built Software to Protect Your Privacy

 

Dilbert 1.gif

One summer morning in 2013, two suspicious black SUVs pulled up to Michele Catalano’s house on Long Island.

Her husband went outside to see what was happening and was met by two federal officers. They immediately asked to confirm his identity – and permission to search the house. 

Uncertain why they were there, Mr. Catalano had nothing to hide. So he let the agents in.

After searching the building, they asked if anyone in their household had searched for information on pressure cookers or backpacks recently.

One thing quickly became clear. The family’s recent Google searches had triggered an investigation by the Department of Homeland Security. 

This home intrusion happened in the weeks following the Boston Marathon bombing, when pressure cookers were turned into makeshift explosives. 

Investigators must’ve discounted Catalono’s Google search for “What the hell do I do with quinoa?” And as for the backpack search — her husband wanted one.

Most people are appalled at the idea of having the privacy of their home violated because they searched for cooking tips in Google.

But today your privacy is no longer a passive right. You need to understand how your data is being collected and used against you, so you can protect yourself. 

And one of the most important – and unknown – threats to your online privacy is a group of companies called Data Brokers. 

What you’ll learn in this guide:

  1. What are Data Brokers?

  2. What sensitive information do they collect?

  3. How do they get your data without your knowledge?

  4. How exactly do they put your privacy at risk?

  5. How do you remove your sensitive info from data brokers?

What is a Data Broker?

A group of companies operating behind the scenes of public awareness is making billions of dollars by tracking and selling your personal information.

They’re called Data Brokers. Their goal is to amass as much data as possible about you from any source – and profit from it. 

You may recognize some by name: Acxiom, Intelius, Spokeo, WhitePages, TruthFinders and Radaris are a few of the major players.

Data Broker websites often show up in search results when you Google your own name — and expose your home address, date of birth, email, phone, relatives, and other sensitive personal info.

“Most people have no idea who these companies are and how they got their data on them. They would be very surprised to know the intimate details that these companies have collected,” explained Amul Kalia, an analyst at the Electronic Frontier Foundation, an organization that advocates for digital rights.

Just how much money are these companies making from your data?

Acxiom — a single Data Broker — expected annual revenue of just under $1 billion in 2018.

As a whole, the industry generates billions of dollars every year. No wonder that personal data has been dubbed the “new oil”.

And while data brokers make money off your information, they also put your privacy and security at risk. 

Luckily there are clear steps you can take to protect yourself. 

I’m the co-founder of BrandYourself, which helps nearly a million people protect and improve their online reputation and privacy. Over the last decade I’ve designed systems that help people find and remove their sensitive information from the web, and from the companies collecting it without their consent. 

I’ve been privileged to gain a unique insight on the industry, which I feel responsible for sharing with you because of its ramifications on your privacy, security and safety. So join me as I take you on a guided tour of one of the darkest and most profitable industries in the world — and show you what to do about it to protect yourself. 

How do Data Brokers work?

Johan Fourie is a veteran of the Data Broker industry. He started out mining data in real estate, collecting private information about foreclosed properties and then selling that data to clients. 

But at one point, he said in an interview, “We just amassed so much data that we started a people search engine.” 

Fourie has operated several people search sites including SpeedyHunt and others.

In a rare behind-the-scenes interview about the people search industry, led by Michael Bazzell, a computer crime investigator for the FBI’s Cyber Crimes Task Force, Fourie explained how the industry operates.

“There are about 3,000 free feeder sites that post pieces of your personal info online.” These pages show up in search engines, exposing info like your phone number and your email address. He went on to explain that they often hide some data and charge you for a “full report.”

Feeder sites are operated by much larger brokers, which flood search results with webpages that funnel people back into their main site. 

This has resulted in a massive amount of data scraping systems that continually collect and republish each others’ data about you. 

“There are about 200 parent sites earning revenue,” Johan explained. “Of those, about half are owned by a bigger corporation.”

How exactly are they making money – to a tune of up to $1 billion?

Johan explained that People Search sites, whic is just one type of Data Broker, usually charge customers $25–30 for the full report. Some runs ads. To grow faster, they pay $30–50 to affiliates that refer a new paying customer. After taking a loss on the affiliate fee, “the company has to keep that subscriber to recur enough to make a profit.” That’s why it’s often so difficult to cancel your subscription if you ever upgrade. 

