A not-so-secret dirty little secret is that many of the reputation management agencies also own many of the public records websites that publish mug shots, court records, and so on. When you hire them to remove that information from the internet it puts you into a cycle of being removed from one or two of their website and added to something else.
You end up in a never-ending game of whack-a-mole. Complete with monthly fees.
I can’t give specifics, I know someone who had to deal with “delete me” requests from these “privacy” companies. The privacy company would literally take your personal info (name, email), and _email it to every company they could think of_ asking the company to delete your account _even if you didn’t have one_.
I had a suspicion these services actually do more harm than good, even if they're well intentioned and not actively running a data collection scheme.
But this is really a chicken-egg situation. How do you tell companies to delete your information without telling them what identifies your information? It's in these companies' interest to make this as difficult as possible, so a solution based on data hashes is highly unlikely to appear out of their good will alone. This requires strict regulation and high fines.
There's also the issue of proving ownership of the data requested for deletion. Even in the EU with the GDPR, which is arguably the most progressive data privacy regulation we have, companies routinely violate this by requesting even more personal information from the requester.
Ideally a regulator would intervene, demanding that the data provider prove that each person in their database has explicitly opted in. That should be really easy for these companies -- it's just another record to include in our files. If they can't prove it, they must delete all related data.
And when they autofill that value with 1, because they obviously got all of that data legitimately? Will consumers be asked to prove a negative?
Even test cases will run into data sharing issues.
And when they autofill that value with 1,
amazingly enough the law is more clever than programmers assume it is, and the clever dodges programmers come up with tend to be seen through and just lead to jail time.
Prime Exhibit - https://en.wikipedia.org/wiki/Hans_Reiser
I don't understand how Hans Reiser is an example of this. He was convicted of murder and nothing about his case (that I could find) seems to indicate that he used "clever dodges" to skirt the law.
if one followed the case at the time Reiser seemed very much the stereotype of the really superclever person who figured they were smarter than all those dumb folks who were never going to catch him and it all fell apart real quick.
Then when it fell apart he dropped back to arguing he just looked guilty because he was too smart to look innocent or something https://yro.slashdot.org/story/08/02/23/2218256/hans-reiser-...
https://www.eastbaytimes.com/2010/08/02/review-from-a-report... >He thought he was smarter than everyone else, but ultimately he was not
I see what you mean. There is some nuance to that which wasn't captured in the Wikipedia article or my general awareness of the details about the case.
What does proof look like?
On past projects we've recorded the time the user submitted a from (with a checked consent checkbox), but this doens't feel like rigorous proof.
A scanned signature would work, I think, on a form mailed in by the user. The form would need to be clearly identified as coming from the data broker but could be provided by the company ultimately seeking your data.
Why not just outlaw data brokers entirely?
Because they need them for their stupid election campaigns, surveys and crap like that.
Ah, the evil bit.
actually do more harm than good
I've wondered about this too.
I have a common enough name that about 2/3 of the info data brokers have on me is garbage.
If every data broker could be relied on to faithfully delete my info I would sign up for Optery or Incogni today. I don't, because if even one of those 2/3 is a bad actor I'm just expending effort to clean up their data.
Specifically, the data I don't want them to have.
My impression is that it depends what company you use. I don't really trust them but at the same time, there are a lot of other companies. All I can really say is that Optery will give you a free report with very minimal information and on a test they dug up far more information that I provided (the minimum).
Given that these companies, like Incogni and DeleteMe, are now sponsoring big time YouTubers I'd imagine they are soon going to get a much closer look. At minimum, they are making far more people aware of the situation and data out there. Even though many of the VPNs fall far short of the promises, it is setting a strong signal that people care about privacy and entering the public lexicon is the first step. I hope these can be a catalyst towards more state or federal privacy protection.
When you use these ‘delete me’ services to remove your information from a platform like Dropbox, there’s a hidden catch. These services are often linked to companies that trade in email addresses. By submitting your email for deletion, you might unwittingly end up having it sold to marketers or data brokers, potentially leading to even more spam and unwanted contacts. Or maybe nice target ads … depending who bought your email address
Devil's advocate here, n=1 is just a data point is rarely the whole story. I would assume, but obviously I could be wrong, that the legit ones actually can check if your info exists in a company before they send a take down request. I have no proof of that but it's probably nearly as good as n=1.
Apparently it is also the same service that Mozilla Monitor uses, as per ToS. Big yikes.
https://www.mozilla.org/en-US/about/legal/terms/subscription...
Considering how much Firefox phones home, I daresay Microsoft and Google are more private than Mozilla because they're at least god damn honest about their practices.
I don't understand the logic. They're more private for admitting that they don't respect your privacy?
Microsoft and Google don't even try to hide the fact they will siphon your data, whether you like it or not. You can turn off some of the egregious siphoning, but that's about it.
