Incognito — March 2023: How Data Brokers are Making our Identities More Detailed
February 24, 2023
Welcome to the March 2023 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.
Here’s what we’re talking about this month:
How data brokers build out our identities and sell them to third parties, from marketers to scammers.
Recommended reads, including “TruthFinder and Instant Checkmate Breached, User Personal Data Leaked.”
Q&A: Is it a good idea to flood the internet with fake data about myself?
If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter.
Next month is Identity Management Day. Created to raise awareness about the increasing ubiquity of identity-related attacks, it’s a reminder to update our privacy settings on all accounts and use a password manager (among other things).
But while being privacy-aware and protecting passwords is important, these things alone won’t keep our digital identities private.
Here’s why. Plus steps you can take to actually protect your identity.
Our Identities Are Being Packaged and Sold
We’ve all heard it: our identity is for sale on the dark web.
Depending on who you are, that may or may not be true.
But what’s 100% true for everyone is that a) our identities are being sold on the surface web (i.e., the web we use every day and that is visible to everyone), and b) these identities are getting more comprehensive (and as a result, easier to exploit).
This is due to data brokers.
Once a way to get mostly basic directory-style data points on someone you may know, data brokers’ profiles have become much more detailed. In addition to names, phone numbers, and addresses, they now feature information about our families, past residences, employment, and much more.
So where do data brokers get the information that lets them build out our identities with such precision?
Multiple Sources of Data Lead to More Risk
There isn’t just one source that data brokers rely on for information.
Instead, data brokers get their data from a variety of sources, like public records (e.g., birth certificates, marriage licenses, and court records) and social media.
Data brokers also buy personal information from apps—even those you think would keep your sensitive data private. Earlier this year, Duke University’s Sanford School of Public Policy researchers shared how data brokers are selling information on Americans’ mental health conditions acquired through therapy and telehealth apps.
Loyalty programs, credit card companies, browser cookies, periodical subscriptions, and online surveys are just some of the other sources data brokers use to map out your identity.
Who’s Looking You Up And Why You Should Care
You’d be surprised how many people, groups, and organizations want to use data brokers to buy your identity — and for how many purposes.
Law enforcement uses data brokers to locate potential suspects. This can exacerbate biases and, when data on our identities is inaccurate, result in wrongful arrests.
Federal agencies like the U.S. Immigration and Customs Enforcement (ICE) and the Federal Bureau of Investigation (FBI) buy data broker dossiers to conduct deportations, criminal investigations, etc., without public disclosures or warrants.
Marketers can use our identity data to discriminately target goods and services, for example, by excluding individuals who live in a less desirable location or by targeting them with ads for low-income products and services.
Criminals use data brokers and people search sites to conduct reconnaissance on potential targets, find personal details to include in phishing emails, guess passwords and security questions, and, of course, steal identities.
Insurers purchase information on people’s identities to calculate costs. In 2018, ProPublica found that health insurers used personal data like a person’s education level, TV consumption, and net worth to assess their insurance premium.
Employers and recruitment agencies look up people on data brokers to determine whether to hire them or not. The problem is that someone’s data broker profile may say they’re on a national sex offender list or have a criminal history, even though they don’t (data broker information is notoriously littered with errors).
Landlords use data brokers to run background checks on prospective renters. In a recent investigation, The Markup found that people were denied housing due to erroneous criminal record data.
Politicians buy your identity from data brokers to determine what ads you will be most receptive to and whether they should bother targeting you in the first place.
The first step for keeping your identity private is to opt out of data brokers.
Even if you do nothing else, removing yourself from people search sites and data broker websites will help you protect your identity.
The reason is that data brokers sell your identity to third parties. This makes a bad actor’s job easy.
On the other hand, if a bad actor can’t find your information on a data broker source, they’ll need to assemble your identity piece by piece. This is a much more time-intensive and complicated task. Not everyone will be willing to put in the time to find all your public records, social media accounts, etc.