Horror stories abound of people trying to cancel their recurring payment but being denied or asked for faxed documents proving ID, making it purposely difficult to leave. 

And the market is fiercely competitive. Brokers resort to extreme tactics to get ahead – behavior would shock other industries. 

For example, Fourie explained that some sites purposely launch Denial of Service attacks – malicious hacks to bring down a competitor’s servers and website – to manipulate Google rankings and steal a competitor’s traffic. This is the same attack used by cyber terrorists and extortionists.

Some brokers go even further by initiating Chargeback Attacks, Fourie explained. By purposely buying reports from a competitor – then initiating many credit card chargebacks in rapid succession – it signals to banks that the service is fraudulently charging customers.

Racking up many chargebacks within a short period of time then forces credit card processors to flag and “fire” the broker as a customer, requiring the broker to switch to a different payment processor. This forces them to pay higher fees to banks that are willing to process riskier transactions. 

And the way they treat your data is no more comforting than the way they treat each other. The more I investigated the issue, the more I discovered just how little regard they have for ethical considerations or privacy concerns.

“The scary part is, literally anyone can buy your data,” explains Patrick Ambron, CEO of BrandYourself. “That includes hackers, stalkers, spammers, scammers, governments, advertisers — you name it.”

So where do they draw the line about selling your data?

Acxiom’s Chief Privacy Officer and Global Executive for Privacy and Public Policy emphasized making efforts to ensure that data was used ethically over the phone. 

They said that a team of professional ethicists helped develop the data use guidelines its employees used every day to approve any given use of its data.

However, when directly pressed on whether it would be willing to provide a written copy of those guidelines, the company declined to do so.

When a company refuses to be transparent about what it considers ethical, that is a big red flag. 

Forbes contributor Kalev Leetaru described his conversation with Acxiom in his investigative piece The Data Brokers So Powerful Even Facebook Bought Their Data. Leetaru explained that when he explicitly asked if they’d turn down selling someone’s data to known harmful organizations – like predatory lending companies – they dodged the question and did not answer.

The more places you look, the more you’ll find this kind of unscrupulous behavior woven into DNA of the Data Broker industry. 

But perhaps the most unsettling part about it is how they manage to collect so much data you without your consent. 

What information do Data Brokers collect about you?

A single Data Broker may track over 3,000 pieces of information about you. 

That’s more information than your closest family and friends could ever provide about you. 

Let that sink in for a second.

An exposé on the industry written by the FTC breaks this down in great detail. When I read the report start to finish, I couldn’t believe just how deep the rabbit hole goes.

In his article Brokers use billions of data points to profile Americans, Washington Post report Craig Timberg explained how the FTC was very concerned about the way data brokers treated consumers. So they subpoenaed nine of them to investigate the issue. 

Their goal was to investigate the system of commercial surveillance that draws on government records, shopping habits, social-media postings and more, undermining the privacy of consumers.

“Officials said the intimacy of these profiles would unnerve consumers who have little ability to track what’s being collected or how it’s used,” Timberg explained in his investigative piece. 

The FTC called for legislation to bring transparency to the multibillion-dollar industry and give consumers some control over how their data is used.

But not surprisingly, the FTC’s recommendations – which are not technically U.S. laws – have been completely ignored. 

“The extent of consumer profiling today means that data brokers often know as much — or even more — about us than our family and friends,” FTC Chairman Edith Ramirez said in a statement. “It’s time to bring transparency and accountability to bear on this industry on behalf of consumers, many of whom are unaware that data brokers even exist.”

FTC Commissioner Julie Brill strongly urged Congress to act, saying that Americans should learn more about how their data is being collected and used. “Consumers can’t manage this process by themselves,” she explained. “It’s too big. It’s too complex. There are too many moving parts.”

What do the brokers have to say in response?

Stuart P. Ingis is General Counsel for the Direct Marketing ­Association, which represents nearly 2,000 companies that collect and distribute consumer data. 

He said that the FTC’s proposals – such as a requirement for a centralized portal for consumers who want to know what information data brokers collect about them – are unnecessary and cumbersome. “The industry helps prevent consumer fraud and improves the effectiveness of online advertising — the main revenue source for free services, such as e-mail and social-networking sites. I’m not sure that there’s a problem that requires a law here.”

