I was shocked that they had so much data on me -- I have no debt, no credit cards, no house, no car, no bills, and I had always entered informal rent agreements (I was poor) up to that point -- yet the rep was easily able to list all the places I had resided from college to present, along with a host of off-the-books housemates.

"Where the fsck did you get all this?!" I demanded.

"Have you ever ordered a pizza?"

Turns out, some fast food chains do a brisk business in reselling customer data. I had ordered from Domino's once, but that was enough to link my name to a specific location.

This experience has made me extremely sensitive about the information I give while making a purchase. When I lived in the US, I stopped having food delivered, paid in cash, and never signed up for branded credit cards. I rented informally and, whenever possible, tried to just pay the landlord my share of utilities in cash. Anything to keep a lower profile.

Far more companies than you realize are collecting as much data as possible about you, your habits, and your relations. So I'm afraid your search for a canonical list of data sources is ultimately fruitless. In this new economy, you are always the product.

Those systems were analog and could only be scaled to a certain extent, after which you ran into management overhead.

So in the example given by the OP, dominoes would not be updating your name in the directory.

That would be data that evaporated and never made it to record.

To increase the contrast - whole new types of clustering and analysis are now possible, at the moment a new data point is received.

Dreeben cited United States v. Knotts as an example where police were allowed to use a device known as a "beeper" that allows the tracking of a car from a short distance away. Chief Justice Roberts distinguished the current case from Knotts, saying that using a beeper still took "a lot of work" whereas a GPS device allows the police to "sit back in the station ... and push a button whenever they want to find out where the car is."

Edit: add citation [1] https://en.wikipedia.org/wiki/Google_Groups#Deja_News

The numbers weren't widely cross-referenced across multiple other identifier databases: shopping, driving, voting, location to 1m accuracy and 30s time precision.

Every household, small business, mafioso, or political operative didn't have a full copy of the archive, and the ability to deploy it at a moment's notice.

Or in short: scale and costs matter. In fact they dominate all other effects.

Your objection is both meaningless and betrays a profound failure of undrestanding and sympathy.

The phone book is an opt-in system, with the ability to remain "unlisted". There's absolutely no such choice, though, from these modern, private data collectors. And they're everywhere.

Consider the following hypothetical: A battered wife flees her husband and takes shelter in a shared house run by a women's organization.

In your phone book world, she didn't need to dramatically alter her existence to stay safe. She could continue to maintain a reasonable subset of her professional and social relationships. She could get a new job in a new city. She could buy groceries. She could pay her own electricity bill. And she definitely didn't need to take her life in her hands to order a cheese pizza.

In this brave new world, though, her ex can track her with the utmost ease. She has to shed nearly every piece of her modern identity -- reconfigure apps, wipe her phone/laptop/tablet, stop using sites that geolocate via IP, and halt nearly all interactions with the modern economy -- at significant social cost.

The sheer number and diversity of data collection points -- and their increasing necessity to participate in the digital economy -- makes opting out orders-of-magnitude more difficult. Yours is a false comparison.

https://news.ycombinator.com/item?id=13734768

Not saying this is the one true answer, but I don't find it hard to imagine why.

USPS NCOA (Change of Address) file is another major data source.

https://www.forbes.com/sites/adamtanner/2013/07/08/how-the-p...

I still get mail for the last folks who lived here and they moved out 13 years ago.

But anybody willing to pay the post office for the data can find out your new address.

And then there's how we pay higher rates for first class mail so that junk mail can be cheaper.

It's almost like the government doesn't work for the people.

"There is, however, a loophole that keeps data brokers from accessing your updated address. When you fill out the online form to change an address, you can indicate a temporary change that provides six months of forwarding that can then be extended for another six months. That information, unlike the changes marked as permanent, is not included in the master list sold to data brokers."

And the online link for online change of address with the loophole:

https://moversguide.usps.com/icoa/home/icoa-main-flow.do?exe...

(I've mentioned the temporary forwards tip elsewhere in the thread myself.)

https://www.dominos.com/en/#/content/privacy/

Odd how I always seem to get more spam, but from different companies, after I click one. Almost as though all I've done is confirm that the email address actually exists, and is therefore more valuable to sell on to others.

Regardless, that data is out there now, and no change in privacy policy is going to put that cat back into the bag. Besides, someone else is surely acting as a new source for current data.

It wasn't just my location information, though. They were able to ask detailed questions about my personal social network, before Facebook was ubiquitous and LinkedIn was a thing. They were clearly joining several disparate datasets together to discovery relationships.

https://xkcd.com/327/

Depending on the product you purchase the data comes from multiple sources. Also these companies have sophisticated machine learning capabilities to build a profile based on various attributes found in seemingly unrelated pieces of data.

So the list consists of credit reporting agencies, public records, your online profiles with public access, court records, aggregators like LexisNexis and dozens like them.

This heavy lifting you speak of is done differently by each company and consists literally based on multiple sources to enrich your profile. These companies spend millions on data and engineering and make even more, and whatever preconceived notion you have about courts ordering to seal your records, it doesn't happen in a centralized fashion, you would need to contact each data vendor individually to be removed. But it would be like playing whackamole.

