How Companies Turn Your Data Into Money

The best description of the data economy comes from AOL, of all places. The once-mighty internet service provider now runs a tidy business in the ad-exchange space. The site promoting the service is hip and tasteful, showing happy, partying people and white text that spells out things like "Monetize your most valuable asset" in all caps.

"A publisher's audience is their currency," the site says. "No matter how they make money from content—be it through advertising, paid subscription or syndication, a publisher's core asset is audience and audience data."

This is weapons-grade marketing speak, but it's also a surprisingly honest assessment of digital media's beating heart—one that pumps out content and takes in reams of data from the people who consume that content. And somewhere, unseen, money is being made from what we see and do online.

Targeting and Retargeting

Bill Budington, a senior staff technologist with the Electronic Frontier Foundation, sees the avenues for data gathering everywhere: advertising identifiers in the headers of mobile web traffic, fingerprinting browsers, customer tracking in stores using Wi-Fi probe data, SDKs inside mobile apps, and ultrasonic tones from TV that are outside the range of hearing but can be detected by apps on smart devices to track viewing habits.

Some data isn't being used yet—he said, for example, that the genetic information gathered by 23andMe could one day be used for advertising or for discrimination. Genetics being used for advertising is something from a hyper-capitalist cyberpunk fever dream; and yet, it's plausible.

"There is no legal regime for the protection of that data, so consumers need to be on watch for it in the US and make those choices," said Budington. "The US is at the forefront of deploying those technologies, and the companies that are starting are going to target US customers first. In a lot of ways, the US serves as a playground for the big-data economy, which means that US citizens have to be more aware of the dangers."

The collected data has value because of how it's used in online advertising, specifically targeted advertising: when a company sends an ad your way based on information about you, such as your location, age, and race. Targeted ads, the thinking goes, are not only more likely to result in a sale (or at least a click), they're also supposed to be more relevant to consumers.

Budington pointed out that there's a dark side to this kind of advertising. "I have targeted ads that are more attuned to my desires and my wants... But if you have someone who has an alcohol abuse problem getting a liquor store ad…" He trailed off, letting the implication hang.

Your local liquor store probably isn't advertising in this way, but vulnerable communities are being targeted for specific ads. For-profit universities, for example, target low-income people, Budington said. "You pay thousands and thousands of dollars, and they give you a diploma that isn't worth the paper it's printed on. Targeted advertising has a really pernicious side."

A subset of targeted ads is ad retargeting. Retargeted ads take into account your previous online activity in order to push an ad your way. For example, tracking pixels can be added to a webpage. When the site loads, the owner of a tracking pixel will see that a computer requested said pixel and that it loaded at a particular time. It can even capture identifying information about the computer that visited the site.

This is what creates the unnerving experience of seeing an ad on one website, and then seeing it again on another site. The ad "follows" you across the web, hoping for a click.

This has given rise to a popular conspiracy theory: that phones and smart devices are listening in and then targeting ads based on what you're saying. One study debunked this claim, demonstrating that mobile phones didn't seem to be sending audio data—but some apps were found to be transmitting screenshots of device activity. Apps using the Silverpush software development kit (SDK) were listening for ultrasonic beacons (as mentioned above), but Google has worked to suppress the use of this technology on its Android platform.

Budington said that in some cases, app developers may be including tracking SDKs without fully understanding the privacy implications for users and perhaps without ever receiving the data themselves. Developers sometimes get paid for including the SDKs and may include them as tools for debugging or gathering analytics. The SDK operators, however, can then potentially receive information about people's behaviors and app usage.

As for devices with built-in digital assistants, such as the Google Home and Amazon Echo, it is true that these services send recordings of your queries back to the respective companies for processing. With the Google Assistant and Alexa voice assistants, you can even listen to recordings of every question you've ever asked. Budington said that while companies have been clear on what kind of data they're gathering with these devices and services, what they're using the data for is much more opaque.