But people who find their sensitive personal information plastered all over the web for anyone with a search engine to find strongly disagree. 

Privacy advocates working to help protect the security of people like you and me see little hope of regulation. “There’s no political pressure on Congress to act. The data-broker lobby is in­cred­ibly powerful,” explained Jeffrey Chester, executive director of the Center for Digital Democracy. 

He noted another important point: that political campaigns use information collected by data brokers to target their election and fund-raising messages. “They’re not going to vote against their political self-interest,” he said. Data brokers provide the very information they need to laser target their campaign messages to the masses.

Data Brokers track all of the personally identifiable information that an identity thief, hacker, stalker, spammer or scammer would need to take over your accounts, destroy your credit, and spam your email or phone.


Kevin Mitnick, perhaps the most infamous hacker of all time, contextualizes the issue in his book “The Art of Invisibility”. To paraphrase Mitnick: you barely need any personal information about someone to start gaining access to even their most sensitive accounts.

For example, armed with one or two pieces of personally identifiable info, it can be trivially easy to trick a support rep into giving you access to someone’s account — or providing more information that can be leveraged to steal their identity later.

Here’s just a brief sampling of information that Data Brokers collect: 

Full name, date of birth, address history, relatives, phone number, email address, net worth, social media profiles, websites visited, search history, financial habits, physical location, stores visited, online behavior, age, race, sex, weight, height, marital status, education level, politics, shopping habits, health issues, purchase history, home ownership status, public records, loyalty card memberships, warranty subscriptions, holiday plans, and much more.

But how do Data Brokers get all this info about you in the first place?

How Data Brokers collect your data without your knowledge:

Data Brokers are notorious for scraping as much information as possible about you from any available source. 

Even if that means breaking the rules.

Brokers collect data in many ways, including:

  • Buying it from companies. You know the little checkbox saying you agree to a company’s privacy policy when you first sign up? The fine print often gives explicit permission to sell your data. Common offenders include social networks, advertising platforms, banks, loyalty card memberships, warranty subscriptions, email newsletters, travel sites, subscription sites and free sample sites.

  • Scraping social networking profiles. Sites like LinkedIn and Facebook have tons of public data on people. Data brokers have no qualms violating terms of service of other sites in order to download as much data as possible. Most have built sophisticated scraper systems meant to avoid being detected as “bots”, stealing data from other sites and violating their terms of use in the process.

  • Public records. Data brokers pull data from court records, driving records, divorce records, death records, voting records, police blotters, SEC filings, city records, state records, federal records and other public data sources.

  • Scraping plaintext email addresses and phone numbers. If you Google your email address or phone number in quotes, it’s likely you’ll find at least one webpage that publicly exposes it in plaintext. That’s ripe for the taking. Crawlers meant to traverse the web looking for contact information will download anything that looks like a phone number or email address, and add it to lists that can be bought. 

  • Scraping public data breaches. When a large company like Equifax is hacked, sensitive information about millions of its users may be leaked publicly. That’s called a Data Breach. Hacked lists often include millions of exposed email addresses, phone numbers, passwords, etc. They’re generally posted on the Dark Web, the under-the-radar part of the Internet that can’t be accessed via a normal web browser. Data breaches are goldmines for data brokers, because it gives them access to an entire database of information from another organization. You can see if any of your sensitive personal data has been posted on the Dark Web using BrandYourself's Private Info Scanner.

  • Email list aggregators. Many companies make it their sole mission to build massive lists of email addresses, paired with demographic and behavioral tags. They then sell this data to companies that want to send an unsolicited email. For example, I could Google “email list of lawyers in New York over 50” and find something ready-made for me. You can see if your email has been added to any major spam lists using BrandYourself's Private Info Scanner.

  • Other data broker websites. Data brokers constantly try to scrape each other’s sites in order to stay ahead. So if one broker adds a piece of data about you, it’s only a matter of time before others pick it up as well. It’s an incestuous data collection industry that feeds upon itself. You can see which of the 20 major data brokers are exposing your sensitive personal info using BrandYourself's Private Info Scanner.

