Your data, their profit: the data brokers you know nothing about

Dozens of companies collect data about me even though I’ve never used their services. In most cases, I’ve never even heard of them. I wanted to delete myself from their databases but found it to be a tedious journey with many unchecked boxes.

MaxMind, Pipl, Comscore, Shopalyst, and Alesco are just some of the company names that completed data removal requests on Incogni, the personal information removal service from Surfshark. There were dozens more names that I heard for the first time.

“Uncover the entire digital footprint of any person, anywhere,” one of them boasts on the website. Another will check for your ex-spouses, finances, and even traffic tickets.

What do data brokers know about us? More than our relatives and even ourselves, sometimes having over 1000 data points on a single unaware individual, an interview with Darius Belejevas, CEO of Incogni, reveals.

Some siphon data from the web by scraping public records and social media, and others buy it from apps and services that have loose privacy policies. The most advanced data brokers aggregate data from our every digital footprint to build detailed personal profiles.

The data can end up in the hands of marketers who use it for targeted digital advertising or on people-finder websites. However, some data brokers even take money from scammers who bombard people with SMS and robocalls or even sell data to someone more nefarious.

How do data brokers work?

Someone secretly collecting and selling your data is one of the scariest things currently happening to people, Belejevas believes. Incogni itself originated from a survey of Surfshark users on what they needed to be helped with.

“The most voted-for issue was the need for help with deleting user information from data brokers. So we started looking into the whole data broker market and realized what a quagmire we're getting into,” Belejevas said. “I had never heard of these companies in my life either. But as you start to approach them, you begin to understand how much data they have about us.”

Darius Belejevas

Data brokers often boast in their marketing materials and websites about hundreds of millions of users, and some even count in the billions. The information collected can include the most sensitive details, starting from demographic info, addresses, phone numbers, Social Security numbers, location data, beliefs, political affiliations, web browsing, or shopping habits.

Most of those services do not offer any value to the individuals about whom they collect data. On the contrary, it exposes them to targeted advertising, stalking, scams, or robocalls.

“There are companies that know more about us than our family or friends. I am not even sure if I know 1,500 things about myself. This is probably the biggest mystery and problem – these companies can collect a lot of personal information about a user, about us, without actually appearing anywhere publicly on how they do it,” Belejevas said. “And the data collection methods are also very diverse.”

Scraping from LinkedIn is one way to get some private information. However, users also give away data on many apps and services that collect and share information with their partners, affiliates, and other third parties. Then there's the data science level.

“Someone buys your LinkedIn information, someone else buys or collects your place of residence, then models what your income might be based on your zip code. They buy your shopping and browsing habits, which technically should be anonymized. However, a lot of research has shown it can be de-anonymized and linked. You end up with an entire ecosystem where some companies collect, analyze, and sell, and others can buy and supplement their data to get complex profiles about us which we don't even know ourselves,” Belejevas described.

Who are the clients of data brokers? Doing business is not the sole application.

“Often, it's the governments themselves. Even in America, there have been quite a few instances where federal agencies, instead of formally requesting the right to collect certain information about targeted individuals, simply go through data brokers and purchase that information. Because it's easier.”

I didn’t agree to any of this

Europe has GDPR, a strict privacy law that requires companies to acquire my consent to manage my data. Canada has PIPEDA, and some states in the US also introduced similar laws, such as CCPA in California. How do data brokers still do that without me knowing?

“The problem with these laws is that there are still gray areas where no clear precedent has been set,” Belejevas explains.

There are loopholes when acquiring data outside a user’s jurisdiction. Also, some individuals may unknowingly consent to their data being collected. For example, a loophole in Swedish law allowed data brokers to bypass GDPR by obtaining a media license.

When testing Incogni’s service, I noticed it sent removal requests on my behalf to 42 data brokers. After a month, 29 requests were completed. Among them, 11 companies kept some information about me for the suppression lists so they would never recollect personal information. And 13 data brokers were still “in progress.”

