X

Easy Prey Podcast

Their Loss is Another's Gain

Navigating Data Brokering and Privacy

“More people are starting to realize that privacy matters. The way we share and protect our personal data today will shape what privacy looks like in the future.” - Darius Belejevas Share on X

In a world where data is more important than ever, understanding how it is acquired, shared, and misused is critical. Data brokers work behind the scenes, amassing enormous amounts of personal information from online activity, loyalty programs, and even public records, often without the users' knowledge. This data powers targeted marketing, scams, and even identity theft. But what can be done to regain control of personal privacy? Today we're diving deep into this topic with cybersecurity expert Darius Belejevas, who has spent years assisting folks in removing their data from these digital marketplaces. He is the head of Incogni.

In this chat, Darius is going to share how these sneaky data brokers operate. He'll break down why it's such a big deal when our data gets out there for all to see, and he'll arm us with some solid strategies to keep our privacy intact. We’ll also look at practical tactics that everyone can apply to limit their exposure to hackers. We’ll discuss data sharing, using privacy-focused products, and understanding legislation like GDPR and CCPA. We also dive into the shifting landscape of digital security, the role of AI in data collection and fraud, and what the future of online privacy may look like.

“The best way not to get affected by a data breach is to not be on the list in the first place.” - Darius Belejevas Share on X

Show Notes:

  • [01:01] We learn about Darius's background.
  • [02:16] We learn about the creation of Incogni
  • [04:04] Data brokers are businesses who collect data and sell it to other businesses. One problem can be lack of transparency of what is happening to your data. 
  • [07:19] There are probably a few thousand data brokers.
  • [09:36] Does removing your data get you out of a breach?
  • [10:48] Limiting what we share. Prevention, consequences, and clean up.
  • [12:22] When giving identifiers like your phone number, stop and ask if you really need to do that.
  • [14:10] Some brokers make it way more difficult to remove data.
  • [20:13] We talk about privacy regulations and how they can help you or make things more difficult.
  • [22:12] How AI will make malicious activities easier to scale.
  • [23:41] Have people given up on privacy? At the end of the day, it's about personal comfort. 
  • [25:00] Privacy laws are helping with data broker issues. 
  • [26:59] Being mindful about what you post online. Many people don't want to share too much.
  • [29:56] Physical junk mail has decreased. 
  • [30:52] What to do today. Think about what you want to share. Do you really need to subscribe?
  • [32:21] Use a service like Incogni to help you protect your data.
“Some companies make it easy to remove your data. Others will pull every trick in the book to keep it. It’s frustrating, but persistence is key.” - Darius Belejevas Share on X

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Darius, thank you so much for coming on the Easy Prey Podcast today.

Hey, Chris. Great to be here. Thank you for the invite.

I'm definitely looking forward to this. Can you give me a little bit of background about who you are and what you do?

Sure. Right now I'm leading Incogni, a data removal service. I've been in cybersecurity for almost seven years now. Before that, I finished my education in computer science. Funnily enough, in a few years, I realized that I'm not going to be a developer or engineer. I'm better suited for the business side of that.

I joined Surfshark cybersecurity company almost seven years ago. I joined as a specialist and had a chance to do quite a few interesting things around the company. For the last four years or so, I had this opportunity and privilege to take Incogni from an idea to now. I'm very excited about the number. Last year, we've completed over a hundred million data removal requests on behalf of our users.

What inspired the creation of Incogni?

Essentially, when we were thinking about it, with Surfshark, we cover the VPN side. We already had the Surfshark alert that provides monitoring into the data breaches. We were thinking about, “What else is out there in the market? What pains do we need to address on behalf of our users?” We were thinking about what's already solved well, what's not solved at all, what we have, the know-how, and the capacity to do.

We had a list of a few ideas. The way we think about it is we're building these products for our customers. We reach out to the customers with those ideas. “What would be most helpful to you?” At the time, we didn't have an aim, so it was just personal data removal from data brokers. It actually got the most votes. It was the most attractive and the most beneficial thing for our users. We know what we need to build, and then we need to figure out how do we go about it?