  • Other trade secrets. In a call with Acxiom’s Chief Privacy Officer and Global Executive for Privacy and Public Policy, the company emphasized transparency is absolutely critical to them. Yet when asked where they acquire their data from, the company refused to provide any detail, arguing that it was a “trade secret.” You can bet that data brokers are doing everything they can – shady or not – to get more data every day. 

How can I protect myself from Data Brokers?

The good news is that you can opt out of Data Brokers — and remove your information from their public-facing websites.

In fact, Fourie from SpeedyHunt estimated that his people search sites receive 13,600 information removal requests every day, split between their online opt-out form and emails.

That’s about 5 million opt-out requests a year. Fourie ballparked that 5% of total users end up opting out of people search sites.

And those people have the right idea. Because if your info is exposed on even a single Data broker, it impacts your life in ways you may not realize.

Let’s investigate exactly why you should opt yourself out of these sites: 

  • Spammers buy email addresses from Data Brokers to send unsolicited email. Spam is big business: over half of all emails are spam (source). A single spammer can earn $3.5 million a year, or $7,000 a day (source) from recipients clicking their links. The more emails they send, the more likely it is someone will click their offer. So they mine email addresses like its gold, buying, scraping and stealing as many email addresses as they can. And Data Brokers are a gold mine to build their target lists. If a Data Broker knows your email address, you’re at high risk of new spam. That’s why removing your info data brokers is essential to stop getting added to new spam lists.

  • Telemarketers and robo dialers buy phone numbers from Data Brokers to make unsolicited calls and texts. Robocalls have become an epidemic, with 5 billion placed in the U.S. in September 2018 alone (YouMail Robocall Index). Those affected get 10+ unwanted calls a month. They’re annoying, frustrating, and waste your time. Like spam, it’s a numbers game: some percent of people will inevitably pick up — and unwittingly provide personal information or buy something. But how do telemarketers find phone numbers to call? From Data Brokers. That’s why removing your phone number from Data Brokers is key to preventing unsolicited calls and texts.

  • Identity thieves find the personal information they need to impersonate victims on Data Brokers. Every two seconds somebody gets their identity stolen. Someone can impersonate you by doing a quick Google search and finding your mother’s maiden name, date of birth, mailing address, and other info needed to assume your identity. At BrandYourself we recently proved this to a class at Syracuse University by finding answers to the security questions of 80% of students within the beginning of our lecture on online reputation management. It was frighteningly easy — a quick Google search of Data Brokers provided all the info we needed for free. So if you don’t want fraudsters and identity thieves to find this information about you, be sure to remove your personal information from data brokers.

  • Hackers scrape email addresses from Data Brokers to send viruses and malware. Malware is malicious code that gives hackers access to your information and your computer. And Data Brokers are the first place hackers look to find targets to send viruses, worms, trojans and phishing attacks. That’s why removing your email address from data broker sites helps minimize your exposure to hackers and spammers. With a quarter of spam sent in 2017 containing malware (source), you should do everything you can to protect yourself from being targeted.

  • Stalkers and bullies can find home addresses, phone numbers and relatives names on Data Brokers. As FBI Cyber Crimes Task Force investigator Michael Bazzell explains: “When we were young, the only option for [finding someone’s phone number] was a phone book or community roster. If the subject of interest paid for an unlisted number, we were out of luck. Today, an unlisted number and address means nothing to the Internet. Other sources, such a tax data, social networks, resumes, and marketing databases, fill in the gaps.” 

  • Advertisers buy your information from Data Brokers to profile you and your behavior. The Federal Trade Commission published an in-depth report titled Data Brokers: A Call For Transparency, It found that a single company collected over 3,000 data segments on people. This information is extremely valuable to companies that want to pay for advertising and make it as targeted as possible. So advertisers have every motivation to gather as much info as possible about you and your online behavior. And a top source of their profile data comes from Data Brokers. Opting out of Data Brokers is necessary to help protect yourself from being profiled without your consent.

  • Governments scrape Data Broker sites to track and profile you. As the opening story of the Boston Marathon bombing showed, governments have a strong desire to know everything that’s going on at all times. Intelligence gathering is the name of the game in law enforcement — to a degree that many find unsettling. Removing yourself from Data Broker sites helps minimize the places that organizations can check to connect the dots of your sensitive personal information, including your recent Google searches.

