Mozilla Monitor Plus: automatically remove your personal info from data brokers (blog.mozilla.org)
288 points by mikece 10 months ago | 201 comments



Not sure if dumb question:

If they use the data you provide (such as your address) to search other data brokers, doesn't that potentially give the data broker MORE information than they already had on you? Do the companies in this space prevent this somehow?

Edit: Lest people think this is somehow impossible otherwise - all it should take would be to search for just your name + location, get the query results, then filter on the client side. Which is exactly what a human would do for the brokers that have a "remove this entry" option when you see (presumably) yourself in the search results. However, this not only requires the data brokers to support such an API, but also requires the deletion services to actually put in the effort to do it this way for every broker they can, which seems nontrivial. Hence my question of whether these services make such an attempt at all.


Not a dumb question at all. Yeah, in the process of finding you within a data broker's system and sending a removal request, they need to send that broker your personal data... it's a bit awkward. Optery, another PII removal service, has a whole section about this in their privacy policy (section 7 of https://www.optery.com/privacy-policy/):

> Optery, Inc. must send your PII to the data brokers and information aggregators included in the Removal Lists... We cannot control, guarantee or warranty how these third-parties will treat your PII or what they will do with it.


Optery also has a Help Desk article on this catch-22 where in order to opt out of data broker sites, you must first tell them who you are, otherwise, how else would they know who to opt out: https://help.optery.com/en/article/what-information-does-opt...


They could use a bloom filter with some sort of a cryptographic hash. On a hit, the data broker could challenge them to compute a salted hash of the "matched" data. If the salted hash matched, the data broker would remove the data.

I think the same algorithms that are used for password storage would work for this without modification (except the data broker would pick different salts during each session, and you'd send the hash over the network).


No company wants to implement this. I've been involved in efforts to use this approach with hospitals -- a perfect PII-preserving situation -- that went nowhere. We got it working with a startup once where we published the bloom filter to reduce the traffic load for the counterparty. Do you know what they did? They reverse engineered the filter by blasting it with every key and cached the result.
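The scheme sketched in the comments above (published Bloom filter, then a salted-hash challenge on a hit) and the enumeration failure described in the reply, as an added example; it is not code from any commenter or from any removal service. All names, records and parameters are constructed, and the linear scan in `remove` and the PBKDF2 round count are assumptions made to keep the demo small.

```python
import hashlib
import hmac
import itertools
import os

PBKDF2_ROUNDS = 10_000  # assumption: kept low so the demo runs quickly

# Constructed sample data (no real people).
NAMES = ["Alex Example", "Sam Sample", "Pat Placeholder", "Robin Specimen"]
CITIES = ["Springfield", "Riverton", "Lakeside"]
YEARS = range(1950, 2006)


def record_key(name: str, city: str, birth_year: int) -> bytes:
    """Canonical form of a record so both sides hash identical bytes."""
    return f"{name.strip().lower()}|{city.strip().lower()}|{birth_year}".encode()


BROKER_RECORDS = [
    record_key("Alex Example", "Springfield", 1984),
    record_key("Sam Sample", "Riverton", 1990),
    record_key("Pat Placeholder", "Lakeside", 1975),
]


class BloomFilter:
    def __init__(self, m_bits: int = 1 << 16, k: int = 4):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item: bytes):
        # k bit positions from SHA-256 with a one-byte counter prefix.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def salted_proof(key: bytes, salt: bytes) -> bytes:
    """Slow salted hash, as used for password storage."""
    return hashlib.pbkdf2_hmac("sha256", key, salt, PBKDF2_ROUNDS)


class Broker:
    def __init__(self, keys):
        self.records = set(keys)
        self._open_salts = set()

    def publish_filter(self) -> BloomFilter:
        bf = BloomFilter()
        for key in self.records:
            bf.add(key)
        return bf

    def new_challenge(self) -> bytes:
        salt = os.urandom(16)  # fresh salt per session
        self._open_salts.add(salt)
        return salt

    def remove(self, salt: bytes, proof: bytes) -> bool:
        if salt not in self._open_salts:
            return False
        self._open_salts.discard(salt)  # each salt is single use
        # Assumption: linear scan; the broker hashes every record per challenge.
        for key in list(self.records):
            if hmac.compare_digest(salted_proof(key, salt), proof):
                self.records.remove(key)
                return True
        return False


def request_removal(broker: Broker, published: BloomFilter, key: bytes) -> bool:
    """Client side: test locally first, contact the broker only on a hit."""
    if key not in published:
        return False  # miss: nothing about this person leaves the client
    salt = broker.new_challenge()
    return broker.remove(salt, salted_proof(key, salt))


def enumerate_filter(published: BloomFilter, names, cities, years) -> set:
    """The failure mode from the reply: test every plausible key offline.
    Name/city/year is a small key space, so the filter hides nothing."""
    return {
        record_key(n, c, y)
        for n, c, y in itertools.product(names, cities, years)
        if record_key(n, c, y) in published
    }


if __name__ == "__main__":
    broker = Broker(BROKER_RECORDS)
    bf = broker.publish_filter()
    me = record_key("Alex Example", "Springfield", 1984)
    print("removed:", request_removal(broker, bf, me))
    print("recovered by enumeration:", len(enumerate_filter(bf, NAMES, CITIES, YEARS)))
```

The slow hash protects only the challenge step; the published filter itself is built from fast unsalted hashes over low-entropy fields, which is why enumerating it recovers the full record set.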


It's called a ZKP.


And you need to enter all of the information that you're trying to protect into one central location that is probably heavily targeted. These types of services never made sense to me.


Nothing is impossible in tech. (Rhetorical hyperbole!) But seriously let me give you an analogous example, with its pros and cons.

DNS now has something widely deployed called "query name minimization". For no particular reason other than it made servers' lives easy (which it does, as we will explain) the recursion process historically sent the actual qname (what was asked for) to each nameserver contacted.

Much was made of this in recent years, that this leaked potentially important information to servers which demonstrably couldn't have the actual answer for the qname (even if they could provide a useful referral).

Two flavors of qname minimization exist in the field. One flavor asks qtype A questions of the form "_.example.com" until it triangulates on the server with the answer; the other asks qtype NS questions (regardless of the actual qtype). (In case you've noticed a change in the mix of your DNS traffic.) In a nutshell, qname minimization asks questions which enable it to triangulate on the server which can potentially answer the question, before sending the actual question to it.

A good rule of thumb is that with a cold cache qname minimization will result in nearly twice as many queries being issued / answered during the resolution process, assuming nothing goes wrong. Both of these approaches are prone to mistakes when servers don't conform to assumptions about how proper DNS should operate.


Any 3rd party service or individual doing opt outs should limit data sharing as much as possible. Steps to do that include setting up email aliases, searching data in separate queries, using a proxy or VPN, verifying data exists before sending a data deletion request with all your pii in it, pushing back on any invasive requirement for govt ID...

It's tempting to just automate sending a mass email to all the brokers with your full name, DOB, and address asking for deletion (some services actually do this - beware), but that exposes you to a bunch of new spam.

I've been building Kanary for 4+ years (we're a removal service & YC grant recipient) and we take a conservative approach to each site. I wrote a bit more about why this matters: https://www.kanary.com/blog/dont-get-spammed


Could there be some sort of Robin Hood action to all of this? What if you took all the leaked data about millions of people and used that to opt them out of all the various services that buy and then sell the data?


That is a possibility. Another scenario is one in which you sign up to a service like Optery and submit a non-existent individual with fabricated information for PII removal; after about a month or so, this fabricated individual started showing up as a possible person that lived at my address when I was trying to get a quote from Progressive.

So, seems like somewhere in the midst of this process, one of the 240 brokers that Optery sends your information to get it removed, someone aggregated it, sold it to Progressive and in the underground realm of data brokers and buying and selling data, someone unfortunately (or fortunately?) is now targeting 'Paige Notfound' and 'Meg A. Byte'.

I got the last laugh! :)


Thanks so much for sharing this, I was wondering what would happen if I tried this. I guess this basically tells me to be wary of such services. Great info.

P.S. Just a heads up that you may have basically revealed your address by sharing those fake names (though I haven't tried to search), unless you also made up those names just now for illustration...


Thanks for looking out; those were not the actual names I used! I added those in for comedic effect ;)


With an American SSN, one could dump 1,000 queries of numbers with only 1 of them being the client's actual SSN so the logs don't reveal as much. Still, though, it's a Catch 22 to find the thing you don't want found by using that thing.


It feels weird, but this is how background checks work, and how the current removal process for data brokers works.

I can't think of other ways to verify yourself other than to verify yourself.


It seems to me like this is a core problem with the scummy nature of this business. I’d like to believe you’re wrong but have trouble given the business model.


I wanted to try this, but it seems to be restricted to only people in the USA. It is impossible to enter a location outside the USA in the sign-up form, and it's impossible to skip that form. Please, Mozilla, make it much clearer which countries are supported to avoid causing this frustration and to give people a reason to come back once other countries are supported.


Sorry about that. The form should only be shown for people in the USA, but detecting the country you're in can't be done perfectly. Which is a good reminder - we'll look into making the US-only part clearer.

(I'm an engineer on Monitor.)


I'm also not clear why this is US only. There's definitely a market in other areas of the world. I'd be interested to know why it should be US only.


They're likely starting with the US because either their partner(s) for this is US only and/or it's easier to start with a single large market. The US is about a 50% larger market in terms of GDP than all EU countries combined.


That is correct, and it's way more of a problem in the US (but also e.g. in Brazil).

Also: are you the JohnTHaller of PortableApps fame? If so: thanks for making my high school computer usage bearable, way back when!


I am indeed! Still supporting and growing it. You're welcome!


Or perhaps, just thinking out loud, you could extend support for the service to other countries. The EU would love you for this at the very least.


I'm sure if it was as easy as snapping their fingers, they'd have done it.

Time is a finite resource, and a lot of these data brokers seem to be very geographically-specific and have their own ways of requesting deletion.


I am from the EU, so tell me about it :) But yes, the sibling comment is right: this isn't something you can expand to other countries with the push of a button.

Personally, for this specific functionality, I don't think the EU wouldn't be at the top of the list though: these types of data brokers are way more of a problem in other countries. We have laws like GDPR :)


What’s wrong with simply displaying/linking to a list of supported countries?


The "list" is:

- USA

It is listed in places, but clearly not explicitly enough in the right places.


Same with Optery shared below. I wonder if there are any European/International counterparts to these services.


Could just be in the short term they are limiting it to the USA and going global soon.


haveibeenpwned.com has been offering the same service for free for years.


It doesn't look the same to me.

haveibeenpwned will notify you if your email address was in a breach.

The Mozilla offering seems to include the same, but also cover other pieces of personal data, and the ability to request removal from data brokers.


That is correct, with the additional note that Monitor has also existed for a while providing that functionality for free (in collaboration with HIBP), and will continue to do so for free, and worldwide.

The new thing is scanning for your info at data brokers (for free, but USA-only), and automatically removing them and continuously checking that they stay removed (paid, US only).


That ability is not the product they're offering though, that's something you can already do once you identify where your data is. And obviously that's if they have a way for you to request removal and if they feel like doing it at all, which are the same constraints for Mozilla. I think this is all purely for convenience of having it all done for you (which is okay).


Well, even if you consider the removal aspect of it useless since you could do it yourself, there is still value in knowing where your data is. Have I Been Pwned will tell you about breaches, but not about brokers reselling your data, and they only monitor email addresses.

And yes, you could probably go and ask the brokers directly, but that is certainly a lot of time and effort, so paying for it might make sense, assuming you trust the service provider.


That is correct, and we do help you identify where your data is for free. Many people unfortunately have their data exposed in lots of places, in which case manual removal is a PITA, and that's where the Plus plan comes in.


haveibeenpwned.com provides data breach monitoring, but does not remove personal info from data broker sites as Optery and Mozilla Monitor do.


Mozilla Monitor Plus - $14/mo, or $108/yr. Too pricey for most.

> Every month, we use the information you provided about yourself (name, location and birthdate) to search across 190 data broker sites that sell people’s private information. If we find your data on any of these sites, we initiate the request for removal. Data removal can take anywhere from a day to a month. This feature is available for Monitor Plus users only.

Anyone know if there are any local/open source tools to do this?


I have used Permission Slip by CR with limited success.

I use <website>@<personal-domain>.<tld>, and you cannot enter a wildcard in Permission Slip.


I use this pattern but I'm starting to move away from it. Some things just don't work (ex. linking accounts between companies) and it also throws customer service agents into a panic when they see their own company name in the e-mail address.

I'm also not sure it gets me that much. I do get to see who was compromised or sold my data, but most of that just goes to spam anyway. I also usually find out about the compromises from other sources anyway.


Sure, some of the CSAs panic a bit, but I've never had one not go along, especially after explaining my purpose. I've not seen too many compromises, but some of them were not public. Especially with small businesses like a car dealership, they may never know themselves.


Try just rot13 or hashing the website name.


Closest thing I can find to roll your own.

https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-Li...


Yael's resource is amazing. Highly recommend this open source guide. Also check out Michael Bazzell's how to disappear guides: https://inteltechniques.com/links.html


We are working on a fully local version of this @ https://redact.dev - Beta should be out within a month or so. Huge (obvious) advantages for doing it locally


I’m a happy, long term Optery user (not affiliated) and they take care of 100% of this for you. https://www.optery.com

The Mozilla offering looks somewhat comparable, but I do wonder if they’re going to beat a company which has the sole focus of solving this problem.


Also an unaffiliated, long term, and happy user of Optery.

If nothing else, I’m glad there are more offerings showing up on this space because of the competition this will hopefully generate.

Consumer Reports also has a semi-related offering called “Permission Slip” that is focused on opting out of data sharing with individual companies, e.g. Netflix, Home Depot, etc.


Haha wow it's actually asking me to sign over LIMITED POWER OF ATTORNEY. It's optional but says it's recommended. That's a nope from me.


Many data brokers will not permit third party services to remove the data without a signed limited power of attorney. Note that the power of attorney is limited to interactions for submitting removal requests and opt outs.


Isn't it to be expected? I guess that they have to make demands on your behalf to have your data removed. I guess that's optional because they can still work without it in some cases, and ask you on a case-by-case basis for others, but that's extra work for you and for them, so they may not do it, at least not on the lower tier pricing.


Why? You limit the power of attorney to the ability to remove your data from data brokers.


Blame data brokers for making such asinine restrictions.

You can also just use the free version to collect a list of brokers yourself and manually contact all of them to find out how much of a pain in the ass it is.


I cleared my name from the net using another service that charged by the month. I paid them for three months, when their work clearing my data from about 100+ brokers was completed, then cancelled. 2 years later, my name and personal data still remain no longer to be found like it once was before the scrubbing.


That's great to hear, often they do show up again later, which is why it's a longer-term subscription service. OneRep is the provider for the removal functionality of Monitor, incidentally.


What is the service you used?


OneRep. I'm a once and former customer, otherwise unaffiliated.


I can't help but be a bit miffed that despite ostensibly being a privacy service, optery is still running a bunch of third party scripts on their site, including google...


I'm curious, what's the point of paying for Optery per year? Isn't removing your data a one-time request? Except for supporting new brokers that might appear.


Your point is spot on. Data removal services have an aspect where a ton of value is obtained in the first 1 - 4 months as the majority of profiles are wiped away, and then after that you're sort of in maintenance mode where the service catches profiles as they pop back up, or when new data brokers are added to the system for coverage.

Optery generally has 2 types of customers:

- The first type are those that care a lot about their privacy and the cost of an ongoing subscription is insignificant to them, so they keep the service running on an ongoing basis for the ongoing automated scans and removals and for getting new data brokers they get coverage for immediately as they are added into the system.

- The second type of customer is more price conscious and is basically looking back and forth between their credit card statement and their Optery dashboard each month and then they either pause or cancel the subscription when they feel they've reached a good stopping point. Optery's pause subscription feature is very popular for this type of customer and you can use it to automatically re-start the service in 3, 6, 9 months, etc.

- Another thing to point out is many other services only offer Yearly subscriptions, Optery offers Yearly or Monthly. If you're price conscious, the Monthly is nice because you can turn it on and off, or pause it as you wish.

More detail on the topic of keeping Optery running on an ongoing basis is on the Optery Help Desk here:

https://help.optery.com/en/article/why-should-i-keep-my-opte...


Have you considered adding a 3-months-every-year option? I wonder if automating the second type of customer would provide you a lift in revenue.


This is a great suggestion and we would like to add this. Not because it would provide any revenue lift though, but because it is what some Optery customers have been asking for, e.g. can I have a lower cost subscription that runs every other month, or every three months, etc. Technically, you can do this today by cancelling and re-starting a Monthly subscription at your desired cadence, or pausing and re-starting your subscription periodically, but that requires manual effort. A configurable cadence is definitely on our backlog though.


Also a satisfied Optery user. Been using their service for the past year, from what I can tell, they seem to have the most robust solution in the space.


Especially with a backend service provider (onerep.com) that is questionable at best.


What are the issues with Mozilla's use of onerep?


One of the issues is OneRep's affiliate partnerships with the very data brokers you're paying them to remove you from: https://imgur.com/a/juSC66b


I think "partnership" seems like too strong a word for what appears to be the simple use of an affiliate program. Why would OneRep know or care about an individual affiliate and the content of their site, as long as their behavior with regards to the affiliate program is above-board?


Affiliate programs have application processes intended to filter out bad actors and mis-alignment with a brand. To use an extreme example, a web site promoting terrorism would typically be rejected. Approving data brokers as affiliate partners for a data broker removal service is viewed by many as questionable. To use another extreme example, how would you feel about an anti-virus software company that approved as affiliate partners creators and distributors of computer virus programs?


OneRep is the service I used, briefly. I have no affiliation with them except as past customer. They delivered as promised and the effect has been persistent 2+ years since the time I discontinued the subscription.


Any other issues besides that possible conflict of interest? Also, you're the founder of a competing service, right?


They are. There's a flagged dead comment where they say so (I don't know if this link will work for a flagged dead comment):

https://news.ycombinator.com/item?id=39276106

beyonddd should really identify themselves as the founder of a competitor. Nothing wrong with posting, but pseudo-anonymously disparaging the competition seems very inappropriate.


Yes - I flagged myself as an Optery founder on my first comment, but as you mentioned the comment was subsequently flagged and hidden from view. It is also made clear here: https://news.ycombinator.com/user?id=beyondd


From my perspective, I'd put it in any comment mentioning Optery or criticizing competitors. People often read one comment; they don't read all your comments and your profile.

It also adds some credibility: You actually know what you're talking about in regard to this kind of service.


not affiliated with Optery but agree conflict of interest, also misleading by onerep and at best deceptive. take that potential lack of trust together with the several reports online that onerep's us operation is a sham and they are really operating out of eastern europe and sending user data there...seems shady. begs the question: what does a privacy-respecting org like Mozilla see in onerep and how is it better than what other companies offer?


Yes - I flagged myself as an Optery founder on my first comment, but the comment was subsequently flagged and hidden from view (https://news.ycombinator.com/item?id=39276106). It is also made clear here: https://news.ycombinator.com/user?id=beyondd


Discover bank also offers something like this for free, but I can't tell if it's as capable as other services. https://www.discover.com/security/online-privacy-protection/


Discover's service is limited to only a few sites (which is why it's free). And it is not transparent about progress of removals or requirements.

That might not be the most effective way to reduce spam or reduce targeted attacks, because it ignores many hard to remove exposures.

We have a similar price point at Kanary (I'm the founder) and it covers the resources we invest in the cat & mouse game required to escalate and complete removals on a wide variety of sites, not just a handful of easy ones.


Anyone have experience comparing this to Incogni? I’ve been an unaffiliated user for over a year now. While many brokers have replied, many never seem to.


Optery founder here. We did a deep dive comparison between Incogni and Optery (https://www.optery.com/incogni-review/). The biggest takeaway is Incogni, at this time, does not cover many of the most popular people search sites like Whitepages, TruePeopleSearch, Spokeo, RocketReach, ThatsThem, BeenVerified, TruthFinder, InstantCheckmate, and many others. Most Incogni reviews you'll find online are written by their affiliate partners.


beyondd, I've been reading through this thread and your comments about Optery and you got me to sign up for an account on your site vs Mozilla's service so good job. I was even going to pay for your Ultimate plan for a year. But.... you lost me when I got to the profile page. I have a handful of email addresses and a couple of phone numbers. I would want them all to be scanned for. I had previously been using Experian's removal service and they allowed for 10 emails and 5 phone numbers.

Your documentation says:

"You can only select one email and one phone number for scans at this time. However, Optery's engineering team is actively working on providing more configuration options such as the ability to run scans on demand for multiple email addresses and phone numbers."

Any comments on when this will be an option? I would want automatic scans on all of my emails and phone numbers. Not very useful for me without this.


The core of Optery's search functionality is "person" centric. Meaning we start with searches by name, city, state, and age to find "you" regardless of which underlying email or phone number the data broker has on record for you. Because in many cases data brokers may have no email or phone on file for you at all (only home address), or they may have a really old phone or email you have forgotten about. When data removal service scans focus only on phone numbers and email addresses, a lot can get missed. Many people search sites are not even queryable by phone or email, and are only queryable by name, city, and state. Optery does search for phones and emails, but you are correct in that it currently limits them to just one each from the customer at this time. We plan to release the scan on demand feature you referenced in the next few months.

That said, Optery recursively searches through data exposed by data brokers to alleviate the need to input numerous old phones and emails by the customer. In PCMag.com review they said this of Optery's recursive phone number search functionality:

"It uses data found in data broker profiles to recursively expand its reach. For example, in my latest testing, I only gave it my current phone number, but it found records associated with an old number that I used for some 25 years."

source: https://www.pcmag.com/reviews/optery


Thank you for the reply! I suppose that does make sense, though it still doesn't give a warm fuzzy feel separating the functionality. While the average human might only have one email address they use, I'd venture to say people who would want a service such as this would skew more towards having many they use for privacy reasons.

I get what you're saying about how emails aren't the primary means of finding people, but it is a way, and something people often do have more than one of. I'd humbly request you reconsider and try to better incorporate support for automated scans on multiple emails/phones into the main product. For what it's worth it looks like Mozilla's product supports 5 based on their docs.

That said, after submitting this comment I'm going to go ahead and sign up for the one year ultimate anyway in hopes that you will reconsider my request if I'm a paid user. :)


Thanks for the follow up! Scans for multiple phones and emails is something we're working on so stay tuned on that, and don't hesitate to contact customer support with any questions along the way!

Also, you mentioned using Experian's data removal service previously. Do you mind me asking how many exposed profiles the Optery scan located that Experian missed?


Optery founder here. If you're taking a look at Mozilla Monitor, I recommend taking a look at Optery too:

- Optery's Ultimate plan covers 300+ data broker sites and offers Unlimited Custom Removals providing the most comprehensive coverage in the industry. Optery has a variety of plans for different coverage needs (Free, Paid, Family, Business), and the ability to pause or cancel a subscription at any time.

- Mozilla Monitor Plus is powered by OneRep, which partners with data brokers through its affiliate program: https://imgur.com/a/juSC66b. This is a fine line most data removal services do not cross. Optery's removals are proprietary and are not powered by any other company.

- Optery (YC W22) was awarded the Fast Company Next Big Things in Tech in 2023 and PCMag.com Editor's Choice award in 2022 and 2023, over DeleteMe, Kanary, Incogni, IDX Privacy, etc.

- Optery has completed its SOC 2, Type II security certification. To our knowledge, DeleteMe is the only other data removal service with this certification. This is probably the most overlooked attribute when selecting a data removal service.


Wait what, why would a data broker partner with a company whose entire purpose is to reduce the completeness of their dataset?


If you ever do this manually, the data brokers that have data removal options will first show you an ad for using a removal site. Because that way, they at least get a cut of the proceeds when you sign up. Data brokers don't get much benefit from people doxing $some_random, other than a few dollars for every thousand people who do that. But, they can get $10s of dollars for when $some_random signs up with their affiliate link.

So, you have a clear conflict of interest with onerep not blocking data brokers from their affiliate. It probably doesn't go very deep, but with the subscription-based nature of these privacy services you start to wonder what happens when you churn...


money


> Optery (YC W22)

Nothing against your company specifically, but at this stage anything associated with YN is a negative.


I think if you express an opinion like that you ought to say why too. It could be you have a point. But you could also be (mis)interpreted as a critic who, instead of building things themself, finds imperfections in things the real builders make...


I really wish employers would pay for a service like this because a lot of spear phishing attacks start with data stolen or scraped from brokers, LinkedIn, etc. If a company buys a service like this in bulk, it can get significant discounts. Personally I've resorted to hiding my information on LinkedIn and noticed that I've been passed over by attackers while my coworkers get spear phishing attacks all the time.


Many employers do - we work with plenty of teams and even have specific guidance for how members can ask their HR or Security lead to sponsor a membership.

(some basic info here: https://www.kanary.com/enterprise)


> Privacy starts with a Mozilla Account

I like how the solution to the privacy issue is _yet another account_. I don't know why, but I find it highly amusing. I do get it, you need to share your details with them so they know which details to delete, but I still can't help but laugh.


For something like this to work you have to trust SOMEONE. And Mozilla is definitely more trustworthy than others in the space.


Eh kind of. One of the recent themes at our all hands was “data collection for user benefit” which I’m sure is what every company says.


What does this even mean? How does Mozilla know what benefits me, the user?


For example, Firefox can collect quite a bit of data regarding what hardware correlates with what type of crashes on what code paths. It doesn't have to know anything about you to know that fewer crashes benefit you.


I attempted to use this, entered my email, was prompted with a "create your account" page, laughed out loud and closed the tab. This is a comical misunderstanding of what the product even IS or DOES.


How do they think they’re supposed to do their job if they don’t even have a way to identify you in the first place. What is comical is your blend of ignorance of the technical needs of the product and arrogance to suggest that it should be done in this “magical anonymous way” that nobody seems to grok.


competitors require an account too?


Capitalism's whole thing is create the sickness and sell the cure, right?


One of the ironies of these things is that they tend to map to a specific e-mail address, whereas the more paranoid of us who'd want to pay for a service like that tend to have different addresses, either entirely or something like Gmail with +filters.

HIBP supports domain searches[^1] at least, but part of the problem is also how we keep trying to reinvent the e-mail system to not fall prey to this, much how Fastmail have Masked Emails, and Apple have Hide My Email.

In a sense, it sounds like the advice of the services is less subscribing to them than trying not to have a few e-mails that map to your personal identity.

[^1]: https://haveibeenpwned.com/DomainSearch


> In a sense, it sounds like the advice of the services is less subscribing to them than trying not to have a few e-mails that map to your personal identity.

Firefox Relay is a great way to do that :) https://relay.firefox.com

Integrating that with Monitor is pretty high on at least my personal wish list.


The phone masking looks great, too. Like Privacy.com, it's awesome with virtual alternatives for PII, except they don't tend to be available here in Europe, but I'm definitely jealous.


If you need a privacy.com alternative for the EU, Revolut is a good option. They offer both one-time-use (disposable) cards, as well as normal virtual cards that are valid until revoked. They're not as advanced as privacy.com AFAIK, cards that only work for a single merchant but multiple transactions aren't offered for example, but they're good enough for most purposes.

EU regulations on card networks make such a service much harder to offer, privacy.com makes money on card fees, which you can't really do here. Such a service would either have to be paid or bundled with other services which you can make money on, which is what Revolut does.


It’s an ok way to do it. And I’ve been subscribed (but not using it) for 2 years.

But until Firefox Relay supports custom domains, I am of the opinion that it’s not ideal.


As someone who also runs their own custom email domains, I agree it would be nice if I could manage those through Relay. That said, I'd still be giving out Relay addresses way more often, since those email addresses can't be linked to each other, or to me.

My personal domain is for things that are really important in the long term, but for things like concert tickets, I prefer having the added anonymity.


Sure. But I just have multiple domains for things like that. And you could always have the option to use a Firefox Relay domain as well.

That's how it is with Simplelogin (which is a similar service).


Oh yes, I am not at all saying I don't think Relay should have that option. It's more that I like sharing a domain with many others, so I can blend in with the crowd.


With providers like Addy and SimpleLogin it is possible to use your own domain.

> https://addy.io/
> https://simplelogin.io/


+1 for Addy, been using it for ~2 years now with my personal domain and it's been great.

I went with Addy over others because plans are per bandwidth used instead of per alias, so one-time email verifications for some signup don't count towards a total limit.


I've been using Simplelogin for a few years, and it's totally fine.

I'd just like it if Firefox Relay had these features.


addy is great - we've worked with them a bit on our alias backend


I find it kind of amusing:

The article mentions (obviously) Mozilla Monitor.

When I follow the provided link (leads to https://monitor.mozilla.org) in the default Firefox container and enter my email a new tab (now https://accounts.firefox.com) is created in a Google container (despite the fact that nothing suggests me leaving https://accounts.firefox.com)

Automatically remove your personal info from data brokers you say?


I'm willing to bet that this is an inference due to "Login with Google" being an option. Probably worth sacrificing a click in their sign-in funnel to prevent it though.


Do any of these offer family plans? I feel like at these price points, I would really like to sign up everyone in my household. The FAQ pages seem to all imply individual and I don't think I'm asking for a "business" or "enterprise" option.


Kanary lets you add family members at a 50% discount. Toggle up or down member #s to see pricing on our sign up page: https://www.kanary.com/#sign-up

And as Kanary scans, we suggest members that match your information too to make them easy to add (and these notifications are easily dismissible).


Onerep (another commenter believes this is Mozilla's U.S. partner) has a $15/mo family (paid annually, 6 people) plan.


Optery offers a family plan: https://www.optery.com/family/


As feedback for the CEO, that "family pricing" landing page really does you a disservice by obfuscating your pricing (unless that was the goal). At a minimum, add a pricing calculator with a slider for "family members".

For comparison, see Onerep's very clear pricing page here: https://onerep.com/pricing


That's great feedback! We'll add more pricing detail to the Family page. For comparison, here is the Optery pricing page: https://www.optery.com/pricing/


Does this support adding family members on a single account? I have some non technical family members who I'd like to manage it for them and giving them their own account is most likely going to be a major headache.


Yes - Optery for Family is very popular - here's how it works: https://help.optery.com/en/article/getting-started-with-opte...


> we can automatically and continuously request to remove your personal information with an annual paid subscription of $8.99 per month ($107.88 a year).

This is a lot of money for most people. What would the benefit be of doing this all the time versus just subscribing once a year? How quickly do details reappear in databases?


I'm given to understand these data broker services make it as painful and time-consuming to opt out as they can. Supposing you can even find all the places you're listed (Optery supports 305+ sites), it sounds like a substantial time commitment to follow through on all of them.


I'm confused how the internet is just ok with Mozilla engaging with these extortion websites. These sites are not legitimate and now that Mozilla and Google are engaging with them they just play into the protection racket.


I signed up, and Mozilla warns it takes 7-14 days for data on most of these sites to be removed. They must need to do a lot of things by hand. This would also explain why you get 1 scan per month.


These sites deliberately are slow in the removal of requests. So there is both manual sending but also needing to re-check if the site actually removed your info because brokers just kind of suck.


This really isn’t a lot of money for anyone in the USA, which is where the product is offered.

Hell with the current economic environment I unfortunately spend more than this on my morning coffee.


Over a hundred dollars a year? That's a lot of money to get people to pay for a product category that most people do not currently purchase.

Most people would also wonder why this is a perpetual subscription as opposed to something they can pay for one-off once every year or two.


I had this same question. What's the point of a removal request if the site can just add your info back in next month?

And if they can't, what's the point of a monthly subscription?


Why would you use Mozilla Monitor Plus when onerep.com offers the same service for a lower cost? (And from other comments, it’s actually the same underlying service)


Because I've never heard of onerep.com before while I have a history of using Mozilla products for decades at this point. If the service is exactly the same, it's a no-brainer, even if it costs slightly more.


The price on onerep for monthly payment is $14.95 vs Mozilla's $13.99. Both offer discount for yearly payment and they will be almost the same. Of course, this is the price for individual. onerep offer better, cheaper plans for family (6 for $28) but Mozilla doesn't offer that (yet at least). So I'm not sure if it is a lower cost.


Can confirm it is just one rep


Which laws are Mozilla using to get the data brokers to remove personal info in the US? I know there is such a law in California but is there also a federal law?


No federal law in the U.S. yet unfortunately, but more states are passing laws by the day (fortunately): https://iapp.org/resources/article/us-state-privacy-legislat...


Our representatives can't even comprehend that Google doesn't make the iPhone, so I personally wouldn't expect any federal legislation any time soon.

https://www.youtube.com/watch?v=wmuROTmazco


Pricing should be way more obvious and up front. I had to search the comments here to find pricing.

Do I really need to login to get pricing information?


It should be listed in the pricing table on the front-page, but it's only available in the US, so we only try to show that to people there.


Found the choice of words "Get a free scan" on their website button funny. My first involuntary thought was - it is a scam.


It's super annoying. We also have that when e.g. trying to emphasize what we're doing to protect your privacy, since "caring about your privacy" has become distorted to mean its opposite at least in my mind.


Put some dates on your blog posts Mozilla!


I like this in theory, I don't have time to chase down every data broker to opt-out on my own. I'm just wondering how I can measure whether it's really effective or not.

Anyone have experience with this kind of thing?


This is always my pessimistic view of the world we live in today. Why in the world would they delete that data vs just putting it on mute/ignore/etc? The only "proof" you have is if you send a request to see the data they hold on you. If they send you an empty report because the ignore flag was set, you would only see an empty report. You have no evidence that the data was actually deleted.


And I've never seen a single stalker-corp ("data broker") executive serve prison time for failing to delete data that they claimed was deleted.

Either that has literally never happened, or there's inadequate auditing/enforcement, and I don't consider the former to be plausible.


> Why in the world would they delete that data vs just putting it on mute/ignore/etc?

If you're serious it's because having a fig leaf is useful to reduce risk in controversial business practices, especially if the vast majority of people don't take advantage of it.


I also wonder if it stops them from collecting it. Also, what are the legal requirements if a customer asks their data to be removed?

Still, I'm not giving up a plausible solution because potentially it's only a partial solution.


That's because this is actually a data validation service for brokers. Most of their data is junk or incomplete, but now they know which pieces belong to actual people who want to pay money for it to be deleted.


I get your point but also this is what whistleblower laws are for. A lot of times it’s in the company’s best interest to comply… until 50%+ of the population opts out


The data brokers that show your info will be listed, so you can spot check them yourself to see if they still show you. Not perfect, but should give you some confidence that if it says your data has been removed, it actually has been removed.

(You can scan for brokers before upgrading to Plus for automatic opt-out, so you can also check beforehand that you can see your data.)


That doesn't account for them retaining your data and simply toggling the 'Publish' flag from 1 to 0.


True.


Optery customers get Removals Reports every 90 days. PCMag.com wrote this about the Optery Removals Report: "With the Removals report, you see what was found along with a new screenshot demonstrating that the data was removed, and a link to verify the removal. No other personal data removal service I’ve seen gives you this level of verification."


For people who are the target market for such products- Can you explain to me the appeal of such products for you? Have you previously been the victim of any escalation resulting from a data breach?


Ironically, their page doesn’t seem to work on Safari. I get a 404 error after signing in, every time. Switching to Chrome on my desktop lets it work.


Thanks for sharing, we've seen some reports and logs of some people running into this issue with Safari, and we're investigating.


From my initial testing, the result quality leaves a bit to be desired. There are a lot of false positives.

For example, my info is definitely not on mugshotlook.com... And about 2/3 of the results I've clicked on have already been removed by Kanary (full disclosure, on the team, but was a happy customer before) or weren't real to begin with.


I wonder if they will bundle it with VPN, Relay, for a good and reasonable price. This would be an attractive bundle to subscribe.


There is a service I've heard advertised on twit.tv podcasts called DeleteMe that I've been interested in that does a similar thing and seems to cover way more data brokers: https://joindeleteme.com/sites-we-remove-from/

OpenRep is another one I've seen mentioned. Covers 190+ sites: https://onerep.com/sites-we-remove-from

One thing I can't find is a list of sites that Mozilla Monitor covers.

Here's a comparison. I only listed the individual plans since Mozilla seems to only offer that. The other 2 offer plans for multiple persons

DeleteMe: https://joindeleteme.com/

brokers: 750+ https://joindeleteme.com/sites-we-remove-from/

edit: I just realized looking through that list that they are a bit deceiving. They have qualifiers next to each website:

  * Included in Standard Plan and above (90 sites)
  ** Included in Business Gold, Diamond, Platinum and VIP Plans (27 sites)
  *** Included in Diamond, Platinum, and VIP Plans (1 site)
  ᵒ Exclusively in Platinum and VIP Plans (13 sites)
  ~ International requests (12 sites)
  ^ Custom Requests (665 sites)

Seems like the majority need a "custom request" which defeats the purpose of signing up for something that is supposed to handle things automatically

pricing: https://joindeleteme.com/privacy-protection-plans/

- individual plan: (they also have couples and family plans)

  - $10.75/month if you sign up for 1yr
  - $8.71/month if you sign up for 2yr
-------------

OpenRep: https://onerep.com/

brokers: 190+ https://onerep.com/sites-we-remove-from

pricing: https://onerep.com/pricing

1 person: $8.33/mo, they also offer family (up to 6 ppl) and teams (10+)

-------------

Mozilla Monitor: https://monitor.mozilla.org/

brokers: 190 data brokers (could not find a list of data brokers they cover)

pricing: https://monitor.mozilla.org/#:S1:

- "Monitor" - their FREE tier where they scan the data brokers and just inform you which ones have your info and you have to manually go in and remove your information from each one through whatever process each site uses.

- "Monitor Plus" - Automatic Data Removal - $13.99/month, or $8.99/month if you sign up for a year

Both tiers come with "Data Breach Alerts" which I guess is similar to haveibeenpwned's notify me.

--------------

edit: adding one more: https://www.optery.com/

brokers: 305+ https://www.optery.com/pricing/#data-brokers-we-cover

pricing: https://www.optery.com/pricing/ & https://www.optery.com/business-pricing/

will only cover the personal pricing:

free - self-service (similar to Mozilla's free tier)

3.99/month - removal from 110+ sites

14.99/month - removal from 200+ sites

24.99/month - removal from 305+ sites


It doesn't look like DeleteMe's individual plan covers 750+ sites. There are only 77 sites with a single asterisk on https://joindeleteme.com/sites-we-remove-from/


I noticed that as well after I posted, so I've edited it and added that in.


Thank you for the comparison. Perhaps someone who uses it can add info on Consumer Reports' Permission Slip?


Sorry for the typo of calling "OneRep" "OpenRep" (I wrote it twice). I can't edit my post anymore but just wanted to clarify that it is OneRep.

https://onerep.com/


Optery founder here. We did a deep dive comparison between DeleteMe and Optery (https://www.optery.com/deleteme-review/). The biggest takeaway is you have to scroll to the bottom of the DeleteMe Sites We Remove From page and read the fine print on what is covered by the plan you are purchasing. The "750+ Data Brokers" written across the top of the page is misleading. The standard plan covers about ~90 sites.


I noticed that shortly after I posted and have included that info now (edited the comment). Classic dark pattern. That info should be more prominently displayed in their pricing information.

So your service will handle (up to) 305+ data brokers automatically? depending on how much you are willing to pay of course


Agreed on the dark pattern, and yes, Optery's Ultimate plan currently covers 300+ data brokers by default and offers unlimited Custom Removals. Optery has a team that's continually testing and adding more sites to the coverage defaults. There are several options, Free, Paid, Family, Business at different prices. For full disclosure, I'm one of the Optery founders, as mentioned previously.


These services sure are the new sell it to everyone infinite margin after you built it once thing on YouTube sponsorships after everyone who was ever going to buy one has a VPN now.

What actually creates this cost, though? I was hoping it'd be free or at cost for the infrastructure and maintenance.


I'm not sure I want to give my information to Mozilla, should they get hacked, it's no different than my information being held by another entity. (I don't use pocket or Firefox sync, etc.)


Your Firefox Sync data is end-to-end encrypted and thus won't be leaked in a hack. (Unless you also leak your password.)


How do they get your data removed from the brokers' databases?


They submit an opt-out request on your behalf. Frequently, the data will not be removed entirely, or re-surfaces later on. You're entirely dependent on the good will of the data broker sites, who are likely trying very hard to stop automation like this.


> Frequently, the data will not be removed entirely, or re-surfaces later on. You're entirely dependent on the good will of the data broker sites, who are likely trying very hard to stop automation like this.

This was my instinctual, cynical assumption, too. Unless there's a GDPR-like law in place and some standard for differentiating identities, they're just going to find loopholes to recapture peoples' data (e.g. remove middle initial, modify address format, etc.).


I've used several of these services now and they all have the same issue - the thing is, the data brokers don't even use loopholes. They'll (sometimes) cooperate with removing the data, and then it just reappears in identical form sometime later, often very quickly. They pretend like it isn't their problem and the problem is their data sources that contain the data. It's the complete wild west.


onerep.com

"If you are located in the United States and have a Monitor Plus subscription, OneRep receives your first and last name, email address, phone number, physical address and date of birth in order to scan data broker sites to find your personal data and request its removal. OneRep keeps your personal data until you end your Monitor subscription in order to check whether your information shows up on additional sites, or has reappeared on the sites you’ve already been removed from."


I wonder how it works for people who use business-name@personal-domain.tld as their emails with whatever businesses.


How does Mozilla determine what 190 data brokers are relevant?


Doesn't look like there is a place to enter past addresses. In the last 15 years I've moved ~10 times. Would be nice to have a way to check those as well.


Anecdote: I provided one zip code and it found a past address in another zip code — but I've only ever had two addresses total under this legal identity, so that doesn't speak to how far back it goes.


What are the cons of data brokers having my info and does it outweigh losing $14.99 a month?


For many it's just getting their home address, phone number and email off the web, which can make you less of an easy target by attackers. For others it's something really specific, like someone who is divorced and doesn't want their name showing up next to their ex's name as a spouse or relative. For others, they want their age off the web to prevent age discrimination in a job search. Others may be hiding from an abuser or stalker.


How does this compare to Kanary?


Kanary members have our full support for all types of exposures, not just data brokers. To build a broader service, we rely on automation and human assistance. Mozilla is using OneRep to power this service, so comparing Mozilla to Kanary at this stage is comparing OneRep to Kanary. Here are a few considerations: https://www.kanary.com/blog/best-removal-service-onerep-kana...

We have a free trial that auto-downgrades into our free tier. We encourage everyone to compare services before joining. https://www.kanary.com/#sign-up


Not sure what I think about charging people to remove this information—are they not also just as bad? This seems like the sort of thing that shouldn't require a victim to pay for, but for law to enforce this not happening.

As with for-profit healthcare in the USA, just seems scumbag to profit off of misfortune and misery.


In fairness, Mozilla can't make a law.


Sure, but they are also treating it as a business opportunity, just like the people compiling the data are. They should perhaps be pushing on the legal aspect of what's wrong with the situation rather than making money from it.


You're assuming they are driven by a business opportunity; I have no evidence of their motives (do you?), but another way to see it:

There is no law and no prospect of one soon. Mozilla can partially solve the problem by providing the service - I think that's great. Otherwise people would have less recourse.

And also, Mozilla must have money to operate; charging for this service seems among the least-bad options.


Well, we arrive at the whole "the optimal amount of fraud is non-zero" train of thought, otherwise there is no money-making opportunity.

They push on the legal aspects of other problems, but I don't see them pushing on the legal aspects of this.

Mozilla receives half a billion dollars per year from Google, making up most of their revenue. Mozilla's CEO is also paid millions of dollars each year. If they can't survive as-is whilst paying out those kinds of salaries with such revenue, that's a management problem.


> Well, we arrive at the whole "the optimal amount of fraud is non-zero" train of thought, otherwise there is no money-making opportunity.

So? Do doctors want you to have cancer? Do undertakers want you to die? Yet they still get paid.

> They push on the legal aspects of other problems, but I don't see them pushing on the legal aspects of this.

That's not persuasive, unless you are in that business. Where is a list of the things they do?

> If they can't survive as-is whilst paying out those kinds of salaries with such revenue, that's a management problem.

While I don't like the CEO's pay, competitors have far greater budgets - and pay CEOs far more - as do many businesses. The amount itself isn't evidence. Where is the evidence that Mozilla isn't allocating funds well?


We do also lobby for better legislation. And from what I've heard (I'm not personally involved with that work), our being present in the market does help us wield influence with legislators.


Does this cover spam-enablers like Zoominfo?


Snake oil at best


[flagged]


Not sure I understand how this comment follows the announcement. What about it makes you lose trust in Mozilla?


The consistent lack of focus. I should have elaborated in my comment.


This is a much better path forward than some of their other gimmicks. Hopefully it works as billed and is successful.

They could have been where Proton is -- offering a security/privacy-first suite of tools -- had they not spent time and resources chasing Pocket and invasive ad campaigns.


The deeds speak more than the words, so I'm highly skeptical of their stance on privacy and attitude toward their users in general. I fail to see how it's any better than your average corporate "we highly value your privacy here at $corpName". Yes, of course, they aren't as obnoxious as Google or Facebook - spam and big data hoarding is not their business. But it's not that they're any particularly good, the world-wide enshittification just made us move the plank so much lower, that anyone not blatantly trying to make buck from anything they can touch is considered "good" those days.

Heck, modern Mozilla seem to be very comparable to Apple - both use the same themes of "oh look we're so pro-privacy (when it makes sense to us)", while becoming increasingly user-hostile and "knowing better". Apple aren't my friends, so aren't Mozilla - yet I'm practically forced to use and trust them, because the competition is no better or, typically, even worse (and tech is too convenient to forgo entirely).

The most obvious example - and my favorite pet peeve - is how they dealt with sync. They went the most typical corporate road - made their own unique system, extremely poorly designed (I've mentioned this a few times, it's exceptionally bad engineering), requiring an account with them, somewhat documented but with zero practical chances of being interoperable. And the ability to self-host and have a separate account wasn't anything more than an afterthought - I'm 99% sure it's there only because they needed to test against non-production servers, not because anyone cared about end users the slightest tiniest bit. If someone would've cared, and their voice would've been heard, the world would've been a somewhat better place - most likely, we would've had a simple (or, at least, sane) interoperable standard on storing and synchronizing browser data, and praised Mozilla for it, like in the old good days. That hadn't happened.

They sure had some ideals, but they lost the sight of them, yet they pretend they didn't.

And I'm sorry for those folks at Mozilla who have those ideals. I'm sure there are decent, good people there, who care and are passionate about what they do. But talking about the company as a whole, I can't say I'm happy to trust Mozilla - I do so begrudgingly. Their interests are certainly not aligned with mine.


I always enjoy the vague yet threatening online comment. I'm of the opinion that this is from one of the better bot farms who have learned if you make people nervous, you can control their choices.


I see how I was too vague. I decided to post without elaborating because I thought the concerns were obvious from previous HN discussions about Mozilla announcements of different sorts, and because I was running out of time, which probably was a mistake.

The Pocket partnership and acquisition, the 250 layoffs with the 4x CEO pay increase, the Mullvad partnership for a worse offering, are all concerning and they do destroy trust, but my primary concern is the apparent lack of focus. Can Mozilla sustain all these potentially positive initiatives (like this recent announcement or https://foundation.mozilla.org/en/privacynotincluded/)? I very much doubt it. And I hope this changes before Firefox usage drops even further.

I'm not a Mozilla hater. I have contributed Firefox translations in the past, built extensions, and I even collaborate actively with some of the projects that I think are distracting Mozilla.


Agreed. I ceaselessly flag comments like this online. Scary passive voice messages would be worthless even if they weren't from an influence campaign.

Say what you mean or hold your tongue! I have zero patience for cowards using vague passive voice.


I agree about vagueness, and it's great that there's more awareness about rhetorical technique. Still, it's written in active voice.


> I lose trust in Mozilla

Why did you lose trust in Mozilla? What other browser would you recommend instead?


Brave


Mozilla != Firefox

The ceo is a joke and the org sucks.


Not sure why this is downvoted. Mitchell has been a disaster for Mozilla (her only accomplishment is squeezing more money out of Google for the search deal despite an ever dwindling user base for FF - we measure DAU and MAU and the hemorrhaging hasn’t stopped).

Very few people in the org actually work on FF. It’s increasingly other bets that don’t pan out or weird acquisitions: Hubs, Pocket, FakeSpot, VPN, Relay, now Monitor. Eventually these lose enough money and they’ll cut them. Then inevitably Mitchell will run a surplus in the budget by cutting projects early and squeezing more money out of Google, funnel the money back to the Mozilla foundation which she also chairs, and then dole it out to her pet political projects.



