Public Records and Privacy

Hi! It looks like I have since continued, updated, or rethought this post in some ways, so you may want to look at this after you're done reading here.

I recently got onto a minor privacy kick, after making the mistake of searching for someone’s name, and finding the search engine results filled with those shady public records sites. I won’t attest to the accuracy of what I saw for that person’s name or what I then found for my name, but I will say that there was enough accurate information available that it bothered me having it an easy web search away, with no control over it.

A woman scanning a computer screen for information

Granted, I’m not self-important enough to think that random people are going to track me down. It’s always a possibility for anybody, of course, but it’s unlikely enough for me that I can afford to mostly ignore the risk. No, this is more of a principled stand that I’d rather not have these companies profiting off my data.

Plus, I figured that the experience might be useful to readers, many of whom might similarly want to get their (presumably partial) address history, date of birth, and the most sensationalized versions of their legal histories out of easy public scrutiny. Whereas it’s unlikely that I am going to find myself threatened, it’s not difficult to find out that the same is unfortunately not true for women, gender and sexual minorities , people representing non-white ethnicities, and researchers. And, of course, people at the intersections of those identities are likely to find themselves facing greater risks.

Basically, we generally don’t go more than a few months, before there’s another community dedicated to harassing and threatening a person or a group of people—doxxing them, usually—into going into hiding. So, please don’t take my flippant attitude towards my own privacy as a model, if you’re at risk. Many people now consider death threats to be a routine part of their jobs. I may not take myself seriously, but I take them seriously, and I take you seriously. The more vocal that you are online and the less you resemble a cisgender, heterosexual, white man, the more care you probably need to take with your identity.

Disclaimers

I should be explicit that I do live in the United States, and I believe that all the relevant sites that I dealt with are headquartered here. There’s a legal regime in place for these companies to gather this information, and there are privacy laws mandating that they allow people to erase or at least suppress their data.

Similarly, my privacy requirements are fairly minimal. As I hinted above, I’m not trying to disappear or otherwise “go underground.” My goal is only to remove the trivial paths to finding my information. If someone is willing to put effort and money into a search, they’re going to find me, no matter what I do. Because of that, I didn’t get to a point where I needed to call, fax, mail, or pay anybody. I also haven’t (yet) taken on a search for sites that aren’t already on the lists that I used. I should mention that this hasn’t always been the case; there was a time in my life when someone who I didn’t want in my life put significant effort into trying to find me, but that hasn’t been the case in a long time.

Likewise, depending on where you live, there are some sources of information that are always public; voter registration and real estate ownership are the most common. If someone is sufficiently dedicated, you can just be followed home from somewhere that you’re known to go. There may also be people in your life willing to give out your location—or enough indirect information to narrow down a search—in hopes of being helpful or to show how proud they are of you, and I’ve been there. So, don’t make the mistake of thinking that even a complete list of data brokers will put an end to all harassment.

Lastly, the correct solution to dealing with this sort of nonsense is legislation. Nobody should be using your home address as a “teaser” to sell subscriptions. You shouldn’t be responsible for finding each of those companies, hoping that they abide by current privacy laws, and jump through the hoops that they put in place to request removal, while worrying that the request doesn’t convince them that you’re more valuable. Your local government shouldn’t be helping them, by providing information on everybody in the area to anyone who files a request. This business model simply shouldn’t exist; anybody who wants the information should at least need to go to their sources—like the aforementioned voter rolls and property listings—not have their choice of second-hand brokers.

Requirements

Is it too precious to tell blog-readers that they’ll need access to the Internet and a modern web browser? Probably. But some good news is that I never needed to turn off my ad-blocker, and never needed to change browsers, so this isn’t nearly as fussy as I would have expected. It doesn’t look like any company has made their sites look broken to scare people like us away.

Many articles on the topic mentioned needing to submit government identification. I didn’t find that to be true, so it may represent a special case, or it may be the nature of changing regulations. However, you should make a list of all names and addresses that you’ve used (marriages, gender transitions, the year you tried going by your initials, professional pseudonyms, etc.), as well as a list of anybody whose financial history is intertwined with yours—as in anybody with whom you’ve filed taxes, held a joint bank account, or similar—because your name and information may be mingled with theirs.

You’re technically only allowed to request removal for your data and the people for whom you act as a legal representative. So, you probably don’t want to go overboard, here, to make sure that the companies don’t start demanding proof or throttling requests. If you want to hide your friends and relatives, too, send them the relevant information and trust them to do it on their own time.

You’ll also need guides to the major companies in the space. I used the following two.

