Spokeo, personal data aggregators, and your privacy rights: Xeni on The Madeleine Brand Show


[Direct MP3 link for audio] This morning, I joined the Madeleine Brand Show to talk about the latest personal data aggregator that has many of us spooked: Spokeo.

Listen to the archived radio segment here.

Spokeo isn't new, nor is it alone: peoplefinder, pipl, spoke, zabasearch, Intelius, and many other internet companies exploit the same weaknesses in America's privacy laws. But Spokeo popped up in the news over the holidays after launching a "username search" feature. The focus of this morning's radio segment: what sites should be able to access your personal data, and what, if anything, can you do to stop them?

So, about Spokeo. As Sean Bonner guest-blogged here over the weekend, you enter your name on the site, and if you're in its reach, the site freely returns data about everything from your religion to gender to marital status to hobbies to "wealth level." Oh, and your home address and phone number, even if you go to some effort to keep those unlisted. They apparently only traffic in US addresses, so those of you outside the States shouldn't end up in Spokeo's search results.

The project dates back to 2006, the dorm room brainchild of 27-year-old Stanford student Harrison Tang. He told the Los Angeles Times last June that Spokeo gets data from about 80 "public" sources, including LinkedIn, MySpace, Twitter and Yelp, and has been working with Facebook to open that door, too. Tellingly, Mr. Tang opted out of his own site over privacy concerns.

Spokeo claims not to possess Social Security numbers, driver's license numbers, bank accounts, or other private financial data such as credit scores. Despite this, they do report "wealth level," whatever that means, and this prompted a Federal Trade Commission complaint last summer by The Center for Democracy and Technology, alleging that Spokeo "purports to provide information about individuals' credit ratings and other financial data, but fails to disclose the source of the data or allow consumers an opportunity to dispute and correct false information."

Spokeo's offices are located in Pasadena, CA. The business address they publish is a small mailbox at a UPS Store in a Pasadena strip mall (though the LA Times also tracked down and published the company's physical address).

Peoplefinders and OptOut are owned by the same company, and share an address in Sacramento. Spokeo publicizes that they have a "partner" relationship with ReputationDefender, a site that, for a fee, promises to help "manage your reputation online" and deal with offending leakers like Spokeo. It's hard to ferret out exactly what relationship the data publishing sites like Spokeo have with the privacy service sites like ReputationDefender, but it seems fair to at least characterize them as symbiotic.

As frightening as the prospect of having a satellite photo of one's home next to one's marital status, religion, and estimated income in one free search result may be, Boing Boing guestblogger Andrea James points out that Spokeo probably isn't the scariest data-monger in the room. "Information commerce company" Intelius bought people search site Spock last year, scaring the bejeebus out of a lot of people in the process. Who knows what may yet come of that merger.

I reached out to Sharon Nissim, a Consumer Protection Fellow from EPIC, to make sense of Spokeo and sites like it. Nissim said this felt "one step away from having someone's SSN," and is "indicative of a pervasive problem online: people really have no idea how much tracking is being done, because behavioral tracking services effectively track everything you look at online."

Regarding paid services that promise to "clean" the internet of your personal data, "You shouldn't have to pay to keep your information private," said Nissim, "privacy should be a default setting."

EPIC is among the privacy watchdog groups backing the idea of a "do not track" mechanism first proposed in 2007, which was initially modeled on the popular "do not call" database administered by the FCC to limit telemarketing access. Nissim explained that while the two technologically can't work the same way, and the idea of a government-maintained centralized registry of websites is a non-starter, there is hope. One solution under discussion with researchers at Stanford for "do not track" involves using HTTP headers on the browser side.

"For now, making sure to opt out of data sharing or data storing when given a choice by credit card companies, banks, and websites is one good thing to do," said Nissim. "We're also concerned about the privacy threat posed by mobile phone/smartphone data. We don't carry our computers everywhere we go, but we do carry these mobile devices. The location information that apps store and share will surely be of greater concern, as their usage grows."

"Online tracking is a huge problem, and while it is certainly good that some steps are being taken to try to crack down on some of it, we are really far behind where we need to be," adds Nissim. "The FTC is just waking up to the issue and strong enforcement of any do not track mechanism is imperative for it to succeed. That being said, I am hopeful that Congress will get behind the initiative and that movement will continue on protecting people's privacy online."


EPIC page on online tracking and behavioral profiling

Stanford Do Not Track website

EFF on how to protect your privacy online