When you search online for Maleeha Aziz, deputy director of the Texas Equal Access Fund, it’s clear she’s one of the many Americans who had an abortion. She testified in front of Congress about her experience traveling out of state to get the procedure and isn’t afraid of sharing her story as part of the work she does as a reproductive rights advocate.
But as the nationwide fight over abortion access becomes increasingly violent, Aziz is worried that if personal information such as her address gets into the wrong hands it could put her and her family in danger.
“Every time there’s a knock on my door, I’m stressing out and tensing up thinking is that an [anti-abortion extremist] or a solicitor,” says Aziz, who over the summer installed security cameras around her home. “It doesn’t make me feel good to know my address is out there and anyone can just show up at my house.”
To try and preserve some of her privacy, Aziz uses services that specialize in getting customers delisted from data broker sites. Most of those takedowns come from so-called “people search websites,” a segment of the data broker industry that includes companies such as BeenVerified and Checkmate. For as little as $10 a month, these services offer consumers quick and easy access to public records including phone numbers, addresses, marriage records and family information.
But what she and many other members of the reproductive justice community have found is they are fighting a losing battle against a vast data broker industry that has turned buying and selling personal information into a $200 billion dollar industry.
The Supreme Court’s Dobbs v. Jackson decision this summer to overturn the right to abortion set off a wave of concern about how everyday technology could be used to surveil and criminalize abortion-seekers, forcing reproductive health professionals and advocates to take greater precautions to protect their digital privacy. In, lawmakers have proposed legislation that limits how tech companies collect and use sensitive reproductive health data, including geolocation data that could tie individuals to procedures.
Last month, the Federal Trade Commission sued Kochava, a data broker it alleges sold geolocation data — sometimes without user permission — that could reveal visits to reproductive health clinics.
But so far, those efforts haven’t included data brokers trading in public records. The oversight, experts say, puts vulnerable groups like reproductive rights workers at risk.
“The fact that somebody could find me or my family members is something I think about a lot,” said Nikiya Natale, deputy director at We Testify, an organization focused on destigmatizing abortion with storytelling. “It’s not a baseless fear. Since Roe v. Wade was overturned people who are anti-abortion have been emboldened even more. And that means a sizable chunk of the country thinks that I’m a murderer or supporting people in murdering babies.”
Natale, who is a lawyer, got involved in reproductive rights because of her own experiences having two abortions in Texas, a state known for its restrictive abortion laws.
Data from the National Abortion Federation, a professional association of abortion providers, backs up those fears. Even before the Dobbs decision, the National Abortion Federation found a significant increase in violence against abortion providers between 2020 and 2021, including the number of assaults and batteries more than doubling and stalking increasing by 600 percent.
NAF offers members digital security training and encourages members to remove their information from data brokers or procure removal services, a spokesperson told CyberScoop.
Individual organizations, like the one Natale works for, have also become more hands-on in tackling the problem by paying for employees’ subscriptions to services that scrub sensitive data from the internet.
The increase in demand hasn’t gone unnoticed. Rob Shavell, CEO of DeleteMe, a subscription privacy service that helps individuals find and remove their personal information from major broker sites, says the number of the company’s clients coming from reproductive health nonprofits has tripled since the Dobbs ruling.
Anti-doxxing firm Brightlines has seen a similar increase. Founder Shauna Dillavou says roughly a quarter of her 60 clients connected with her company through abortion access nonprofits.
Those clients include Aziz, Natale and Alison Dreith, director of strategic partnerships at the Midwest Access Coalition, a group that provides funds for abortion-related needs, such as money to travel for a procedure.
Dreith, who has worked in reproductive rights for over a decade, has received multiple threats to her home address and work over the years. After an incident in 2019, she consulted her personal lawyer about what steps she could take to protect her home address.
“He said, because of voter records and other things, it would just be kind of too hard to really scrub me from the internet in a meaningful way,” she told CyberScoop. “And so I just took him for his word and left it at that.”
But the threats didn’t stop. In April, after appearing in a news article related to her work, she received a threat to her home again. But this time, instead of being told there was nothing she could do, a board member of her organization who works for the Digital Defense Fund, an organization devoted to providing digital security tools to the abortion rights movement, connected her with Dillavou.
Dreith said that, unlike her lawyer, Dillavou reassured her there were steps they could take to make her less easy to find, a promise that made her feel “more safe and secure.”
Dillavou says that many individuals, including in the reproductive justice space, already know to take precautions about what personal information they post online. The problem, she says, is that only covers the tip of the iceberg when it comes to resources that bad actors online can exploit.
“Most people have zero idea about the depth, the amount of data out there,” says Dillavou. “The damaging part is not what we post online, but what gets put out by our own government agencies or state and local agencies — what they sell about us to these data brokers.”
When public records become a private profit
The kinds of public records that comprise an individual’s digital footprint can vary based on factors including where they live, if they have a professional license and their marital status, Dillavou explained to CyberScoop. But often the records that are hardest to scrub permanently tend to be the same: property records, voting registrations and driver and vehicle data.