Budington doesn't expect this data economy to change, at least without external pressure. Most efforts by companies to improve user privacy typically don't solve what he sees as the real problem. "[Companies] are willing to set up privacy filters with regard to other users, because that doesn't affect their bottom line; but they're still getting that data themselves."

Budington also doesn't see fixes coming from Congress. "I don't see much hope for that in the US," he told me. "Often, I think, when regulation comes into play, it's ill-worded and misapplied. And because of that, you don't have the necessary protection, and [it] can often do more damage than it does good."

The argument against Budington's position on privacy is that targeted advertising and the data collection behind it are fair compensation for companies that provide free online services. Google, Facebook, and Twitter would likely not exist if they couldn't turn user data into cash. Not everyone has the money to pay for subscriptions or is willing to—but most people have value to advertisers as potential consumers.

That argument rings hollow to Budington. "People don't have a lot of options if they're going to interact with the world. Most people like to take pictures and upload them to Instagram," he said. The EFF created Privacy Badger—a browser extension that blocks ads and trackers—to address this lack of choice. It lets users toggle which trackers are allowed to interact with their web experience, and it replaces social widgets and embedded YouTube videos with badger icons that viewers have to click in order to activate (and then, in turn, information about the viewer is transmitted).

So for now, change is coming not from companies and regulators but from the people who are being advertised to in the first place.

The Data Must Flow

The founder of DuckDuckGo, Gabriel Weinberg, is not a huge fan of Google. That's not surprising, because DuckDuckGo is a competing search company—but one that has positioned itself as a search engine that won't absorb your data. Given Google's (actually, Alphabet's) numerous niches, it's easy to forget how the company has made its money. It's not primarily a smartphone operating system developer, a web browser, or even a search company. Google, as privacy advocates are quick to point out, is an advertising platform that takes advantage of the enormous insight the company has into the activities of users.

"What people don't realize is that there are these hidden trackers across the web that are scooping up your personal information," Weinberg told me. Facebook and Google have deployed most of these trackers. "That lines up with their dominance in the advertising market."

Weinberg isn't just concerned with the privacy implications of consumer data collection. He also worries about the social effects that have arisen as a result, in part because many apps and services gather data in exchange for services and also aid in advertising retargeting, which encourages people to buy more things. "You're paying with your data, but you're also literally buying stuff," said Weinberg.

He argued that Facebook and Google's business model is filtering what you see in order to drive clicks. "As a result, people get into these echo chambers," he said, recalling the efforts by Russian intelligence operatives to sow discontent among American voters online. "Those harms are somewhat unique to Google and Facebook."

"Facebook is a contained internet," Weinberg continued. "It's literally what they're trying to do in places like India. The internet is Facebook to them, in the same way as it was for AOL back in the 90s for the US."

And the consequence of that kind of containment, he said, is that people believe things they wouldn't necessarily believe otherwise. A deeply troubling example: the deaths by mob violence in India that were spurred by rumors spread via WhatsApp.

Weinberg believes the road to our current moment came through a lack of oversight or regulation for online tracking, at least in the US, which continues to this day. As long as websites and apps have a publicly posted policy, companies can do more or less as they please. He characterizes the data collection efforts of US companies this way: "Collect everything, and we'll figure out what to do with it later."

By contrast, the European Union recently introduced the General Data Protection Regulation (GDPR), which requires companies to get user consent for the collection of data, among other things. This was why many websites the world over simultaneously informed all of us that their user policies had changed. On this side of the Atlantic, it was a bewildering but minor inconvenience. In Europe, the enforcement of the GDPR has been a step toward putting people in control of their data.

Weinberg said US residents are subjected to a web of different tracking techniques. Cookies and IP address gathering track users as they move from website to website, but your own web browser can also give you away—in browser fingerprinting, configuration factors about users' device and software (such as the browser version number), are used to identify them.

More identifying information can simply be purchased. "Facebook is taking offline credit card data and mixing it with their site," Weinberg said, to illustrate the lack of transparency he sees in the data market. "You wouldn't expect that. The bigger the data profile . . . the better you can be targeted. They have incentives to buy and combine extra data." After our interview, it came to light that Google had penned a secret deal with MasterCard for data on offline spending habits.

