“If It’s Free, Then YOU Are The Product” An Exploration into Data Erasure Services

In 2024, it’s widely stated and understood that the most valuable currency of the world is your attention, followed by your data. The truth is, they are one and the same. What you give your attention to, specifically on algorithmic-driven platforms like Instagram, TikTok, Facebook, Twitter, Google etc, are data points to ensure you get ads specifically tailored to you. An anecdotal example, using myself would be the fact that I have recently gotten into Niche perfumes, from infamous brands such as Atkinsons, Nishane, Stephane Humbert Lucas, and Mancera and have added specific fragrances from these brands to my Wishlist. I have also searched for reviews of these perfumes on TikTok and on Instagram, especially the I want to indulge and purchase a 5ml or 10ml tester before purchasing the entire bottle as these perfumes tend to be notoriously pricey. As such it comes to no surprise that the ads shown on my timeline have switched from jewellery and travel discounts, to perfumery from these brands. It has been curated just for me. In the same vein you have the ability to curate the ads you see, if you don’t like what you see, then change what you search for.

There have been a few brands and products that haven’t necessarily been advertised directly to me, but have been advertised to me through the content creators I watch and follow on YouTube, TikTok etc. These are usually in the form of brand or sponsored videos. You may have seen a few of these brands sponsor your favourite creators such as Hello Fresh, BetterHelp, NordVPN, SkillShare etc. It usually starts along the lines of “…thank you to ___ for sponsoring this video…” and has a call to action with their referral code for a discount to the price. One of those platforms, and consequently the entire industry itself I wish to delve into is Incognito, DeleteMe, Aura etc, in essence, these platforms promise to communicate with data brokers and request on your behalf that your data be erased according to certain laws, generally called the Right to Erasure, or Right to be forgotten.

The Promise and Premise of Privacy

How it works goes as such, they say that it helps users remove personally identifiable information from the internet. They will work on your behalf to find your information online and help you remove that data. You can remove this information independently, but it will take much more time and energy. Simplified? You know that annoying website that you don’t remember signing up for that bombards you with emails and newsletters of products, discounts and offerings that you don’t need, want nor asked for? They would contact the company on your behalf and not only request that you be unsubscribed to the emails and newsletters but they go a step further and generate an email template that specifically instructs the company to erase any and all data they have stored about you. Could you do this yourself manually? Absolutely! However, it is the convenience of having them do this communication for you using technology that scours the entire internet in search of your data with the added convenience of the erasure request template that is effective at ensuring your data is removed. Some websites handle all the communications as soon as consent is given.

This is done by using the identifiable data that you provide them, such as email, phone number and sometimes even your home address. They use this to search amongst their library of data brokers and contact them to remove that specific data. At least that is how it’s supposed to work. In some cases, it just informs you that these are the websites with your data and gives you a template letter and an email address to send the letter to, in other cases it’s a one-click-and-done situation.

The Catch: You Pay For And Are Still The Product

There is a myriad of problems with these sorts of platforms. From limited effectiveness and the fact that while these services can help individuals remove personal information from certain websites or databases, they may not be able to guarantee complete removal. Some websites may continue to display or sell personal data even after removal requests are made, especially if the data has been shared with third-party data brokers. To exorbitant subscription costs considering that many of these privacy protection services operate on a subscription model, which means users need to pay ongoing fees to maintain their privacy protection. This can become costly over time, especially if users need to subscribe to multiple services to cover various aspects of their online privacy. For example, DeleteMe costs between $8-$27 per month, Aura costs $144 a year and Incogni costs $10.50 monthly or $63 yearly.

However, that is not the biggest gripe with these products that I wish to discuss. The problem comes about when you start to consider the fact that these platforms can very much transition to data brokers themselves. Here is how, these platforms often require users to provide personal information to sign up and utilise their services effectively. While their primary goal may be to protect user privacy, the data collected for service provision could potentially be repurposed or leveraged for other purposes.

Furthermore, the terms of service and privacy policies of these platforms may include clauses allowing them to use anonymised or aggregated user data for analytics, research, or marketing purposes. While users may consent to these terms, they might not fully understand the implications or extent of data usage. These platforms claim not to sell your data exclusively, however, in their terms and agreements that you consent to, they clearly state that they share your data with specific third-parties as to the “efficient and effective running of their site and protection of their users”

In regards to the free tiers of these platforms, as they amass a wealth of users and user data over time, they may identify opportunities to monetise this data by selling it to third parties. This could include marketers, advertisers, or other businesses seeking insights into consumer behaviour or preferences. Thus, if the service is free, then you are the product.

