Spokeo, personal data aggregators, and your privacy rights: Xeni on The Madeleine Brand Show

Screen-shot-2011-01-03-at-12.56.jpg

[Direct MP3 link for audio] This morning, I joined the Madeleine Brand Show to talk about the latest personal data privacy aggregator that has many of us spooked: Spokeo.

Listen to the archived radio segment here.

Spokeo isn't new, nor is it alone: peoplefinder, pipl, spoke, zabasearch, Intelius, and many other internet companies exploit the same weaknesses in America's privacy laws. But Spokeo popped up in the news over the holidays after launching a "username search" feature. The focus of this morning's radio segment: what sites should be able to access your personal data, and what, if anything can you do to stop them?

So, about Spokeo. As Sean Bonner guest-blogged here over the weekend, you enter your name on the site, and if you're in its reach, the site freely returns data about everything from your religion to gender to marital status to hobbies to "wealth level." Oh, and your home address and phone number, even if you go to some effort to keep those un-listed. They apparently only traffic in US addresses, so those of you outside the states shouldn't end up in Spokeo's search results.

The project dates back to 2006, the dorm room brainchild of 27-year-old Stanford student Harrison Tang. He told the Los Angeles Times last June that Spokeo gets data from about 80 "public" sources, including LinkedIn, MySpace, Twitter and Yelp, and has been working with Facebook to open that door, too. Tellingly, Mr. Tang opted out of his own site over privacy concerns.

Spokeo claims not to possess Social Security numbers, driver's license numbers, bank accounts, or other private financial data such as credit scores. Despite this, they do report "wealth level," whatever that means, and this prompted a Federal Trade Commission complaint last summer by The Center for Democracy and Technology, alleging that Spokeo "purports to provide information about individuals' credit ratings and other financial data, but fails to disclose the source of the data or allow consumers an opportunity to dispute and correct false information."

Spokeo's offices are located in Pasadena, CA. The business address they publish is a small mailbox at a UPS Store in a Pasadena strip mall (though the LA Times also tracked down and published the company's physical address).

Peoplefinders and OptOut are owned by the same company, and share an address in Sacramento. Spokeo publicizes that they have a "partner" relationship with ReputationDefender, a site that, for a fee, promises to help "manage your reputation online" and deal with offending leakers like Spokeo. It's hard to ferret out exactly what the data publishing sites like Spokeo have with the privacy service sites like ReputationDefender, but it seems fair to at least characterize them as symbiotic.

As frightening as the prospect of having a satellite photo of one's home next to one's marital status, religion, and estimated income in one free search result may be— Boing Boing guestblogger Andrea James points out that Spokeo probably isn't the scariest data-monger in the room. "Information commerce company" Intelius bought people search site Spock last year, scaring the bejeebus out of a lot of people in the process. Who knows what may yet come of that merger.

I reached out to Sharon Nissim, a Consumer Protection Fellow from EPIC, to make sense of Spokeo and sites like it. Nissim said this felt "one step away from having someone's SSN," and is "indicative of a pervasive problem online: people really have no idea how much tracking is being done, because behavioral tracking services effectively track everything you look at online."

Regarding paid services that promise to "clean" the internet of your personal data, "You shouldn't have to pay to keep your information private," said Nissim, "privacy should be a default setting."

EPIC is among the privacy watchdog groups backing the idea of a "do not track" mechanism first proposed in 2007, which was initially modeled on the popular "do not call" database administered by FCC to limit telemarketing access. Nissim explained that while the two can't technologically can't work same way, and the idea of a government-maintained centralized registry of websites is a non-starter, there is hope. One solution under discussion with researchers at Stanford for "do not track" involves using HTTP headers on the browser side.

"For now, making sure to opt out of data sharing or data storing when given a choice by credit card companies, banks, and websites is one good thing to do," said Nissim. "We're also concerned about the privacy threat posed by mobile phone/smartphone data. We don't carry our computers everywhere we go, but we do carry these mobile devices. The location information that apps store and share will surely be of greater concern, as their usage grows."

"Online tracking is a huge problem, and while it is certainly good that some steps are being taken to try to crack down on some of it, we are really far behind where we need to be," adds Nissim. "The FTC is just waking up to the issue and strong enforcement of any do not track mechanism is imperative for it to succeed. That being said, I am hopeful that Congress will get behind the initiative and that movement will continue on protecting peoples' privacy online."