I reminded Weinberg of the argument in favor of this kind of data collection and advertising—that it allows companies to provide services and apps for free. He ruefully said he's heard a phrase that describes his feelings on it: "The best minds of our generation are being put to work on seeing if people will click more ads."

"I think it's a travesty and waste of innovation,' he said "I think it's manipulative, driving consumption and [making people] believe things that they don't want to believe."

"Some business models that are dependent on this need to change," Weinberg added. "Google and Facebook have sucked out the profits for organizations and media, and if those profits were better distributed, things would be better."

Weinberg considers monetization schemes like paywalls, in which visitors to a site pay to view some or all of the site's content. Turning back to Facebook, he said, "Their business models are such that they will be more targeted over time and more intrusive."

What's the fix? Voting with your feet—leaving a service with intrusive policies—does work, Weinberg said. But he notes the network effects of sites such as YouTube (which is part of Google) and WhatsApp (part of Facebook). "While I advise people to leave Facebook, I am also realistic, and I know people never will."

Both outside and inside forces seem to be the solution. Regulation is important, but Weinberg, like Budington at the EFF, is more focused on the actual tools that could solve the problem of intensive data collection and user tracking. Sites and apps need to offer users real ways to opt out, he believes, and companies should be prevented from combining data from other companies.

Inside the Ad Exchanges

Julia Schulman is the chief privacy counsel for the ad-exchange company AppNexus, and she speaks with easy confidence and the lung capacity of a skin-diver. Without taking a breath, she explained to me how AOL One, AppNexus, and ad exchanges like it connect people who have websites and want ads with people who have ads that want to appear on websites.

"We're the pipes," she said crisply. It's a carefully neutral position that emphasizes her employers' place in a larger web of interests. AppNexus and similar companies provide clients with a demand-side platform (DSP) that serves as a dashboard for buying ads. The people with the ads can then decide the audience for the ads: people in a particular geographic area, people browsing sites at a particular time of day, or determined by contextual information such as the kind of site a person is visiting. A car company might want to buy ads on a site that reviews cars, for example.

When someone navigates to a page that has that code, it wakes up AppNexus and checks whether there's a deal already in place. If there's not a direct deal in place, something more interesting happens. In this situation, services like AppNexus hold a real-time auction among potential ad sellers for the space. Advertisers duke it out with automated bidding—think eBay with its maximum bid thresholds—all before the site finishes loading. "It's happening in milliseconds," said Schulman.

This wouldn't be possible without consumer data, but Schulman said AppNexus doesn't want or even really need information on the people who end up seeing the ads. "We don't ourselves have data that we use for targeting; our advertisers bring that to the table," she explained. "We don't have names. We don't have email addresses."

Stockpiling that kind of information would expose AppNexus to risk should it leak out. But Schulman said huge piles of data are not useful for the company's purposes.

"We're looking to reach wide swaths—millions and millions of impressions," she said. It's also not particularly efficient to target individuals: "We receive very, very basic information. We don't know who these people are, and we don't care who they are," she said.

Instead of handling the information, the AppNexus system allows publishers to tie information to random IDs. Schulman said that even those within her company can't parse what these random IDs represent. That's on the clients. This is what Schulman means when she talks about privacy by design: "We prohibit our clients from sending us ID information, and we prohibit our clients from tying directly to identifiable information."

The fears about her industry, she said, are caused by a lack of understanding. She also pointed to the actions of the Network Advertising Initiative (NAI), a self-regulatory agency for online advertisers. The NAI publishes codes of conduct and guidelines for data handling that members agree to follow. She wryly noted that there are some actual teeth to this agreement: "If you are a member of the Network Advertising Initiative, you've committed to complying with this code, and a violation of that is a violation is of section five of FTC [Act]."

In total, Schulman doesn't see this model of advertising as problematic. "As a consumer who uses the web, and I'm privileged to know this business inside and out, I think it is more useful to see a relevant ad." She considers companies like AppNexus to be part of, in her words, a "virtuous cycle" that improves the web overall.

