Incognito — September 2023: What happens when data brokers get your information wrong?

Welcome to the September 2023 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month: 

• What happens when data brokers get your information wrong? 
• Recommended reads, including “Cybercriminals Spreading Fake AI Bots.”
• Q&A: Can I just ask a company to delete my data?

That job you had all the credentials for but didn’t get. The rental application you were denied. An unexpectedly higher insurance premium. What happened? 

Maybe there was a good reason why things didn’t work out. Or maybe it was a data problem. 

From employers and landlords to insurers and law enforcement agencies, many of the third parties we interact with rely on information from data brokers to make decisions about us.  When this information is incorrect, it can lead to lost opportunities and even traumatic interactions. 

Most Data Broker Information Is Inaccurate 

It’s data brokers’ business to know everything about our lives and sell comprehensive profiles about us to anyone who wants them. The problem? A lot of the time, at least some of the information in these profiles is  “wildly wrong.” 

40% of information data brokers have on people is inaccurate or no longer accurate, according to one report, a finding confirmed by NATO. 

• All data categories seem to have mediocre accuracy, including financial information and other data that may be used in background or credit checks. 
• This finding appears to bear out in real life. After requesting her profile from a data broker, a reporter for The Atlantic found that nearly 50% of the information in it was incorrect. 

Why Wrong Data is Dangerous

For people who hate the idea of someone else knowing their business, the fact that data brokers have incorrect information about them may seem like a good thing. 

Sadly, that’s not true. The fact is that third parties use data brokers to make important life decisions on our behalf. If they have erroneous information on you, that could harm you. And the worst part? You never get to find out why. Imagine being not able to make important transactions, receiving higher premiums, or being denied service, all without reason. 

How Erroneous Broker Data Can Affect You

Here are some ways inaccurate or incorrect data broker information can affect your life. 

• Rising insurance premiums. Insurers use data broker information to predict costs and false information – like being placed in a “biker enthusiast” category when you’ve never ridden a motorbike in your life or having “smoker in household” on your report – could massively inflate your premiums. 

• Denial of rental application. One prospective tenant’s report said she sold meth, drove without insurance, stole, lied to a police officer, and engaged in other illegal activities. In fact, she hadn’t done any of those things, and the data was pulled from the records of four different women with the same name and one woman who used her name as an alias. 

• Lost job opportunities. In a hearing before the committee on commerce, science, and transportation, an attorney and privacy consultant described how one of her clients was laid off from his high-paying job and denied employment for two years, even though he had great recommendations. The reason: his data broker profile said he had three DUIs and an arrest for murder – none of which was true. A similar situation led to another person losing out on a job because his report falsely claimed he was convicted of drunk driving, attempted petit larceny and forgery, and had two stints in jail. Two data brokers even had to pay fines for sending employers reports saying an applicant could be on a sex offender list based on just their first and last name. 

• Wrongful arrests that are impossible to erase and incorrect application of force. Minor errors can lead to catastrophic consequences. Renata and Chris Simmons found this out the hard way when the police shot their dog after mistaking their home as the home of a man with a very similar last name (Simpson) when they were trying to serve a warrant. 

Correcting the Incorrect and Other Steps You Can Take

Some data brokers let you correct the information they have on you, but not all. Legally, your rights also depend on what state or country you live in. But even if all data brokers allowed you to correct your information, tracking all these companies down would be a massive feat. 

We also don’t necessarily recommend giving data brokers more data. It makes much more sense to opt-out, and keep opting out, of data broker databases. 

You can also take action to reduce the likelihood that incorrect data about you will find its way into data broker databases in the first place. Small steps like using a privacy-first browser and being mindful about the kinds of apps you download on your phone won’t make you invisible to data brokers, but they will help reduce the amount of data, including potentially incorrect data (like if you google a medical condition a friend has, and it suddenly becomes part of your profile) these entities can collect about you. 

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

Cybercriminals Spreading Fake AI Bots

Criminals are buying ads for fake artificial intelligence (AI) bots. This was discovered by an ESET security researcher who saw an ad for the latest version of Bard, Google’s AI tool, on Facebook. Upon investigation, he found several discrepancies, including oddities in the ad’s language and a site hosted on Google’s cloud infrastructure but with content not related to Google. The researcher warned of other examples he has encountered, including “meta AI.”

Google Launches New Privacy Tools

Google is rolling out new tools to help users maintain their privacy online. This includes a “results about you” dashboard where you can see if your personal information appears on Google Search without having to do the search yourself and the ability to receive notifications when more information is uploaded. Google will now also let users remove explicit or graphic images of themselves from Google Search. 

LinkedIn Account Hijacking Campaign Underway 

Across the globe, LinkedIn users are losing their accounts to hackers who are using brute force methods or leaked credentials. While the motive for the campaign is unclear, LinkedIn accounts can be used for data gathering, phishing, and job offer scams. Researchers at Cyberint have also noted that some users had their LinkedIn accounts deleted while others received small ransom requests.

Elon Musk’s X Testing New Identity Verification Feature

X, formerly Twitter, is asking Blue (premium) subscribers to verify their identity with a selfie and a photo of a government-issued ID. In doing so, users must also agree to X storing their biometric and other data from their profile for up to 30 days for safety and security purposes. The personal information is handled by an Israeli identity verification and management company called Au10tix. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: What can someone do with my email address?

A: Great question! 

With just your email address, someone can:

• Find more personal information about you via people finder sites with a reverse email lookup feature.
• Spam you. 
• Make hundreds of accounts on different websites using your email. 
• Send you phishing emails. 
• Spoof your email, i.e., pretend to be you to someone else.
• Hack into your online accounts, including your email account. Many websites let you use your email address as your username, which means someone could log into your accounts if your passwords are weak or already available for sale on the dark web.

For this reason, it’s generally considered a good idea to use email aliases. You should also always use strong passwords and multi-factor authentication whenever possible and remove your personal information from data brokers and people search sites. 

Q: Can I just ask any company to delete my data?

You can definitely ask. But whether the company complies with your request will depend on where you’re based, the kind of data you’re talking about, how that data was collected, and the company in question. 

For example, under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California citizens can ask companies to delete personal information that the company collected about them from them themselves. If a company collected a California citizen’s personal information in some other way, such as buying it from data brokers or acquiring it from another third party, they wouldn’t be obliged to delete it.

Also, even if the data was collected from California consumers themselves, a business may still legally refuse to delete it under certain circumstances, like if they need it to detect fraudulent, malicious, or illegal activity or comply with legal obligations. 

An article from The Washington Post goes over the process of how you can go about requesting that a company delete your data. 

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.