  • Politicians looking to target you in their campaigns. Dave Maass wrote a great exposé called Voter Privacy: What You Need to Know About Your Digital Trail During the 2016 Election. He explained that “Many people think voter records are completely private. In reality, most states allow campaigns to obtain voter lists, including every registered voter, along with their addresses, party registration and voting history (whether they voted in an election or not, but not how they voted).” He notes that political campaigns have been compiling, sharing, buying, and selling voter lists for decades. For example, a company called Response Unlimited has been compiling lists of conservative voters for more than 35 years, selling them to campaigns and advocacy groups for the purposes of direct mail solicitation. These lists often reveal highly personal information about people, including their religion, political priorities, and donation habits. For example, a campaign might buy access to lists such as Catholic householdsveteran donors, and Second Amendment active supporters.

How can I remove my information from data brokers?

Fortunately, most data brokers do provide a way for you to opt out. 

If you want them to block your info from appearing online, they each have a process you can take to request removal of your info.

However, since their goal is to make money off your data, and since every piece of info they collect about you is a chance for them to show up in search engines, they purposely make it very difficult to remove yourself.

In an investigative piece on Data Brokers for Vice, Yael Grauer explained: “For now, it is possible for some consumers to opt out of some sites, but the process is time-consuming, difficult, and needs to be regularly repeated because data brokers will just add you again. Some pull data from other sites and update automatically. And then there are data brokers who don’t remove information even when asked.”

Once you send in your request, it can take anywhere from a minute to 45 days to remove your info. 

But you need to individually request removal of every individual listing that mentions you, because there may be many listings containing your data for each broker. 

Gruer explained: “If a consumer submits identifying information in an opt-out request that varies from the identifying information in the data broker’s records, the opt-out may not capture all of those records. As a result, consumers may find themselves having to submit many opt-out requests to the same data broker again and again. So, opting out is best done early and often.”

Tiffany George, a senior staff attorney in the FTC’s Division of Privacy and Identity Protection, found that variations of her name continued to proliferate on Data Broker sites for this reason, requiring multiple opt-out requests.

Many sites also require you to fax in information like your government issued ID, verification of your address, and provide all kinds of other personal information. This in itself is a privacy nightmare, requiring transmission of sensitive personal details that could be tracked in transit.

Griffin Boyce, a system administrator at Berkman Klein Center for Internet & Society at Harvard University, describes the first time he attempted to remove his own information.

“The first time I did this, it took about 2–4 hours. I used to check the most common sites every quarter. For someone in the public eye, like a celebrity, doing a quick search once a month is not a bad idea. These companies merge and spin off on a regular basis.”

He’s right — new sites are constantly appearing, shutting down, merging, and exposing more and more of our private information. 

If all this wasn’t bad enough already, it’s important to know that after a broker honors an opt-out request, most don’t even delete your data from their servers. 

This is because they constantly re-scrape, re-collect and re-publish information they find about you online — and in order to not display a certain piece of information about you, they need to have it “on file” already in case they scrape it from another source.

The irony is that if any of these brokers experience a data breach — and it’s only a matter of time before they do — then the data on their serves will be compromised.

And data brokers are by far one of the most lucrative targets for hackers because they provide such a huge goldmine of data.

As Grauer wrote for Vice:

“Companies scooping up tons of data on individuals are vulnerable to security breaches, so the information they’re collecting has ended up in the wrong hands. In addition to the Equifax breach, which affected more than 145 million people, Acxiom was hacked in 2003, and over 1.6 billion records (including names, addresses, and email addresses) were stolen, and some were sold to spammers. Epsilon was hacked in 2011, exposing names and email addresses of millions of people on email marketing lists who were then subject to spam as well as spear phishing attempts.”

Because data is so lucrative, people will break the law to steal it. 

Jathan Sadowski explained the impossible task of securing massive amounts of data in his piece Why do big hacks happen? Blame Big Data for The Guardian: “The vaults of these databanks are impossible to secure, in large part, because the wealth of information they hold is a beacon for hackers. Even the most impenetrable cybersecurity will eventually fail under the pressure of dogged hackers probing for weaknesses to exploit.” 

Sadowski notes that without putting hard limits on the data capitalists who extract and exploit our personal information, they will continue to reap the benefit while we bear the risks.

Here’s what you should do now to protect yourself

Even if opting out doesn’t delete your data, you should still opt out of all major data broker sites. 