Although she positions AppNexus and the like as neutral services in a larger industry, she believes that even the data brokers don't deserve their reputation. At least, not entirely. She pointed out that the publishers and advertisers are looking for that information in the first place. "They don't exist without clients. It feeds their business." The web of commerce that supports the industry, it seems, distributes the blame as well.

Dropping Out of the Data Economy

Some people are very knowledgeable, but in interviews, they speak with incredible care, perhaps too aware that their words could be taken out of context or twisted against them. And then there are people who know just as much, but throw caution to the wind and simply say what they think. These people are quote machines.

Rob Shavell is a cofounder of the privacy company Abine, and he is a quote machine. He's fast and direct with his comments, and he's biting in his criticism of the online ad industry.

"It's a specific problem, and the industry has made it very hard for consumers to put a value on privacy," he said. "The data mining industry [couldn't] exist if everyone really understood it clearly." For the everyday person, he said, it's very hard to not somehow be a part of this economy. "People are giving away information every day, if not every hour."

He frames the problem this way: If a company came to you and said "Fill in this form with all your personal information because we can sell it for $39," no rational person would agree to it.

Abine offers some unique tools to combat the rampant leakage of personal information. The Abine Blur service couples a tracker-blocking web plugin with the ability to disguise or "blur" your personal information. When a website requires an email address, Blur generates one for you and automatically forwards any messages to your real email address. It can do the same with your phone number, substituting a disposable number that keeps your real number private. Blur even generates virtual credit card numbers that decouple online payments from your true identity. The prepaid digital card is funded by your real credit card, but the virtual card's number and associated address are generated by Abine and have nothing to do with you.

Blur is designed to keep you from spreading your information across the web, and Abine's DeleteMe service cleans up what's already out there. For an annual fee, DeleteMe manages the arduous task of removing your personal information from data broker sites, which gather personal information such as your address, phone number, and so on, and make it available online for anyone to search.

According to Abine, public records are the biggest source of data for brokers. The company says that activities that are necessary to functioning in society—say, buying property, registering to vote, and even renewing a driver's license—can create public records that are mined by data brokers. Several brokers also collect information from court records, meaning that an individual's criminal history is potentially for sale.

In Abine's research, the company has seen the price of an individual's information drop dramatically. Peoplefinder, a company Abine considers a data broker, previously sold a basic background check for $40, but that price has now dropped to $20. Basic information, such as old addresses, current addresses, and family connections can be bought for as little as 95 cents. The implication is that this information is so readily available that its inherent value has dropped.

Similar price fluctuations can be seen in personal information for sale on the Dark Web. A report from the security firm Flashpoint showed that stolen bulk data can go for as little as 10 cents per person. The price goes up depending on how much information is available and what kind of person the information represents. The Social Security number of someone with good credit, for instance, can sell for between $60 and $80.

"It's cheaper to buy your personal information in 2018 than [it was in] 2016, sometimes 100 percent cheaper," said Shavell, based on data removed by DeleteMe—which, it should be noted, communicates only with data broker sites that have publicly available information removal mechanisms. There are likely other services that aren't so public-facing that DeleteMe does not engage with. But according to Shavell, DeleteMe found 1,000 pieces of information per person in 2016. By 2018, the service was tracking 1,500 pieces of information.

"That's not a great trend for privacy," said Shavell.

Personal data has value on its own. People, it seems, are willing to spend money to find out the real addresses of other people, or these data brokers would be out of business. But Shavell noted that there's a connection between data brokers and online targeted advertising.

Taking the information from these information brokers and making it useful for advertising is, Shavell explained, an entirely other piece of the business. He describes a "galaxy of companies" that play different roles in connecting user data from a myriad of sources and making it more valuable. The pipeline is familiar to me from my writing about how hackers monetize stolen information. One person might steal millions of records from a website and sell them cheaply to someone else who can add more to them or collate the information more efficiently, and then resell the data for a higher price.