Even if a takedown request with an individual broker is successful, keeping information like home addresses and family connections from popping up elsewhere is a near-Sisyphean task. That’s because measures to seal public records, the root of this information, are rare. For instance, Colorado is the only state where a voter can opt to make their registration confidential. The state of Texas in June enacted a law stopping the department of motor vehicles from selling resident data, but that’s the exception. In fact, many states sell DMV data for a profit.
Without laws to prevent data brokers from collecting these records online and selling them on the cheap, Brightlines has had to get creative with its toolkit.
For instance, Brightlines has found some success with helping clients navigate state address confidentiality programs, which assign individuals a placeholder address that all state agencies must accept. The programs were originally created to protect domestic violence victims, another group for which experts and advocates say privacy is a life or death issue. Some states including New York and New Jersey already include reproductive health providers, volunteers and patients in their address confidentiality programs.
Other solutions are far more costly. Dillavou advises clients who can afford it to put their home in a trust to avoid public property records — a process that can cost more than a thousand dollars.
While DeleteMe offers free guides to helping individuals submit removal requests to major data brokers by themselves, the sheer quantity of information and number of brokers makes it difficult for the average person to monitor their online presence, says Shavell. “Very few people have the time, let alone the expertise to go do this themselves and do it on a continuous basis, which is probably the most frustrating part of this whole industry,” he said.
A standard version of DeleteMe costs $129 a year while Brightlines, which offers a more customized level of support, can cost up to $5,000 a year for an individual.
Spokeo, Experian and BeenVerified, three of the leading people-search websites, all told CyberScoop their companies consider harassment a violation of their terms of service and remove accounts that violate these terms.
Only Spokeo offered details on proactive steps it takes to prevent bad actors from accessing their product. The company requires users to self-report their intentions for using the product. “We respect every single opt-out request, and we’re particularly sensitive to individuals [at risk of violence,]” Harrison Tang, CEO of Spokeo, told CyberScoop.
Not every data broker makes it easy for consumers to opt-out.
It’s a problem that abortion nonprofit workers have come up against. For instance, Aziz has struggled to get real estate market service BlockShopper to remove her home address, despite repeated requests and a notice from a lawyer.
Shavell said that BlockShopper is one of the sites from which DeleteMe frequently struggles to get customers’ information removed. “They purposefully and have for many years have gone out of their way to trample what we at DeleteMe and what most would consider basic rights over your data, and they have been pretty successful at doing it.”
BlockShopper did not respond to CyberScoop’s request for comment by the time of publication.
Redefining ‘public’ data
In fact, because sites like BlockShopper are getting their information from public records, and not buying it from commercial entities or acquiring it through advertisers, they are often the beneficiaries of carveouts in privacy laws in America, says Justin Sherman, a senior fellow at Duke University’s Sanford School of Public Policy who runs its data brokerage research project.
He says that such exemptions point to a lack of understanding about how the internet has changed the nature of public records and their ability to facilitate harm.
“Those government records might be public in a filing cabinet somewhere or hidden on some extremely obscure website,” says Sherman. “But by scanning everything, digitizing everything, centralizing it and making it searchable, that is the level of targeting and identifiability that’s extremely dangerous.”
Sherman notes that there is a long history of data brokers playing a role in gender-based violence, some instances of which have turned deadly. In 2020, a man targeting federal judge Esther Salas found her address online and then came to her home and shot her husband and son, killing her son. More than two decades earlier, a stalker used a website called Docusearch to obtain personal information about Amy Boyer, including her work address, the location where he stalked and eventually killed her.
“In the face of this kind of harm, we have to be thinking about what public and private information means now,” said Sherman. “For a court filing to be public is one thing. For someone to be able to report on a politician’s activities is one thing. But for people to be able to go online and spend 20 bucks and hunt down someone they’re stalking at their home address is utterly unacceptable.”
DeleteMe’s Shavell agrees and says the kind of harm easy access to public records could enable shouldn’t be underestimated and could, in fact, lead bad actors to even more valuable information.
“If we find your cellphone number at these data brokers, you can assume that there may be a location-based data set that is not being shown but corresponds to the cellphone number, which can be very risky for people.”
As with many of the state privacy laws that have passed in recent years, the main privacy bill circulating Congress right now, the American Data Privacy and Protection Act, excludes government entities such as state and local governments from limitations on selling data for commercial purposes. Publicly available information is also excluded from protections outlined in the bill.
“It’s pretty shocking to me because your home is something that people are so protective about here in Texas and in America,” said Aziz, the abortion rights activist from Texas. While Aziz is aware putting her home in a trust is one option, she says it’s not fair for individuals to have to pay thousands of dollars to protect their privacy.
Moving isn’t an option either, especially since her husband is currently stationed in Texas with the military. “We’re building a life and a home and to just pack up and move isn’t an option for everyone,” she told CyberScoop.
Natale, who recently moved out of Texas, put it another way.
“I ultimately feel pretty confident that if somebody wanted to find me, they could find me, because the internet is a pretty powerful place,” Natale. “And that’s a shame but that’s a reality that a lot of us who do this work have to face.”