Incogni requests

Belejevas assured me that an individual in America would see requests sent to more than 150 data brokers.

“There are far fewer data brokers in Europe, which has had GDPR since around 2018. In the US, it is more of a Wild West because not all states have privacy laws, and it's apparently easier for data brokers to operate,” Belejevas explained.

Incogni offers free opt-out guides for manual personal information removal. However, if I were to achieve the same result myself, it would take an estimated 22 hours to fill out forms, write emails, and communicate with each data broker.

“It can be painful,” Belejevas confirmed. “Still, at our core, we are privacy enthusiasts.”

companies Incogni

Why is it so hard to delete your data?

Data brokers protect their business by making the opt-out process as difficult as possible. Incogni’s CEO has observed many unethical “dark patterns” that data brokers use to avoid deleting data.

Demanding excessive identification to an uncomfortable level is one way. However, in the US, not all states have laws requiring the deletion of personal info upon request.

“Surprisingly, many of them will reply. They won’t directly refuse to delete, but they create conditions that will make you say, ‘Oh, forget it, it's not worth it.’ This usually starts with verification. A lot of them come back and say, okay, we need to make sure it's really that person, so send us some ID,” Belejevas said.

Others will ask for your phone number to call in a “12-to-36-hour period” for confirmation and will presume a change of mind if unanswered.

“There was a very tricky one – you submit a request and receive an email with the subject that your data has been removed. But only when you open an email will you find a link: press to confirm.”

However, some laws also include proportionality clauses on what companies can demand.

“When we come, we say, we don't care what data you have, we don’t need to know what you have. You delete it,” Belejevas said. “Three verification elements need to match, and we use email, full name, and address. The user must verify the email with us so no one is impersonating them.”

Even then, not all brokers will agree to delete the data. Incogni categorizes hesitant brokers as being in the “resistant” category, meaning there are disputes pending. Some inquiries may take months.

Detailed view at Incogni

“We have data brokers who say they'll delete data from California, Virginia, Utah, and Colorado because those are the states that have privacy laws, but with others, it's not their problem, so to speak,” Belejevas said. “But on the other hand, there are companies that cooperate.”

Data about Americans is also collected by data brokers in Asia and elsewhere, where almost no legal protection applies.

“When it comes to companies that are based ‘Hell knows where,’ we don't even approach them. Because it would be very difficult to ensure that no additional risks arise. We vet brokers as we want to be as safe as possible when working with sensitive user data.”

What about Facebook or Google?

Big tech can be considered as the largest data brokers, yet Incogni does not interfere here.

“Technically, we could go and say, Meta, delete what you have about this user. The problem is that it would mean the entire account would be deleted. Then users will come to us and say, wait, I can't log in to my Facebook anymore,” Belejevas answered. “We focused on those data brokers that brought no benefit to the user. We don't want to delete any information that would make it worse for the user.”

Facebook, Google, and other platforms declare they do not sell user data. Also, they offer multiple settings on their platforms to make accounts more private.

Many more data brokers track you without knowing your name.

“Gartner's study identified up to 5000 data brokers. Officially, data broker registries exist in Wisconsin and California, each containing around 400 companies, and most overlap. But again, there are loopholes that enable certain companies to avoid registration. We maintain a list of over 150, and this number is constantly changing. We have reviewed between 1,000 to 2,000 such companies.”

Most data brokers are ad tech companies that won’t know standard personal information, such as names or addresses, so it’s impossible to ask them to delete the information.

“They can tell where you work, when you eat, where you exercise, where you are. But they can't really tell your name.”

Resetting advertiser's IDs may help. However, sophisticated companies will still be able to track and link users to their datasets.

“Blocking tracking is a good practice. If it's not necessary, I won't use my real email or phone number. Likewise, when a ‘Do you accept’ pop-up appears, I go through the settings and cancel everything. The less of our information we give out online, the greater the privacy.”