Shavell described a similar arrangement in which data companies buy and sell data, slicing and dicing it in different ways in order to glean something new. "Each one of them has very sophisticated pricing," he said. "The prices go up and down depending on who we are, how recent the information is, whether it's from a mobile device, whether it's from iOS or not, what county you're in, and what you've searched"

One example Shavell gave is LiveRamp, which is owned by Acxiom. "What they specialize in is matching the cookies of where you visit that advertising networks place and matching it to your actual profiles from data brokers." This gives advertisers two critical pieces of information: a person and their intent.

"It's this incredible real-time stock market that combines information of what we're doing on our phones and websites we visit and then matches that to the personal information we've given out about us," said Shavell. The result is ads targeted toward what a theoretically receptive audience, based on information on consumers (that's us) pulled from several different sources.

The LiveRamp service says it can apply unique identifiers to user data: "applying individual-level identity resolution through a privacy-safe, deterministic (exact one-to-one) matching process." The blurb continues, "To ensure the highest level of accuracy, LiveRamp and Acxiom maintain consistent recognition on 98% of U.S. adults and nearly 100% of U.S. households."

Acxiom did not respond to my request for an interview, and I couldn't try out the service for myself. It's an odd feeling since, if the company's statistics are correct, they know who I am.

Each link in the chain gets something out of the arrangement, but Shavell contended that there's something bigger happening here. By avoiding centralization of this information in any one company, the individual companies get their cut, and they also avoid culpability.

"They will tell you that this information is anonymous in their little database, and it's always anonymous, but what these marketplaces do is they allow everyone to claim that their data is anonymous, and matched in a marketplace. It allows every individual company to basically claim that they're innocent when [they're] really completely guilty."

Noticeably missing from the galaxy Shavell described are the titans of the modern internet: Amazon, Facebook, and Google. These companies might seem an odd addition to the list of data companies, but each has enormous insight into what many—perhaps most—people do online.

While Google's most visible product is a search engine, and the company has expanded into just about every facet of modern existence, it has always been an advertising and data company at heart. "When you search, they know exactly what keywords you have, what history of keywords you've used," said Shavell. "They sell those to their ad networks, and people bid on them, and that's where they continue to make most of their money."

Facebook also has enormous reach, thanks to its size and to the captive audience that clicks on links shared in the news feed. Some of the credit also goes to the sites and services Facebook owns, as well as sharing links and buttons that appear on different websites outside Facebook. These can provide telemetry, allowing Facebook to track you even when you're not on a Facebook-owned site.

A 2017 study of 144 million page loads found that 77 percent of all page loads included some kind of tracker. Google was the outright leader, receiving data from 64 percent of page loads. A distant second, but still far ahead of the rest of the competition, was Facebook at 28 percent.

Recommended by Our Editors

Can Security Software Compromise Your Privacy?

Online Data Protection 101: Don't Let Big Tech Get Rich Off Your Info

Amazon, recently the second-ever company to be valued at over a trillion dollars (after Apple), is also looking to expand its reach into the advertising data space. "Amazon is making a lot of investments into ad tech and into becoming a player in this area, when they already have so much information about our ecommerce habits," said Shavell.

Google might know a lot, but its shopping efforts haven't gathered much traction. "Amazon is coming from a very entrenched position and is going to try to use some of the tools that Google is using to expand into this advertising business. That's a little bit nerve-wracking, in the sense that it hasn't really happened before. [Amazon is] the company that knows the most about our buying habits."

Data for Sale

Although the data economy is filled with intermediaries, Shavell reserves special ire for the data broker websites that collate and sell personal information such as phone numbers and addresses. He believes that the solution doesn't lie in products like DeleteMe but with government. "We think there should be more government regulation, not less, in this industry. We work with the FTC and the FCC when we can to make them aware of what we consider to be terrible behavior of these data brokers, and we will help to gather evidence and grassroots support for regulatory reforms that give consumers more power over these data brokers."

