I frequently get asked about paid privacy services. There are several such services out there. Unfortunately I have not worked with any of them, and cannot give a good answer. Until now, perhaps. As you know, last week I put out a call for a volunteer for the DeleteMe privacy service. Within just a few hours of last week’s post going live, I received a response from John (a pseudonym). John is a 30-35 year old male from the mid-western United States. He and I exchanged a few emails and got busy.
DeleteMe Privacy Service Review
John was kind enough to provide me with some light biographical details. I used this information to conduct a rather detailed search for his information on people-search sites like Spokeo, That’s Them, and Whitepages. John has a level of exposure that is pretty average for the typical American. Within just a few minutes I managed to locate fifteen instances of John’s personal information exposed online. This information included his home address, cell phone number and carrier, and the names of his spouse, parents and other family members. I was also able to locate several previous addresses, which we also want removed because they can be used to verify financial transactions.
I double-checked all of this information with John to make sure it was really him. The sum of this information would be enough to launch a social engineering attack against John or his family. It would also be more than enough for a stalker to physically locate them. I recorded all of the links so I can periodically check and see what has been deleted and what hasn’t. I also found a couple of mentions of John that may be challenging to remove. These are voter records on third-party websites; this will be a good test of DeleteMe’s abilities to remove information beyond the boilerplate opt-out forms.
With this in mind, John took the first step and set up his account with the DeleteMe privacy service. He reported the setup as fairly painless: create a username and password, pay for the service, and input some personal data. Many of you may be nervous about this: for the service to work, it has to know who you are. This means that you have to provide your full name (as well as any aliases used), current and former addresses, telephone number, date of birth and email address. Additionally, to prove to DeleteMe that you are who you say you are, you have to provide a photograph of your drivers’ license.
After submitting your information, there isn’t much to do. Within twenty-four hours of submission, DeleteMe had issued a “Report for John Doe”. Opening this report revealed the list of websites where his personal information had been found by the DeleteMe privacy service. Scrolling all the way to the bottom, it also enumerated a list of aggregators that collect information from the primary sites like Spokeo. The full list includes: 123people.com, 99lists.com, anywho.com, dexknows.com, emailfinder.com, freephonetracer.com, lookupanyone.com, peeepl.com, peoplesmart.com, phonebook.com, Private Eye, publicrecords.com, Public Records Now, spock.com, switchboard.com, thepublicrecords.com, toppeoplefinder.com, USA People Search, Wink.com, Yahoo People Search, and Yasni.
The next step is to wait. DeleteMe warns that although opt-outs are processed more or less immediately, some sites may take longer than others to respond. In 14 days I will search to verify the results of the opt-out.
The biggest reservation I have so far with providing this information is that your DeleteMe account cannot be protected with two-factor authentication. To use the service you have to place a great deal of very sensitive information into an online form that is protected only with a password. After speaking with a senior executive at Abine, I am told that two-factor authentication for DeleteMe accounts is planned for the near future.
A special “thank you” to John, without whom this wouldn’t have been possible. John has been very responsive to my emails and has helped me out considerably in this effort.
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.