Much of the public information is mined from sources like credit headers, your court records, utility bills, property and tax assessment records, voter registration lists, motor vehicle registrations, etc.

Unfortunately, the legal and technological landscape is such that 'hiding' from these kinds of services is effectively impossible.

How can there not be a public list of these data miners? When e.g. a court needs to control someone's information surely they know who these people are and they can let them know? Is there a secret list in every courthouse or something?

Or when someone wants to start another one of the higher-level companies -- how do they know which core aggregators to buy from? If that's a secret then how would they find out? Surely someone's gotta be willing to tell?

I think you have a misunderstanding of what a US court can do. A court can only tell a specific party to take some action, and generally only if that party is somehow related to the legal action (such as being a defendant). Generally, there is no judgement that a court can make that can effect unnamed parties (unless they are John Does, which later have to be named).

Theoretically, you could sue each company with your data, and a court could tell each of those companies to remove your information. But it would have to be for each one, and the judgement is only binding on those companies.

Surely someone's gotta be willing to tell?

The techniques used are generally trade secrets, and amount to competitive advantage. There is little incentive for a company to reveal this information (or for an employee to do so, and thus open themselves up to legal liability).

>> Or when someone wants to start another one of the higher-level companies -- how do they know which core aggregators to buy from? If that's a secret then how would they find out?

   > If that's a secret then how would they find out?

Companies in that space guard their upstream sources quite heavily, because they don't want to be cut out of the process. You won't find a centralized list of independent data feeds and providers specifically because of that. In one scenario, we were dealing with a substantial rate increase from one supplier. We spent time attempting to source an alternate supplier of that particular type of data, and could only find sources that were several months more stale than we were currently getting (i.e. these people were getting the feed several hops after we were). In the end we paid the rate increase because we couldn't find an alternate source that was as close to the original data provider as our current source. And without knowing who the original data provider was, we couldn't go around our supplier.

The lack of a centralized directory isn't just done to make things opaque for end users, it's done to make things opaque for business competitors as well. It's an industry that's very, very reliant on networking and introductions.

Edited to add: You're also asking a lot of people in here to name specific companies even if they can't give you huge lists. This space is super heavy on NDAs (and trigger happy on enforcing them). If you've actually worked in it, there's simply no way you're able to name drop legally.

And regarding this:

> Edited to add: You're also asking a lot of people in here to name specific companies even if they can't give you huge lists. This space is super heavy on NDAs (and trigger happy on enforcing them). If you've actually worked in it, there's simply no way you're able to name drop legally.

I understand that an NDA would prevent you from naming your own company or your suppliers and clients, but surely it doesn't prevent you from listing some other companies in this space that you know of (including but not limited to your competitors)? I don't understand why you shouldn't be able to name any company just because you've worked at one of them.

Just having that conversation required getting a mutual NDA in place, since the conversation involves revealing your capabilities (even if not your sources). And that's assuming you're even aware of all the NDAs your company has signed with other companies, which isn't always the case. Speculation or name dropping in public could violate an NDA you're not even aware of, then you find yourself having to defend your speculation as just that, rather than as revealing proprietary knowledge (that you didn't actually have but your company did).

At the end of the day, it's easier to default to speaking in generalizations rather than risk the potential repercussions of not doing that. :-/

Interesting. Eight years ago I worked as a buyer for the aggregator with the largest criminal database and I don't remember having to sign an NDA during those sorts of talks. It's possible I've forgotten, but I think it was more a matter of people wanting to know our coverage as much as we wanted to know theirs.

As an aside, the value of those talks wasn't usually in acquiring the data, except maybe in the short term. We always preferred to go directly to the source. The value was simply in learning that the data from a specific source was even available. In a few instances, that got pretty frustrating, since I knew that the seller of the data was scraping a given court's website against that court's wishes (and the TOS on the website), with all associated problems with accuracy and ethics that entails.

Those are provable damages, and maybe slander if they can convince the court they're a publication

Another reason to be NDAed up.

As an individual, that sounds like a lot of work for little gain, but if there were pre-filled out forms, and all I had to do was put in my name, I'd be willing to file lawsuits to get my name removed.

I'd expect going after such companies to be the state prosecutor's job.

What you're suggesting is more like a John Doe case where you sue a number of unknown entities, and that can be won, but at some point, the plaintiff has to name the John Does, so that they can defend themselves.

I'm pretty sure that if the named defendant coughs up an NDA that prevents them from disclosing the names of their business associates to a court, the judge is not just going to say, "I'll allow it."

The companies which furnish personal data aggregated from courts are legally required to stay on top of out-of-date records and purge records which are inaccurate. (it would be completely untenable for things to work the other way, with every court and agency which made records available being required to reach out to every recipient of the data. For one thing, in some cases the data can legally be resold.) They can be held civilly liable for distributing false information and might also be in breach of their agreements with the agencies which give them access to the data.

The urgency with which this is required under the law depends on the use to which the data is being put. It's really important to keep data used in pre-employment reports up to date. Marketing data can generally be full of garbage.

This is all generally governed in the United States under the FCRA. It's not an area of the law that you're going to get comfortably familiar with in just an afternoon of reading.

