How FamilyTreeNow Makes Stalking Easy

Last week, Anna Brittain, a young-adult author based in Birmingham, Alabama, got a surprising text from her sister. As a part of a routine search for her own internet footprint—Brittain’s sister works at a child-advocacy center—she had entered her own name into the genealogy site FamilyTreeNow she’d just read about on Facebook. Something unusual popped up: Her niece, Brittain’s kids, were listed as her “associates.”

Brittain was rattled. Her sister’s profession puts her at risk of retaliation, and Brittain didn’t want her young kids to be put in harm’s way, too. She followed a labyrinthine set of steps to remove her and her husband’s profiles from the website, and tweeted out instructions for others to do the same.

By the next morning, the first tweet in her thread had been retweeted more than 3,000 times. Replies ranged from disbelief to anger, as other users urged their friends and family to opt out, too. The site’s profile-removal tool soon buckled under the weight of the traffic, leaving people to send manual removal requests through the website’s contact form.

(I reached out to FamilyTreeNow through its website, and to its founder, Dustin Weirich, whose contact information I found on Whitepages.com—Weirich appears to have removed his information from FamilyTreeNow since Brittain’s tweets went viral—but I didn’t receive a response.)

But even those who were able to opt out of FamilyTreeNow were only barely less visible online than they were before. Trying to scrub your identity from the internet is like trying to drain a bucket of water with an eyedropper, while a dripping faucet slowly fills it back up again.

MyFamilyTree is just one site in an extensive web of online services that compile, store, and sell (or give away) personal data. It bills itself as a genealogy research site—a free, less powerful version of the dominant Ancestry.com service—that allows people to search for their family members and assemble detailed family trees. But there are dozens of general people-search sites out there, like Whitepages.com and Spokeo, that serve up personal information to anyone with some free time and a few bucks to spend.

Most of these sites are powered by large, shadowy data brokers without publicly accessible search features, which track the personal data of millions of people. Add in public information like birth, marriage, arrest, and court records, and incredibly detailed profiles begin to emerge.

There are legal limits on how people can use information gleaned from these sites—they can’t be used to evaluate a job candidate, for example, or to stalk someone—but there are few actual safeguards in place to keep a user from doing just that.

On people-search sites, a few clicks (and sometimes a small payment) will unlock information on just about anybody. All you need to know is a name—if it’s a common one, another detail like state or age will help narrow the search—and you’ll get back that person’s age, phone numbers, email addresses, current and past home addresses, as well as their family members and “associates,” which can include more distant relatives or roommates. (These details can lay bare the details to common security questions, like “What street did you grow up on?” and “What’s your mother’s maiden name?”)

Another small payment will buy you a background check that searches for the person’s criminal history, court records, properties, business licenses, and other details. Most sites let you perform reverse searches, too: Enter a phone number or email address and you can see who owns it.

If all this readily accessible personal information makes you uncomfortable, by all means, try to remove your records. It’s rarely as easy as it sounds: There’s no legal requirement for brokers to accept or honor requests for removal, and many go out of their way to make it difficult, if they make it possible at all.

In 2014, the journalist Julia Angwin tried to remove her information from the databases of every data broker and people-search engine she could find. Of the 212 brokers she came across, fewer than half allowed her to opt out at all, and most of those required her to submit identification, like a driver’s license. Twenty-four of the brokers required opt-outs to be mailed or faxed in.

I asked Tom Donlea, a spokesperson for Whitepages, what happens when people submit opt-out requests to his company. He said that people who ask for their information to be removed will no longer show up in search results on both the free and the paid “Premium” site, but that the record will remain available for its “Pro” business subscribers. (Companies that pay to access Whitepages Pro can use it to automatically verify information about customers, and prevent fraudulent sign-ups that use fake addresses or contact information.)

Few protections exist to prevent publicly available records from being abused. Data brokers don’t consider themselves to be credit reporting agencies, which means they can’t be used for screening potential employees or tenants. (Credit reporting agencies like the “Big Three” credit bureaus are subject to a law called the Fair Credit Reporting Act, or FCRA, which places limits on how they can collect and use personal information.) But beyond including language in their terms of use warning people not to use their service for those ends, there’s little sites like Whitepages.com or Spokeo can do to keep people from using them for unauthorized purposes.

Companies rarely get in trouble if someone the uses personal information they sell in an unauthorized way, creating a “Wild West” where data brokers and people-search engines aren’t closely regulated, says Danielle Citron, a law professor at the University of Maryland and the author of Hate Crimes in Cyberspace. “There are businesses that from low to high, small to big, that don’t care about FCRA,” Citron said. “They are scofflaws.”