At the time, there wasn't someone who already sold it to us, where you could just look over the shoulder and say, “OK, we need to build feature ABC.” We actually had to figure it out from scratch. We have the privacy laws; we have the issue. How do we combine it to be able to remove customer data on that scale? This is a very important aspect of it.

Let's take a step back. What are data brokers?

When we talk about data brokers, it's easy to think about this like some mythical villain organizations, but it's actually business. It's businesses that provide a service usually to other businesses. Again, it's important to understand that it is legal to collect data, to sell it. That's within the law.

When talking about data brokers, these are just companies that are doing their thing. What we need to understand here is that, when we talk about the privacy and security issues when it comes to data brokers, it's not about one, two, or five particular companies. We have the whole ecosystem that's a bit dysfunctional, I would say. We have companies that some will scrape your LinkedIn; someone will get your information from the app usage; someone will get your information from the loyalty programs that you use, your browsing history, will get your location data, and then you have essentially those companies trading in between to build elaborate profiles.

There are issues with that, but I think the very scary part is that first, we're talking about literally hundreds of millions, sometimes even tens of billions of data points in one place. That's essentially just putting a big target on your back and say, “Just come at me.” We did the research a few years ago. A lot of the data brokers, even the big ones, they get breached multiple times. Again, I think the reality of cybersecurity, that if you're a target, it's more of a matter of time than anything else.

The other part that's very scary is that there's a lot of lack of transparency that you don't know. At the end of the day, who gets access to that data? It might be someone who wants to send you a promotional email or promotional pamphlet. At the same time, it can be someone who's coding automated bots to call you with some scam. That's a big part of the problem.

How many data brokers are you aware of? Based on how we calculate, we're talking about a few thousand. From the way we approach it, a lot of them are not relevant to what we do. The way we approach data removal is we're going to data brokers that have personal identifiable information.

Let's say at that company, they have the browser ID and some associated list of websites or stuff like that. This is not something that we can target specifically. We're more into the organizations that have personal identifiable information. In that case, we're talking about several hundreds, I would say something like that. Again, I think Pareto Principle applies here very much. In many cases you have a few dozen companies that are feeding the smaller ones.

Got you. Are they just constantly refreshing their data? If you put in a removal, yeah, it disappears today, but it comes back tomorrow because they've got a new data set that they imported?

Oftentimes you have companies that will re-add your information every two months. -Darius Belejevas Share on X

That happens not to that extreme. From our experience, we encountered a few dozen companies that have suppression lists. They would leave a small bit of information not to re-add you again. With those companies, remove it and forget it. Oftentimes you have companies that will re-add your information every two months.  Again, it varies from company to company. It varies on the usage, like what we're doing online and how they collect the data. When it comes to people, find their sites; I think we're talking about roughly two months in many cases.

From a perspective of data breaches, because we were talking about that earlier, does actually having them remove your data from what they sell and trade, does that actually get you out of what might be breached? Because if they have to retain the information to know not to share it, then they're still retaining the information. It's still within their system.

Some of it. Again, we're talking about minority of data brokers that have those suppression lists. An example is national public data breach back in autumn. That was a big one and a very impactful one because it also included Social Security numbers among other things. In that case, the best way not to get affected is just essentially not to be in that list and to not be on that list. Sometime in the past, you needed to figure out, “OK, I need to remove that information.”

If Incogni exists to take care of something after something has been shared, so to speak, what can the consumer do to keep the data from getting in there in the first place? Obviously, we can't stop transacting in the world entirely. What can we do to limit what can be shared?

I think this is very important. Maybe to step back a bit, the way we look at it is essentially, we're dealing with three stages. One is prevention. This is  what you mentioned right now, and then essentially dealing with the consequence. Not exactly dealing with the consequences, but something that we can still do before something bad happens. This is the removal part, and then the cleanup. At the very least, using a tool that monitors dark web, at least you can get an insight if your data has been leaked, and then it's essentially just dealing with the consequence.