The courts don't control information in that way.

This is exactly what he's saying. There is no central node of control for this kind of information. You are operating from entirely unjustified assumptions.

Jurors' identities are not generally a secret.[0] There are exceptions, but those exceptions do not extend to wiping that person's data from things like pharmacy and gas station reward card databases.

Honestly your entire premise shows a lack of understanding of how the criminal justice system works.

> Are you literally saying they have no way to order all the first-level companies to stop sharing data on someone?

Sue all of them individually, win each case, and have them ordered to stop collecting data on you. Something tell me this is tantamount to "don't use a computer or a credit card. Ever."

[0] http://www.legalmatch.com/law-library/article/public-access-...

There is. They put them in a hotel, under police guard, for the duration of the trial. https://en.wikipedia.org/wiki/Jury_sequestration

2. They misunderstand German privacy laws.

After the trial is over, though, they are on their own. They will not continue to be protected, and could certainly suffer retaliation. It sucks, yes.

http://criminal.lawyers.com/criminal-law-basics/sequester-is...

* police 2 citizen (a platform many counties and municipalities use to report crime and accidents to the public)

* any public facing dataworks plus web application (or whatever various other municipalities/counties are running): the one for the county I live in lists the arrestee's employer

* district level and state level court dockets

* real estate records, which also link up to tax bills

* public voter records

Not surprisingly, only the information I've ever listed on my voter ID has ever showed up in Intelius/LexisNexis databases.

Any and every company selling data and there are thousands is in fact a source you would need to deal with to be removed from the sites that sell it. If you think this answer isn't specific enough, you're not going to achieve anything by me spoonfeeding you info for one such company.

Personally, I think this should be a requirement of the government: "HERE IS A LIST OF ALL PEOPLE THAT ARE COLECTING AND SELLING YOUR PERSONAL DATA, CLICK THIS BUTTON TO DELETE YOUR RECORDS" sort of thing... it should be a mandated public service of regulation.

Then, they have a list of all opt-outs from which companies you may have selected to opt-out from, and you can simply send them any further contact from the opted-out companies you may receive and the company gets a fine, you get a compensation fee...

e.g. In Sweden: http://www.datainspektionen.se/om-oss/historik/

2.) in western countries there are already laws that allow you as the consumer to remove any personally identifiable information from being shared. The ownus is on YOU to go do that, it's not hard but will require to track and follow up every year for ever. However you also have a choice of companies that you provide the information to, and what you provide. Any credit agency when you apply for credit asks if you would allow them to resell this. Opt out!

The fact that in most cases people are to lazy to read and understand what they are provinding and for what purpose is the real issue here. Government is not going to make things better or more secure or even be able to enforce this type of governance. Only you and the lawyers can do this.

(Data subject requests are a very powerful tool)

If you have an online profile, with any friends that aren't paranoid, and allow your friends to see any private information, then this can be collected/correlated by the various bot farms.

Sure there can. The sources include state, county, and local governments. There are a lot of those.

I would suggest anyone wanting to not be exposed to never use your real name or address online if you're not confident they won't share it. Introducing typos or initials or use a nickname for online orders that allow to list billing address separate from shipping address. Billing data typically has a better chance of not being resold, but there are no guarantees, read their TOS if not sure.

Financial ignorance is an exceedingly exploited issue in the US, and I do not think anyone is doing anything about this.

The value would depend on effectiveness, and on the degree to which the service clearly reported exactly what they did. Calling and unsubscribing from sources of junk mail would be a moderate time-saver, but finding out where they got their names and addresses from and destroying those would be far more valuable.

It'd take some optimization and batching of the process to figure out how to avoid taking an excessive amount of time per person.

There's also the problem that you'll often need to get the customer to "opt out" by providing their own information to verify they own it or they will need to click on a link from an email or receive an SMS text verification code. This gets really messy as an automated service.

They have largely pivoted since then, into a service primarily for reviews and feedback management. I don't have any insight into the quality of the existing service on either side.

But in the meantime, tens of millions of potential customers times any reasonable fee seems more than enough to build a substantial business on.

You could tempt people in with a cheap fee to let them send in a few pictures of junk mail and stop those. (As you get more, find the biggest sources and automate or batch them so that they cost you almost nothing, which will pay for the higher-effort ones. Have an upper bound on effort expended, and tell people that they don't pay if you can't remove them.) You could then track down the underlying sources, and if you successfully identify them, contact the customer, and give them enough information to decide to pay you for a higher-end service to get them removed from those sources (and keep them removed).

The value that gets people to keep paying you would be a steady stream of reports of "we found this source leaking/selling your information, here's what we did about it". It'll take you years to track down all such sources and find paths to remove them; you will likely end up having to fund some legal work and possibly even a lawsuit or two, which will give you a giant pile of publicity.

(As one example of something much easier for a company optimized for the process to do than an individual: the USPS has a detailed process for formally putting a company on notice for mailing someone who has specifically unsubscribed, and that process ends in massive fines for continued mailing to that person. I read a report of someone doing that to stop receiving persistent Dell catalogs.)