To Shavell, data brokers are equivalent to blackmailers. "There's no reason [individuals] shouldn't be able to tell these data brokers to take it down, and there's no reason they should pay DeleteMe." It's notable that the services DeleteMe engages with do, in fact, have mechanisms for individuals to remove their information. The function of DeleteMe is to offload the work, for a fee, to a dedicated staff.

"Regulatory reforms make sure data brokers are getting away with data murder, so to speak, and doing whatever they want. And ultimately, you want regulation to be so strong that [consumers] can do most of this stuff themselves, and services like DeleteMe become less and less necessary."

"Advertising is not evil," Shavell conceded. "But our position is that there need to be boundaries, and consumers need to have control over what information is out there specifically."

As for what individuals can do to protect their privacy, Shavell is surprisingly optimistic. "The more you talk about it, the more daunting it seems," he said, but he adds that individuals can take action to protect their own data. "Just installing an ad blocker and giving out a little bit less information—that stuff does a lot."

Crude Data

Ad targeting and retargeting aren't the only ways to monetize data.

If trackers and exchanges like AppNexus handle the refined, polished, and (allegedly) anonymized, data brokers handle the crude—the raw data, gathered not from Google searches or tracking pixels but aggregated from publicly available sources.

One such data broker has a familiar name: Whitepages. Although the name recalls a book of local phone numbers, the digital incarnation is a different beast. "With comprehensive contact information for over 500 million people including cell phones, the most complete background check data compiled from records in all 50 states, and much more, we're not your traditional white pages directory or phone book," its site reads.

Typing my name into Whitepages pulled up 77 results. I discovered that there was another Max Eddy living in my parents' town, less than a mile away. My grandfather, or rather a misspelling of my grandfather's name, was there, too. It listed his age as 80, although he's been dead for over a decade. I found a Maxwell A. Eddy who apparently lives close to my current address, which might explain why I've been receiving letters from The New York Times addressed to that name for several years.

I showed up under my legal name, along with my current domicile and the last three places I've lived. Next to that are both my siblings, my father, three cousins, and one uncle. To see more information, including my phone number, more previous addresses, and public records (such as arrests), I'd have to pay.

After I paid $1 for a limited trial, Whitepages obligingly delivered a report with my current address, several previous addresses, accurate phone numbers (including the phone number of my parent's home), along with even more relatives and their profile information.

A full background report would include criminal records, traffic records (tickets and such), bankruptcies and foreclosures, a listing of properties purchased in my name, liens and judgments against me, and professional licenses. This last one is interesting in that it apparently includes things like FAA-issued pilots' licenses and concealed-weapons permits. It appeared that Whitepages didn't have any information on me in these categories, but I'd have to pay $19.95 to get the full report and be sure.

I reached out repeatedly to Whitepages for an interview, but after much back and forth, no interview resulted. I also found my information (available at varying price points) on other data broker sites, including Intellius and BeenVerified.

To get an idea of the scope of what data brokers know about me, I asked Abine to provide me with access to its DeleteMe service. For $129 a year, real humans at Abine work to have your personal information removed from data brokers and public record sites. Because Abine looks into other services to find your information, you must, unfortunately, hand over a lot of personal information to Abine. I added my legal name, a few nicknames, my current and former addresses (that I could remember), phone numbers, and so on. I clicked a blue button and waited.

Initial results came back within a few days. Subsequent reports varied but showed that my information was definitely for sale. By July, 30 services were included in my DeleteMe report, and my information appeared on two them. A follow-up report in August showed 28 sites in my report, and my information on 19 of them. Nearly all of the data broker sites had my name, age, past addresses, and family members; some included phone numbers, photos, email addresses, and social media accounts.

Reports from DeleteMe include an indicator that an opt-out request has been sent and a note on how long such an opt-out takes. In some cases, it's instant; in others, it takes weeks. I asked Abine whether my information might appear on these services even after DeleteMe successfully had it removed. The answer was yes, it could.

It's remarkable how much of my personal information was available on these services, and even more remarkable how far back it went. For me, there's an implicit threat to this: Anyone could find it. Wouldn't I want to find out what's there, in case it's truly awful? To even see how much information a service had on me, embarrassing or otherwise, I would have to pay up.