Unfortunately, I wasn’t able to find a list or comprehensive article with a Free Culture license on it, but you’re mostly just going to follow the links. At some point, I may try to contact Grauer—an investigative journalist at Consumer Reports among other outlets, by the way, so definitely not some random person new to technology or community—to see if she’d be interested in giving her list a civilized license.

Regardless, the other thing that you’ll need is time. Estimates are going to vary based on how many names you care about, and possibly those special cases that might require an ID. Experience with the process probably counts for something, too, because it went much faster for me over time, and I doubt that I just happened to have started with the harder sites. However, I can tell you that it took me around three hours of distraction-free time, split over two days.

However, you will also need time of a different sort, because many—not all, surprisingly—will drag their feet and schedule you for deletion a day or two after you confirm your request. The law gives them that time, because it was designed for a world with paper files and tape backups, but they’ll happily take that time to wring every last penny that they can from your data. So, the kind of time that you’ll need here is time when you’ll be safe. If you’re already receiving threats of violence, this process probably isn’t good enough.

Set a Goal

I alluded to this earlier in the disclaimers, but you should be clear on your purpose, here. If you fear being attacked or watching your friends and colleagues harassed, that’s a more intense and sustained effort than my wish to stop companies from using my home address to tease—gasp—a phone number (usually wrong) and what I assume are some traffic tickets.

As I mentioned, I didn’t find any sites that required payment or proof of identity, but you might, and will need to decide if that’s worth it for you. There are sites that aren’t (yet) on either list, however, that I’ll want to deal with, and you might, too. And maybe most importantly for anybody in immediate danger, I didn’t go to social media to pull down identifying information. You can still head over to LinkedIn to find out where I’ve worked, or—from basically anywhere—that I live somewhere in the New York metropolitan area. If you’re a careful reader of the blog, I’ve probably accidentally dropped enough clues that a sufficiently interested party could combine it with my work history to estimate where I live, in relation to New York City. A stalker with sufficient dedication could, in theory, even carefully comb through my other social media history and maybe even find a reference or two to my town; I know it’s there, because I can see it in the data export. Dig deep enough in the right places, and you might even find mention of a couple of landmarks that I consider to be within walking distance.

…Or maybe that’s exactly what I want you to think about where I live, as I play baccarat in Macau to launder money from a convoluted bank heist. I mean, I’m probably not doing that, but the same is true of the people who are doing it, no? They are also, on average, unlikely to launder money, considered as their population against the population of Earth.

Ahem. Anyway, my point is that you should consider what you want to protect and act accordingly. You might need to do less work than I did. You might need to create new social media accounts, delete the old, under a new name and point your close friends to the new. Maybe you’ll need to move, and get a friend to sign the lease for you. Some people need to hire screeners to only let through the non-threatening comments and pass the worst of it to law enforcement. Or you might mostly need a new identity after you take care of everything else. If you don’t keep your goal in mind, you’re going to get pulled down the wrong path.

…Or Describe a Model

A useful term and concept, here, is threat model. You have—maybe real and enumerable, maybe hypothetical—attackers. You probably have some idea of what information these attackers already have, what resources they’re willing to bring to bear against you, and the danger that they most likely present. Based on that analysis of the threat, you want to cut off as many routes to finding you as seems reasonable.

As a real-world example, when I had (simplifying, because this isn’t about me) a stalker, it was basically pre-Internet, for most purposes. The threat model was someone with some money and free time to burn, and knew most of the people that I knew.

I moved. I abruptly cut all ties with people from my prior life—which, I do apologize, if you knew me back then—and carefully explain my situation to every organization that I interacted with that’d be likely to know my name, to make sure that they didn’t release any information without my explicit consent. But, I overlooked that I was indirectly still in contact with certain people, and I made the mistake of pre-ordering books at a local shop where the instructions on secrecy were apparently not clear enough.

At any rate, my threat model was flawed. Things didn’t end too badly, but there was a lot of stress that I didn’t need. If I needed to do it today, I’d need to hide/erase my recent work history online, to protect recent colleagues from harassment and risk their providing information. It’s an extreme case, admittedly, but may be a part of what you need to deal with to protect yourself or your family, or it might be too paranoid for your situation. It depends on the threat that you’re dealing with.

Make a Plan

Use the two lists above to decide where to start. If you get interrupted, it’s far better to have finished the high-traffic, well-connected sites than the sites that are just early in the alphabet. Grauer’s list marks some as high priority, the article groups sites together when they share a database.

Likewise, for each site that appears in both articles, look at the two processes presented. It may not always be true, but my own experience was that the simpler of the two choices was the correct option. The wrong steps were invariably obsolete and now send you down the path to a long sales pitch that doesn’t remove you or provide you with any useful information to aid removal.