If you're sufficiently creative, you could even pitch this as a service to marketing companies. You have a list of people who will not buy anything via direct mail, and who will despise any company that they receive such mail from. Convince the sources of postal spam that removing those people from their list makes the rest of their list more valuable. Convince the downstream customers of those sources that using your list directly is far more convenient for them than dealing with opt-outs from every individual on it.

That also gives people a continued incentive to pay to remain on that list.

I would love to learn this process! I've repeatedly asked for a certain mailing to stop and it hasn't ceased.

For example, I'm currently getting no less than 3 letters per week from Spectrum (formerly TWC) promoting their new triple-play plans. I drop all of them in the recycling bin.

I couldn't care less about their bottom line, but I do care about the environmental impact.

At 3x per week, it probably costs them around USD$0.80/week (postage, paper, printing, etc.) to send those 3 letters. Call it USD$1 to make the math easier. I currently pay about $9.03/week. If I upgraded, it would be at least 3x that amount.

I'm not sure how to calculate the profit they would gain after an upgrade, but I can't imagine it would take more than 2-3 months for the new rates to more than cover the mailing fees for an entire year of their letters.

And yet, I'll never upgrade and I hate the waste caused by their practices.

In the ones like Dell (which I've also experienced in the past), I suspect there's some metric involved for getting the most contacts for "coverage". The reality is unless they were tracking my moves to different companies, there could be different people with the same name. In that sense, I'm very glad they can't correlate with employment data.

There's also the idea that sending to multiple people within a company means someone may see something they want and try to go through the procurement process because of the catalog, rather than because "IT" says it's time for a refresh.

Not that I agree with any of those practices, for a number of reasons, but I could understand the case for them.

Putting on my cynic hat, buying lots of newspaper, television and radio ads is a good way to keep the media on the sidelines instead of criticizing the incumbents.

https://web.archive.org/web/20090201192037/http://junkbuster...

I am doubting this is enforced in any meaningful way. I don't doubt there is a well-detailed process however the US Post Office's bread and butters seems to be Dell Catalogs and Southwest Airlines credit card offers. This fact is what killed Outbox:

http://www.insidesources.com/outbox-vs-usps-how-the-post-off...

We don't even want _one_ of them. It's not like we're going to see a new printer in a catalog and say "hey, sounds like a great buy!"

I only know of Instant Checkmate because my fiancé uses Mint Credit Monitoring and they notified her that her info was available on that site. I promptly helped her opt out of the site. I would have loved if Mint just had a 'Help me purge my info from this site' button, because I felt dirty just having to confirm my Fiancés info was on that site and then go through their process to remove it.

I would be interested in hearing what are you basing this on? Did you do some market research?

My feeling is that there is money in privacy, people seem to have no problem paying 5 or 10 dollars a month for a VPN provider for instance.

I had some other ideas to differentiate, which were a bit of a gray-area hack. This included pulling from the same data sources that Spokeo and similar services use to be able to search for that data. That way, the user wouldn't have to enter any personal information other than say an email address.

You could then offer a free service that let users enter their email address and they would find all the sites you've crawled where you found their information (similar to haveibeenpwned.com), with an upsell to automatically remove it.

Once a subscriber was signed up or previously had used the free service and hadn't opted out, I would keep crawling services for additional data and then give them a warning email when their data popped up again.

It seemed like a semi-reasonable business model at the time, but just a really small market, and I had other business ideas I wanted to pursue.

Also about the market size I imagine the market is just US? It seems other places, at leas Europe anyway has better laws to protect against these kinds of invasive services.

This seems like a good idea; I'd happily support such an endeavor.

* You're found on sites 1, 2, 3

* Nuking site 1 is $10.00

* 2 is $1.50

* 3 is $22.55

---

Or something like that?

The more you'd pay for privacy, the more it would be worth to violate it.

$5-10 a month right here, and I am not rich (yet). Time is valuable. My offer goes up with assurances/contingencies if my name is still on the lists/I am affected (e.g. LifeLock's $1M backing guarantee).

the new generation grew up with spam and giving out private info like there's no tomorrow.

I may sound like a pessimist, but try to talk to any 14-16 year old and see for yourself.

We'll see where it lands.

I personally would also pay for this sort of service.

How...? Or do you just mean sites like InstanCheckmate themeselves?

> They offered a way to "correct" the record, so I added a car that I don't own

That's amazing! They didn't need proof? How did you convince them? Is this legal?

IANAL

That said, fraud is usually defined as "An intentional misrepresentation of material existing fact made by one person to another with knowledge of its falsity and for the purpose of inducing the other person to act, and upon which the other person relies with resulting injury or damage."

So, in order for such misinformation to be illegal, the data broker needs only to demonstrate injury or damage. Unless the data broker makes assurances to their customer about the truth of the information and gets sued by one of their customers for providing false information, I find it hard to believe that the data broker will be able to demonstrate injury or damages.

I think the data broker knows better than to make such claims about their data but who really knows. And it isn't like the downstream customers are going to independently verify all the information.

What's the name of it?

Edit: Maybe it was a different site that needed your license (I thought it was SafeShepherd but I can't find it anymore). I know I've definitely come across ones that do.

Also note that SafeShepherd has this fine clause right at the end [1]:

"You agree that Safe Shepherd isn't liable for any failure to comply with these Terms."

