My Experience with PrivacyBot

Several people forwarded me a new site called PrivacyBot which claims to automate various online data removal requests per the California Consumer Privacy Act (CCPA). This would technically only be beneficial to California residents, but let’s wait to discuss that. This activity has always interested me because I have yet to find any reliable way to automate this process. I jumped in, but immediately had issues which prevented me from using their automated service.

Their software requires you to clone their Github code, activate a virtual Python environment, install all dependencies, and launch the app via Terminal. I had no issues there. I then realized that PrivacyBot forces you to authorize a Gmail account and send all sensitive data (and followup interactions) through Google. That was a deal-breaker for me and anyone else who wants to remove data associated with a non-Gmail account. However, there is still much value within this project.

My biggest concern is that the project encourages users to send their name, email, home address, DOB, phone number, and other sensitive details over non-encrypted (Gmail) email to hundreds of data-mining services. I find this to be reckless unless you are absolutely confident that this information is already present within all of these sites. During my own manual process, I encourage people to identify the details present within a site and provide ONLY that information. This new automated process blindly sends all information to hundreds of companies, which can be easily abused. However, I played along.

I abandoned the self-install requirements and took a manual approach. PrivacyBot is simply automating the process of sending emails to 471 accounts associated with various people search websites. I don’t need a Gmail account to do that. Further, the content of their automated emails is visible within their open-source code. Therefore, I conducted the following.

First, I created a new email alias and composed a new message. I did this through Protonmail, but any email provider would work. Note that free Protonmail accounts have a message send limit which would prevent this, so you may need to break the emails up over a few days. I created a new unique address in order to prevent spam from hitting my primary accounts. I also created a rule which forwarded any incoming email to that address into a new folder (optional).

I then BCC’d the 471 email addresses into a new email. For simplicity, I have copied all of these addresses from the PrivacyBot code at https://inteltechniques.com/data/privacybot.txt. I included the following in the body of the email.


I wish to exercise my rights under the California Consumer Privacy Act (CCPA). I request that your business complies with the following requests which are granted to me by the CCPA:

Right to Delete
Right to not sell my information

My details are:
Name: Michael Bazzell
Email: (My new email address)
Former Addresses: (Two old addresses which are publicly visible all over the web)
Current Address: 7101 South Central, Los Angeles, CA 90001-9999

Please remove any stored information about me within your systems. Please let me know if you have any questions. In the case that no email or user name information exists in your records, under the CCPA the above information can only be used for verification purposes and you may not collect it.


The Los Angeles address is the General Delivery USPS option for the greater LA area. It is legal to use this address for incoming packages if you are not a California resident. I believe this COULD pacify the requirements to qualify for the California Consumer Privacy Act (CCPA), however, your mileage may vary. I immediately received over a hundred automated messages confirming that my request was received. I then waited for replies.

The problems:

Most of the requests simply responded with directions for an online opt-out process. This accomplished nothing and I had to return to the manual process described in my workbook.

Many services only query the email address provided within their records. Since this was a new account, I received dozens of “we have no records about you” responses. I never provide a valid personal address for these requests, so that did not help.

Many services generated a new customer account portal for my address and asked me to log in to their services in order to complete the tasks. This returns us to a manual process. There is value in this, but I caution people on providing their true Gmail account. In my experience, whatever email you provide to them will be abused later with spam (hence the new email account I created which can be deleted).

Over fifty responses required additional information, all of which could have been better executed with a manual deletion request.

I have now sent my personal details via email to numerous websites which likely possessed no information about me. If (when) one of these companies suffers a data breach and their emails are published online, my data is exposed. I knew this going in, but I present it here for serious consideration. Manually removing these entries through various opt-out portals does not leave a permanent email trace which will be exposed eventually.

I have received emails from three people asking me to try PrivacyBot. All three of them believed that submitting the request was a one-time task and that all of their data was removed without any other requirements. This false sense of privacy may lead many users to think they no longer need to identify and remove information still present.

Successes:

Only twenty services responded that they had removed any information from their site. This is a “win”, but such a small number compared to the 471 submissions.

Summary:

This is an extremely ambitious project and I am impressed with the amount of work put into it. The list of email addresses is most valuable to me. Any time people explore new possibilities with online privacy, we all win. For that, I thank the team who made this tool. However, it simply can not replace the manual removal process at this time. I have hopes that this initial release turns into something which we can all use to reclaim our privacy later, but it currently generates more work with followup emails when an online submission would have been enough the first time around. For now, I believe the manual removal process is a better way to go. For those who are dedicated to extreme privacy, the direct email method explained in this post might be an appropriate compliment to the manual removal process. Many hardcore readers may think this is an awful violation of operational security. I respect both.

Any automated process, including paid premium services which remove some content, can never complete the process as well as you can yourself.