RELATED READING:

EPIC page on online tracking and behavioral profiling
Stanford Do Not Track website
EFF on how to protect your privacy online

35

  1. KCPP rocks! Have to listen on the internet now because there is no reception in remote valley we live in now.

  2. I hear about all this info it pulls, yet when I’ve tested my name and a handful of others (girlfriend, parents, etc.) it doesn’t even find any of us as being in existence?

    Any ideas of why this could be, and what I’m doing right so I can keep it this way?

  3. Hahahaha

    Well using my real name it gets the street address right (and even pops up a google street view which is kind of creepy) but everything else is totally wrong. It has me listed as living with my parents (never lived at this address, also they are both listed as “unknown”) and has no record of my wife and kid. It also seems to think I am worth half a million dollars which I am guessing is just some kind of algorithm based on the mean income or net worth of my neighbors . . . too bad I rent and am very much in the hole and not worth a damn penny.

  4. Wow, that things doesn’t work any better than the majority of site just like it. For the few people I could find, the information was grossly inaccurate. Places they lived at over 4-5 years ago.

    Oh, and getting people’s financial information is much easier when someone is stupid enough to give over their credit card numbers to sites like this to see more information.

  5. Dunno why anyone would pay for access to Spokeo’s data; the quality is randomly terrible. It got my husband mostly right – married, age, address etc., but also seems to think he lives with his parents like Unmutual’s profile did (or I guess more correctly, that THEY live with him). I had no record under my current name but searching for my maiden name shows me ‘owning’ my first apartment (didn’t rent there until I was married), 10 years older than I actually am, *also* living with my parents and unmarried, and a net worth 4x what it actually is. About the only thing they got right is my gender – and they want someone to pay $35+ a year for that??

  6. so, how does one opt-out of this and other sites like it without being on some sort of opt-out list that you can’t opt-out of?

  7. As others have said – the information is way off. But it’s almost as worrying having people think the wrong things about me. Imagine that there was a government agency like this – in charge of collecting and organizing information. And this organization stated that another country was concealing weapons of mass destruction. Imagine what terror that could cause.

    It was freaky to see my 80+ grandmother listed who’s never owned a computer. How does she protect her information?

    1. She’s most likely been in a phone book at some point in here life, so if address & phone # are what’s listed, it’s a bit too late to worry about protecting it.

  8. Very interesting. I went on that website to see what’s up and found a bit of info that Spokeo could ONLY have gotten from the DMV. So, apparently the DMV is selling our information.

    How do I know this? Well, one year I registered my car at my grandmother’s address because she offered to pay my parking tickets. So the ONLY place my name + my grandmother’s address has ever been in the same place – the DMV.

    DMV selling personal info. That should be a news story too.

    1. Pretty sure that a Freedom of Information Act request could get that kind of info without too much trouble. The DMV is run by the government and as such there’s several layers of intentional transparency for anyone who wants to go to the work. I doubt the DMV is selling anything.

    2. Until about 2000, DMV data was considered public and could be purchased en masse. This became a big deal when a guy in Oregon bought the CD-ROM and made it available to all on the internet.

  9. This is pretty much what we, as internet lovin’ and internet usin’ people have created ourselves. A lot of the data it has comes from things we put online and expressively wanted others to see and have access to.

    LinkedIn is worthless unless you make your data public. Facebook is no fun if you don’t share and enter things like where you live, your age, your family, what music you like and so forth. Twitter is worthless if you don’t let anyone read what it is you post, including links to things you like, saw, did or otherwise wish to share.

    It’s like all this time we have been sitting around with headphones on talking on our phones to each other, thinking we were the only ones in on the conversation. Then we realize there are all these people around us who can hear everything we say.

  10. Hmm. The guys who bought my house for $480K four years ago are apparently now stuck with a house that’s only worth $329K. I’m feeling less bad about my privacy being at risk.

  11. I tried to remove my info (how the heck do they know how much money I have in the bank?!?) and I got this message:

    In order to prevent abuse, we must limit the frequency of privacy requests. Please try again tomorrow.

  12. Anyone else having trouble accessing Spokeo since this has been posted or did they stop taking payments for Wikileaks as well???

  13. FWIW, for the first 3 years of their existence ( or more ) Spokeo was a cross between friendfeed and flavors.me/about.me

  14. I was puzzled to see a large sum of money associated with my name until I figured out that it’s probably the value of my apartment, apparently computed based on some average value for my neighborhood (they put the same price tag on my girlfriend’s studio as on my 2-bedroom). If I owned the apartment, I suppose that might tell you something about my net worth – but I’m a renter with a roommate, so the figure is meaningless.

    I suspect that a lot of Spokeo’s data is of this order: semi-random data thrown together to suggest that they know more about you than they really do, in the hope of getting you to pay for an account.