Going back to the prevention parts, I think a couple of things here. From our experience, the most common identifiers used to aggregate data across platforms is going to be either an email or it's going to be a phone number.  In that case, it's something I do in my own life. If there's an element where we need the registration, where we need to leave an email address or even more so on the phone number, I just ask myself, “Do I really want to do this? Do I really need it?” I think that's very important. If it's a 5% coupon for something, I probably just don't do it

From our experience, the most common identifiers used to aggregate data across platforms is going to be either an email or it's going to be a phone number. -Darius Belejevas Share on X

The most obvious one is not sharing. I think a more interesting element here is using alternative like emails, phone number, so masking. I think this is not well-studied yet, but it would be very interesting to see that it's happening at scale, how it would affect the data pollution when it comes to data brokers. In one dataset, you can be John, a 55-year-old from Minnesota. On the other dataset you can be Joanna, 33, from California. It makes things a lot more difficult for potentially someone who wants to collect, aggregate, and just use the information.

Also, more effort on the side of the consumer if they've got to maintain sock puppets.

Yeah. I would love to see this solved fully, engine with a good user experience.

Yeah. Once the data gets into the data broker ecosystem, do you find that there are certain brokers that are going to push, like, “Hey, we don't do removals,” or they make you jump through a whole bunch of steps in order to remove data?

Absolutely. For a bit of context, when we started Incogni, while we're figuring out the technical part and so on, we actually did some testing manually. We had volunteers. We made a big list of data brokers. We talked with our legal team and then just getting the authorization from those volunteers. We started sending their mobile requests to data brokers. We had a big board with hundred-plus flows.

One broker will say, “Sure, done.” The other one will come back with one argument. We go back to our legal team. They'll say, “OK, this is what we got. What we can do to leverage it?” That's all so far.

From that, what we found is that it's really a spectrum when we're talking about data brokers. On the one side, you have companies who are truly doing their best to comply. I have nothing but respect to them because they're doing what they're supposed to do according to the law. On the other hand, you have companies that will pull every card in the book. Every argument with them it's quite literally sometimes many months. We have in cases of years or just back and forth with legal departments involved, looking for arguments to make it work. Small amount of number of data brokers causes a lot of problems.

Yeah. There was a time in my history when every time you bought something, there was a mail-in rebate. That way they could advertise it at $49 after rebate, but you've got to pay $100 to get it. In order to be eligible for the rebate, you have to cut off a piece of the box. You have to mail it to this PO box within this date range. You have to use blue ink on the paperwork. I can see data brokers saying, “Well, we don't know if you're really who you claim to be, so in the way that you get an SMS PIN code, we'll mail you a document that you then have to turn around and mail back to us.” Do you get even those weird responses?

Absolutely. The one that's stuck in my mind was that—this was still in the testing phase with volunteers. We submitted a request. We got an email back saying, “OK, now we need to provide a phone number and a copy of utility bills.” I think one other was a copy of a birth certificate. “For this case, you then need to go to this link and resubmit the information, and then we will call you between 12 to 36 hours. If you don't pick up the phone and confirm it verbally via the phone, we will assume that you canceled your request.”

Wow.

Another one. It's not as complicated in how mischievous. I think it's even worse that you get the response and the email headline says, “Your data has been removed.” But if you click the body of the email, it says, “To remove your information, you need to click on this link.” A lot of those we've seen, and they can be very problematic. From that perspective, again, even before we started building Incogni, we did an exercise internally with the team that's like, “Let's try to do it manually. Let's try to do it on behalf of ourselves. Let's try to outreach.”

I don't think anyone made it passed the second week because it's just a miserable experience along the way. After a week, you have just a full inbox of back-and-forth communications. It's just like, “Screw this. I don't want to deal with it.”

If someone were to do data removal manually, what's the average amount of time that it takes per data broker to get a successful removal?