In the capitalist society with the fiduciary duty of providing returns to shareholder and these shareholders having an increased appetite for unlimited growth and higher returns every quarter, over time, the business models of these privacy protection services may evolve in response to market demands or financial pressures. They may seek additional revenue streams beyond subscription fees, leading them to explore data brokerage as a lucrative avenue. This would usually be in addition to the fact that they would still be selling the users’ data, In essence, you the user, pay for the product and are still the product.

Through the aggregation of user data from various sources, these platforms could inadvertently create detailed profiles of individuals. While they may claim to anonymise or pseudonymise this data to protect privacy, there's always a risk of reidentification or unintended exposure. This means that these platforms inadvertently, with your consent build a database of everywhere your email has been, the jobs you applied for, the websites you signed up for, the websites you make purchases from etc all of that identified aggregated up and categorised as you.

The shift towards data brokerage may not always be transparent to users, raising concerns about consent and informed decision-making. Users may be unaware of how their data is being used or shared, undermining trust in these platforms' privacy assurances. For example, while other platforms work with the data brokers they have agreements with, Incogni send opt-out requests to remove your details from a preset list of data brokers and people search sites. The problem is, that Incogni doesn’t actually know which specific sites have your data. Their requests blast your info out universally. It is the equivalent of posting your contact details online and saying “if anyone has details matching this one, please delete it.” You are more likely to garner more spam calls, emails and odd packages at your door as is the case with this Redditor who used their platform and now gets even more scam emails.

One can compare it to the problems that arise in the VPN industry. These companies say, “You are vulnerable to a cyber attack without one” or “Your browsing data is being sold on the black market, but if you use us we can protect you.” All the while aggregating and selling or rather “sharing” your data not to the highest bidder, but to any bidder. Compromising your cybersecurity and ensuring that they are the only sellers of your data. Think about it, if you erase your data from most of these sites, then it reduces the supply of data in circulation, ensuring a monopoly in essence of not only your data on one platform but one multiple platforms. Typical bait and switch. I do have to state that to my knowledge and research, even though DeleteMe’s parent company Abine and its sister company Blur had a massive cybersecurity attack that led to the loss of 2.4 million users’ identifiable data including passwords, they stated that DeleteMe was unaffected.

Navigating The Landscape

I do not wish to be a fear monger and I must state that these are merely opinions as to the possibility of what could happen with these Data Erasure platforms. However, to the myriad of problems I proffer a myriad of solutions.

First, we all have to be comfortable to an extent with the fact that a certain level of your data will be sold to advertisers. This is a good thing as it provides to you with services and products that are tailored just for you. Tailored advertising is a good thing and it makes the usage of these platforms enjoyable. It does take a certain level of discipline to be able to pull away from and detach from your devices and the platforms, in essence, it takes discipline to get off your phone and “touch grass.” It also takes another higher level of discipline to not pay for and purchase everything that is being advertised to you, treat yourself once in a while but do not clutter your house with things that you do not need and will not use. My rule of thumb is, that if I would not use it the number of times consistent with the number on the price tag, I do not need it. For example, if I buy something for $20 I must use it at least 20 times.

Second, it might seem obvious but read the fine print. Specifically the clauses on how they use your data, who they share it with and how they protect it. Be sure you are comfortable with who they would be sharing it with and you can actually write to these companies for a simplified version of their terms of service. Alternatively, copy the entire thing, paste it on ChatGPT and ask it to simplify it for you, raising privacy concerns and informing you who they share your data with and how it’s stored.

Third, have a burner email. Create a brand new email signing up under an alias (fake name), and other false details, and use that email for those websites that require you to provide an email for a discount code or those that require you to set up an entire account with them. This way it doesn’t necessarily get traced back to you.

Finally, this is for the readers who have an Apple device. Apple being a privacy-focused company has this brilliant feature called “hide my email.” This generates a random email that is different from yours and all correspondence that is sent to that email gets securely transferred to your real email without disclosing to the website your real email.

There is a need for stronger regulation. The EU seems to be ahead of the fold when it comes to international data privacy laws but there is more to do. For example, it can mandate that every time someone unsubscribes to newsletters, they must be provided with the option to have their data erased immediately, or that their data must be immediately erased after 6 months of unsubscribing to the newsletter.

Conclusion

In today's digital landscape, where data is currency and attention is prized, navigating data erasure services demands scrutiny. While these platforms promise control over our digital footprint, their efficacy is uncertain, and costs can be steep. Moreover, the very services meant to protect our privacy may themselves become data brokers, exploiting the information we entrust to them.

This raises critical questions about consent, transparency, and trust. To safeguard our digital autonomy, we must educate ourselves, scrutinise terms of service, and advocate for stronger regulations.

Ultimately, the path to digital sovereignty is fraught with challenges. Yet, by arming ourselves with knowledge and vigilance, we can reclaim agency over our online identities and shape a future where privacy is paramount.