Privacy Protection Through Regulation | Part 4
Jul 24, 2023
Background: In early 2023, we started preparing a public opinion on data rights and regulation for the Consumer Financial Protection Bureau (CFPB). Over the last few months, we've shared an overview of the CFPB's Request for Information (RFI), our perspective on the industry, and a few high level predictions.
For our final response, we summarized hundreds of pieces of feedback from our members who support stricter regulation on a harmful and creepy industry. We also summarized our data from sending millions of removal request and escalations to hundreds of data brokers. We shared our final response and a few recommendations with the CFPB publicly before the extended July 2023 deadline. In addition to the CFPB, we want to share our response and perspective on regulation with you.
Part 4 | Privacy Protection Through Regulating Consumer Reporting Organizations
We encouraged our members to respond to the CFPB request either directly or by providing us context for our response. We were shocked by the volume and vigor of replies. We’ve done our best to anonymize, organize, and present the most impactful testimonials about the harms caused by this industry. We grouped these broadly in to 3 sections, covering the second in this post:
Credit Reports, Debt Collection, and Housing Access
Stalking and Targeted Harassment
Frustration Toward Industry & Regulators
What Our Members Say About Harassment
A member of my family has previously been stalked. The fact that without preventative measures, their entire history of addresses/phone numbers/emails can be purchased for a stupidly small sum of money if we don't do something about it is beyond infuriating.
As a victim of stalking and harassment, with a protective order in place and as enrolled in the [state redacted] attorney generals address confidentiality program, and for the safety of myself and children, I depend on government policies in place that enforce rules to data brokers. Data brokers and publishers going through the motions on an opt out form on their websites with canned responses that my information has been removed is not enough. When clearly after checking through afterwards my information can still purchased and is visibly being shared really makes the process useless. Further regulation is needed with imposed fines to have these companies cooperate is much needed. Specific companies I have issues with are Radaris, whom I've contacted numerous times and Beenverified re-posting of information, making the information temporarily non-public but purchasable.
Data brokers are harmful to my privacy, professional and personal reputation, and extremely frustrating to get the information removed. I have been doxxed for nearly two years. Court documents about me have been removed for my privacy by the courts, but my harassers obtain the records from data brokers who deal in court records and then promote these documents as part of their doxxing. My harassers impersonate me and submit this as evidence in their cases brought against me in court. The court shielded these crazy claims but data brokers still obtained and published these records. It has been a never-ending nightmare to control my own personal information. It is impossible to work with the nearly thousand data brokers to remove my information. Once I sent each a request with the appropriate information, many data brokers sent reply emails requesting further details, such as a copy of my state driver’s license or additional personal information, claiming it necessary that I prove the request is for myself. The various replies can be many hundreds of email flooding my inbox each day, thus requiring untold hours of time just to weed through and file these replies or otherwise remove from inbox so that incoming email unrelated to data brokers can be found. Many data brokers require removal requests be made by filling out their own unique online form, thereby preventing batch email removal requests. Even if some data brokers respond with a statement of compliance, many of those companies appear to find some method to regularly side-step removal requests, possibly by programming a regular digital mutation, thereby retaining unfettered access to consumer data. It is an understatement to say that it is a full-time job to stay on top of the overwhelming task of contacting and responding to the various requirements of the approximate 1000 companies requesting removal of our own personal data; it is simply impossible for the average citizen to do so. As a result of the doxxing and distribution by data brokers, I’m blocked from financial products and have difficulty finding work. This has been both personally and professionally devastating to me and my family.
First, I have witnessed an increase in spam email, spam calls, and junk physical mail over the years. Opting out of services have become increasingly difficult, as companies add additional barriers to opting out. Second, data brokers threaten my privacy and anonymity by either freely publishing my information online, or selling it. I have little to no control over who knows where I live, what my contact information is, etc. Third, data brokering is increasingly becoming a national security risk. As a member of the Armed Forces, myself and many others are targeted by foreign adversaries via phishing scams, malware-laced email, to name a few. For example, we receive unsolicited smart watches through the mail. These smart watches are being sent to both physically track, and track their online activities among other things a smart device is capable of. I suspect their mailing addresses came from data brokers.
The people search brokers require people to “prove” stalking, domestic violence, and sex trafficking via submission of police reports and orders of protection. It is an impossible task for people to send individual emails to the privacy teams for each broker re: physical safety. No one should be required to disclose this information to data brokers.
One broker reported I was still married. Disputing this record via phone calls resulted in the removal of the marriage record, but when I checked again, there were new marriage records associated with past addresses! The broker claimed these entries are sourced through USPS. How insane that the postal service is leaking our data to these companies! Getting my former married name removed from these records was nearly impossible.
I left a cult that tends to hunt down ex-members, especially those who speak out. So I was terrified when I discovered my address, phone number, and other information was available on the web to anyone. They found me once, but I moved and was able to keep from being found again. Fortunately, I suffered no harm - that time. I frantically submitted removals to dozens of sites, it was a terrifying experience.
My information was used from online for extortion for something I didn't do. They had my information and anyone that lived in my house trying to get me to send money. I’m cleaning it up but it’s slow.
There is a broker in Annapolis, MD, which is somehow gaining access to states’ fishing and hunting license data (E- Merges) it has erroneously reported that individuals who have purchased fishing licenses have purchased hunting licenses. While blood sport and fishing are two different activities, firearm ownership can be inferred by reporting someone as a “hunter”. Unknown if this broker is also capturing disability information and associated driver license information (MVR, biometrics, images, prints).
As a domestic violence victim, this idea that people who have abused you just looking you up on the Internet and finding out where you live is hurtful, anxiety-inducing and feels like a betrayal of trust. I just learned that if I file a change of address with the government (USPS), that the government (supposed to be protecting the people) is selling my private information to greed and profit-driven businesses. This is a terrible and unconscionable thing to do. These data brokers encourage and enable identity thieves and malicious actors and it needs to stop.
Even our countries most important law makers are not provided protection from the internet mob. I’m appalled at the level of personal data that is aggregated for these data brokers. It’s a serious security issue for someone that worked for the Department of Justice as we take our privacy very seriously.
I've been stalked and harassed by people for no reason. It's made me depressed and paranoid. I'm really upset about companies selling my information without consent. Even my dad was getting harassed and stalked and had to relocate because he was fearful of internet stalkers.
I've had an online stalker for years who contacts me a few times a year, and it's distressing knowing that my address is easily found on the internet.
I had some legal trouble a long time ago, which ultimately after getting it finally off my record after years of dealing with lawyers and spending a fortune, I learned that getting it removed off my actual record was just the start. The data collection companies still had all this outdated information and had no incentive or regulation to remove it. It took awhile but eventually I had all my personal data removed from those websites and it was a monumental pain that I do not wish upon my worst enemies. Having a clean record and then ultimately having random people who want to profiteer off of outdated information that is not theirs is an absolute disgrace to this system, not to mention having my entire family's addresses exposed for the world to see is just plain creepy. I understand the need for a list or even a national registry for more heinous crimes, but anyone who had a drug charge, or even something less petty could be denied work because of these random websites is atrocious.
What's Next After The Request For Information?
Kanary believes our data about violations and sites compliance can be invaluable as the CFPB scales enforcement of existing FCRA violation. We expect to see them working with individuals and companies like Kanary to take the following next steps:
Track progress and flag ongoing violations to help consumers understand which enforcement is most impactful.