It can take a while — each one has its own multistep removal process — but it’s worth it.

You will almost certainly need to continually request opt-outs over time. Your data will likely re-appear at some point. 

However, opting out across the board ensures that personally identifiable information will no longer be in plain sight for anyone who Googles your name.

How to opt out of the major Data Broker sites

It’s a nuisance and a time sink to manually opt yourself out of every single data broker on a regular basis. But it’s a huge risk to your privacy and security if you don’t. 

So what’s a person to do?

My company BrandYourself decided to tackle this problem head on. We decided to build tools that automate the process of opting you out of the 20+ major data brokers that put you at the most risk throughout your life. 

To be clear, this is not a simple feat. Most brokers have highly sophisticated ways of blocking automated systems from opting people out. They want to keep their data, because more data yields more money. 

So we put our best engineers on it, and built software that will emulate the opt out process – pretending to be a human – doing all the work for you. Not just to opt out once. But to continually monitor for newly exposed information about you, and request removal repeatedly over time. So you can stay safe. 

It’s a travesty that you have to waste your time doing this yourself, so we’re trying to put privacy back in the hands of the people who have been taken advantage of by these brokers. 

You can get a free privacy scan to see if any of your sensitive info is exposed on the top 20 major Data Broker sites. If you want to remove your info from all of them once, it’s $99. 

Considering it takes hours to do yourself, if you value your time at $25/hr or more, this is a no-brainer. This isn’t meant to be a hard pitch for my company— it’s just an honest look at the value of our time (not to mention headaches dealing with this kind of stuff). 

Unfortunately, brokers are notorious for re-exposing info over time. If you want to add ongoing privacy protection, and automatically monitor and remove any new info that appears, it’s $4.99/month. That way you don’t have to worry about your home address or age showing up again, and they inevitably will. It’ll opt you out of 20+ broker sites every month on your behalf so you can just set-and-forget it. 

Alternatively, you can manually opt out of the major data broker sites yourself. To make it as easy as possible, I’ve linked to manual instructions to remove yourself from the major data brokers below. 

Once you go through the whole list once, you’ll see just how tricky some of these sites make it to stop sharing your data with the world. 

Click a link to find the most up-to-date removal instructions for each one. 

  1. WhitePages

  2. Intelius

  3. Instant Checkmate

  4. TruthFinder

  5. Acxiom 

  6. PeopleFinders

  7. Spokeo

  8. ThatsThem

  9. Addresses

  10. FamilyTreeNow

  11. AnyWho

  12. Nuwber

  13. AddressSearch

  14. PeopleSmart

  15. PeopleSearchNow

  16. TruePeopleSearch

  17. VerifyThem

  18. CheckPeople

  19. USPhoneBook

If you want to bookmark this page for later, you can always return back when you have time to go through the process. 

Conclusion

With hacks and data breaches getting so much publicity, it’s common to assume that nothing is private anymore. 

Fortunately, removing yourself from the major Data Brokers above on a regular basis is a very powerful way to help protect your privacy online.

First, it’ll help ensure that your sensitive personal data isn’t showing up right at the top when people Google your name. 

Second, it’ll protect you from the malicious people who leverage exposed data to build spam lists, build robo-dialer lists, steal identities, hack accounts, and all the other “black hat” activity in the seedy underbelly of the web. 

Third, it’ll minimize the amount of data passed around from broker to broker, decreasing the frequency that your information will re-appear in the future.

It’s also important to remember how these Data Brokers get your info in the first place. Avoid signing up for free samples, shady looking newsletters, contests and giveaways, and other common traps for capturing personal info. 

Make sure you browse the web from here on out with your skeptic’s hat on.

Why is this site asking for my info? Does it really need my age and home address if it’s just a newsletter?

Be cautious and don’t offer your information to any sites that don’t actually need it. Otherwise — you’re wiser now — you can assume it’ll eventually end up in the wrong hands. 

If you think this article might be useful to your family or friends, please do pass it along. By sharing this article, you help support the time and energy required to investigate, interview, report, synthesize, and combat the privacy challenges that we increasingly face.

Thanks for joining me! I'm excited to continue helping everyday people take back control of their online privacy. And don't forget to get your free privacy scan if you want to see whether your sensitive info is being exposed by the data brokers in this article.