I Don't Know You, but You Know Me

Harrison Tang is the CEO and co-founder of Spokeo, a data broker site similar to Whitepages and one of the sites that has my personal information displayed online. When I search my name on Spokeo, I find my address, my phone number, and much of the same information I found on Whitepages. Spokeo is a bit hipper: It also searches 104 social-media platforms, including Twitter and YouTube, and even dating services such as OKCupid. When I searched, Spokeo claimed it had 14 photos of me, along with nine social networks associated with a personal email address. It would cost me $7.95 to see what this all included.

I wasn't sure what to expect when I spoke with Tang. His office had been surprisingly forthcoming and engaging, unlike other data brokers. But I had a real sense of dread going into the interview—a holdover, I suppose, from seeing so many of my intimate details available for sale on so many websites.

On the phone, Tang was relaxed, and he spoke very deliberately. Right away, he pointed out that his company isn't part of the ad economy that I was asking about. "We're not in the ad industry; we don't sell our data to third parties."

Tang said that the signup process for purchasing information from Spokeo requires customers to declare what they intend to use the information for, and that the company actively screens out data or ad purchasers. The company offers no API to access its information, and it limits customer access to only a web portal and mobile app. "They can't download our data en masse," explained Tang.

When I ask whether Tang would be willing to give me the names of services that do sell data en masse, he politely declined. Rather than advertisers, he said his customers are people and companies trying to find other people—sometimes family members, sometimes for fraud detection.

While the privacy advocates I spoke with described data brokers like Spokeo as the source of personal data online, Tang considers Spokeo to be the end of the pipeline. Spokeo, he explained, aggregates data from more than 12 billion public records, including phonebooks, court records, public social media profiles, historical records, property records, and so on. "All this data, aggregated together. And we organize them into simple, easy-to-understand profiles so people can search connections and know who they're dealing with." Only publicly available data goes into Spokeo, Tang said.

The desire for this information is clearly there, as Tang points out several times that 8 percent of searches online are for first and last names. "Some people call data the third industrial revolution," said Tang. To him, Spokeo as well as Google and Facebook are "people-search companies."

While Spokeo does offer a one-step opt-out, Tang doesn't believe that is a good solution. "People mistake that privacy is about hiding your information, hiding from your world," he said. "We believe privacy is about control—it's about transparency."

According Tang, the future of Spokeo actually sounds remarkably Facebook-like. In the future, he hopes that Spokeo will be a platform where people claim their profiles and edit the available information. Verification that people are who they say they are, Tang conceded, is the biggest challenge. But this approach, said Tang, would put people in control of their information, rather than simply hiding it.

When I hung up the phone after speaking with Tang, I didn't think too much about this new privacy he describes. It sounded like a pipe-dream, the enthusiastic vision of a man who genuinely believes his service helps people. Only months later, when I revisited the interview, the sense of menace crept back in. The implicit threat, I realize, is still there, whether Tang realizes it or not. That future vision is a kind of nonconsensual Facebook, where we have to sign up—or else someone else is in control of our information. Ignore it at your peril.

A Galaxy of Ads

Looking at the data economy, it's hard to find actual bad actors. As weirdly threatening as data brokers are, most do include a mechanism to remove your information. Ad targeting and retargeting, meanwhile, isn't the product of a single company, but a concept that has invaded the foundations of just about every online service you can think of. And all of them get their information from somewhere else, and pass it on to someone else, and make a little bit of money along the way.

Shavell called the data economy a galaxy, and the metaphor is apt. From far enough away, a galaxy is just a single point of light among other lights; get too close, and you see just a lone star. It's only with the proper perspective that the full complexity is visible. And while I can watch the numbers tick up and down on my tracker blocker as I go from site to site, I still don't really know who's watching me, or how the money is flowing. Just that, somehow, it is.

This story first appeared in the ad-free, curated PCMag Digital Edition, available on iOS, Android, and other mobile platforms.

A Conversation with WNYC's Manoush Zomorodi on Digital Privacy