So, take your prioritized list and set aside a block of time when you can get through a block of them. Like I mentioned before, the first few are probably going to be slower; I don’t think I finished even ten of them in my first hour, though I admittedly went down a couple of blind alleys.

Measure Twice, Cut Once

This is now mostly just a matter of executing the plan. Visit each site, and follow the instructions.

However, search the sites for your name(s) before you follow the directions to remove your information. Scrutinize the results to make sure that they’re from the site that you’re visiting, rather than sponsored entries from partners. If you don’t take this step, it looks a lot like most sites will start importing your data from partners to sell you, exactly the opposite of what you want them to do.

As you go, many sites—especially when they undertake these fake searches—will start asking you to help them narrow down their search. Do not answer any questions posed by the website. At best, it’s marketing to make you feel some ownership to the data that they’re (almost certainly) about to try to sell you. At worst, they’re trying to trick you into cleaning up your profile for them, which—again—is the wrong direction from what you want to happen to their data. Don’t confirm your relatives, your age, or anything else. Your best bet is to start over, and make sure that you need to do anything with that database.

Other than those issues, there are three general approaches to removal that you’ll find, so that you can prepare yourself.

  • The site doesn’t seem to know who you are, except when it searches other public records sites. You should ignore these, for now, because they don’t have you in their database.
    • Depending on your needs, you might choose to include any sites that mostly have incorrect information about you in this category. I decided to leave some misinformation.
  • Delete from the dossier, usually—not always—confirming the deletion via e-mail.
  • A search for deletable records, sometimes needing e-mail confirmation, again.

With a couple of sites, you’ll need to create an account to “claim” your profile, before you can deal with it.

Two variations stand out as worth mentioning, both changing the use of e-mail as the medium to confirm. Whitepages required a phone number during the deletion process; their system calls you with a confirmation code, which I mention because (a) their outgoing phone system appears to be shaky, with some calls not going through and sometimes providing the wrong message—one started to ask me about a walk, then hung up—and (b) my phone system kept dropping the calls as spam, until I found the number in the logs to allow it to go through, then re-banned them afterward. Similarly, Radaris requires a cellphone number to text the confirmation code by SMS; I don’t use a cellphone, and Radaris wouldn’t send to Google Voice, so after a couple of false starts, I went with a temporary number at SMS24, since the code or any future spam isn’t going to do anybody else any good.

Then, there are several more significant exceptions to be found.

Tell Us What We Know

One company, giant data broker Acxiom, will only delete specific, enumerated details about you, with no visibility into what the company already has. As you can probably guess, this is frustrating, because there’s no way to tell whether this will remove you from sites in the future or just provide them with a more thorough view of your life, instead. I chose to give it a couple of recent addresses—the few that were common on other sites—and no phone numbers.

On the other hand, it’s possible that this might rank as a low-priority platform, for this purpose. They seem like they could be the more legitimate form of the business, selling companies lists of addresses for advertising, rather than catering to stalkers and private investigator wannabes. Your underlying goal might include reducing direct advertising, but it presents far less of a danger.

Automation is for Wimps

Another major exception was MyLife. Their opt-out process requires sending them a specific and detailed e-mail, which they apparently review and process manually.

Unlike Acxiom, MyLife is fairly high-priority. They not only provide home addresses to anybody who might wander through, and sponsor their results on other sites, but they try to sensationalize the information that they have. After talking to a few people about their experiences compared with what they saw on their profiles, it looks like every parking ticket and every missed credit card payment is spun into alarming facts (conveniently hidden behind a paywall) about the person that you’ll need to know as soon as possible…for a price.

In any case, I got a polite response a couple of days later, notifying me that I have been removed from their database. It’s bad design, meant to scare people away, but at least they fulfill their responsibilities.

Nuwber gets special honors, here. Following any process that I could find for deletion just gave me the run-around, basically an animated sales pitch about how they were busy searching billions of records—and seeming to animate each one—until finally dumping me off at a page to subscribe to their services. There doesn’t appear to be any way to opt out from there, and the URL isn’t the format that their opt-out page expects.

However, when I went back to them at the end, I no longer appeared in search results. All I can figure is that their information came from some other database, which I deleted in the interim.

I sent an e-mail to their customer service account, anyway.

Customer service’s response was to copy and paste the instructions I worked from—because they didn’t read my message, apparently—and also offer to remove a profile based on a screenshot sent by e-mail.

Never-Ending Struggle

Of course, I need to point out that I have removed my information for now. Odds are good that these companies will go right back to work trying to build up a profile for me.

So, for the next year, I have a monthly appointment on my calendar to check the websites on their progress, so that I can make a real schedule for repeating the deletion process.