It varies tremendously. To be honest, I think for more than half of brokers that have decent close, it would take a few minutes roughly. A more difficult part here is just to find them because that's one of the shocking things. When you start using it, like, “Who are these companies that I have never heard about in my life that have my personal information?” Just finding those companies is a bit of a pain. What's great with California and Wisconsin, who have the data broker lists, where the companies need to mandatory register there. Then you have those frustrating ones, where it can literally take hours of your life just back and forth.

You talked about privacy regulation. Are there places where the privacy regulations actually help you and places where their privacy regulations actually make it more difficult?

I think Europe is a good example of privacy regulations done quite well. From our experience, there really aren't that many data brokers based in EU versus US because it's more difficult to operate here. They're under more scrutiny. Again, it's not perfect. There are still loopholes and problems. As a general standard, and we had GDPR for almost a decade now, I'm prepared to say that from a virus perspective, it works quite well.

I think California's CCPA is a strong law. They have a bit of an issue with one of the elements that a company can give. Two options on how to remove. Often, they can make both very frustrating, something like do a physical mail. Who does that anymore? There are some areas that could be improved, but overall it's pretty good. I'm not a fan, and I'm a bit worried with what's happening in Australia. In that regard, it feels like in some ways, they're moving in the right direction. Right now, as a consumer, you don't really have that many rights in terms of removal.

Do you see AI helping you, hurting you, or is it a little bit of both in this space?

From our service, not very impactful. What I'm generally worried, and why I think services like ours will become even more important, is that the kinds of malicious things you can do at scale using Gen AI. It really scares me to think how much data you can feed and then essentially just go out calling and imitate someone's family member's voice. The way I think about it is that the way to protect yourself, again in phone scams or something like that in the future, is going to be just don't get targeted. Don't be on that list. Be the one who has less information, making it a harder target, or maybe someone will figure out a better way.

Yeah. Definitely, I've had conversations with people who have given up on the concept of privacy in terms of they're like, “All my data is out there; why should I bother to do anything about it?” Do you have that as a challenge that Incogni has to overcome in selling their services?

To some extent. At the end of the day, it's about personal comfort. If someone is fine that their personal information is out there and can be used by whomever, then anyone can be a few dollars and gets information about your family members, where you live, or your phone number. It's up to them at the end of the day.

Where do you see data brokering and privacy going over the next few years? Do you see more data brokers coming into business? Do you think it's going to be massive consolidation and just down to a few players that play? Or is it going to be a bunch of people playing in the shadows?

I think a lot will depend on how the privacy loss will develop over the following years. Admittedly, the last five years or so has been pretty great from that regard. Every year we have new states coming in with their own privacy laws. The federal law, we still cannot get really up to the start line. Again, there are arguments to be made that maybe that's OK. Maybe it's better to have state-level laws that are actually strict versus a watered-down federal law. There are some  arguments there.

The direction we've been going on was very promising. If we continue on this, I would foresee that it will become more expensive and more difficult for the smaller data brokers to operate. That would lead to consolidation at the end of the day, but nothing is given. If the trend would change with the AI developments, we could see very weird things coming out. It would be very interesting to see how data collection and the whole concept of personal information will change in the next few years.

Yeah. I think 20 or 30 years ago, we never would have thought of people posting every detail about their life online for everybody to see. Maybe there's a little bit of a backlash to that now that people are starting to like, “I don't want my life to be detailed online for forever. I want to have some anonymity, some privacy. I don't want everyone to know everything about my life.”

Yeah, absolutely. Our service is built for this category of people who want to be mindful and just don't want to share too much. They want to mitigate the risks. Again, when we started building Incogni and when thinking about cyber security and privacy products in the first place, it's often the tendency that no news is good news. You haven't been in the next data breach; it's working. You did something right.

What I'm very happy is that we have users who come in, register, or use the service and say, “Wow, the number of robocalls I get decrease drastically. I'm getting a lot less spam.” Our goal from that perspective was always get so good at targeting the data removals so that people actually feel the benefit in their day-to-day life.”

