Big Ass Data Broker Opt-Out List: A Guide to Opting Out of Data Broker Databases

GitHub project title screen saying yaelwrites/Big-Ass-Data-Broker-Opt-Out-List and 8 contributors, one open issue, 3000 stars and 101 forks.

This list, also known as BADBOOL, was started on September 29, 2017 and was most recently updated in October 2023 to add PimEyes and to remove TruePeopleSearch and Cyber Background Checks, since those sites will automatically remove your data if you successfully opt out of Intelius and BeenVerified.

Some of these opt-outs take a long time to go through. Sometimes, information is pulled from other sources, and you’ll need to opt out multiple times for the same site. Data brokers come and go (and are bought out by others), and they also often change their opt-out pages.

In many US states, real estate data and voter registration information is public (or easy to obtain). And, of course, location data can be found by physical means (e.g. following you home) and through other people who know it (i.e., social engineering). That said, removing your home address from data broker sites can significantly lower your attack surface and make it harder for people to find it.

This is mostly US focussed, but it does give some idea of how many data brokers are tracking users' data and behaviour, and shows that it is not easy to just opt out. The list is managed as an open source project, so it has community participation as well. It may therefore also be possible to suggest adding resources for other countries.

Unfortunately, if you’re on the Internet, you do leave many traces. Very few normal users actually boot clean from a Tails Linux on a USB stick in read-only mode, and use Tor Browser without any saved logins etc. Most users also carry a mobile phone with apps installed (no more needs to be said about that).

Your best defence, though, is to do some basics: using a privacy-based browser with fingerprint protection, script blocking, unique secure passwords per site, sandboxing (or not using) Facebook and Instagram type sites, etc.

Just yesterday, I received a phishing mail that had spoofed my own private domain e-mail address (to imply they had hacked my e-mail). I realised that, although I had activated DMARC and SPF on my e-mail service, I had made one copy-and-paste mistake in the DNS records, and no error was shown. I’d not properly checked that the DMARC indicator was showing as verified green on my service. Doing it, and actually checking it, are two separate actions one needs to do. It’s the little things that trip you up.
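One way to do the "actually checking it" step is to lint the published TXT values yourself. The sketch below is an added example, not part of the original post: it works on record strings you paste in (no DNS lookups), the sample records and `example.com` are constructed, and the checks cover common SPF/DMARC syntax slips rather than the specific mistake mentioned above, which the post does not describe.

```python
import re

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if part.strip():
            tag, _, value = part.partition("=")
            pairs.append((tag.strip(), value.strip()))
    return pairs

def check_dmarc(name, record):
    """Return the problems found in one TXT value published for DMARC."""
    problems = []
    if not name.lower().startswith("_dmarc."):
        problems.append("record must be published at _dmarc.<domain>")
    if any(q in record for q in '"\u201c\u201d'):
        problems.append("literal quote characters inside the value")
    tags = parse_tags(record)
    if not tags or tags[0] != ("v", "DMARC1"):
        problems.append("first tag must be exactly v=DMARC1")
    fields = dict(tags)
    policy = fields.get("p")
    if policy is None:
        problems.append("required p= tag is missing")
    elif policy.lower() not in {"none", "quarantine", "reject"}:
        problems.append(f"invalid policy p={policy}")
    for uri in fields.get("rua", "").split(","):
        if uri.strip() and not uri.strip().lower().startswith("mailto:"):
            problems.append(f"rua target is not a mailto: URI: {uri.strip()}")
    return problems

def check_spf(records):
    """Return the problems found in the set of TXT values at the domain itself."""
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no TXT record begins with v=spf1"]
    problems = []
    if len(spf) > 1:
        problems.append("more than one v=spf1 record (evaluates to permerror)")
    terms = spf[0].split()[1:]
    if not any(re.fullmatch(r"[-~?+]?all", t, re.I) or t.lower().startswith("redirect=")
               for t in terms):
        problems.append("no 'all' mechanism or redirect= modifier (defaults to neutral)")
    return problems

# Constructed sample records; example.com is a placeholder domain.
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
BAD_DMARC = "v=DMARC1, p=reject; rua=dmarc@example.com"  # comma typed instead of ';'
```

An empty list means the syntax checks passed; it does not replace confirming that your mail provider shows the domain as verified.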

So why are data brokers a threat to you? Because they also collect a lot of related information, which is often used to verify your identity, for example to a call centre in order to have your password reset.

See https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List