Doxxing redux: The trouble with opting out

Back in the spring of 2017, I wrote an article on doxxing and the types of reseller websites that often make it possible (“Your personal data – or is it?” May/June 2017). Doxxing is generally understood as the buying, selling, gathering, or other sharing of personal information online, often with malicious intent. With this private information in hand, individuals can threaten, stalk, harass, or damage the reputations of others. Members of the legal community are at particular risk of having their information accessed and used without their knowledge or direct consent.

As I described in my first article on the topic, personally identifiable information (PII) reseller websites make obtaining this information pretty easy. By visiting one of numerous sites, a person can find a wide range of private information that includes an individual’s address, phone number, criminal history, and employment situation, not to mention a slew of details about their spouse (past or present), children, and family members. I think most people would be surprised to learn the full scope of what’s lurking about them on the web. In response to the risks, people are often encouraged to complete opt-out requests through these sites. I have previously provided a short listing. The problem with opting out? Well, there’s more than one. 

First, the sheer number of these sites makes it difficult if not impossible to fully monitor your personal information. It’s one thing to continuously opt out of one, two, or three PII reseller websites. It’s another thing entirely to pursue removing your information from a dozen or more sites, only to have new sites of which you’re unaware pop up within a month. And if the information you’re concerned about isn’t on one of these sites, it could very well be available elsewhere. 

Second, these websites typically make it as difficult as possible to remove your information. There are opt-out pages (the links to which frequently change) for many of these sites. But they often require lots of additional information from the user to remove their details. For example, the website Public Records 360 “will only process opt out requests received by online submission, or fax, and no request will be processed without complete information (i.e., name, address and date of birth).” Official identification such as a driver’s license or passport is typically required; otherwise someone can send a notarized identification verification form.¹ Providing this information also poses a security risk, and users are often left wondering if it’s worth the additional hassle and uncertainty.

Third, while some of these sites mention their turn-around time for removing your information once a request has been sent, others do not. In addition to monitoring a number of sites—the number of which changes continually as new sites are brought to our attention—users also have to follow up to make sure the requests that they have made are being honored. If a site doesn’t give a turn-around time, users will have to continuously check up on whether their information has actually been taken down from the site. These issues are only a small fraction of the larger problems that arise in trying to control your online presence. 

While PII reseller websites are important culprits in disseminating the types of information that make doxxing possible, it is also important to remember the variety of data brokers to whom we routinely hand over private information. Earlier this year, Vermont passed the country’s first law seeking to manage “data brokers,” those companies that routinely collect and store our info. According to the Office of the Vermont Attorney General, “The new law requires Data Brokers to register with the Secretary of State annually and maintain certain minimum data security standards.”² The law requires that data breaches be reported, that certain data security standards be enacted, and that opt-out information be provided if applicable.³ The types of data brokers that this law affects include websites like Spokeo, but they also include a wide range of larger and smaller data gatherers.

While securing compliance with laws like Vermont’s may prove difficult in the long term, the growing pressure for their passage certainly highlights growing consumer demand for transparency and control of PII. Hopefully, a growing body of legislation will assist with the lack of clarity that characterizes the buying, selling, and availability of our data online. 


MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.  

 

Notes

1 https://www.publicrecords360.com/optout.html 

2 https://ago.vermont.gov/blog/2018/12/13/attorney-generals-office-issues-guidance-on-data-broker-regulations/ 

3 https://ago.vermont.gov/wp-content/uploads/2018/12/2018-12-11-VT-Data-Broker-Regulation-Guidance.pdf