If you’re interested on the progress of that little side-experiment, I’ll write up any interim results that I discover in the Entropy Arbitrage Newsletter. If there’s enough content to stretch for a few hundred words at the end of the year, I’ll provide another blog post in July 2022, with whatever procedure that I’ll use in the future.

Discoveries

So, what’s the upshot to all this? At least for the moment—see the previous section—my private information is relatively secure. I know that there are always other, more obscure sites to deal with, but when my home address shows up in a web search, it’s either hilariously incorrect, or so old as to be irrelevant, which rather nicely poisons any future updates that may appear.

However, I’ve also learned a few things in jumping through these hoops.

This is a stupid and frustrating process. As I mentioned near the start of the post, somebody needs to legislate all of these companies and websites away, because there’s no legitimate value to any of them. The closest that they provide to a value is in catering to people who want to know where a celebrity lives or how old their neighbor is, but don’t want to know it enough that they’re willing to pay for that information. And their entire business is geared to luring in people who have any interest in a person, and trying to amplify that curiosity in hopes of making everything look like a potential scandal. For the right price, you can find out why your preschool teacher or prospective date was wanted by the law; the fact that it’s probably something along the lines of a decades-old ticket for a broken tail-light doesn’t make for compelling ad copy, though.

As a corollary, several of the sites have extensive animations pretending that they’re scouring extensive information sources, instead of just issuing a single SQL query as they clearly are. I don’t understand the actual value of this sideshow to them. It’s obviously to present an air of mystery, but I can’t imagine anybody bothering to pay more for a site that wastes their time so blatantly.

In addition, possibly the more entertaining—but also potentially worrying—parts of the frustration are linked to the bad information previously discussed. As mentioned, I left the information that portrays me as much younger or much older, at least a thousand miles from where I live. That’s chaff, in my opinion, and I suspect that I know how each got there. However, if I didn’t have a good idea of why my name might have been used in those cases, that could be a sign of identity theft.

Unrelated, something rather sad about the industry is how few different websites you’ll actually encounter as you go through this process. Almost certainly, someone is getting rich selling a turn-key business with a website, the data, and a business model, where the company dumps it on a server and pays a fortune on SEO in hopes of turning a profit. I’m tempted to research this, to see if I can find out how much it costs to become one of these sleazy clone websites…but I probably won’t, because that sounds like work, rather than entertainment.

As a corollary to that similarity between companies, these companies are utterly paranoid about robots. I have filled out more CAPTCHAs in the last few days than I have in maybe the last couple of years; I can only imagine that Google’s self-driving cars now rely significantly on my ability to distinguish a crosswalk from a staircase. Multiple sites have CAPTCHAs on multiple pages and then have a page that also has other human-proof systems active. This makes some—again, I’ll use the word “sleazy”—sense, since the entire goal of opting out is to deprive them of the information that they use to sell their services, so they want to make sure that nobody writes a program to automate the removal and make the process easy. It doesn’t make it any less irritating, however.

Finally, tying back to the idea of legislating this away, even without these sites, county and state governments are quick to provide information, if you know what offices to contact. While there are legitimate reasons to allow certain kinds of searches of the voter rolls—allowing citizens to look up their polling places, for example—it shouldn’t be possible for anybody to get the entire dataset. Likewise, it probably makes sense for the public to be able to find the owner of a specific property, but not necessarily to find the current ownership of all properties ever owned by anybody named “Smith,” without a court allowing it. As long as you’re contacting your representatives about these sites to begin with—and you are contacting them, right?—you should find the state/county sites relevant to you and mention that, as well. It’s hard to be safe, when the local government is all too happy to point people in your direction.

Credits: The header image is U.S.D.A. Deputy Press Secretary Stephanie Chan scans the computer screen in front of her for useful links to support people asking questions by Lance Cheung, in the public domain as a work of the United States government.

No webmentions were found.

By commenting, you agree to follow the blog's Code of Conduct and that your comment is released under the same license as the rest of the blog. Or do you not like comments sections? Continue the conversation in the #entropy-arbitrage chatroom on Matrix…

 Tags:   privacy

Sign up for My Newsletter!

Get monthly * updates on Entropy Arbitrage posts, additional reading of interest, thoughts that are too short/personal/trivial for a full post, and previews of upcoming projects, delivered right to your inbox. I won’t share your information or use it for anything else. But you might get an occasional discount on upcoming services.
Or… Mailchimp 🐒 seems less trustworthy every month, so you might prefer to head to my Buy Me a Coffee ☕ page and follow me there, which will get you the newsletter three days after Mailchimp, for now. Members receive previews, if you feel so inclined.
Email Format
* Each issue of the newsletter is released on the Saturday of the Sunday-to-Saturday week including the last day of the month.
Can’t decide? You can read previous issues to see what you’ll get.