What is this supposed to mean? Would you accept it?

[1] https://www.safeshepherd.com/tos

https://www.reddit.com/r/privacy/comments/3q0cfz/thinking_ab...

Wish Google would just kill their site rankings, that would largely make the problem go away. Google is allowed to de-list spam sites... why they haven't classified all this crap as spam yet is beyond me.

> Your information will show up on those sites sometimes - it'll pop back up after being removed.

That suggests that they're not actually tracking down the sources, just poking the downstream sites that get data from those sources. Much less useful.

There's a legal process to, for example, expunge a criminal record. On the other hand, most counties aren't going to seal the records associated with your house or other property you've bought just because you would like them to.

1) Segregating automated email to some @customdomain.com address (Yandex and Zoho host vanity domains for free)

2) Forward all email @ that domain to a common inbox

3) Sign-up with servicename@customdomain.com (e.g: facebook@customdomain.com)

You no-longer need to unsubscribe using dubious e-mail links, just automatically black-hole emails that come from spammer@customdomain.com

So, far, so good.

EDIT: List formatting

It is much easier to make your correct info difficult to ascertain, than it is to remove it all.

Back in the day, junk mail often had "Return Service Requested", and senders had to pay return postage. So we would tape address labels to cardboard-wrapped bricks, and mark them as "moved with no forwarding address". But that doesn't work anymore.

I've been using them since way back when they were on earlibird. It's not perfect, but it has reduced the amount of times I show up in these sites significantly. The only disheartening thing is that most of these operators seem to just dump in batches of data periodically, ignoring any prior requests to remove so it has to be done again (which is fine, that's what you pay their automated search and remove request feature for)

These guys don't do it for you? Basically it is there business plan.

Top US brokers:

- Acxiom

- Experian

- Epsilon

- CoreLogic

- Datalogix

- eBureau

- ID Analytics

- inome

- PeekYou

- Rapleaf

- Recorded Future

Protip: loyalty/reward cards are a gold mine, especially drug store purchase receipt data

Acxiom - https://isapps.acxiom.com/optout/optout.aspx

Experian - http://www.experian.com/blogs/ask-experian/credit-education/...

DataLogix Holdings, Inc. https://www.datalogix.com/privacy/#opt-out-landing

Epsilon Data Management, LLC http://www.epsilon.com/consumer-preference-center

Equifax, Inc - https://help.equifax.com/app/answers/detail/a_id/2/noInterce...

Fair Isaac Corporation http://www.myfico.com/policy/privacypolicy.aspx

Intelius, Inc. https://www.intelius.com/optout.php

LexisNexis Group http://www.lexisnexis.com/privacy/for-consumers/opt-out-of- lexisnexis.aspx

TransUnion Corp. http://www.transunion.com/corporate/business/datareporting/s...

The paranoid voice in my head is wondering if these forms don't actually opt me out of anything, and instead just confirm to these companies that the information they have on me is correct.

https://www.lexisnexis.com/privacy/for-consumers/opt-out-of-...

Also, the following can't hurt:

https://www.lexisnexis.com/privacy/directmarketingopt-out.as...

Here are some of the key articles but you can find more at https://www.nytimes.com/by/natasha-singer

Jun 16, 2012 | Acxiom, the Quiet Giant of Consumer Database Marketing http://www.nytimes.com/2012/06/17/technology/acxiom-the-quie...

Jul 21, 2012 | Consumer Data, but Not for Consumers http://www.nytimes.com/2012/07/22/business/acxiom-consumer-d...

Jul 24, 2012 | Congress Opens Inquiry Into Data Brokers http://www.nytimes.com/2012/07/25/technology/congress-opens-...

Dec 08, 2012 | Company Envisions 'Vaults' for Personal Data http://www.nytimes.com/2012/12/09/business/company-envisions...

Aug 31, 2013 | A Data Broker Offers a Peek Behind the Curtain http://www.nytimes.com/2013/09/01/business/a-data-broker-off...

Sep 04, 2013 | Getting a Glimpse of Your Own Marketing Data Online http://bits.blogs.nytimes.com/2013/09/04/getting-a-glimpse-o...

Sep 04, 2013 | Acxiom Lets Consumers See Data It Collects http://www.nytimes.com/2013/09/05/technology/acxiom-lets-con...

Dec 23, 2014 | Data Broker Is Charged With Selling Consumers' Financial Details to Fraudsters https://bits.blogs.nytimes.com/2014/12/23/data-broker-is-cha...

Jun 28, 2015 | When a Company Is Put Up for Sale, in Many Cases, Your Personal Data Is, Too http://www.nytimes.com/2015/06/29/technology/when-a-company-...

Pro tip: If you want to avoid giving out your purchase data, pay cash wherever possible.

Are they rolling their own JS API that developers roll into each page? I certainly have never put any of that into any site I've made or seen.

"Cross Pixel's DMP is powered by our proprietary data relationships with more than 5,500 web sites and mobile apps where we identify and harvest the shopping and researching behaviors on over 650 million unique browsers. Our data partners are leading e-Commerce sites, search directories, comparison shopping engines, coupon sites and toolbars across North America and Latin America."

