If you’ve lived in the United States long enough to receive mail, your personal information is probably being sold in a vast ecosystem of poorly-regulated companies known as data brokers. Even if you’ve done nothing to make that information available online, these companies make it easy for anyone to look up the home address of strangers.
Because of the lack of regulation for these companies in the US, Americans are uniquely vulnerable to people who want to cause them harm. Stalkers, trolls, or haters can easily find anyone’s home address using “people search” websites, allowing them to escalate online harassment and putting their victims at significant personal risk. Some incidents have tragically resulted in murder. And even if you never draw the targeted attention of online harassers, your publicly available personal information is used by scammers, fraudsters, and identity thieves at a massive scale.
The US is unique in its lack of regulations protecting the personal data of Americans — making Americans singularly vulnerable to people who want to misuse that information. But that can change. The Consumer Financial Protection Bureau (CFPB) is holding an open call for comments on the American data broker ecosystem until July 15. We’re submitting a comment highlighting the challenges and risks data brokers pose to our customers and clients, but it’s important for individuals to submit comments as well.
You can submit your comment here or email it to DataBrokersRFI_2023@cfpb.gov. If you decide to send an email, make sure to include the document title and Docket No. CFPB-2023-0020 in the subject line of the message. And if you need a little help getting started, we’ve created a template that you can personalize with your own experiences and opinions.
For the past six years, investigative reporter and tech journalist Yael Grauer has maintained the most comprehensive list of data brokers we know of. As a product manager, Yael maintains Consumer Reports’ Security Planner, which we consider the best in-depth free and publicly available personal cybersecurity guide. We spoke to Yael about the risks data brokers could pose to individuals like you.
We mentioned a couple of high profile cases, such as the murder of Judge Salas’s son and the situation that Dr. Hotez faced. What other harms have you seen data brokers cause?
Yael: With online harassment, attackers have used data brokers to find their victim’s personal information to use to escalate their harassment. People have been doxxed [a term for the non-consensual sharing of sensitive personal information] and swatted [an attack where an adversary calls in a fake bomb threat or hostage situation in order to trigger an aggressive law enforcement response at the target’s location] by attackers using that information. Sometimes their friends and family members receive abusive or threatening phone calls and even in-person confrontations as a result of these harassment campaigns as well.
Information from these sites can also facilitate crimes such as fraud and identity theft. The companies collecting these information have been hacked, resulting in names, addresses, email addresses, and even driver’s license data and social security numbers to be easily searchable by criminals. Even without such sensitive information exposed, the information provided by data brokers makes people vulnerable to spam and phishing attacks.
People have alleged that data brokers sold inaccurate information about them, and that they may have missed out on job opportunities as a result. There have also been instances where data brokers were accused of selling information to recruiting or background screening companies without complying with FCRA regulations, such as allowing people to correct errors.
People often defend data brokers and “people search” sites by comparing them to phone books. They suggest that, like with physical phone books, people can simply opt out of having their information listed on these sites. What would you say to people who think this ecosystem is a 21st century version of a phone book?
Yael: The cool thing about the white pages in physical phone books is that you were able to opt out by contacting a single company (your phone company). Nowadays, opting out of data brokers means contacting 60+ different websites, which is much more time-consuming. The phone books of yore also contained less personal information. They printed people’s names, phone numbers, and addresses — but data broker sites can also include the names of housemates and relatives, links to social media accounts, and much more. They sometimes even include past addresses going back decades.
The threat landscape has also changed. In 2008, the FBI began warning the public about swatting, a criminal harassment tactic of deceiving emergency services into dispatching police response teams to another person’s address with false reports of active shooters, hostage situations, or other serious crimes.
Additionally, data brokers may hold onto data indefinitely (even when people opt out, which only suppresses it publicly) and share or sell it to others. They may also sell inferences derived from that data which can affect which job ads you see online, the cost of your insurance, and more.
As you said, opting out of these data brokers is a lot of work. Is it worth bothering to do so if you’re not a famous person or politically controversial?
Yael: You don’t have to be famous or controversial for someone to find a reason to be mad at you online. Having your information available through data brokers makes it easy to find where you live, link your different social media accounts to you, and find your relatives or your roommates. Attackers and trolls can then use that information to fuel a harassment campaign. And beyond that, there’s also the risk of impersonation, identity theft, or even account takeover if some of the data may be used as an identifier or an answer to a security question used to reset an account.
It is definitely a lot of work to opt out of dozens of data brokers, and isn’t entirely foolproof since information can crop up in other places. I think just focusing on the most prominent data brokers—the ones you highlight on the Tall Poppy web app—can be useful preemptively, especially when combined with other common sense practices like using multi-factor authentication, using a password manager, and not using information that could be public as an answer to an account security question.
