Privacy Protection Through Regulation | Part 2

Background: In early 2023, we started preparing a public opinion on data rights and regulation for the Consumer Financial Protection Bureau (CFPB). Over the last few months, we've shared an overview of the CFPB's Request for Information (RFI), our perspective on the industry, and a few high level predictions.

For our final response, we summarized hundreds of pieces of feedback from our members who support stricter regulation on a harmful and creepy industry. We also summarized our data from sending millions of removal request and escalations to hundreds of data brokers. We shared our final response and a few recommendations with the CFPB publicly before the extended July 2023 deadline. In addition to the CFPB, we want to share our response and perspective on regulation with you. Learn more in part 1.

Part 2 | Privacy Protection Through Regulating Consumer Reporting Organizations

In the first part of our blog series we shared our recommendations for the Consumer Financial Protection Bureau (CFPB) to evaluate three areas of the FCRA. Part 2 offers a deep dive into the challenges presented in getting private information off of data broker sites.

Our Challenges Fighting Data Brokers

Maintaining personal privacy and safety online should be much simpler and affordable than it is. The difficulty comes from how data brokers respond to requests for removal. We believe the CFPB can regulate three challenging behaviors from brokers:

• Whack-a-mole; brokers resurface information even after its removed.

• Traceability; brokers know their data sources but refuse to divulge sources so consumers cannot get to the root of their data exposure.

• Verification; brokers struggle to verify who is requesting deletion of data so they ask for proof like government ID, increasing the security risk associated with sending an opt out request.

• Escalation; when brokers do not comply with requests, escalating to state or federal regulators can be slow or ineffective.

a) Whack-a-mole / whack-a-data-broker

The current ‘opt out’ standard is only effective if four things are true:

1. The site responds

2. The site complies

3. The site does not require unreasonable verification (like government ID)

4. The site does not resurface information

Unfortunately, many sites fail at step 1. Some respond but never follow up or take months. Even if there is an auto-reply or automated system for removal in place, many fail on steps 2 and 3 by asking for invasive verification like government ID or recent proof of address. The GDPR defines these types of requests as ‘unreasonable.’ Almost all data brokers fail on step 4 and resurface data after an initial deletion or suppression. Kanary tracks this data for members and on average, every 4-6 months sites resurface information. In one case (see below), we’ve had to opt out the same member’s data 12 times over the last 3 years on radaris.com. “Exposures” are unique links on the radaris.com where this information is appearing. All unique links need to be referenced in opt out requests in order to be removed.

b) Traceability

A core challenge when working with data brokers and their customers/partners is identifying where the data comes from. Seeking answers from customer support or privacy contacts leads nowhere. For example:

1. Many political campaign call lists will text you. You can text them back and opt out. But if you inquire as to the source of the outreach, they will not or cannot point you to where they acquired your number.

2. A marketing data company like RocketReach may agree to remove your profile. But if you email them, asking for the source of the data they collect on you, the answer is “some sources may not be available for reasons beyond our control.” See below.

Excerpt from exchange with rocketreach.com privacy team, July 2023

This is deceptive. A multi-million dollar corporation like RocketReach has a data team dedicated to sourcing and managing this information. This should be a violation of the FCRA. Without this information, we’re left guessing. Exposures could come from hundreds of different sources:

• Public Voter Records https://voterrecords.com/

• Public Employee Pay Records https://www.federalpay.org/

• Public Marriage Records https://www.ancestry.com/

• Public Business Records https://opencorporates.com/

• Public Professional Certifications or Registrations https://opennpi.com/

• Public Social Media Profiles

• Data Breaches / Hacker Groups / Doxxing incidents

• Active or Dismissed Court Records https://courtcasefinder.com/

• Dropped or Active Criminal Records www.mugshotlook.com

• Personal or Business Directories https://people.yellowpages.com/whitepages/

• Business Software https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook

• Data Collected Through Offers, Rewards, Contests, Loyalty Programs

• Private Credit / Financial / Tech companies (Plaid, Robinhood, Paypal, Experian all have histories of creating ‘data products’ to sell to other companies either marketed as Risk/Security or Customer Segmentation products)

• Many many more …

c) Verification

Submitting a removal request may seem straightforward, though tedious.

1. Go to a data broker’s website and find their opt out form

2. Enter in your Gmail address

3. Add your home address and birth date

4. Solve a captcha

5. Click submit

6. Receive a confirmation link

7. Click confirm

8. Wait 3-14 days

9. Check the site to see if the data is gone

In this case, you’ve just opted out, but also just shared new information with a site that should have no right to your information in the first place:

• Your IP address (your current physical location)

• Your email address

• Your home address

• Your birth date

• Your browser fingerprint

If you wanted to submit a request to a site without exposing IP address, primary email, home address, birth date, and digital fingerprint, you would use the following tools.

• VPN

• Email alias

• Fake birth date

• PO Box or alternate address

• A Privacy Browser

These privacy-preserving tools should be allowed when dealing with a site that is actively causing you harm. But data brokers increasingly use firewall tools like Cloudflare to block access to their sites if you use a VPN, an alias email, a privacy browser like Tor, or an address or birth date that doesn’t “match” whatever they have on file (whether that is even accurate).

In worst cases like https://clicksearch.us/ or https://www.locatefamily.com/ they will require a government ID to ‘verify’ the information. Asking a consumer to make this security tradeoff when the company has no right to this information should be a violation of FCRA.

d) Escalation

When sites do not comply with requests, consumers are left with few options for escalation. People may email or call their state representatives, but hear nothing in response. Even enforcement of the CPRA was just delayed to 2024.

Another escalation is to other tech companies supplying services to brokers. Critical infrastructure providers like Amazon Web Services, GoDaddy, Vercel, and Google are enabling the storing and dissemination of this harmful information. These companies might pass along complaints and assist in escalation. But in most cases, they run into similar blockers when sites do not respond. They have no incentive to assist and so there is little progress.

Only in extreme cases of harassment like SWATTING (and when the victims are prominent, wealthy, or powerful) do federal law enforcement get involved. The FBI directs consumers to report serious incidents to the Internet Crime Center, but most go unacknowledged. Only in one case do we know of the FBI getting involved because threats escalated to the hacking of a major corporation. But even in the aftermath of this case, the victims are on their own, facing the same challenges as everyone else.

A response from 2023 from hosting platform, Vercel, who is hosting an unresponsive site posting material for spam and targeting.

What's Next After The Request For Information?

Kanary believes our data about violations and sites compliance can be invaluable as the CFPB scales enforcement of existing FCRA violation. We expect to see them working with individuals and companies like Kanary to take the following next steps:

• Gather data on the worst violators of the FCRA (Radaris, People Connect, LexisNexis, BeenVerified… many others) and determine appropriate enforcement.

• Track progress and flag ongoing violations to help consumers understand which enforcement is most impactful.

Learn more in part 3 where we share some of the member testimonials that were sent to Kanary in response to our request for experiences and opinions. These firsthand accounts provide powerful insights into the consequences of data mishandling, highlighting the urgent need for change.

For more information on the Consumer Financial Protection Bureau's Request for Information (RFI), check out our blog, The CFPB is Taking Aim at Data Brokers.