In general, the 'marketplace' is usually the DMP (Data Management Platform) where two parties can meet and share segments without data leakage (for example - Krux is a DMP used by a lot of Fortune 500 companies).

However the lines between DMP and Data Provider are blurring in recent years...

http://www.krux.com/blog/general/salesforce-krux/

Yeah, I'm basically looking for the companies whose answer to this question is "by actually mining the data ourselves from your doctor, grocery store, Facebook, etc.".

As pointed out elsewhere, it's a marketplace, and as such there are going to be buyers and sellers. Some of those sellers are going to be primary sources themselves.

It's far too much repeated work

Companies will repeat work over and over again if it's cheaper than buying it, they have custom needs that aren't filled with the data available, etc. Businesses repeat work all the time, and this is not any different. Additionally, for many businesses in the sector, they themselves are the primary source for data. For them it's not repeated work.

a good business to just do the work and sell it off to others.

Yes, that's why some aggregators exist. They make money by brokering the data from multiple sources, some primary and some resold. But they are the tip of the iceberg.

You seem to be under the impression that there is some small list of companies who are all working from primary sources, and that everyone then gets feeds of data from those companies. This would make sense if gathering data was very difficult, or had a natural resource-like limitations. So that model works well for something like diamond mining (as compared to diamond growing), because the number of diamond mines are limited, and there is a natural entry barrier. However, that doesn't take into account the fact that gathering this data is generally easy. Sometimes it's very easy, such as a sftp feed of data from a government records database. Sometimes it's a bit harder, such as needing to physically be present to obtain the data.

That means there is very little barrier to entry, and thus generally there is going to be a lot of competition, and thus many companies vying to make money.

Personal data has value just like any other commodity. So a bit of economic theory goes a long way to understanding what the boundaries of a market might be. Low production cost, high profit goods generally have a large number of companies in the market.

You give it to them when you sign up for that stupid rewards card.

(This grocery store did not have a pharmancy)

Cellphone or MAC tracking.

In the near future if not already, facial recognition.

When I opened my first bank account they had a typo in my name, which I found out when I received my debit card. I asked them to fix it immediately, however, two to three weeks later I was already getting mail from stores addressed to the misspelled name.

When I was buying my first house I immediately started receiving mail from moving companies at my old address before I signed the closing. After I moved I got a lot of junk mail with other kinds of offers. I even started getting PHONE CALLS from a home monitoring/alarm company. When I asked them where they got my number they hang up.

It is like all the information is up for sale somewhere.

This is not true, at all. HN may provide that appearance, but the vast majority of people who live in the US do not care about their privacy, based on their actions.

I believe that is the location of your confusion, that is a Hollywood fiction, mostly. If a collections agency is bugging you there is a way to resolve it via the legal system, but its very much case by case and company by company business. A judge can order one company who's officer or agent is present in the courtroom to do something to one record. A judge can purge his own legal system's record of an arrest if he wants to. Belief in this in general is analogous to non-computer people believing in the CSI tv show or hollywood hacking

For physical address mailings, you can hyphenate (or use a middle name) as the service. So First Service-Last as the addressee name. While harder to setup "mail rules" for, at least you'll know who to never trust again.

I do the same with email addresses, but receive very little spam. Mostly I block addresses that start spamming me with newsletters. I've thought about keeping a list, but most companies actually stick to the Dutch anti-spam laws (which are quite good).

Only Dropbox and one personal contact ever actually sold/leaked my email address, and Paypal of course but they hand my email address out to all merchants so they're almost certainly not to blame themselves (not beyond the fact that they hand it out in the first place).

Also, out of curiosity, how long did it take these companies to leak your info, generally? Days, weeks, months, years...?

1 - https://support.google.com/mail/answer/22370?hl=en

First time I was on the phone with a customer service rep. after using the <website>@<domain>.com format I was asked if i was sure my email address was correct. I lol'ed and told them not to worry about it.

For smaller e-shops you might find some with actively exploited 0days this way. I did.

The best of both worlds would be random local part + a Chrome extension that manages the mappings. The Chrome extension can then replace the local part in Google Inbox with the corresponding site name.

Might not work for some services due to ignorance of the spec or to prevent users doing this.

For example if your gmail is root@gmail.com

You can do root+yahoo@gmail.com, root+reddit@gmail.com and such on.

So where do these sleazy companies get that data? The DMV?

This year, I'm getting two or three calls every week about a buying a home security system and monitoring.

I don't understand why these calls aren't easier to block. Somebody knows here they are originating from. Why can't I get that information too?

[0] http://www2.westlaw.com/CustomerSupport/Knowledgebase/Techni...

https://www.scientificamerican.com/article/how-data-brokers-...

http://triblive.com/news/allegheny/8690215-74/drivers-inform...

http://spectrum.ieee.org/riskfactor/computing/it/us-states-s...

The number almost always exists and is a valid account. Get the discount, don't get tracked. Thanks, Tommy Tutone.

https://en.wikipedia.org/wiki/Directory_assistance

I've yet to have a sales clerk question it (or perhaps they just don't care).

Since they're listening anyway. Cut out the middleman.