The second step is to minimize how much data you personally put out on the internet. Do you share tidbits from your personal life and photos on social media? Contribute to online forums? All this activity leaves a trail of digital breadcrumbs that someone with enough time can follow.
Remember, your online activities are also an important source for data brokers.
So are public records. The third step is to reduce how much personal data can be accessed about you through sources like court records and marriage licenses.
In certain circumstances, like if you’re a victim of domestic violence, you may be able to seal your records. Even if that’s not possible, you might still be able to change some personal data on certain public records, for example, swap out your real address for a P.O. box.
Finally, the fourth step is to remember that you’ll probably need to make tradeoffs.
For instance, if you want to get retail discounts, you’ll likely need to sign up for a loyalty card, but loyalty program data is often sold to data brokers. The same goes for free apps, etc.
Our recent favorites to keep you up to date in today’s digital privacy landscape.
TruthFinder and Instant Checkmate Breached, User Personal Data Leaked
The background check services TruthFinder and Instant Checkmate experienced data breaches that impacted more than 20 million customers. The breaches were discovered after databases of customer personal information (names, phone numbers, email addresses, encrypted passwords, and password reset tokens that are inactive/expired) were shared on the dark web. Only customers that created accounts between 2011 and 2019 seem to have been affected.
Booking.com Customers Are Being Scammed, And No One Knows Why
Booking.com customers have been getting scam emails that look like they come from Booking.com and include their travel plans and other personal data. While the first incident was recorded in 2018, and the latest was in February 2023 (as of this writing), Booking.com says its systems have not been compromised. Instead, according to the travel marketplace, scammers have sent phishing emails to a number of properties that accidentally compromised their accounts. Affected guests have reportedly been contacted.
ChatGPT Is Being Trained On Our Personal Information
ChatGPT was trained on information scraped from the internet, including people’s personal data, writes Ars Technica. This is problematic because a) individuals never gave it their consent to use their data, some of which might be sensitive and could identify them, and b) there’s no way for people to see if OpenAI (the company that owns ChatGPT) stores their personal data and no mechanism to ask for them to remove it. By using ChatGPT, people may also inadvertently feed it more sensitive data.
Reddit Confirms Breach, Says Users Are Not Impacted
The forum and social news website Reddit confirmed that it was breached and that threat actors accessed its internal systems. The breach happened after a Reddit employee clicked on a targeted phishing email. Attackers were able to access internal documents, dashboards, business systems, and code, as well as some information on current and former employees and other contacts. However, Reddit user data was reportedly not exposed.
You Asked, We Answered
Here are some of the questions our readers asked us last month.
Q: Is it a good idea to flood the internet with fake data about myself?
A: Yes, but it shouldn’t be relied on for privacy.
Data poisoning (or OSINT poisoning), as the practice you’re talking about is sometimes known, can confuse data brokers and algorithms that serve you personalized ads.
The practice can involve things like:
Adding fake information to your online profiles.
Trading accounts (like Spotify) with someone else (or, in the physical world, even trading loyalty cards).
Using a browser extension that automatically clicks on every ad shown to you.
Watching videos you don’t actually like.
Searching for content you’re not interested in.
Using location-spoofing software.
Following people you don’t know/are not interested in on social media.
Those who engage in data poisoning attest to its effectiveness.
“You’d be surprised what sort of coupons CVS prints for me on the bottom of my receipt. They are clearly confused about both my age and my gender,” said one New York Times reader in an article from a few years ago on how not to leave tracks around the internet.
At the same time, those determined to figure out who you are will find ways to do it (“monitor/update/wait because one day someone might slip and it all falls together,” said one person in a forum thread asking how to overcome data poisoning).
And even though some of the information a data broker has on you might be incorrect, a lot of it will be accurate.
As such, it’s best not to rely just on data poisoning but also to take the time to remove data about you from the internet that is correct.
Q: How can I find all of my old accounts? I want to delete them but can’t remember everything I ever signed up for.