Newsjunkie.net is a resource guide for journalists. We show who's behind the news, and provide tools to help navigate the modern business of information.
Use of Data

The data broker industry is a multi-billion dollar ecosystem built on the continuous harvesting, aggregation, and resale of personal information—names, addresses, phone numbers, purchasing habits, political affiliations, health inferences, and social graphs. Thousands of companies trade in this data with minimal regulatory friction, feeding advertising platforms, credit agencies, background-check services, insurance underwriters, and increasingly, law enforcement.
For individuals, this means that a remarkable amount of sensitive information about your life is available for purchase by anyone with a credit card. For organizations—nonprofits, newsrooms, legal clinics, advocacy groups—it means that internal communications, staff data, donor lists, and source relationships can be inferred, intercepted, or compromised through the same commercial data pipelines that profile consumers.
Fortunately, a growing ecosystem of tools and legal mechanisms exists to fight back. This guide surveys the landscape as of mid-2026, divided into two tracks: one for individuals seeking to minimize their personal data footprint, and one for organizations building systemic privacy infrastructure.
No single tool is a complete solution. Effective privacy defense requires layering technical controls with behavioral discipline and, where possible, legal action. The sections below outline both the tools and the practices that, in combination, provide meaningful protection.
Note on scope: This guide covers data broker opt-outs, identity minimization, network surveillance, and organizational data hygiene. It does not cover device security hardening in depth — consult EFF's Surveillance Self-Defense guide for that layer.
Personal data broker defense operates on two fronts: proactively removing existing records from broker databases, and reducing the surface area for future collection. Neither is a one-time task — broker databases repopulate regularly from public records, retailer data, social media, and data purchases from other brokers.
Paid Subscription, Automated Opt-Out
DeleteMe is a subscription service ($129/year for individuals) that continuously submits opt-out requests to over 750 data broker sites on your behalf. It sends quarterly reports documenting what was found and removed, and it handles the laborious manual process of contacting sites like Spokeo, Whitepages, BeenVerified, and Intelius. Its limitation is that it cannot remove data from all brokers — some require in-person verification or government ID — and some records reappear within months of removal, requiring ongoing subscriptions rather than a one-time fix.
Low-Cost, Manual Assist
EasyOptOuts is a lower-cost alternative ($20/year) that covers a solid range of the major people-search and data broker sites. It is suited for individuals who want basic coverage without the higher-tier subscription cost. Coverage is narrower than DeleteMe's but sufficient for most people's needs. It is best used in combination with manual opt-outs for brokers EasyOptOuts doesn't reach.
IntelTechniques Opt-Out Workbook
Free, Manual Process
Compiled by privacy researcher Michael Bazzell, this free workbook — updated regularly and downloadable as a PDF — provides direct opt-out links and step-by-step instructions for over 200 data broker and people-search sites. It is the gold standard for manual opt-outs. Completing the full workbook takes 8–12 hours but results in substantially deeper removal than automated services, which skip many smaller brokers. Bazzell's accompanying Privacy, Security, & OSINT Show podcast is a useful supplement.
Free plans, Identity Compartmentalization
MySudo provides disposable phone numbers, email addresses, and virtual credit cards organized into separate "personas" (Sudos). The core strategy is identity compartmentalization: using different contact information for different categories of life (shopping, social, professional, medical) so that data brokers cannot aggregate a unified profile. If one persona's email is sold, it doesn't compromise the others. Plans start free for one Sudo and scale up for additional personas.
Free Tiers, Open Source, Email Aliasing
SimpleLogin and Addy.io are email aliasing services that generate unique forwarding addresses for every site or service you sign up for. When a company sells or leaks your email, only the alias for that company is compromised — your real inbox remains insulated. Both are open-source; SimpleLogin was acquired by Proton and integrates with Proton Mail. Addy.io offers a generous free tier. This is one of the highest-leverage, lowest-effort privacy practices available and is recommended regardless of other steps taken.
Free Tier, Virtual Cards
Privacy.com generates virtual Visa debit cards linked to your bank account, each with a unique card number. Cards can be locked to a single merchant, set with spending limits, and paused or deleted. This prevents retailers from building purchase-history profiles tied to your real payment credentials, and eliminates the risk of merchant data breaches exposing your actual card. The free tier allows up to 12 cards per month; premium plans offer more. Note that Privacy.com itself collects some transaction data — its privacy policy should be reviewed.
Free Tiers, Open Source, Password Management
Bitwarden and Proton Pass are password managers that generate and store unique, high-entropy passwords for every account. While primarily a security tool, unique passwords are also a privacy tool: if a site is breached and credentials are sold to data brokers, the damage is contained to that site only. Bitwarden is fully open-source and self-hostable. Proton Pass integrates with the broader Proton privacy suite. Both support passkeys and two-factor authentication. Using a password manager is prerequisite infrastructure before addressing any other privacy layer.
Paid, Network Privacy
VPNs mask your IP address from the sites you visit and hide your browsing from your ISP, preventing both from building a browsing history. Mullvad and IVPN are consistently recommended by privacy researchers because both accept cash and cryptocurrency payments, do not require account creation tied to a real identity, and have undergone independent audits. Crucially: most consumer VPNs marketed aggressively online are surveillance businesses themselves. VPN selection matters enormously. Neither Mullvad nor IVPN is affiliated with the VPN industry's problematic ownership structures.
OptOutPrescreen.com & DMAchoice
Free, Legal Opt-Out
OptOutPrescreen.com is the official opt-out registry operated by the major credit bureaus (Equifax, Experian, TransUnion, Innovis) for pre-screened credit and insurance offers. DMAchoice (Direct Marketing Association) allows opt-out from mail marketing lists. Both reduce the paper trail that feeds data broker address verification. Registering with the National Do Not Call Registry is similarly basic hygiene, though enforcement is limited. These are free, legal mechanisms that take minutes and have lasting effect.
Use a PO Box or mail forwarding service (e.g., Anytime Mailbox, Earth Class Mail) as your mailing address for all non-essential registrations. Your home address is one of the most persistently distributed data points and the hardest to remove.
Audit your Google, Meta, and Apple data exports annually. Request a full data export from each platform (GDPR portability requests work globally) to understand what has been collected, then delete categories you don't need retained.
Never use "Sign in with Google/Facebook" for third-party apps. It creates identity linkages that brokers and platforms exploit to cross-correlate behavior across unrelated services.
Freeze your credit at all four bureaus (Equifax, Experian, TransUnion, Innovis) plus specialty agencies (ChexSystems, LexisNexis, SageStream). Freezes prevent identity theft and reduce the data broker market for your financial profile.
Search yourself quarterly on the major people-search sites (Spokeo, Whitepages, FastPeopleSearch, etc.) and re-submit opt-outs as records reappear. Treat it as recurring maintenance, not a one-time event.
Use a privacy-focused browser (Firefox with uBlock Origin, or Brave) as your default. Browser fingerprinting and cookie-based tracking are primary data collection vectors that basic VPNs do not address.
Organizations face a different threat model from individuals. The concern is not primarily one's own personal data profile, but rather the aggregated exposure of staff, sources, clients, donors, and members through commercial data pipelines that organizations have limited control over. A nonprofit's staff phone numbers, a newsroom's source contact list, a legal clinic's client records — all are potentially inferable through data broker aggregation even without direct breach.
Organizational defense requires institutional policy, vendor contracts, staff training, and technical infrastructure. The tools below address different layers of this challenge.
EFF Surveillance Self-Defense (Org Track)
Free, Policy Framework
The Electronic Frontier Foundation's Surveillance Self-Defense guide includes organizational and team security planning guidance. It provides threat modeling frameworks — a structured method for identifying what data you hold, who might want it, and which attack vectors are most likely. For newsrooms and advocacy organizations especially, EFF's materials on source protection and operational security are the baseline policy framework before deploying any technical tools.
Free, Open Source, Secure Communications
Signal is the industry-standard end-to-end encrypted messaging and calling application. For organizational use, Signal's Note-to-Self feature, disappearing messages, and sealed sender provide meaningful protection against metadata analysis. Keybase (now owned by Zoom but still functional) provides team-level encrypted file sharing and messaging. Organizations should establish Signal as the required channel for any sensitive internal communications, replacing SMS and consumer chat apps entirely. Both are free and audited.
Paid (Team Plans), Email / Calendar / Drive
Proton offers end-to-end encrypted email, calendar, VPN, cloud storage, and password management under one organizational account. Based in Switzerland (governed by Swiss privacy law, outside EU and US jurisdiction), Proton's business plans provide organizational-grade encryption for the full communications stack. Unlike Google Workspace or Microsoft 365, Proton cannot read its users' email contents to build advertising profiles or comply with broad surveillance requests. For organizations with sensitive data — legal, journalistic, medical — this is a meaningful infrastructure choice.
Have I Been Pwned / Mozilla Monitor
Free, Breach Monitoring
Have I Been Pwned (HIBP), run by security researcher Troy Hunt, maintains a database of billions of credentials from public data breaches. Organizations should query their domains to identify all staff email addresses that have appeared in breach data — which often means those credentials have been purchased and are circulating in data broker markets. Mozilla Monitor provides a more consumer-friendly interface to the same underlying data. Breach monitoring should be part of regular organizational security review, triggering mandatory password resets and account audits for affected staff.
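One way to turn a domain breach report into the reset-and-audit queue described above, as an added example rather than code from HIBP or this guide. The report shape (mailbox alias mapped to breach names), the domain, breach names, dates and staff directory are all constructed, and the urgency rule is this example's assumption.

```python
from datetime import date

# Constructed sample data (not real breach results). The report shape, a
# mailbox alias mapped to the breaches it appears in, is an assumption.
DOMAIN = "newsroom.example"
BREACH_REPORT = {
    "editor": ["ForumDump2024"],
    "intern": ["ShopLeak2022", "ForumDump2024"],
    "oldstaff": ["ShopLeak2022"],
}
# Breach date and whether passwords were among the exposed fields.
BREACHES = {
    "ShopLeak2022": {"date": date(2022, 3, 1), "passwords": True},
    "ForumDump2024": {"date": date(2024, 9, 15), "passwords": False},
}
# Current staff directory: alias -> date of last password change.
STAFF = {
    "editor": date(2025, 1, 10),
    "intern": date(2021, 6, 1),
    "publisher": date(2020, 2, 2),
}


def triage(report, breaches, staff, domain=DOMAIN):
    """Split breached aliases into urgent / routine / orphaned queues.

    Every current staff member in the report still gets a password reset
    and an account audit; "urgent" only decides who is handled first.
    """
    queues = {"urgent": [], "routine": [], "orphaned": []}
    for alias, names in sorted(report.items()):
        address = f"{alias}@{domain}"
        if alias not in staff:
            # Breached address with no current owner: confirm the mailbox
            # and any accounts registered to it are actually closed.
            queues["orphaned"].append(address)
            continue
        known = [breaches[n] for n in names if n in breaches]
        unknown = [n for n in names if n not in breaches]
        # A password exposed on or after the last change may still be valid.
        stale = any(b["passwords"] and b["date"] >= staff[alias] for b in known)
        # Missing breach metadata is treated as worst case, not ignored.
        key = "urgent" if stale or unknown else "routine"
        queues[key].append(address)
    return queues
```
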
Paid Tiers, Compliance Infrastructure
Iubenda and Osano are data privacy compliance platforms that help organizations manage consent, generate compliant privacy policies, process data subject access requests (DSARs), and maintain records of processing activities as required under GDPR, CCPA, and state-level equivalents. Organizations that collect even basic user data — newsletter signups, donation forms, contact submissions — are subject to these laws and can face enforcement for non-compliance. Iubenda focuses on policy generation and consent management; Osano provides a more comprehensive consent management platform with vendor risk scoring.
Free, Open Source, High-Risk Operations
For organizations operating in higher-risk contexts — investigative journalism, legal advocacy, whistleblower intake — the Tor Browser provides anonymized network routing that defeats IP-based surveillance. Tails is a live operating system that runs from a USB drive, leaves no forensic trace on the host computer, and routes all traffic through Tor. The Freedom of the Press Foundation recommends both for journalists communicating with sources. These tools have a learning curve and are appropriate for specific sensitive workflows, not general organizational use.
Free (US Orgs), Vulnerability Scanning
The Cybersecurity and Infrastructure Security Agency (CISA) offers free network vulnerability scanning and web application scanning to US-based organizations. These services identify attack surfaces that, if exploited, could result in data exfiltration that feeds broker markets. While primarily a cybersecurity tool, reducing breach risk is intrinsically a data broker defense — most personal data in broker databases originates in poorly secured organizational databases. CISA's services are underutilized by nonprofits and small newsrooms that qualify.
Enterprise-Grade, Data Mapping & DSARs
Enterprise data privacy management platforms provide data mapping (understanding what personal data your organization holds, where it lives, and who has access), automated DSAR (data subject access request) workflows, and vendor risk management. Transcend's infrastructure allows organizations to honor deletion and access requests programmatically across all their data systems — not just databases they control directly, but also third-party vendors processing data on their behalf. For mid-to-large organizations, these platforms are increasingly necessary as privacy law enforcement expands.
Access Now Digital Security Helpline
Free, Human Rights / High-Risk Orgs
Access Now operates a free, confidential digital security helpline for civil society organizations, journalists, activists, and human rights defenders facing sophisticated surveillance threats. Staff provide tailored guidance on threat assessment, incident response, and operational security planning. For organizations facing state-level adversaries or targeted attacks — not just commercial data broker aggregation — Access Now represents a specialized resource unavailable elsewhere. The helpline operates in multiple languages and is available globally.
Conduct a data minimization audit. Map every category of personal data your organization collects (staff, donors, clients, subscribers) and eliminate any collection that isn't strictly necessary. Data you don't hold can't be breached, subpoenaed, or sold by vendors.
Review and restrict third-party vendor data sharing. Every SaaS tool your organization uses — CRM, email platform, donation processor, analytics provider — processes personal data under its own terms of service. Audit vendor data practices annually and negotiate data processing agreements (DPAs) with all vendors handling sensitive data.
Remove or anonymize staff data from public-facing directories and social media platforms. Staff phone numbers, home addresses, and secondary email addresses appearing in organizational databases are frequently scraped into broker systems.
Establish a data retention and deletion policy. Define how long each category of data is retained, automate deletion when possible, and document the process. Regulatory compliance aside, data you've deleted isn't available to adversaries or subpoenas.
Train all staff on phishing recognition and social engineering. The majority of organizational data breaches begin not with technical attacks but with staff being deceived into surrendering credentials. Annual security training with simulated phishing tests is the highest-ROI organizational security investment.
File data broker opt-outs on behalf of staff. Organizational HR or IT departments should run staff names and addresses through major people-search sites and file opt-outs as part of onboarding. Staff home addresses and phone numbers in broker databases create physical safety risks — for journalists, lawyers, and advocates especially.
Consider a privacy-preserving analytics platform (Plausible, Fathom, Matomo self-hosted) instead of Google Analytics for your public website. GA feeds Google's data ecosystem with visitor data; privacy-respecting alternatives provide equivalent traffic insights without the surveillance exposure.
The data broker industry operates legally, profitably, and largely without public scrutiny. Defeating it completely — for either individuals or organizations — is not currently possible. What is possible is substantially reducing your exposure, making aggregation harder, and ensuring that the most sensitive categories of information (home address, daily movement, financial behavior, health inferences) are harder to compile into a profile.
The combination of systematic opt-outs, identity compartmentalization, encrypted communications, and organizational data minimization is not a guarantee of privacy — but it meaningfully raises the cost and effort required to surveil you. For most people and most organizations, that is achievable protection worth pursuing.
© 2026 Newsjunkie.net