That's how they get your information.

At least in the US, "going to the doctor" is encumbered by several laws oriented toward the protection of a person's information conveyed in the course of a visit.

What is the mechanism by which these laws are sidestepped in providing patient information to third-parties?

signed up for your local grocery store's membership rewards program?

Does e.g. Catalina give their information to Red Plum directly? Is it sold? How much?

I can only imagine all the location data Google, Apple and Facebook is collecting and what they're actually doing with it.

[1] https://www.mylife.com/john-smith

You clearly understand that you could get this data from various places, but maybe you don't understand how relatively easy this data is to procure (physical presence requests being the hardest). Why do you think there exists a "first layer" as some distinct class of business, and not a large number of primary source gathers, and a large number of aggregators.

There are a lot of business models here, and I think you may be underestimating the complexity. Like you want X number of companies to point the finger at, but that's not reality.

Instead, there are at least 3 axes. Does the company buy data from someone else, do they gather it in house, or both. Does the company sell data to other companies, or not. Does the company use data themselves. All of those combinations are going to be present.

1.) A company that generates it's own data, but never sells, and uses it itself

2.) A company that generates it's own data, but buys additional data, sells it's own gathered data, and uses the data itself

3.) A company that buy it's data, sells that data, and never uses the itself

etc for all of the rest of the combinations

I can say that within my sector, my company used to purchase data from a data broker (not PII, or anything you mention, but industry specific), then decided it was too expensive, and started gather our own data. Now we use the data we gather, and also sell it. Suggesting that there is some "first layer", and that you might be able to identify them all, is just a basic misunderstanding of the entire business of data brokerage.

Views & opinions are likely from member lists of organizations like the NRA. Again, these organizations will trade their data for valuable data on other people whom they want to reach.

Relatives is pretty easy to figure out if you have address history over time. People who are related tend to share an address at one time or another. Relationship status is similar when a couple moves in together. Obviously, there are also marriage records.

Education history is often verifiable by employers, even outside the country.

I worked for a telephone company that used a service like this a long time ago and we shoveled customer data back at the provider. We did NOT give them call records though.

Almost any medium sized company you deal with is selling your data.

I had an experience where I was shopping for car insurance, and just before I signed, my rate doubled from what was previously quoted by the same company. It turned out that a LexisNexis database had an erroneous record claiming I was at fault for an accident.

"Our Bodies, Our Data: How Companies Make Billions Selling Our Medical Records"

https://www.amazon.com/dp/B01EE08NXM

The short version is what you're asking for is going to be an uphill battle. Data aggregation companies don't want to disclose their sources because their services are often used by debt collectors and other organizations who want to find people who don't want to be found. If the sources were public knowledge, debtors could avoid them to escape debt collection agencies, for example.

The comprehensive list you're looking for doesn't exist. Each data aggregation company has a different list which is the result of many private agreements they have with their sources. If you want a list of the sources, you can't ask the data aggregators.

You can ask the sources themselves. Because you don't know who they are, you have to guess. Any company that puts a card in your wallet would be a good place to start. Under California Civil Code 1798.83, you can email companies and ask them to provide you with a list of all the direct marketing companies they sold your information to. Try making a request to your insurance agency.

1798.34 also allows you to ask California government agencies to provide you with an accounting of everyone they disclosed your information to. A 1798.34 request to the DMV should be a rich source of data providers.

There's also lists of companies involved in the data aggregation ecosystem in the consumer finance protection board's list of complaints:

https://data.consumerfinance.gov/dataset/Consumer-Complaints...

One surprising thing I found out during the talk is that pizza chains are a rich source of data for these companies. If you think about it, this makes perfect sense. The data includes a guaranteed link between a person, a place, payment information, and a phone number.

> when a court needs to order that someone's information be purged

I don't think this is a thing. A friend had to deal with a DV case and I got to see how all the legal machinery involved works. The court doesn't even bother trying to purge the victim's data when they move out and try to stay away from the abuser. The court simply moved the victim and the DV support organization told them to stay off social media and not to give the new address to anyone (including pizza places.)

That being said, the federal government does have a comprehensive list of all the agencies which are members of the federal privacy council. In theory, these agencies are supposed to have a data integrity board which provides oversight for any data they keep on Americans.

https://www.fpc.gov/federal-agencies/

The one question I have remaining though is: when these companies pop up, how do they know whom to buy your information from if there's no list and nobody tells them?

The other part of getting initial sources is probably calling companies in retail, insurance, etc and pitching them on how much they would make selling customer data to them. If I had to do it, I'd probably get industry reports, sort by annual revenue, start at the top and work my way down as I try to get a hold of the consumer data department at each company.

I've also been approached by these guys when I was part of shutting a company down. They wanted to buy our customer database. I guess when one of these companies shuts down, some new one can buy the database and use that as a seed for new operations.

That being said, is there a simple way to better obscure yourself? Like using a business name and a PO box instead of your personal name when it comes to bills/addresses?

Just your email address alone, let alone combined with IP information can result in being able to find a lot of information about you... then you take that and correlate it to public information, cc purchase history, online profiles, it's a treasure trove. That doesn't even count extra data gleaned from all the tracking cookies.

