If they use the data you provide (such as your address) to search other data brokers, doesn't that potentially give the data broker MORE information than they already had on you? Do the companies in this space prevent this somehow?
Edit: Lest people think this is somehow impossible otherwise - all it should take would be to search for just your name + location, get the query results, then filter on the client side. Which is exactly what a human would do for the brokers that have a "remove this entry" option when you see (presumably) yourself in the search results. However, this not only requires the data brokers to support such an API, but also requires the deletion services to actually put in the effort to do it this way for every broker they can, which seems nontrivial. Hence my question of whether these services make such an attempt at all.
Not a dumb question at all. Yeah, in the process of finding you within a data broker's system and sending a removal request, they need to send that broker your personal data... it's a bit awkward. Optery, another PII removal service, has a whole section about this in their privacy policy (section 7 of https://www.optery.com/privacy-policy/):
> Optery, Inc. must send your PII to the data brokers and information aggregators included in the Removal Lists... We cannot control, guarantee or warranty how these third-parties will treat your PII or what they will do with it.
Optery also has a Help Desk article on this catch-22 where in order to opt out of data broker sites, you must first tell them who you are, otherwise, how else would they know who to opt out: https://help.optery.com/en/article/what-information-does-opt...
And you need to enter all of the information that you're trying to protect into one central location that is probably heavily targeted. These types of services never made sense to me.
Nothing is impossible in tech. (Rhetorical hyperbole!) But seriously let me give you an analogous example, with its pros and cons.
DNS now has something widely deployed called "query name minimization". For no particular reason other than it made servers' lives easy (which it does, as we will explain) the recursion process historically sent the actual qname (what was asked for) to each nameserver contacted.
Much was made of this in recent years, that this leaked potentially important information to servers which demonstrably couldn't have the actual answer for the qname (even if they could provide a useful referral).
Two flavors of qname minimization exist in the field. One flavor asks qtype A questions of the form "_.example.com" until it triangulates on the server with the answer; the other asks qtype NS questions (regardless of the actual qtype). (In case you've noticed a change in the mix of your DNS traffic.) In a nutshell, qname minimization asks questions which enable it to triangulate on the server which can potentially answer the question, before sending the actual question to it.
A good rule of thumb is that with a cold cache qname minimization will result in nearly twice as many queries being issued / answered during the resolution process, assuming nothing goes wrong. Both of these approaches are prone to mistakes when servers don't conform to assumptions about how proper DNS should operate.
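The difference in what each server learns, as an added simulation that is not part of the original comment. The toy zone data, the function names and the 192.0.2.10 address are constructed for illustration; the minimized resolver follows the NS flavor described above and sends the real question only once no further zone cut is found.

```python
# Constructed toy namespace (not real DNS data): each zone lists the child
# zones it delegates and the A records it is authoritative for.
ZONES = {
    ".": {"delegations": {"com."}, "records": {}},
    "com.": {"delegations": {"example.com."}, "records": {}},
    "example.com.": {"delegations": set(),
                     "records": {"www.dept.example.com.": "192.0.2.10"}},
}


def ask(zone, qname, qtype, log):
    """Send one query to the server for `zone` and record what it saw."""
    log.append((zone, qname, qtype))
    data = ZONES[zone]
    for child in data["delegations"]:
        # Anything at or below a delegated child gets a referral.
        if qname == child or qname.endswith("." + child):
            return "referral", child
    if qtype == "A" and qname in data["records"]:
        return "answer", data["records"][qname]
    return "nodata", None


def ancestors(qname):
    """com., example.com., ... down to qname itself."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def resolve_full(qname):
    """Historic behaviour: every server on the path sees the full qname."""
    log, zone = [], "."
    while True:
        kind, value = ask(zone, qname, "A", log)
        if kind != "referral":
            return value, log
        zone = value


def resolve_minimized(qname):
    """NS flavour: reveal one more label per step, real question last."""
    log, zone = [], "."
    for name in ancestors(qname)[:-1]:
        kind, value = ask(zone, name, "NS", log)
        if kind == "referral":
            zone = value          # found a zone cut, move down
    while True:
        kind, value = ask(zone, qname, "A", log)
        if kind != "referral":
            return value, log
        zone = value


def seen_by(log, zone):
    """Distinct qnames that the server for `zone` received."""
    return sorted({q for z, q, _ in log if z == zone})


if __name__ == "__main__":
    for resolver in (resolve_full, resolve_minimized):
        answer, log = resolver("www.dept.example.com.")
        print(resolver.__name__, answer, len(log), "queries")
        for zone in ZONES:
            print("   ", zone, "saw", seen_by(log, zone))
```

The extra query in the minimized run comes from probing `dept.example.com.`, a label that is not a zone cut; names with more such labels cost more probes.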
Any 3rd party service or individual doing opt outs should limit data sharing as much as possible. Steps to do that include setting up email aliases, searching data in separate queries, using a proxy or VPN, verifying data exists before sending a data deletion request with all your PII in it, pushing back on any invasive requirement for govt ID...
It's tempting to just automate sending a mass email to all the brokers with your full name, DOB, and address asking for deletion (some services actually do this - beware), but that exposes you to a bunch of new spam.
I've been building Kanary for 4+ years (we're a removal service & YC grant recipient) and we take a conservative approach to each site. I wrote a bit more about why this matters: https://www.kanary.com/blog/dont-get-spammed
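The "search on name + location, then filter on the client side" idea from the original question and the "verify data exists before sending a deletion request" step above, as an added sketch that is not code from any service in this thread. `FakeBroker`, its methods and the sample listings are hypothetical and constructed; real brokers may offer no such search or remove-by-id interface.

```python
from dataclasses import dataclass, field

# Constructed sample listings held by a hypothetical broker; not real people.
LISTINGS = [
    {"id": "r1", "name": "Paige Notfound", "state": "OH",
     "street": "12 Elm St", "birth_year": 1988},
    {"id": "r2", "name": "Paige Notfound", "state": "OH",
     "street": "9 Oak Ave", "birth_year": 1961},
    {"id": "r3", "name": "Meg A. Byte", "state": "TX",
     "street": "4 Pine Rd", "birth_year": 1990},
]


@dataclass
class FakeBroker:
    """Stand-in for a broker's search and removal endpoints (hypothetical)."""
    listings: list
    received: list = field(default_factory=list)  # every request body sent in
    removed: set = field(default_factory=set)

    def search(self, **query):
        self.received.append(dict(query))
        return [dict(r) for r in self.listings
                if r["id"] not in self.removed
                and all(r.get(k) == v for k, v in query.items())]

    def remove_by_id(self, listing_id):
        self.received.append({"id": listing_id})
        self.removed.add(listing_id)

    def remove_by_identity(self, **pii):
        # The broker keeps whatever it is sent, even fields it never had.
        self.received.append(dict(pii))
        ids = [r["id"] for r in self.listings
               if all(r[k] == v for k, v in pii.items() if k in r)]
        self.removed.update(ids)
        return ids


def minimal_opt_out(broker, me):
    """Search on name + state only, match locally, remove by listing id."""
    hits = broker.search(name=me["name"], state=me["state"])
    mine = [h for h in hits
            if h["street"] == me["street"]
            and h["birth_year"] == me["birth_year"]]
    for h in mine:
        broker.remove_by_id(h["id"])
    return [h["id"] for h in mine]  # empty list: nothing further was sent


def naive_opt_out(broker, me):
    """Send the full profile with the request, listed or not."""
    return broker.remove_by_identity(**me)


def fields_learned(broker):
    """Field names the broker received across all requests."""
    return sorted({k for req in broker.received for k in req})
```

For a person the broker has no listing for, `minimal_opt_out` leaves it with a name and state only, while `naive_opt_out` hands over street, birth year and email that it did not previously hold.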
Could there be some sort of Robin Hood action to all of this? What if you took all the leaked data about millions of people and used that to opt them out of all the various services that buy and then sell the data?
That is a possibility. Another scenario is one in which you sign up to a service like Optery and submit a non-existent individual with fabricated information for PII removal; after about a month or so, this fabricated individual started showing up as a possible person that lived at my address when I was trying to get a quote from Progressive.
So, seems like somewhere in the midst of this process, one of the 240 brokers that Optery sends your information to get it removed, someone aggregated it, sold it to Progressive and in the underground realm of data brokers and buying and selling data, someone unfortunately (or fortunately?) is now targeting 'Paige Notfound' and 'Meg A. Byte'.
With an American SSN, one could dump 1,000 queries of numbers with only 1 of them being the client's actual SSN so the logs don't reveal as much. Still, though, it's a Catch 22 to find the thing you don't want found by using that thing.
It seems to me like this is a core problem with the scummy nature of this business. I’d like to believe you’re wrong but have trouble given the business model.
I wanted to try this, but it seems to be restricted to only people in the USA. It is impossible to enter a location outside the USA in the sign-up form, and it's impossible to skip that form. Please, Mozilla, make it much clearer which countries are supported to avoid causing this frustration and to give people a reason to come back once other countries are supported.
Sorry about that. The form should only be shown for people in the USA, but detecting the country you're in can't be done perfectly. Which is a good reminder - we'll look into making the US-only part clearer.
Mozilla Monitor Plus - $14/mo, or $108/yr. Too pricey for most.
> Every month, we use the information you provided about yourself (name, location and birthdate) to search across 190 data broker sites that sell people’s private information. If we find your data on any of these sites, we initiate the request for removal. Data removal can take anywhere from a day to a month. This feature is available for Monitor Plus users only.
Anyone know if there are any local/open source tools to do this?
I use this pattern but I'm starting to move away from it. Some things just don't work (ex. linking accounts between companies) and it also throws customer service agents into a panic when they see their own company name in the e-mail address.
I'm also not sure it gets me that much. I do get to see who was compromised or sold my data, but most of that just goes to spam anyway. I also usually find out about the compromises from other sources anyway.
Yael's resource is amazing. Highly recommend this open source guide.
Also check out Michael Bazzell's how to disappear guides: https://inteltechniques.com/links.html
We are working on a fully local version of this @ https://redact.dev - Beta should be out within a month or so. Huge (obvious) advantages for doing it locally
Also an unaffiliated, long term, and happy user of Optery.
If nothing else, I’m glad there are more offerings showing up on this space because of the competition this will hopefully generate.
Consumer Reports also has a semi-related offering called “Permission Slip” that is focused on opting out of data sharing with individual companies, e.g. Netflix, Home Depot, etc.
Many data brokers will not permit third party services to remove the data without a signed limited power of attorney. Note that the power of attorney is limited to interactions for submitting removal requests and opt outs.
Isn't it to be expected? I guess that they have to make demands on your behalf to have your data removed. I guess that's optional because they can still work without it in some cases, and ask you on a case-by-case basis for others, but that's extra work for you and for them, so they may not do it, at least not on the lower tier pricing.
Blame data brokers for making such asinine restrictions.
You can also just use the free version to collect a list of brokers yourself and manually contact all of them to find out how much of a pain in the ass it is.
I cleared my name from the net using another service that charged by the month. I paid them for three months, when their work clearing my data from about 100+ brokers was completed, then cancelled. 2 years later, my name and personal data still remain no longer to be found like it once was before the scrubbing.
That's great to hear, often they do show up again later, which is why it's a longer-term subscription service. OneRep is the provider for the removal functionality of Monitor, incidentally.
I can't help but be a bit miffed that despite ostensibly being a privacy service, Optery is still running a bunch of third party scripts on their site, including Google...
I'm curious, what's the point of paying for Optery per year? Isn't removing your data a one-time request? Except for supporting new brokers that might appear.
Your point is spot on. Data removal services have an aspect where a ton of value is obtained in the first 1 - 4 months as the majority of profiles are wiped away, and then after that you're sort of in maintenance mode where the service catches profiles as they pop back up, or when new data brokers are added to the system for coverage.
Optery generally has 2 types of customers:
- The first type are those that care a lot about their privacy and the cost of an ongoing subscription is insignificant to them, so they keep the service running on an ongoing basis for the ongoing automated scans and removals and for getting new data brokers they get coverage for immediately as they are added into the system.
- The second type of customer is more price conscious and is basically looking back and forth between their credit card statement and their Optery dashboard each month and then they either pause or cancel the subscription when they feel they've reached a good stopping point. Optery's pause subscription feature is very popular for this type of customer and you can use it to automatically re-start the service in 3, 6, 9 months, etc.
- Another thing to point out is many other services only offer Yearly subscriptions, Optery offers Yearly or Monthly. If you're price conscious, the Monthly is nice because you can turn it on and off, or pause it as you wish.
More detail on the topic of keeping Optery running on an ongoing basis is on the Optery Help Desk here:
Also a satisfied Optery user. Been using their service for the past year, from what I can tell, they seem to have the most robust solution in the space.
Discover's service is limited to only a few sites (which is why it's free). And it is not transparent about progress of removals or requirements.
That might not be the most effective way to reduce spam or reduce targeted attacks, because it ignores many hard to remove exposures.
We have a similar price point at Kanary (I'm the founder) and it covers the resources we invest in the cat & mouse game required to escalate and complete removals on a wide variety of sites, not just a handful of easy ones.
Anyone have experience comparing this to Incogni? I’ve been an unaffiliated user for over a year now. While many brokers have replied, many never seem to.
Optery founder here. We did a deep dive comparison between Incogni and Optery (https://www.optery.com/incogni-review/). The biggest takeaway is Incogni, at this time, does not cover many of the most popular people search sites like Whitepages, TruePeopleSearch, Spokeo, RocketReach, ThatsThem, BeenVerified, TruthFinder, InstantCheckmate, and many others. Most Incogni reviews you'll find online are written by their affiliate partners.
Optery founder here. If you're taking a look at Mozilla Monitor, I recommend taking a look at Optery too:
- Optery's Ultimate plan covers 300+ data broker sites and offers Unlimited Custom Removals providing the most comprehensive coverage in the industry. Optery has a variety of plans for different coverage needs (Free, Paid, Family, Business), and the ability to pause or cancel a subscription at any time.
- Mozilla Monitor Plus is powered by OneRep, which partners with data brokers through its affiliate program: https://imgur.com/a/juSC66b. This is a fine line most data removal services do not cross. Optery's removals are proprietary and are not powered by any other company.
- Optery (YC W22) was awarded the Fast Company Next Big Things in Tech in 2023 and PCMag.com Editor's Choice award in 2022 and 2023, over DeleteMe, Kanary, Incogni, IDX Privacy, etc.
- Optery has completed its SOC 2, Type II security certification. To our knowledge, DeleteMe is the only other data removal service with this certification. This is probably the most overlooked attribute when selecting a data removal service.
If you ever do this manually, the data brokers that have data removal options will first show you an ad for using a removal site. Because that way, they at least get a cut of the proceeds when you sign up. Data brokers don't get much benefit from people doxing $some_random, other than a few dollars for every thousand people who do that. But, they can get $10s of dollars for when $some_random signs up with their affiliate link.
So, you have a clear conflict of interest with OneRep not blocking data brokers from their affiliate. It probably doesn't go very deep, but with the subscription-based nature of these privacy services you start to wonder what happens when you churn...
I think if you express an opinion like that you ought to say why too. It could be you have a point. But you could also be (mis)interpreted as a critic who, instead of building things themself, finds imperfections in things the real builders make...
I really wish employers would pay for a service like this because a lot of spear phishing attacks start with data stolen or scraped from brokers, LinkedIn, etc. If a company buys a service like this in bulk, it can get significant discounts. Personally I've resorted to hiding my information on LinkedIn and noticed that I've been passed over by attackers while my coworkers get spear phishing attacks all the time.
Many employers do - we work with plenty of teams and even have specific guidance for how members can ask their HR or Security lead to sponsor a membership.
I like how the solution to the privacy issue is _yet another account_. I don't know why, but I find it highly amusing. I do get it, you need to share your details with them so they know which details to delete, but I still can't help but laugh.
I attempted to use this, entered my email, was prompted with a "create your account" page, laughed out loud and closed the tab. This is a comical misunderstanding of what the product even IS or DOES.
How do they think they’re supposed to do their job if they don’t even have a way to identify you in the first place. What is comical is your blend of ignorance of the technical needs of the product and arrogance to suggest that it should be done in this “magical anonymous way” that nobody seems to grok.
One of the ironies of these things is that they tend to map to a specific e-mail address, whereas the more paranoid of us who'd want to pay for a service like that tend to have different addresses, either entirely or something like Gmail with +filters.
HIBP supports domain searches[^1] at least, but part of the problem is also how we keep trying to reinvent the e-mail system to not fall prey to this, much how Fastmail have Masked Emails, and Apple have Hide My Email.
In a sense, it sounds like the advice of the services is less subscribing to them than trying not to have a few e-mails that map to your personal identity.
> In a sense, it sounds like the advice of the services is less subscribing to them than trying not to have a few e-mails that map to your personal identity.
The phone masking looks great, too. Like Privacy.com, it's awesome with virtual alternatives for PII, except they don't tend to be available here in Europe, but I'm definitely jealous.
I got the last laugh! :)
I can't think of other ways to verify yourself other than to verify yourself.
(I'm an engineer on Monitor.)
haveibeenpwned will notify you if your email address was in a breach.
The Mozilla offering seems to include the same, but also cover other pieces of personal data, and the ability to request removal from data brokers.
I use <website>@<personal-domain>.<tld>, and you cannot enter a wildcard in Permission Slip.
https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-Li...
The Mozilla offering looks somewhat comparable, but I do wonder if they’re going to beat a company which has the sole focus of solving this problem.
More detail on the topic of keeping Optery running on an ongoing basis is on the Optery Help Desk here:
https://help.optery.com/en/article/why-should-i-keep-my-opte...
Nothing against your company specifically, but at this stage anything associated with YN is a negative.
(some basic info here: https://www.kanary.com/enterprise)
[^1]: https://haveibeenpwned.com/DomainSearch
Firefox Relay is a great way to do that :) https://relay.firefox.com
Integrating that with Monitor is pretty high on at least my personal wish list.
But until Firefox Relay supports custom domains, I am of the opinion that it’s not ideal.