    Obviously, we need to make the data a bit more random. One good way to do this could be to use their username search to find all the social services that you haven’t yet signed up for, sign up and start filling them with misleading personal information. Are you a 25-year-old yak collector whose native language is Estonian? Or an octogenarian windsurfer from Zaire? Let the data-miners figure it out …

  15. Hey! It turns out there is a Mr. H. A. Derp in Salina, Kansas. He made #215,000 last year….
    .
    .
    .
    .
    .
    .
    .
    .
    .
    Made you look! ;)

  16. This is ridiculous, my husband and I have gone to great lengths to avoid PSYCHOTIC exes, had to call police on his for trespass, mine beat the piss out of me and pushed me down a flight of stairs, etc. We have a young son and have been living in the country peacefully for over five years now without fear of being bothered but now that’s shot all to hell.
    I’d sure like to run into this fellow in person and be allowed to give him a piece of my mind uninterrupted face to face.

  17. Correction: There really is a Herp Derp at on Herpderp Dr in New York state. Really. Go look for yourself.

  18. After trying my name and several others, I took simple precautions and deleted cache and reset browser. I still had several emails waiting in the spam bin for Spokeo including Viagra, female implants, etc.

  19. The site ISN’T reporting YOUR income, home value, etc. It is reporting the average for a specific location. Try looking up a phone number that you know is used in your area, it doesn’t have to be yours.

    For example, 563-571-5564 shows as Muscatine, Iowa. Median income $53,000, median home value $114,000.

  20. I’m with Courtney. It got some things right, but other stuff wrong. It says I’m married and my hobby is cooking. Oh boy will my girlfriend be suprised if she reads that (on both counts).

    I’d like to find out more, but something tells me I don’t want to give these people my credit card details.

  21. Huh. Apparently, you can’t delete their aggregation of your username info – I tried going to the link to opt out, and it said there was ‘no profile’ associated with my username. Despite the search yielding results. Douchebags.

    However, my partner (who’s legal name does show up – mine doesn’t) found the site useful because he’s moved so much in the past 10 years that he couldn’t remember all of his addresses. The site was mostly accurate, so he’s planning to write down the info before deleting his listing.

  22. Oh boy. Another invasive and inaccurate tool for HR departments to use in order to exclude you from the candidate search.

  23. Whatever. Nothing about me or any of my close family members is close to correct. As posted, this site is nothing new, with hundreds of sites offering similar pay-for services that offer little else than poorly executed displays of the same dis-information. Barely worth a yawn… I’m sure they’ll get their Investment Cap and cash out like it’s 1999…

  24. WOW. I just looked myself up. My wife goes by a masculine version of her name, so Spokeo has her listed as male, and us in, apparently, a same sex marriage. Not that there’s anything wrong with that.

  25. I go to absolutely no lengths to safeguard my non-financial privacy. I am basically a public figure. Spokeo, however, thinks that I am a 60 year old man worth half a million dollars living in NJ when I am a 31 year old boy in a man’s body worth much less than that.

    +1 for pathetic tech.

  26. The small 2.95 per month charge has managed to put my bank account into the negatives in excess of 200 dollars in a matter of 3 days. I signed up for this site because my wife is the victim of domestic violence from her ex-husband. Unfortunately, she also needs to maintain an online presence for her career. I was hoping that we would be able to monitor exactly how much information was out there and make sure that her business contacts could still reach her without revealing information about our home address, activities, and children. After 10 minutes of using the service I would have cancelled anyway. The reports we old and out of date at best, and in two instances the site meshed my wife’s information with that of another woman with the same name. If my wife’s ex-husband would come after her using the info on this site my wife would be completely safe, however a completely innocent woman could possibly be injured just because she shares my wife’s name. Furthermore, the advertised monthly fee of 2.95 per month that is so obviously splashed over their plans page is charged at one time. This fact is not placed in any obvious place, in fact it is NOWHERE on the plans page at all. 35.40 will be deducted immediately. In our case this meant that several small charges handled via debit card bounced, netting us over 200 dollars in insufficient funds fees. When customer services was contacted the operator (quite rudely) announced that no refunds were given, ever, for any reason. She refused to allow us to talk to her supervisor. Basically Spokeo gave me an inferior product, used unethical advertising methods, provided poor customer service, and completely refused to stand behind their product. I wouldn’t recommend this company to my worst enemy, but if I chose to I could rest safely knowing that he would never find me using this service.

  27. Spokeo says I’m married… I’ve never been married. Where did they get THAT information?

Comments are closed.