All said, I'm still far more concerned about government use of similar data than I am private businesses.

For example, my startup can pull information on ownership, mortgage and sales history, liens, and foreclosure records, among many other things, for a given property. If you were to cross-reference the data with other public and proprietary sources, it could get pretty, umm... what's the right word?, "interesting", in terms of accuracy and level of detail.

The companies you are interested in are in "DMP & Data Aggregators" and "Data Suppliers" section.

But this is only the largest, best known companies. There are many, many more.

I'm paranoid that USPS sells your info once you fill out their change of address form.

They do: https://www.forbes.com/sites/adamtanner/2013/07/08/how-the-p...

I just don't change my mailing address anymore.

So paying to delete your info from one site is useless, because the next site that somebody sets up will have your info, if they use the same public records as the others.

There are three main sources of ALL of the data:

1. Acxiom http://www.acxiom.com/ 2. Experian http://www.experian.com/ 3. Neustar https://www.neustar.biz/

Acxiom got it's big start by developing a way to copy phone books in the 90s and they won a court case that sided with them saying the name and address information was basically public info. Acxiom aggregates something like 800 different attributes for each named person at each address using third party vendors and then resells the entire consumer database to list brokers who often times will add additional detail for smaller subsets of the data. You can opt out of Acxiom by going here

http://www.acxiom.com/about-acxiom/privacy/consumer-data-inf...

2. Experian. Same as above but they have a lot more specific data about you because you probably fill out forms related to credit and loan applications correctly. Thus they know all of you previous addresses and they sell that to companies like Intellius.

3. neustar: ditto.

The main thing to keep in mind is that each of those three companies have slightly different channels through which they aggregate consumer data so your info comes out a little differently in each database.

Almost any list broker or mailing house or telemarketer that you encounter is getting their data ultimately from one of those three companies (and in many cases they would buy data from all three sources).

Finally, a company like http://www.criteo.com/ uses a process they call "database cookie-ization" to match your online browsing history (hence interests and business) to those three databases via your email addresses. So they know what you look at online, where you live, everything you have ever requested credit for, etc etc.

There are hundreds of smaller companies like these (below) feeding data into those databases too:

https://www.hgdata.com/ https://www.fullcontact.com/ http://zetaglobal.com/ https://www.lotame.com/

There's no value for society in these shit services that make people register and pay to have their profiles taken down.

https://www.lexisnexis.com/risk/

There's a large information-brokerage industry. If you want to find it, investigating the question from the consumption side (as in: who will sell me this information) should turn up the larger players, most of whom are already listed in this thread. https://news.ycombinator.com/item?id=13804795

The big players are much of the business: Power laws work here as anywhere else, and heading off the larger sources is pretty effective.

The value of individual data isn't all that great. Which leads to one of the major PITAs of this industry: there's a lot of invalid, false, or stale data around. The incentives to fix it simply don't exist.

The now-defunct Internet Junkbuster used to have a print-your-own set of letter templates which could be sent to various marketing organisations. Doing that in the early 2000s dropped my own junk-mail volumes tremendously, and for years afterward. I suspect SafeShepherd operates somewhat similarly. Finding and hitting the direct marketing association(s) was a big part of that.

Putting a fraud hold on your credit reports (TansUnion, EquiFax, Experian) is useful.

Any account-based activities or activities in which you are specifically identified are fodder for capture. Credit cards, checks (Luddite! ... hang in there), "loyalty" cards. Gyms and pizza, as noted.

Facebook, which should go without saying. LinkedIn profiles.

Any online information service which has ever been hacked. (For safety, assume all of them.)

Online purchases. Through both the marketplace and your credit card.

Court and other public records are manually reviewed and entered.

Various school and alumni associations. Organisations such as Classmates.com, MyLife, etc., front-ended to skip-tracing and similar organisations (info via direct communications).

Your auto smog testing station. There's an outfit known as ISO, Insurance Services Office, who has a unit that tracks down odometer mileage data. They glean that by buying the state smog check data, which is indexed by VIN and drivers license in mose cases. The notion is that miles driven is an excellent proxy for insurance risk. https://en.m.wikipedia.org/wiki/Insurance_Services_Office

The US Post Office NCOA (change of address) form, as noted. File a temporary COA to avoid getting listed.

Used to be you could submit a "pornographic materials" request to the USPO to have circulars and such removed from your delivery. Though online sources suggest it's possible to block 3rd class mail (Yahoo answers). That's more an annoyance than privacy issue.

Magazine subscriptions.

Request of any organisations you do business that they not share your information. Use telltales to determine which do (additions to your address, name, etc.).

And, if the state of affairs bothers you, get on your government representatives to do something about it. Data are liability, and there's far too much of it floating around. The US in particular has taken an exceptionally piecemeal approach to the problem (video store rental records are protected, bookstore and pharmacy records are not).

Request comprehensive data privacy regulations, with teeth.

They are potentially covered under trademark if you have a brand in a specific industry and others are using your name or a similar name in a way that could cause consumer confusion.

[0] https://en.wikipedia.org/wiki/Threshold_of_originality unrelated: the threshold for code is usually around 15 lines.