If they use the data you provide (such as your address) to search other data brokers, doesn't that potentially give the data broker MORE information than they already had on you? Do the companies in this space prevent this somehow?
Edit: Lest people think this is somehow impossible otherwise - all it should take would be to search for just your name + location, get the query results, then filter on the client side. Which is exactly what a human would do for the brokers that have a "remove this entry" option when you see (presumably) yourself in the search results. However, this not only requires the data brokers to support such an API, but also requires the deletion services to actually put in the effort to do it this way for every broker they can, which seems nontrivial. Hence my question of whether these services make such an attempt at all.
Not a dumb question at all. Yeah, in the process of finding you within a data broker's system and sending a removal request, they need to send that broker your personal data... it's a bit awkward. Optery, another PII removal service, has a whole section about this in their privacy policy (section 7 of https://www.optery.com/privacy-policy/):
> Optery, Inc. must send your PII to the data brokers and information aggregators included in the Removal Lists... We cannot control, guarantee or warranty how these third-parties will treat your PII or what they will do with it.
Optery also has a Help Desk article on this catch-22 where in order to opt out of data broker sites, you must first tell them who you are, otherwise, how else would they know who to opt out: https://help.optery.com/en/article/what-information-does-opt...
They could use a bloom filter with some sort of a cryptographic hash. On a hit, the data broker could challenge them to compute a salted hash of the "matched" data. If the salted hash matched, the data broker would remove the data.
I think the same algorithms that are used for password storage would work for this without modification (except the data broker would pick different salts during each session, and you'd send the hash over the network).
No company wants to implement this. I've been involved in efforts to use this approach with hospitals -- a perfect PII-preserving situation -- that went nowhere. We got it working with a startup once where we published the bloom filter to reduce the traffic load for the counterparty. Do you know what they did? They reverse engineered the filter by blasting it with every key and cached the result.
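The exchange sketched in the two comments above, as an added example that is not from the thread or from any removal service: the broker publishes a Bloom filter, the client tests its record locally, and only on a hit answers a per-session salted-hash challenge. It also measures the enumeration problem the reply describes. The record format, the filter parameters, PBKDF2 as the "password storage" hash and all sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

M_BITS = 1 << 16        # filter size in bits (assumed)
K_HASHES = 4            # bit positions per item (assumed)
PBKDF2_ROUNDS = 2_000   # kept low so the demo is fast; real use needs far more


def normalize(name, dob, address):
    """Canonical byte form of a record; both sides must agree on it (assumed format)."""
    return "|".join(p.strip().lower() for p in (name, dob, address)).encode()


def positions(item):
    """Derive K bit positions from one SHA-256 digest (double hashing)."""
    d = hashlib.sha256(item).digest()
    h1 = int.from_bytes(d[:8], "big")
    h2 = int.from_bytes(d[8:16], "big") | 1
    return [(h1 + i * h2) % M_BITS for i in range(K_HASHES)]


class Bloom:
    def __init__(self, items=()):
        self.bits = bytearray(M_BITS // 8)
        for item in items:
            for p in positions(item):
                self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in positions(item))


def salted_hash(record, salt):
    """Slow salted hash, the same construction used for stored passwords."""
    return hashlib.pbkdf2_hmac("sha256", record, salt, PBKDF2_ROUNDS)


class Broker:
    def __init__(self, records):
        self.records = set(records)
        self.sessions = {}

    def publish_filter(self):
        # Bloom filters cannot delete, so the filter is rebuilt after removals.
        return Bloom(self.records)

    def new_challenge(self):
        sid, salt = os.urandom(8).hex(), os.urandom(16)
        self.sessions[sid] = salt           # fresh salt for each session
        return sid, salt

    def remove(self, sid, response):
        salt = self.sessions.pop(sid, None)  # a salt is valid for one attempt only
        if salt is None:
            return False
        # Linear scan for clarity; a broker with many records would need an index.
        for rec in list(self.records):
            if hmac.compare_digest(salted_hash(rec, salt), response):
                self.records.discard(rec)
                return True
        return False


def client_opt_out(broker, bloom, record):
    if record not in bloom:
        return "no-match"                    # nothing about the record left the client
    sid, salt = broker.new_challenge()
    # On a Bloom false positive the broker still receives a salted hash of a
    # record it does not hold, which it could try to brute-force offline.
    ok = broker.remove(sid, salted_hash(record, salt))
    return "removed" if ok else "false-positive"


def recoverable_members(bloom, candidates):
    """Exposure check: members anyone holding the filter recovers from a small key space."""
    return [c for c in candidates if c in bloom]


def demo():
    jane = normalize("Jane Doe", "1985-02-11", "12 Elm St, Springfield")   # constructed
    john = normalize("John Roe", "1990-07-04", "9 Oak Ave, Shelbyville")   # constructed
    ann = normalize("Ann Poe", "1979-01-01", "1 Pine Rd, Ogdenville")      # not held
    broker = Broker([jane, john])
    bloom = broker.publish_filter()
    results = [client_opt_out(broker, bloom, ann), client_opt_out(broker, bloom, jane)]
    # A filter keyed on a low-entropy field (100 possible phone numbers here)
    # gives up its full membership to a simple sweep of the key space.
    phones = [f"555-01{i:02d}".encode() for i in range(100)]
    leaked = recoverable_members(Bloom([b"555-0123", b"555-0142"]), phones)
    return results, leaked


if __name__ == "__main__":
    print(demo())
```

The filter only protects records whose key space is too large to sweep; hashing does not add entropy to a phone number or an SSN.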
And you need to enter all of the information that you're trying to protect into one central location that is probably heavily targeted. These types of services never made sense to me.
Nothing is impossible in tech. (Rhetorical hyperbole!) But seriously let me give you an analogous example, with its pros and cons.
DNS now has something widely deployed called "query name minimization". For no particular reason other than it made servers' lives easy (which it does, as we will explain) the recursion process historically sent the actual qname (what was asked for) to each nameserver contacted.
Much was made of this in recent years, that this leaked potentially important information to servers which demonstrably couldn't have the actual answer for the qname (even if they could provide a useful referral).
Two flavors of qname minimization exist in the field. One flavor asks qtype A questions of the form "_.example.com" until it triangulates on the server with the answer; the other asks qtype NS questions (regardless of the actual qtype). (In case you've noticed a change in the mix of your DNS traffic.) In a nutshell, qname minimization asks questions which enable it to triangulate on the server which can potentially answer the question, before sending the actual question to it.
A good rule of thumb is that with a cold cache qname minimization will result in nearly twice as many queries being issued / answered during the resolution process, assuming nothing goes wrong. Both of these approaches are prone to mistakes when servers don't conform to assumptions about how proper DNS should operate.
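A simplified model of the behaviour described in the comment above, added here as an illustration and not taken from the thread or from any resolver's source. It lists what each nameserver in the delegation chain is sent with a cold cache, for classic recursion and for the two minimization flavors. The delegation chain and query name are constructed, one server per zone is assumed, and caching, retries and label limits are ignored.

```python
def labels(name):
    name = name.rstrip(".")
    return name.split(".") if name else []


def suffix(qname, n):
    """The last n labels of qname as a fully qualified name."""
    ls = labels(qname)
    return ".".join(ls[len(ls) - n:]) + "." if n else "."


def next_cut(server, qname, zone_cuts):
    """Closest delegation below `server` on the path to qname, or None."""
    for n in range(len(labels(server)) + 1, len(labels(qname)) + 1):
        if suffix(qname, n) in zone_cuts:
            return suffix(qname, n)
    return None


def trace(qname, qtype, zone_cuts, mode="classic"):
    """Return [(zone asked, name sent, type sent)] for a cold-cache lookup.

    mode is 'classic', 'ns' (NS queries) or 'underscore-a' (A queries for "_.<zone>").
    """
    qname = qname.lower().rstrip(".") + "."
    total = len(labels(qname))
    server, out = ".", []
    if mode == "classic":
        while server is not None:
            out.append((server, qname, qtype))     # every server sees the full question
            server = next_cut(server, qname, zone_cuts)
        return out
    n = 0
    while True:
        n += 1
        child = suffix(qname, n)
        if n >= total:
            out.append((server, qname, qtype))     # real question, asked only now
            if qname in zone_cuts:                 # qname is a zone apex: referral, then answer
                out.append((qname, qname, qtype))
            return out
        if mode == "ns":
            out.append((server, child, "NS"))
        else:
            out.append((server, "_." + child, "A"))
        if child in zone_cuts:                     # referral: move down to the child zone
            server = child
        # otherwise no delegation at this label: same server, one more label


def full_name_seen_by(rows, qname):
    """Zones whose servers were sent the complete original qname."""
    qname = qname.lower().rstrip(".") + "."
    return [srv for srv, name, _ in rows if name == qname]


if __name__ == "__main__":
    cuts = {"com.", "example.com."}                # constructed delegation chain
    q = "www.dept.example.com."
    for mode in ("classic", "ns", "underscore-a"):
        rows = trace(q, "AAAA", cuts, mode)
        print(mode, len(rows), "queries; full qname seen by", full_name_seen_by(rows, q))
        for row in rows:
            print("   ", row)
```

In this model the root and TLD servers stop seeing the full name, at the cost of one extra query for each label that is not a zone cut.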
Any 3rd party service or individual doing opt outs should limit data sharing as much as possible. Steps to do that include setting up email aliases, searching data in separate queries, using a proxy or VPN, verifying data exists before sending a data deletion request with all your pii in it, pushing back on any invasive requirement for govt ID...
It's tempting to just automate sending a mass email to all the brokers with your full name, DOB, and address asking for deletion (some services actually do this - beware), but that exposes you to a bunch of new spam.
I've been building Kanary for 4+ years (we're a removal service & YC grant recipient) and we take a conservative approach to each site. I wrote a bit more about why this matters: https://www.kanary.com/blog/dont-get-spammed
Could there be some sort of Robin Hood action to all of this? What if you took all the leaked data about millions of people and used that to opt them out of all the various services that buy and then sell the data?
That is a possibility. Another scenario is one in which you sign up to a service like Optery and submit a non-existent individual with fabricated information for PII removal; after about a month or so, this fabricated individual started showing up as a possible person that lived at my address when I was trying to get a quote from Progressive.
So, seems like somewhere in the midst of this process, one of the 240 brokers that Optery sends your information to get it removed, someone aggregated it, sold it to Progressive and in the underground realm of data brokers and buying and selling data, someone unfortunately (or fortunately?) is now targeting 'Paige Notfound' and 'Meg A. Byte'.
Thanks so much for sharing this, I was wondering what would happen if I tried this. I guess this basically tells me to be wary of such services. Great info.
P.S. Just a heads up that you may have basically revealed your address by sharing those fake names (though I haven't tried to search), unless you also made up those names just now for illustration...
With an American SSN, one could dump 1,000 queries of numbers with only 1 of them being the client's actual SSN so the logs don't reveal as much. Still, though, it's a Catch 22 to find the thing you don't want found by using that thing.
It seems to me like this is a core problem with the scummy nature of this business. I’d like to believe you’re wrong but have trouble given the business model.
I wanted to try this, but it seems to be restricted to only people in the USA. It is impossible to enter a location outside the USA in the sign-up form, and it's impossible to skip that form. Please, Mozilla, make it much clearer which countries are supported to avoid causing this frustration and to give people a reason to come back once other countries are supported.
Sorry about that. The form should only be shown for people in the USA, but detecting the country you're in can't be done perfectly. Which is a good reminder - we'll look into making the US-only part clearer.
They're likely starting with the US because either their partner(s) for this is US only and/or it's easier to start with a single large market. The US is about a 50% larger market in terms of GDP than all EU countries combined.
I am from the EU, so tell me about it :) But yes, the sibling comment is right: this isn't something you can expand to other countries with the push of a button.
Personally, for this specific functionality, I don't think the EU wouldn't be at the top of the list though: these types of data brokers are way more of a problem in other countries. We have laws like GDPR :)
That is correct, with the additional note that Monitor has also existed for a while providing that functionality for free (in collaboration with HIBP), and will continue to do so for free, and worldwide.
The new thing is scanning for your info at data brokers (for free, but USA-only), and automatically removing them and continuously checking that they stay removed (paid, US only).
That ability is not the product they're offering though, that's something you can already do once you identify where your data is. And obviously that's if they have a way for you to request removal and if they feel like doing it at all, which are the same constraints for Mozilla. I think this is all purely for the convenience of having it all done for you (which is okay).
Well, even if you consider the removal aspect of it useless since you could do it yourself, there is still value in knowing where your data is. Have I Been Pwned will tell you about breaches, but not about brokers reselling your data, and they only monitor email addresses.
And yes, you could probably go and ask the brokers directly, but that is certainly a lot of time and effort, so paying for it might make sense, assuming you trust the service provider.
That is correct, and we do help you identify where your data is for free. Many people unfortunately have their data exposed in lots of places, in which case manual removal is a PITA, and that's where the Plus plan comes in.
Mozilla Monitor Plus - $14/mo, or $108/yr. Too pricey for most.
>Every month, we use the information you provided about yourself (name, location and birthdate) to search across 190 data broker sites that sell people’s private information. If we find your data on any of these sites, we initiate the request for removal. Data removal can take anywhere from a day to a month. This feature is available for Monitor Plus users only.
Anyone know if there are any local/open source tools to do this?
I use this pattern but I'm starting to move away from it. Some things just don't work (ex. linking accounts between companies) and it also throws customer service agents into a panic when they see their own company name in the e-mail address.
I'm also not sure it gets me that much. I do get to see who was compromised or sold my data, but most of that just goes to spam anyway. I also usually find out about the compromises from other sources anyway.
Sure some of the CSA's panic a bit, but I've never had one not go along especially after explaining my purpose. I've not seen too many compromises, but some of them were not public. Especially with small businesses like a car dealership, they may never know themselves.
Yael's resource is amazing. Highly recommend this open source guide.
Also check out Michael Bazzell's how to disappear guides: https://inteltechniques.com/links.html
We are working on a fully local version of this @ https://redact.dev - Beta should be out within a month or so. Huge (obvious) advantages for doing it locally
Also an unaffiliated, long term, and happy user of Optery.
If nothing else, I’m glad there are more offerings showing up on this space because of the competition this will hopefully generate.
Consumer Reports also has a semi-related offering called “Permission Slip” that is focused on opting out of data sharing with individual companies, e.g. Netflix, Home Depot, etc.
Many data brokers will not permit third party services to remove the data without a signed limited power of attorney. Note that the power of attorney is limited to interactions for submitting removal requests and opt outs.
Isn't it to be expected? I guess that they have to make demands on your behalf to have your data removed. I guess that's optional because they can still work without it in some cases, and ask you on a case-by-case basis for others, but that's extra work for you and for them, so they may not do it, at least not on the lower tier pricing.
Blame data brokers for making such asinine restrictions.
You can also just use the free version to collect a list of brokers yourself and manually contact all of them to find out how much of a pain in the ass it is.
I cleared my name from the net using another service that charged by the month. I paid them for three months, when their work clearing my data from about 100+ brokers was completed, then cancelled. 2 years later, my name and personal data still remain no longer to be found like it once was before the scrubbing.
That's great to hear, often they do show up again later, which is why it's a longer-term subscription service. OneRep is the provider for the removal functionality of Monitor, incidentally.
I can't help but be a bit miffed that despite ostensibly being a privacy service, optery is still running a bunch of third party scripts on their site, including google...
I'm curious, what's the point of paying for Optery per year? Isn't removing your data a one-time request? Except for supporting new brokers that might appear.
Your point is spot on. Data removal services have an aspect where a ton of value is obtained in the first 1 - 4 months as the majority of profiles are wiped away, and then after that you're sort of in maintenance mode where the service catches profiles as they pop back up, or when new data brokers are added to the system for coverage.
Optery generally has 2 types of customers:
- The first type are those that care a lot about their privacy and the cost of an ongoing subscription is insignificant to them, so they keep the service running on an ongoing basis for the ongoing automated scans and removals and for getting new data brokers they get coverage for immediately as they are added into the system.
- The second type of customer is more price conscious and is basically looking back and forth between their credit card statement and their Optery dashboard each month and then they either pause or cancel the subscription when they feel they've reached a good stopping point. Optery's pause subscription feature is very popular for this type of customer and you can use it to automatically re-start the service in 3, 6, 9 months, etc.
- Another thing to point out is many other services only offer Yearly subscriptions, Optery offers Yearly or Monthly. If you're price conscious, the Monthly is nice because you can turn it on and off, or pause it as you wish.
More detail on the topic of keeping Optery running on an ongoing basis is on the Optery Help Desk here:
This is a great suggestion and we would like to add this. Not because it would provide any revenue lift though, but because it is what some Optery customers have been asking for, e.g. can I have a lower cost subscription that runs every other month, or every three months, etc. Technically, you can do this today by cancelling and re-starting a Monthly subscription at your desired cadence, or pausing and re-starting your subscription periodically, but that requires manual effort. A configurable cadence is definitely on our backlog though.
Also a satisfied Optery user. Been using their service for the past year, from what I can tell, they seem to have the most robust solution in the space.
I think "partnership" seems like too strong a word for what appears to be the simple use of an affiliate program. Why would OneRep know or care about an individual affiliate and the content of their site, as long as their behavior with regards to the affiliate program is above-board?
Affiliate programs have application processes intended to filter out bad actors and mis-alignment with a brand. To use an extreme example, a web site promoting terrorism would typically be rejected. Approving data brokers as affiliate partners for a data broker removal service is viewed by many as questionable. To use another extreme example, how would you feel about an anti-virus software company that approved as affiliate partners creators and distributors of computer virus programs?
OneRep is the service I used, briefly. I have no affiliation with them except as past customer. They delivered as promised and the effect has been persistent 2+ years since the time I discontinued the subscription.
beyonddd should really identify themselves as the founder of a competitor. Nothing wrong with posting, but pseudo-anonymously disparaging the competition seems very inappropriate.
Yes - I flagged myself as an Optery founder on my first comment, but as you mentioned the comment was subsequently flagged and hidden from view. It is also made clear here: https://news.ycombinator.com/user?id=beyondd
From my perspective, I'd put it in any comment mentioning Optery or criticizing competitors. People often read one comment; they don't read all your comments and your profile.
It also adds some credibility: You actually know what you're talking about in regard to this kind of service.
not affiliated with Optery but agree conflict of interest, also misleading by onerep and at best deceptive.
take that potential lack of trust together with the several reports online that onerep's us operation is a sham and they are really operating out of eastern europe and sending user data there...seems shady.
begs the question: what does a privacy-respecting org like Mozilla see in onerep and how is it better than what other companies offer?
Discover's service is limited to only a few sites (which is why it's free). And it is not transparent about progress of removals or requirements.
That might not be the most effective way to reduce spam or reduce targeted attacks, because it ignores many hard to remove exposures.
We have a similar price point at Kanary (I'm the founder) and it covers the resources we invest in the cat & mouse game required to escalate and complete removals on a wide variety of sites, not just a handful of easy ones.
Anyone have experience comparing this to Incogni? I’ve been an unaffiliated user for over a year now. While many brokers have replied, many never seem to.
Optery founder here. We did a deep dive comparison between Incogni and Optery (https://www.optery.com/incogni-review/). The biggest takeaway is Incogni, at this time, does not cover many of the most popular people search sites like Whitepages, TruePeopleSearch, Spokeo, RocketReach, ThatsThem, BeenVerified, TruthFinder, InstantCheckmate, and many others. Most Incogni reviews you'll find online are written by their affiliate partners.
beyondd, I've been reading through this thread and your comments about Optery and you got me to sign up for an account on your site vs Mozilla's service so good job. I was even going to pay for your Ultimate plan for a year. But.... you lost me when I got to the profile page. I have a handful of email addresses and a couple of phone numbers. I would want them all to be scanned for. I had previously been using experian's removal service and they allowed for 10 emails and 5 phone numbers.
Your documentation says:
"You can only select one email and one phone number for scans at this time. However, Optery's engineering team is actively working on providing more configuration options such as the ability to run scans on demand for multiple email addresses and phone numbers."
Any comments on when this will be an option? I would want automatic scans on all of my emails and phone numbers. Not very useful for me without this.
The core of Optery's search functionality is "person" centric. Meaning we start with searches by name, city, state, and age to find "you" regardless of which underlying email or phone number the data broker has on record for you. Because in many cases data brokers may have no email or phone on file for you at all (only home address), or they may have a really old phone or email you have forgotten about. When data removal service scans focus only on phone numbers and email addresses, a lot can get missed. Many people search sites are not even queryable by phone or email, and are only queryable by name, city, and state. Optery does search for phones and emails, but you are correct in that it currently limits them to just one each from the customer at this time. We plan to release the scan on demand feature you referenced in the next few months.
That said, Optery recursively searches through data exposed by data brokers to alleviate the need to input numerous old phones and emails by the customer. In PCMag.com review they said this of Optery's recursive phone number search functionality:
"It uses data found in data broker profiles to recursively expand its reach. For example, in my latest testing, I only gave it my current phone number, but it found records associated with an old number that I used for some 25 years."
Thank you for the reply! I suppose that does make sense, though it still doesn't give a warm fuzzy feel separating the functionality. While the average human might only have one email address they use, I'd venture to say people who would want a service such as this would skew more towards having many they use for privacy reasons.
I get what you're saying about how emails aren't the primary means of finding people, but it is a way, and something people often do have more than one of. I'd humbly request you reconsider and try to better incorporate support for automated scans on multiple emails/phones into the main product. For what it's worth it looks like Mozilla's product supports 5 based on their docs.
That said, after submitting this comment I'm going to go ahead and sign up for the one year ultimate anyway in hopes that you will reconsider my request if I'm a paid user. :)
Thanks for the follow up! Scans for multiple phones and emails is something we're working on so stay tuned on that, and don't hesitate to contact customer support with any questions along the way!
Also, you mentioned using Experian's data removal service previously. Do you mind me asking how many exposed profiles the Optery scan located that Experian missed?
Optery founder here. If you're taking a look at Mozilla Monitor, I recommend taking a look at Optery too:
- Optery's Ultimate plan covers 300+ data broker sites and offers Unlimited Custom Removals providing the most comprehensive coverage in the industry. Optery has a variety of plans for different coverage needs (Free, Paid, Family, Business), and the ability to pause or cancel a subscription at any time.
- Mozilla Monitor Plus is powered by OneRep, which partners with data brokers through its affiliate program: https://imgur.com/a/juSC66b. This is a fine line most data removal services do not cross. Optery's removals are proprietary and are not powered by any other company.
- Optery (YC W22) was awarded the Fast Company Next Big Things in Tech in 2023 and PCMag.com Editor's Choice award in 2022 and 2023, over DeleteMe, Kanary, Incogni, IDX Privacy, etc.
- Optery has completed its SOC 2, Type II security certification. To our knowledge, DeleteMe is the only other data removal service with this certification. This is probably the most overlooked attribute when selecting a data removal service.
If you ever do this manually, the data brokers that have data removal options will first show you an ad for using a removal site. Because that way, they at least get a cut of the proceeds when you sign up. Data brokers don't get much benefit from people doxing $some_random, other than a few dollars for every thousand people who do that. But, they can get $10s of dollars for when $some_random signs up with their affiliate link.
So, you have a clear conflict of interest with onerep not blocking data brokers from their affiliate. It probably doesn't go very deep, but with the subscription-based nature of these privacy services you start to wonder what happens when you churn...
I think if you express an opinion like that you ought to say why too. It could be you have a point. But you could also be (mis)interpreted as a critic who, instead of building things themself, finds imperfections in things the real builders make...
I really wish employers would pay for a service like this because a lot of spear phishing attacks start with data stolen or scraped from brokers, LinkedIn, etc. If a company buys a service like this in bulk, it can get significant discounts. Personally I've resorted to hiding my information on LinkedIn and noticed that I've been passed over by attackers while my coworkers get spear phishing attacks all the time.
Many employers do - we work with plenty of teams and even have specific guidance for how members can ask their HR or Security lead to sponsor a membership.
I like how the solution to the privacy issue is _yet another account_. I don't know why, but I find it highly amusing. I do get it, you need to share your details with them so they know which details to delete, but I still can't help but laugh.
For example, Firefox can collect quite a bit of data regarding what hardware correlates with what type of crashes on what code paths. It doesn't have to know anything about you to know that fewer crashes benefit you.
I attempted to use this, entered my email, was prompted with a "create your account" page, laughed out loud and closed the tab. This is a comical misunderstanding of what the product even IS or DOES.
How do they think they’re supposed to do their job if they don’t even have a way to identify you in the first place. What is comical is your blend of ignorance of the technical needs of the product and arrogance to suggest that it should be done in this “magical anonymous way” that nobody seems to grok.
One of the ironies of these things is that they tend to map to a specific e-mail address, whereas the more paranoid of us who'd want to pay for a service like that tend to have different addresses, either entirely or something like Gmail with +filters.
HIBP supports domain searches[^1] at least, but part of the problem is also how we keep trying to reinvent the e-mail system to not fall prey to this, much how Fastmail have Masked Emails, and Apple have Hide My Email.
In a sense, it sounds like the advice of the services is less subscribing to them than trying not to have a few e-mails that map to your personal identity.
> In a sense, it sounds like the advice of the services is less subscribing to them than trying not to have a few e-mails that map to your personal identity.
The phone masking looks great, too. Like Privacy.com, it's awesome with virtual alternatives for PII, except they don't tend to be available here in Europe, but I'm definitely jealous.
If you need a privacy.com alternative for the EU, Revolut is a good option. They offer both one-time-use (disposable) cards, as well as normal virtual cards that are valid until revoked. They're not as advanced as privacy.com AFAIK, cards that only work for a single merchant but multiple transactions aren't offered for example, but they're good enough for most purposes.
EU regulations on card networks make such a service much harder to offer, privacy.com makes money on card fees, which you can't really do here. Such a service would either have to be paid or bundled with other services which you can make money on, which is what Revolut does.
As someone who also runs their own custom email domains, I agree it would be nice if I could manage those through Relay. That said, I'd still be giving out Relay addresses way more often, since those email addresses can't be linked to each other, or to me.
My personal domain is for things that are really important in the long term, but for things like concert tickets, I prefer having the added anonymity.
Oh yes, I am not at all saying I don't think Relay should have that option. It's more that I like sharing a domain with many others, so I can blend in with the crowd.
+1 for Addy, been using it for ~2 years now with my personal domain and it's been great.
I went with Addy over others because plans are per bandwidth used instead of per alias, so one-time email verifications for some signup don't count towards a total limit.
I'm willing to bet that this is an inference due to "Login with Google" being an option. Probably worth sacrificing a click in their sign-in funnel to prevent it though.
Do any of these offer family plans? I feel like at these price points, I would really like to sign up everyone in my household. The FAQ pages seem to all imply individual and I don't think I'm asking for a "business" or "enterprise" option.
As feedback for the CEO, that "family pricing" landing page really does you a disservice by obfuscating your pricing (unless that was the goal). At a minimum, add a pricing calculator with a slider for "family members".
That's great feedback! We'll add more pricing detail to the Family page. For comparison, here is the Optery pricing page: https://www.optery.com/pricing/
Does this support adding family members on a single account? I have some non technical family members who I'd like to manage it for them and giving them their own account is most likely going to be a major headache.
> we can automatically and continuously request to remove your personal information with an annual paid subscription of $8.99 per month ($107.88 a year).
This is a lot of money for most people. What would the benefit be of doing this all the time versus just subscribing once a year? How quickly do details reappear in databases?
I'm given to understand these data broker services make it as painful and time-consuming to opt out as they can. Supposing you can even find all the places you're listed (Optery supports 305+ sites), it sounds like a substantial time commitment to follow through on all of them.
I'm confused how the internet is just ok with Mozilla engaging with these extortion websites. These sites are not legitimate and now that Mozilla and Google are engaging with them they just play into the protection racket.
I signed up, and Mozilla warns it takes 7-14 days for data on most of these sites to be removed. They must need to do a lot of things by hand. This would also explain why you get 1 scan per month.
These sites deliberately are slow in the removal of requests. So there is both manual sending but also needing to re-check if the site actually removed your info because brokers just kind of suck.
Why would you use Mozilla Monitor Plus when onerep.com offers the same service for a lower cost? (And from other comments, it’s actually the same underlying service)
Because I've never heard of onerep.com before while I have a history of using Mozilla products for decades at this point. If the service is exactly the same, it's a no-brainer, even if it costs slightly more.
The price on onerep for monthly payment is $14.95 vs Mozilla's $13.99. Both offer discount for yearly payment and they will be almost the same. Of course, this is the price for individual. onerep offer better, cheaper plans for family (6 for $28) but Mozilla doesn't offer that (yet at least). So I'm not sure if it is a lower cost.
Which laws is Mozilla using to get the data brokers to remove personal info in the US? I know there is such a law in California but is there also a federal law?
It's super annoying. We also have that when e.g. trying to emphasize what we're doing to protect your privacy, since "caring about your privacy" has become distorted to mean its opposite at least in my mind.
I like this in theory, I don't have time to chase down every data broker to opt-out on my own. I'm just wondering how I can measure whether it's really effective or not.
This is always my pessimistic view of the world we live in today. Why in the world would they delete that data vs just putting it on mute/ignore/etc? The only "proof" you have is if you send a request to see the data they hold on you. If they send you an empty report because the ignore flag was set, you would only see an empty report. You have no evidence that the data was actually deleted.
> Why in the world would they delete that data vs just putting it on mute/ignore/etc?
If you're serious it's because having a fig leaf is useful to reduce risk in controversial business practices, especially if the vast majority of people don't take advantage of it.
That's because this is actually a data validation service for brokers. Most of their data is junk or incomplete, but now they know which pieces belong to actual people who want to pay money for it to be deleted.
I get your point but also this is what whistleblower laws are for. A lot of times it’s in the company’s best interest to comply… until 50%+ of the population opts out
The data brokers that show your info will be listed, so you can spot check them yourself to see if they still show you. Not perfect, but should give you some confidence that if it says your data has been removed, it actually has been removed.
(You can scan for brokers before upgrading to Plus for automatic opt-out, so you can also check beforehand that you can see your data.)
Optery customers get Removals Reports every 90 days. PCMag.com wrote this about the Optery Removals Report: "With the Removals report, you see what was found along with a new screenshot demonstrating that the data was removed, and a link to verify the removal. No other personal data removal service I’ve seen gives you this level of verification."
For people who are the target market for such products- Can you explain to me the appeal of such products for you? Have you previously been the victim of any escalation resulting from a data breach?
From my initial testing, the result quality leaves a bit to be desired. There are a lot of false positives.
For example, my info is definitely not on mugshotlook.com... And about 2/3 of the results I've clicked on have already been removed by Kanary (full disclosure, on the team, but was a happy customer before) or weren't real to begin with.
There is a service I've heard advertised on twit.tv podcasts called DeleteMe that I've been interested in that does a similar thing and seems to cover way more data brokers: https://joindeleteme.com/sites-we-remove-from/
edit: I just realized looking through that list that they are a bit deceiving. They have qualifiers next to each website:
* Included in Standard Plan and above (90 sites)
** Included in Business Gold, Diamond, Platinum and VIP Plans (27 sites)
*** Included in Diamond, Platinum, and VIP Plans (1 site)
ᵒ Exclusively in Platinum and VIP Plans (13 sites)
~ International requests (12 sites)
^ Custom Requests (665 sites)
Seems like the majority need a "custom request" which defeats the purpose of signing up for something that is supposed to handle things automatically
- "Monitor" - their FREE tier where they scan the data brokers and just inform you which ones have your info and you have to manually go in and remove your information from each one through whatever process each site uses.
- "Monitor Plus" - Automatic Data Removal - $13.99/month, or $8.99/month if you sign up for a year
Both tiers come with "Data Breach Alerts" which I guess is similar to haveibeenpwned's notify me.
Optery founder here. We did a deep dive comparison between DeleteMe and Optery (https://www.optery.com/deleteme-review/). The biggest takeaway is you have to scroll to the bottom of the DeleteMe Sites We Remove From page and read the fine print on what is covered by the plan you are purchasing. The "750+ Data Brokers" written across the top of the page is misleading. The standard plan covers about ~90 sites.
I noticed that shortly after I posted and have included that info now (edited the comment). Classic dark pattern. That info should be more prominently displayed in their pricing information.
So your service will handle (up to) 305+ data brokers automatically? Depending on how much you are willing to pay, of course.
Agreed on the dark pattern, and yes, Optery's Ultimate plan currently covers 300+ data brokers by default and offers unlimited Custom Removals. Optery has a team that's continually testing and adding more sites to the coverage defaults. There are several options, Free, Paid, Family, Business at different prices. For full disclosure, I'm one of the Optery founders, as mentioned previously.
These services sure are the new sell it to everyone infinite margin after you built it once thing on YouTube sponsorships after everyone who was ever going to buy one has a VPN now.
What actually creates this cost, though? I was hoping it'd be free or at cost for the infrastructure and maintenance.
I'm not sure I want to give my information to Mozilla, should they get hacked, it's no different than my information being held by another entity. (I don't use pocket or Firefox sync, etc.)
They submit an opt-out request on your behalf. Frequently, the data will not be removed entirely, or re-surfaces later on. You're entirely dependent on the good will of the data broker sites, who are likely trying very hard to stop automation like this.
> Frequently, the data will not be removed entirely, or re-surfaces later on. You're entirely dependent on the good will of the data broker sites, who are likely trying very hard to stop automation like this.
This was my instinctual, cynical assumption, too. Unless there's a GDPR-like law in place and some standard for differentiating identities, they're just going to find loopholes to recapture people's data (e.g. remove middle initial, modify address format, etc.).
I've used several of these services now and they all have the same issue - the thing is, the data brokers don't even use loopholes. They'll (sometimes) cooperate with removing the data, and then it just reappears in identical form sometime later, often very quickly. They pretend like it isn't their problem and the problem is their data sources that contain the data. It's the complete wild west.
"If you are located in the United States and have a Monitor Plus subscription, OneRep receives your first and last name, email address, phone number, physical address and date of birth in order to scan data broker sites to find your personal data and request its removal. OneRep keeps your personal data until you end your Monitor subscription in order to check whether your information shows up on additional sites, or has reappeared on the sites you’ve already been removed from."
Doesn't look like there is a place to enter past addresses. In the last 15 years I've moved ~10 times. Would be nice to have a way to check those as well.
Anecdote: I provided one zip code and it found a past address in another zip code — but I've only ever had two addresses total under this legal identity, so that doesn't speak to how far back it goes.
For many it's just getting their home address, phone number and email off the web, which can make you less of an easy target by attackers. For others it's something really specific, like someone who is divorced and doesn't want their name showing up next to their ex's name as a spouse or relative. For others, they want their age off the web to prevent age discrimination in a job search. Others may be hiding from an abuser or stalker.
Kanary members have our full support for all types of exposures, not just data brokers. To build a broader service, we rely on automation and human assistance. Mozilla is using OneRep to power this service, so comparing Mozilla to Kanary at this stage is comparing OneRep to Kanary. Here are a few considerations: https://www.kanary.com/blog/best-removal-service-onerep-kana...
We have a free trial that auto-downgrades into our free tier. We encourage everyone to compare services before joining. https://www.kanary.com/#sign-up
Not sure what I think about charging people to remove this information—are they not also just as bad? This seems like the sort of thing that shouldn't require a victim to pay for, but for law to enforce this not happening.
As with for-profit healthcare in the USA, just seems scumbag to profit off of misfortune and misery.
Sure, but they are also treating it as a business opportunity, just like the people compiling the data are. They should perhaps be pushing on the legal aspect of what's wrong with the situation rather than making money from it.
You're assuming they are driven by a business opportunity; I have no evidence of their motives (do you?), but another way to see it:
There is no law and no prospect of one soon. Mozilla can partially solve the problem by providing the service - I think that's great. Otherwise people would have less recourse.
And also, Mozilla must have money to operate; charging for this service seems among the least-bad options.
Well, we arrive at the whole "the optimal amount of fraud is non-zero" train of thought, otherwise there is no money-making opportunity.
They push on the legal aspects of other problems, but I don't see them pushing on the legal aspects of this.
Mozilla receives half a billion dollars per year from Google, making up most of their revenue. Mozilla's CEO is also paid millions of dollars each year. If they can't survive as-is whilst paying out those kinds of salaries with such revenue, that's a management problem.
> Well, we arrive at the whole "the optimal amount of fraud is non-zero" train of thought, otherwise there is no money-making opportunity.
So? Do doctors want you to have cancer? Do undertakers want you to die? Yet they still get paid.
> They push on the legal aspects of other problems, but I don't see them pushing on the legal aspects of this.
That's not persuasive, unless you are in that business. Where is a list of the things they do?
> If they can't survive as-is whilst paying out those kinds of salaries with such revenue, that's a management problem.
While I don't like the CEO's pay, competitors have far greater budgets - and pay CEOs far more - as do many businesses. The amount itself isn't evidence. Where is the evidence that Mozilla isn't allocating funds well?
We do also lobby for better legislation. And from what I've heard (I'm not personally involved with that work), our being present in the market does help us wield influence with legislators.
This is a much better path forward than some of their other gimmicks. Hopefully it works as billed and is successful.
They could have been where Proton is -- offering a security/privacy-first suite of tools -- had they not spent time and resources chasing Pocket and invasive ad campaigns.
The deeds speak more than the words, so I'm highly skeptical of their stance on privacy and attitude toward their users in general. I fail to see how it's any better than your average corporate "we highly value your privacy here at $corpName". Yes, of course, they aren't as obnoxious as Google or Facebook - spam and big data hoarding is not their business. But it's not that they're any particularly good, the world-wide enshittification just made us move the plank so much lower, that anyone not blatantly trying to make buck from anything they can touch is considered "good" these days.
Heck, modern Mozilla seem to be very comparable to Apple - both use the same themes of "oh look we're so pro-privacy (when it makes sense to us)", while becoming increasingly user-hostile and "knowing better". Apple aren't my friends, so aren't Mozilla - yet I'm practically forced to use and trust them, because the competition is no better or, typically, even worse (and tech is too convenient to forgo entirely).
The most obvious example - and my favorite pet peeve - is how they dealt with sync. They went the most typical corporate road - made their own unique system, extremely poorly designed (I've mentioned this a few times, it's exceptionally bad engineering), requiring an account with them, somewhat documented but with zero practical chances of being interoperable. And the ability to self-host and have a separate account wasn't anything more than an afterthought - I'm 99% sure it's there only because they needed to test against non-production servers, not because anyone cared about end users the slightest tiniest bit. If someone would've cared, and their voice would've been heard, the world would've been a somewhat better place - most likely, we would've had a simple (or, at least, sane) interoperable standard on storing and synchronizing browser data, and praised Mozilla for it, like in the old good days. That hadn't happened.
They sure had some ideals, but they lost the sight of them, yet they pretend they didn't.
And I'm sorry for those folks at Mozilla who have those ideals. I'm sure there are decent, good people there, who care and are passionate about what they do. But talking about the company as a whole, I can't say I'm happy to trust Mozilla - I do so begrudgingly. Their interests are certainly not aligned with mine.
I always enjoy the vague yet threatening online comment. I'm of the opinion that this is from one of the better bot farms who have learned if you make people nervous, you can control their choices.
I see how I was too vague. I decided to post without elaborating because I thought the concerns were obvious from previous HN discussions about Mozilla announcements of different sorts, and because I was running out of time, which probably was a mistake.
The Pocket partnership and acquisition, the 250 layoffs with the 4x CEO pay increase, the Mullvad partnership for a worse offering, are all concerning and they do destroy trust, but my primary concern is the apparent lack of focus. Can Mozilla sustain all these potentially positive initiatives (like this recent announcement or https://foundation.mozilla.org/en/privacynotincluded/)? I very much doubt it. And I hope this changes before Firefox usage drops even further.
I'm not a Mozilla hater. I have contributed Firefox translations in the past, built extensions, and I even collaborate actively with some of the projects that I think are distracting Mozilla.
Not sure why this is downvoted. Mitchell has been a disaster for Mozilla (her only accomplishment is squeezing more money out of Google for the search deal despite an ever dwindling user base for FF - we measure DAU and MAU and the hemorrhaging hasn’t stopped).
Very few people in the org actually work on FF. It’s increasingly other bets that don’t pan out or weird acquisitions: Hubs, Pocket, FakeSpot, VPN, Relay, now Monitor. Eventually these lose enough money and they’ll cut them. Then inevitably Mitchell will run a surplus in the budget by cutting projects early and squeezing more money out of Google, funnel the money back to the Mozilla foundation which she also chairs, and then dole it out to her pet political projects.