Spokeo, personal data aggregators, and your privacy rights: Xeni on The Madeleine Brand Show


[Direct MP3 link for audio] This morning, I joined the Madeleine Brand Show to talk about the latest personal data privacy aggregator that has many of us spooked: Spokeo.

Listen to the archived radio segment here.

Spokeo isn’t new, nor is it alone: peoplefinder, pipl, spoke, zabasearch, Intelius, and many other internet companies exploit the same weaknesses in America’s privacy laws. But Spokeo popped up in the news over the holidays after launching a “username search” feature. The focus of this morning’s radio segment: what sites should be able to access your personal data, and what, if anything, can you do to stop them?

So, about Spokeo. As Sean Bonner guest-blogged here over the weekend, you enter your name on the site, and if you’re in its reach, the site freely returns data about everything from your religion to gender to marital status to hobbies to “wealth level.” Oh, and your home address and phone number, even if you go to some effort to keep those un-listed. They apparently only traffic in US addresses, so those of you outside the states shouldn’t end up in Spokeo’s search results.

The project dates back to 2006, the dorm room brainchild of 27-year-old Stanford student Harrison Tang. He told the Los Angeles Times last June that Spokeo gets data from about 80 “public” sources, including LinkedIn, MySpace, Twitter and Yelp, and has been working with Facebook to open that door, too. Tellingly, Mr. Tang opted out of his own site over privacy concerns.

Spokeo claims not to possess Social Security numbers, driver’s license numbers, bank accounts, or other private financial data such as credit scores. Despite this, they do report “wealth level,” whatever that means, and this prompted a Federal Trade Commission complaint last summer by The Center for Democracy and Technology, alleging that Spokeo “purports to provide information about individuals’ credit ratings and other financial data, but fails to disclose the source of the data or allow consumers an opportunity to dispute and correct false information.”

Spokeo’s offices are located in Pasadena, CA. The business address they publish is a small mailbox at a UPS Store in a Pasadena strip mall (though the LA Times also tracked down and published the company’s physical address).

Peoplefinders and OptOut are owned by the same company, and share an address in Sacramento. Spokeo publicizes that they have a “partner” relationship with ReputationDefender, a site that, for a fee, promises to help “manage your reputation online” and deal with offending leakers like Spokeo. It’s hard to ferret out exactly what relationship the data publishing sites like Spokeo have with the privacy service sites like ReputationDefender, but it seems fair to at least characterize them as symbiotic.

As frightening as the prospect of having a satellite photo of one’s home next to one’s marital status, religion, and estimated income in one free search result may be, Boing Boing guestblogger Andrea James points out that Spokeo probably isn’t the scariest data-monger in the room. “Information commerce company” Intelius bought people search site Spock last year, scaring the bejeebus out of a lot of people in the process. Who knows what may yet come of that merger.

I reached out to Sharon Nissim, a Consumer Protection Fellow from EPIC, to make sense of Spokeo and sites like it. Nissim said this felt “one step away from having someone’s SSN,” and is “indicative of a pervasive problem online: people really have no idea how much tracking is being done, because behavioral tracking services effectively track everything you look at online.”

Regarding paid services that promise to “clean” the internet of your personal data, “You shouldn’t have to pay to keep your information private,” said Nissim, “privacy should be a default setting.”

EPIC is among the privacy watchdog groups backing the idea of a “do not track” mechanism first proposed in 2007, which was initially modeled on the popular “do not call” database administered by the FCC to limit telemarketing access. Nissim explained that while the two technologically can’t work the same way, and the idea of a government-maintained centralized registry of websites is a non-starter, there is hope. One solution under discussion with researchers at Stanford for “do not track” involves using HTTP headers on the browser side.

“For now, making sure to opt out of data sharing or data storing when given a choice by credit card companies, banks, and websites is one good thing to do,” said Nissim. “We’re also concerned about the privacy threat posed by mobile phone/smartphone data. We don’t carry our computers everywhere we go, but we do carry these mobile devices. The location information that apps store and share will surely be of greater concern, as their usage grows.”

“Online tracking is a huge problem, and while it is certainly good that some steps are being taken to try to crack down on some of it, we are really far behind where we need to be,” adds Nissim. “The FTC is just waking up to the issue and strong enforcement of any do not track mechanism is imperative for it to succeed. That being said, I am hopeful that Congress will get behind the initiative and that movement will continue on protecting people’s privacy online.”


RELATED READING:

EPIC page on online tracking and behavioral profiling

Stanford Do Not Track website

EFF on how to protect your privacy online