Data Privacy in a World of Data Brokers

Our personal information is a valuable commodity. Data brokers depend on this – their whole business is collecting, aggregating, and selling your information. Even more unnerving, you’ve probably never heard of the companies that have your data. Right now, data privacy is crucial. It’s important to explore ways to protect your privacy and keep your data from ending up out there.

See Navigating Data Brokering and Privacy with Darius Belejevas for a complete transcript of the Easy Prey podcast episode.

Darius Beleievas is the head of Incogni, a subscription services that helps people get their personal data off data broker lists. He has been in cybersecurity for about seven years, but that’s not where his career started. His education was in computer science, but it only took him a few years to realize he was better suited for the business side of things than for a career as an engineer or developer. By joining the cybersecurity company Surfshark, he started a switch over in security. For the last four years, he’s had the opportunity to take Incogni from an idea to where it is now. Last year, they hit the milestone of over 100 million data removal requests on behalf of users.

How Incogni Started

Surfshark already had a VPN and already alert monitoring for data breaches. But they were looking into what else they could offer. They ended up generating a list of ideas and sending them out to customers, asking what new product or service would be most helpful for them. One of the entries was removal of personal data from data brokers. That one got the most votes from users. So Darius and his team knew what they had to do, but they had to figure out how. At the time, there wasn’t really a service out there that did it. They had to figure it out from scratch.

They started with manual testing. After talking with the legal team about what kind of options they had and gathering a list of volunteers and a list of data brokers, they started trying to remove those volunteers’ information from the data brokers. Some brokers were easy to work with and removed the data right away. Others replied with arguments about why they weren’t going to, and Darius and his team had to go back to the legal department and find more arguments. It became obvious why this was a service people wanted – almost none of the volunteers continued past the second week of the testing because it was such a hassle.

The most difficult part was often finding the data brokers. Some states, like California and Wisconsin, require data broker companies to register. But most of these companies are ones you’ve never heard of. It’s extremely difficult to remove your data from them if you have a hard time just finding them.

Who are these companies that I have never heard about in my life that have my personal information? Just finding those companies is a bit of a pain.

Darius Belejevas

What Are Data Brokers?

With so many people talking about data brokers compromising your data privacy, it’s easy to think of them like some kind of mythical villain. But they’re actually businesses that provide services to other businesses. Those services just happen to be collecting, aggregating, and selling your data. It’s also important to note that none of this is illegal. All of these companies are following applicable data privacy laws. Those laws do allow them to collect and sell your data.

It’s important to understand that it is legal to collect data, to sell it. That’s within the law.

Darius Belejevas

It’s also important to know that when we talk about privacy and security problems with data brokers, it’s not just a handful of companies that are the problem. There’s a whole dysfunctional ecosystem around data protection and privacy. These companies may scrape your LinkedIn account, get data from loyalty programs you use, use your location data and browsing history, and more. They also trade between themselves to create elaborate profiles. We’re talking about hundreds of millions, sometimes billions, of data points in one place.

When we talk about the privacy and security issues when it comes to data brokers, it’s not about one, two, or five particular companies. We have the whole ecosystem that’s a bit dysfunctional.

Darius Belejevas

This also makes data brokers big targets for data breaches. Darius did some research a few years ago, and a lot of data brokers, even the big ones, have been breached multiple times. The reality of cybersecurity is that if you’re a good target, it’s more a matter of time than anything.

The best way to not get affected [by data broker breaches] is just essentially not to be in that list.

Darius Belejevas

Data Brokers, Privacy and Transparency

In addition to the risk of data breaches, another scary aspect of data brokers is the lack of transparency around your data and its privacy. At the end of the day, you don’t know who gets access to your data. It could be a marketer who wants to send you a promotional email or postcard. Or it could be someone coding bots to call you with a scam. You have no way of knowing.

And as previously mentioned, it can be challenging to figure out where your data actually is and which data broker companies even have it. Based on how Icogni calculates it, there are a few thousand different data broker companies out there. But they are specifically targeting data brokers who pose the biggest privacy risk – the ones with personally identifiable information. That means they don’t go after every data broker. Generally, they deal with a few hundred of them. In this case, Darius has found the Pareto principle, also called the 80/20 rule, applies. In many cases, it’s just a few dozen companies feeding data to a much larger number of smaller ones.

Getting it Off and Keeping it Off

Protecting your data privacy by removing your information from data brokers has two aspects. One is initially removing your information from the data broker. The other is keeping it from getting back in. Data brokers import new data sets every so often, and if your data is in that new set, chances are you’ll be right back in their records.

Darius has encountered a few dozen data brokers that have a suppression list. With these lists, the company leaves a small bit of your information in their records on that suppression list. When they get new data, they compare it with that list, and if your data is in that new data, they throw it out.