In 2012, Spokeo paid $800,000 to settle a Federal Trade Commission lawsuit that alleged the company violated FCRA. The FTC said that Spokeo advertised its records-search services as a way for human-resources departments to “explore beyond the resume” and learn more about potential employees: a service that should only be offered by credit-reporting agencies. In 2010, the lawsuit alleged, Spokeo changed its terms of service to clarify that it’s not a credit-reporting agency, and that users shouldn’t use the site for vetting candidates—but it didn’t revoke or restrict HR departments’ access to its database.

Spokeo, like most other big people-search websites, now includes language on its website warning users not to use their service for FCRA purposes. But while the FTC lawsuit may have made those sites more vigilant about keeping large HR departments from using their service, individuals can still use them in illicit ways with little worry of getting in trouble.

When I asked Donlea, the Whitepages spokesperson, about some of the ways consumers use Whitepages Premium—which surfaces criminal, court, and bankruptcy records, for $30 a month—he said it might be used to investigate a child’s fourth-grade teacher, or a new nanny who’s looking after the kids. I asked him if researching the nanny would violate FCRA if, for example, a parent decided to fire (or not to hire) the nanny based on a criminal history that Whitepages helps unearth. “We don’t think so,” Donlea replied. He emphasized that Whitepages “cannot be used for credit decisions and hiring,” but said running a background check on someone who will care for your children is okay.

Under FCRA, credit-reporting agencies have an obligation to maintain accurate records, and have to launch an investigation if a consumer says their own report has errors. But since people-search websites don’t consider themselves to be credit-reporting agencies, they often don’t include a way for users to submit corrections or edits about their own personal information. Donlea says Whitepages doesn’t allow people to submit changes to their own profiles.

The prospect of an overzealous recruiter or parent misusing people-search sites is worrying enough. But the services, overflowing with readily available contact information, also make it easier than ever to stalk others.

In cases of harassment, stalking, or abuse, it’s not always easy to know where a perpetrator got a victim’s information. But in one unusually well documented case, details obtained from a people-search website led a killer straight to his mark.

In 1999, a stalker shot and killed 20-year-old Amy Boyer, a woman with whom he had become obsessed since attending high school with her. Liam Youens paid Docusearch about $150 for information about Boyer, including her Social Security number and her work address. He kept notes about his intentions on a public website before eventually fatally shooting her and then himself.

“It’s accually obsene what you can find out about a person on the internet,” Youens had written on his site, which was rife with misspellings, as he searched for details about Boyer online. “I’m waiting for the results.”

After Boyer’s mother sued Docusearch for invasions of privacy and wrongful death, New Hampshire’s Supreme Court ruled in 2003 that data brokers have a legal duty to the people whose information they sell. “It was groundbreaking,” Citron said of the Docusearch case. “It said, ‘Hey, data brokers, you should be forewarned that your business model puts people at risk for stalking and harassment and murder, because you’re trafficking in personal information.’” The company settled the lawsuit for $85,000.

Since the Docusearch case, the landscape for data brokers has shifted. The New Hampshire Supreme Court’s decision opened data brokers up to new forms of liability, and in 2007, a new federal law banned “pretexting”—the practice of approaching someone under false pretenses to obtain personal information—which is how Docusearch obtained Boyer’s work address.

But it’s still easy—perhaps easier than ever—to quickly find information online about just about anyone. Preventing every instance of abuse is “virtually impossible,” said Donlea. He said that 55 million unique visitors use the free Whitepages service every month, but wouldn’t reveal how many users pay for access to Whitepages Premium. “With that volume of visitors, we do our best to make sure we’re only offering up landline telephone numbers and addresses” to users who don’t pay for Premium, Donlea said.

Ultimately, it may be just too simple to look up someone’s personal information, Citron says. “Are there enough speed bumps? I think the answer is that there aren’t enough,” she said.

When I signed up for Whitepages Premium, I agreed to its terms of service, which includes a short section on abuse:

You will not use the Services in a manner that may cause emotional or physical harm to anyone, or to stalk, threaten, defame, libel, or otherwise harass another person. You may not use the Services for the furtherance of any criminal activity, including fraud and identity theft, or in the violation of anyone person’s privacy rights.

Then, before I ran my first search, I was asked why I was using the site. I chose “general research,” and wasn’t bugged any further. As I pulled out my wallet to pay for a full background check on myself, Whitepages assured me that my request would be “100% PRIVATE: Kaveh will never be notified of this search.”

And with those small speedbumps behind me, I was left to browse the sordid details of my past in peace.