removal-research.jpg

Kanary’s Guide For Removal Research

September 2022 by Jamie W.

How To Contact Websites To Remove Data

If you’re reading this, you’re looking for guidance on how to get a site to remove your information. It can be difficult to find the right starting point because most sites don’t want to remove your information. They might obscure a removal link, not be well maintained, or require unreasonable identification.

Kanary sent its first removal request on August 29, 2019 on behalf of our founders, and since then, have spent hundreds of hours researching sites. We understand the frustration! Our goal is to figure out the best approach to mitigate potential harm and push sites to respect people’s privacy. That’s why we put together this guide to save you time and stress. We'll cover Do Not Sell links, Privacy Policies, Embedded Opt Outs, and Escalation To Hosting Providers.

Hopefully the guide below maximizes your chances of getting your information removed. Please let us know if you’ve discovered your own tips & tricks. We’re always improving: [email protected]

Do Not Sell Links

If you’re trying to remove yourself from large data aggregators or advertisers, you can look for a “Do Not Sell” link. The link should lead to a form where you can send three types of requests: a request to delete, a request to not sell, or a request to access. Since your goal is to remove data, submit a “request to delete.” For some major data brokers like Clearview AI, Do Not Sell requests will be limited to California residents. For other sites, they respect these requests regardless of state of residency. So whether you’re a California resident or not, we recommend exploring this path to see if you can submit a request.

Our first step to find a removal contact is to follow the Do Not Sell link as far as we can. Typically, the process involves submitting a form with proof of residency or ID, confirming the request via email, then following a tracking number on the request. Some sites will send you a confirmation once the opt out or deletion request is complete.

do-not-sell-form.png

Privacy Policies

Due to increased privacy regulation (CCPA & GDPR), websites changed how they update and present privacy policies. What used to be boilerplate legal jargon, now includes elegant graphics and friendly language. (ie Old Twitter Privacy Policy vs New Twitter Privacy Policy) Social media sites, new outlets, and people search sites list their privacy request processes and removal guidelines here. First try to follow a site’s process to be efficient with removal requests - going outside the process can be slower and time consuming for the site admins who are responsible for your requests.

A link to a privacy policy is typically on the footer of the website. The privacy policy itself sometimes doesn’t show exactly where to submit a request or how, but it will link to other pages if you search the page for keywords like “Opt Out”, “Remove”, or “Delete”. It also helps to look for a general email to reach out to if steps are unclear. Search the page for “@”, “[at]”, “support”, “help”, “legal”.

Embedded Opt Outs

People search sites like Xlek have automated opt out processes tied to the records listed on their sites. They’ll require you to go through a multi-step process like the one below:

1. Search for your information by name and location

2. Find the listing you want removed

3. Find the opt out link on the listing

4. Go through and submit a form to request the removal

5. Receive and click a confirmation email from the site to verify that request

While this approach is efficient for the site, it’s time consuming. Most sites that use this approach also have quick removals 1-2 days, but for some, this process can be slow and difficult to follow to see if any progress is being made.

xlek-optout.png

Sending The First Request

If you find guidelines for data removal on the site, your fastest path will be to follow their defined process. If there is a way to contact the site but it’s not a data removal process, that’s your next best option. This might be a customer support form, a chat bot on the website, a harassment/platform abuse report. Sending a first request should always include the link to where you found your information.

If you’re unsure of the site’s process, the process isn’t working, or they’re asking for unreasonable information, it’s time to write an email to them. Use clear, friendly, and informal language rather than aggressive or overly formal legal language. Support teams or admins are reviewing these requests and tend to respond more quickly to requests that seem and sound human.

Most importantly, only share the information you know the site already has about you. For example, here is a request we’d send to a site that is exposing a personal email address. Notice that we do not share any additional personal information with the site:

To: [email protected]

From: [email protected]

Hello,

I’ve discovered your site is sharing my personal email without my consent and I’d like you to remove it. I’m making a concerted effort to improve my privacy and security.

[link to where the information was discovered]

I am emailing you from this email to provide all reasonable and required identification.

Please provide a prompt response with confirmation or justification for denying the request.

Thank you for your help,

[the username from your email]

Some sites will respond with additional requests for information. We always recommend pushing back at least once against unreasonable requests for more identification. In some cases, you will need to decide how much information you’re willing to supply in order to have the site remove the information.

Red Flags To Watch Out For

The internet is the wild west. Anyone with an email can purchase a domain and set up a website. You may find your personal information listed on someone’s wordpress blog, on a hacker forum, or on a site whose only contact listed is [email protected] You should be able to recognize red flags and know when to escalate.

Red flags include emails unaffiliated with the domain like outlook.com, hotmail.com, gmail.com etc. You should reach out to these types of contacts using an alias email to protect yourself. It is unlikely you’ll get a response, but it doesn’t hurt to attempt to safely contact a site owner before escalating.

Escalating Beyond The Site (Advanced)

When a site isn’t responsive, we recommend reaching out to their hosting provider. Hosting providers can be legally responsible under certain cases for copyright infringement or harmful material. Many hosting providers have abuse report systems set up so that people can report issues with sites using their infrastructure. Please note, this is not legal advice. Many hosting providers are unresponsive or can take months to respond to requests.

Going beyond the site should start with a ten second RDAP search on https://lookup.icann.org/en. ICANN organizes information about who is registering websites and how.

icann-lookup.png

Enter the site’s domain, “site.com”, and search. You should look under the Nameservers section. There will be a path showing you where the website is hosted. For example, if the site is hosted on cloudflare.com, it would be SOMETHING.XX.CLOUDFLARE.COM.

Once you know the hosting provider, you should google search for “[hosting provider] abuse report”. That should show exactly where you’ll need to report your issue. Cloudflare has this resource, for example: https://www.cloudflare.com/trust-hub/reporting-abuse/ Godaddy, Amazon, and Google all have similar processes in place.

In your report, reference the site and the specific link issue. If you’ve sent multiple requests, emphasize the amount of time you’ve spent trying to reach them. If the site is completely unresponsive or does not have a contact, be sure to to note that as well and ask the hosting provider to provide an alternate way to contact the site.

There is no guarantee they will respond. But some track sites that are not following the law and may take action to reduce their risk. In the past, Kanary has worked through hosting providers to force a site to improve their opt out process. In other cases, Kanary’s requests contributed to getting spammy websites taken offline entirely.

Being unable to remove sensitive personal information from a site is disappointing and discouraging. But keep in mind that even if your individual request is not successful, you’re participating in a bigger effort to let companies know that your privacy, everyone’s privacy, is important and needs to be respected.

Did this guide help you?

If you discovered a new way to contact a site or remove your information or if you have any other tips we might want to add, please let us know! [email protected]