But most data brokers don’t have these lists. And often companies re-add information roughly every two months, though this varies based on what you’re doing online, what they do with your data, and how they get it. So removing your data from data brokers once doesn’t keep it out of their records forever. Protecting your data privacy is not a one-and-done situation.

Protect Your Data Privacy from the Start

There are actually three stages to data privacy when you’re dealing with data brokers. First is that prevention aspect of keeping your data from becoming available for them. Second is getting your information out of data brokers where possible. This is where tools like Incogni come in. And third is dealing with the consequences if something has been leaked. This involves things like dark web monitoring and taking steps to protect your identity and information.

You can take steps to protect your data before it gets out. In Darius’s experience, the most common identifiers to aggregate data across platforms are email addresses or phone numbers. So when something in your life asks for an email or phone number, ask yourself if you really need it. Once you submit that information, whatever you’re doing can be added to your profile. If it’s worth it, you can do it while being aware of the risks. If it’s just something like a 5% coupon, it’s probably not worth it.

The most obvious thing you can do to protect your data privacy is not sharing your information. There is also the option of using alternative emails or phone numbers to confuse the profiles. Of course, that would take quite a bit more work on your end. This tactic hasn’t been well-studied yet. But Darius would be interested to see how that affects data brokers’ businesses, because it would make it much more difficult for someone who wants to collect and aggregate your data.

More Specific Steps to Better Data Privacy

If anything asks for your email or phone number, whether it’s a person or an online form, stop and reconsider. Do you need to be there? Do you really need to subscribe or do this particular thing? Doing that alone over time will make a huge difference.

Depending on where you live, you may also have the right to know how a person or company got your information. When Darius gets an unexpected phone call or email, he replies asking how they acquired his information. It can lead to some interesting results. And it can help you identify some of those data brokers where you need to opt out. Services like Icogni can do a lot of this work on your behalf.

In the US, many companies send you annual reminders about privacy policies or updates to their privacy policies. These policies also talk about who they share data with and in what circumstances. And a lot of them have opt-out processes. You don’t have to read the whole policy – just find the section about selling or sharing your data and see who they share with and if there’s a way to opt out. You may have the option to prevent a data broker from getting your information from that company.

When filling out forms, look at the various checkboxes. You don’t necessarily have to check all of them. Often one says something like, “You agree to let us share your information with friends and affiliates.” Those are the data brokers. Just don’t check that box. And on some forms, you can ask what they really need. It’s possible they just need your name and address, but the form has a bunch of other fields by default and you don’t have to give them that information at all.

Data Privacy Regulations

Europe is a good example of data privacy regulations done really well. There’s not many data brokers in the EU because it’s much more difficult to operate and much more scrutiny. It’s not perfect, and there are still loopholes and problems. But they’ve had GDPR for almost a decade, and from an overall standpoint it’s worked quite well.

California’s CCPA is also a strong law. The big issue that Darius has seen with it is that companies are allowed to offer two options for how to remove your information, and they often make both very frustrating. Some areas could be improved, but overall it’s good.

The problem for United States citizens is that there’s no overarching privacy laws that could really help you protect your private data from data brokers. Instead, the US has a combination of laws around specific information (like HIPAA for medical data) and state laws like CCPA. In terms of data protection and removal, we really don’t have a lot of rights.

Right now, as a consumer, you don’t really have that many rights in terms of removal.

Darius Belejevas

Some people think that since their data is out there anyway, there’s not really much point in doing anything about it. But at the end of the day, it’s about personal comfort. If you’re fine with the idea that your personal information is out there and anyone who wants to pay a few dollars can access it and use it, that’s fine. At the end of the day, it’s up to you to decide whether data privacy is important to you or not.

The Future of Data Brokering and Data Privacy

A lot of where data brokering is going to go in the future will depend on how data privacy laws develop. In the past five years, things have been pretty good in that regard. Every year a new state comes up with privacy laws. Federal law can’t seem to even get started with a general privacy law. And there’s an argument that this isn’t a bad thing – maybe it’s better to have strict laws at the state level than a watered-down overarching federal law.

Increasing data privacy laws will cause consolidation. It’s going to be harder and more expensive for smaller data brokers to operate. AI development could also lead to some interesting things. Darius is curious to see how data collection and the very concept of personal information will change over the next few years.

A few decades ago, nobody thought of posting every detail online for anyone to see. Now we’re starting to see a backlash of people who care about anonymity and privacy. Incogni was built for these people. Users have even said that after using Incogni, the amount of robocalls and spam they get has gone way down. This is great – the goal has always been having people feel the benefit in everyday life.

Our goal … was always [to] get so good at targeting the data removals that people actually feel the benefit in their day-to-day life.

Darius Belejevas

Learn more about Incogni at incogni.com. They recently launched a free data removal scanner to send you a report of where your information is on people finder sites.