Our goal from that perspective was always get so good at targeting the data removals so that people actually feel the benefit in their day-to-day life.” -Darius Belejevas Share on X

Is that one of the challenges that it's hard to measure the effectiveness in a way?

It is. When we're talking about robocalls and spam, we need to educate our audience on this as well. You will generally have three reasons why it's happening. You just register to it. You just went around your day, registered to different services. Over the years, just accumulate to what it is now. Everyone is  sending you a promotion, sending you something, and so on.

On the other side and often related to the first part is you have been affected by a data breach. Some of the services that you have registered on have been breached. It's now out there in the dark web. Unfortunately, to my knowledge, there's no way to put the cats back in the bag here. At this point, it's more about just dealing with the consequences of that.

There is this in-the-middle part of the “surprise, surprise.” A lot of the data brokers are working with marketing here. Companies come to them and say, “OK, I need a list of people who live in this county over in this age group and this financial situation. Can you get us the information?” They start sending you and so on. Surprise, surprise. When you remove yourself from those lists, you get a lot less of it.

Yeah. I have been an Incogni customer for some time now. One thing that I wasn't necessarily thinking about, and I think you've confirmed it to me, is that the amount of physical junk mail I get has decreased over time. I don't know, is that a result of Incogni doing a good job, is it because that's just getting less and less, or is that just the trend where companies just send less advertisements via mail? It was one of those things in my mind going, “Is it a happy coincidence, or is this actually the results of what Incogni has been doing?”

Yeah, I really hope we can figure out a more scientific ways to measure it. I don't know how to isolate it yet.

Yeah, it's hard to know because you're not the ones that are sending the advertisements out via mail.

Exactly.

As we wrap up here, obviously, people can go to Incogni and start the removal process. We touched on this at the beginning, but what are two or three things that people should be doing today to prevent information even getting to the data brokers to begin with, just behaviors that they should really change or reconsider?

I will go back to the first point. Really, I think about, if someone is asking for your email or your phone number when registering, just take another moment to think, “Do I really need to be there? Do I want to subscribe or whatever?” That alone over time will make a tremendous difference.

Another thing that I've started doing is when you get something unexpected email or call, you are quite welcome. Depending on where you live, you even have the rights to know or how that person or that company got your information. When I get something unexpected, I just reply with, “How did you acquire this information?” This also leads to interesting results and can lead to where you need to opt out.  The risk of shameless self-promotion, use a service like Incogni, and we can do a lot of that work on behalf of you.

When I get something unexpected, I just reply with, “How did you acquire this information?” This also leads to interesting results and can lead to where you need to opt out. -Darius Belejevas Share on X

Thank you. I know one of the things that I have started to pay more attention to is the US will send you a once-a-year privacy update or something like that. They talk about in these documents who we share data with and under what circumstances they share data. Surprising, a lot of them actually have an opt-out form or an opt-out process that they mail you. Even though they're not a data broker, they are a company that they have, “Hey, selling your data to other people is valuable to us.” But they give you an opportunity to opt out of that process, which is usually a little bit cumbersome, but it's definitely something that I've started to do when I get those notices. It's like, “Yeah, I don't want you selling my data. I don't want you giving it to any of your partners unless you absolutely have to in order to provide the service that you provide.”

This is absolutely a great point. Also, when filling out some forms, going to a dentist, or whatever, look for those checkmark forms. You don't necessarily need to check all of them. Often, they will have something like, “You agree that we will share your information with friends and affiliates.” Those are often the data brokers.

You're like, “No, I don't authorize it.”

Yeah.

I've also had some interesting interactions with some organizations that when I asked the person at the front desk, “What do I have to fill out in order to get the service? What do I not have to fill out?” Sometimes they're like, “Oh, we just need your name and address so we can send you a bill.” I'm like, “OK, you don't need these other 15 fields.” They're just generically on the paperwork.

Yeah. This is great.

Of course, some of them are like, “No, we need absolutely everything.” Again, where can people find Incogni online?

Incogni.com—the best way. We're also on the X and LinkedIn, but incogni.com is waiting for you.

Any new plans or features that you're planning on rolling out in the near future that you can talk about?

Yes, we have some cool things in the works. It's something that's about to launch very soon. A data removal scanner, as we call it. Essentially, we'll be doing a very similar free tool. It is a dark web monitoring. In this case, we're talking about the people finder side. You can enter your name and the city, and then we will send you a report where we found your information on people finder sites.

That's cool.

Yeah, and that's for free. This is going live very soon. Another cool thing we're working on is customer mobile. Essentially, even if you found your information on a site that's not a data broker, you submit the link for us and we will do our best to make it go away.

That's really cool. Darius, thank you so much for coming on the Easy Prey Podcast.

Thank you so much for having me.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Notified When We Release New EpisodesALERT ME

X

Logo

Get Notified

When we release
new episodes

We will only send you awesome stuff!

Privacy Policy

×

 
×

Easy Prey Self Assessment Cover

Are you safe or at risk? Find out.

We’ll send you instructions to download the self-assessment right away. It takes only a few minutes to complete.

We hate spam and promise not to spam you.
Unsubscribe at any time.

Privacy Policy

×

Hire Me To Speak

Privacy Policy

×

Privacy Policy

Your privacy is important to us. To better protect your privacy we provide this notice explaining our online information practices and the choices you can make about the way your information is collected and used. To make this notice easy to find, we make it available on every page of our site.

The Way We Use Information

We use email addresses to confirm registration upon the creation of a new account.

We use return email addresses to answer the email we receive. Such addresses are not used for any other purpose and are not shared with outside parties.

On occasion, we may send email to addresses of registered users to inform them about changes or new features added to our site.

We use non-identifying and aggregate information to better design our website and to share with advertisers. For example, we may tell an advertiser that X number of individuals visited a certain area on our website, or that Y number of men and Z number of women filled out our registration form, but we would not disclose anything that could be used to identify those individuals.

Finally, we never use or share the personally identifiable information provided to us online in ways unrelated to the ones described above.

Our Commitment To Data Security

To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online.

Affiliated sites, linked sites, and advertisements

CGP Holdings, Inc. expects its partners, advertisers, and third-party affiliates to respect the privacy of our users. However, third parties, including our partners, advertisers, affiliates and other content providers accessible through our site, may have their own privacy and data collection policies and practices. For example, during your visit to our site you may link to, or view as part of a frame on a CGP Holdings, Inc. page, certain content that is actually created or hosted by a third party. Also, through CGP Holdings, Inc. you may be introduced to, or be able to access, information, Web sites, advertisements, features, contests or sweepstakes offered by other parties. CGP Holdings, Inc. is not responsible for the actions or policies of such third parties. You should check the applicable privacy policies of those third parties when providing information on a feature or page operated by a third party.

While on our site, our advertisers, promotional partners or other third parties may use cookies or other technology to attempt to identify some of your preferences or retrieve information about you. For example, some of our advertising is served by third parties and may include cookies that enable the advertiser to determine whether you have seen a particular advertisement before. Through features available on our site, third parties may use cookies or other technology to gather information. CGP Holdings, Inc. does not control the use of this technology or the resulting information and is not responsible for any actions or policies of such third parties.

We use third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. For information about their specific privacy policies please contact the advertisers directly.

Please be careful and responsible whenever you are online. Should you choose to voluntarily disclose Personally Identifiable Information on our site, such as in message boards, chat areas or in advertising or notices you post, that information can be viewed publicly and can be collected and used by third parties without our knowledge and may result in unsolicited messages from other individuals or third parties. Such activities are beyond the control of CGP Holdings, Inc. and this policy.

Changes to this policy

CGP Holdings, Inc. reserves the right to change this policy at any time. Please check this page periodically for changes. Your continued use of our site following the posting of changes to these terms will mean you accept those changes. Information collected prior to the time any change is posted will be used according to the rules and laws that applied at the time the information was collected.

 

×
close
Embed this image

Copy and paste this code to display the image on your site