Mozilla meanwhile claims to be the champion of digital privacy, marketing Firefox as the private browser of choice along with a host of ostensibly privacy products such as VPN, all the while also siphoning data. Turning it all off requires digging deep into about:config.
One group is honest (or at least relatively more so) about what they do. The other entity is a pathological liar led by a queen on Google's leash for controlled opposition purposes. As such, I daresay Microsoft and Google are more private than Mozilla because you know what you sign up for.
"siphoning data" is a pretty bold claim. you can't just type those words without being very specific.
For Google and Microsoft? That's literally their business model.
The other entity is a pathological liar led by a queen on Google's leash for controlled opposition purposes
Oh come on, Baker was around since the Netscape days. You just don't like her cause she was a Suit, and that's fine. But except for a bunch of engineers Netscape had a bunch of Suits. It's not some conspiracy that a Suit is still running things.
This is ridiculous. Firefox doesn't beat around the bush with telemetry and makes this clear when you install a new copy of it to your machine. It also does not require "messing around in about:config", this option is presented to the user in Settings, in plainly stated language and in a central location (unlike other browsers, particularly Edge, and Chrome, with privacy related settings in 40 different drop down menus).
I don't think that's what the word "private" means. It's not the same thing as "honest".
Compare the data. Mozilla may be less honest than Google and Microsoft (a premise I also disagree with), but they are demonstrably harvesting much less data.
God damn honest is maybe slightly exaggerated.
The amount of "phoning home" is not correlated to how bad an app is for the user's privacy.
Microsoft and Google are more private than Mozilla
Having used an app firewall, I have determined this to be false.
That is probably the bigger story right here. Not trusting scammy businesses is easy. Getting fooled by big name like Mozilla a different story.
Mozilla has never been trustworthy. The Mozilla Foundation is probably what most people are confusing it for, the nonprofit that actually cares, but Mozilla the corporation just wants money.
You’re partly right. MoCo only cares about money. MoFo though is/was Mitchell’s political slush fund. TBD how things will shake out once there is a permanent CEO but Mitchell is remaining chair of the foundation. She’s also got really deep ties to how MoCo is funded (google) so it’s likely the new CEO will be her puppet.
They should have definitely done a more thorough due diligence before partnering with them.
In my opinion, this is a failure of due diligence on behalf of the Mozilla Corporation. I'm sure their legal team is jumping into incident response mode right now.
I think this is one of the problems of organisations not doing anything themselves, and offloading responsibility and liability to both external partners.
If you trusted Mozilla Monitor with your personal data, their legal contact information is listed on their terms page: https://www.mozilla.org/en-US/about/legal/terms/subscription...
The same terms page you agreed to which both limited their liability to $500, and granted them indemnification from liability.
You see this a lot these days (though I suppose it's just more visible now). Another example is people selling political t-shirts (many offensive or obnoxious) to both sides of a partisan divide.
In the US, I feel like I only see one side buying merchandise. Especially offensive and obnoxious merchandise.
A few seconds worth of work reveals how false this is. Perhaps it's just that you find one type of merchandise offensive but find the other type pleasant. Perhaps this open bias is coloring your perceptions?
I’m mid 30s, and I don’t recall anytime other than the last 7 years in which I saw people wearing stuff that came anywhere close to “Fuck <president>”. Or chanting it at random non political sporting events with families with children in attendance.
And I don’t see the other party doing anything equivalent, from giant flags on pickup trucks, to roadside merchandise stalls, to pick up truck convoys that harass and bully other candidates on the road…
Don't forget people modding their trucks to roll coal.
I guess the liberal equivalent is driving a Prius or something. Both sides, right..?
Yeah nah, that's some sweet Dark Brandon merch out there.
Guarantee someone's already selling some Jacked Up Joe merch already.
There's always someone selling merch though, a few years back a rather famous/infamous politician in NZ, Winston Peters, came out of left field to win a by-election in the electorate of Northland that the ruling National party government expected to win easy, the same party that had snubbed his offers to work together.
So people started selling "King in the North" t-shirts with ol Winnie photoshopped onto Jon Snow. I, being honest, nearly bought one, because you had to admire his schtick.
So yeah, there's always merch.
But, AFAIK, at least no-one is selling Joe Biden fan art NFTs yet. It's like a double grift.
And obviously Trump loves the merch far more because he gets a cut.
Winnie didn’t show up a few years ago, he was around in the 90’s. He’s like a comic book villain that the writers keep reincarnating.
I'm pretty certain that the other side of your political leaning would say the same thing about your party.
Ask anyone about there political merchandise and they will never see it as just "merch" but as a fundamental truth that is pivotal to there way of life they they feel is being threatened. It's much like calling someone's religious garments or iconography just merchandise and is a very closed minded point of view.
I don’t think that’s bad unless the seller claims to be representing the causes they’re selling for.
They do via their advertising copy, which strongly implies it. The productization of opinion is a Bad Thing in my view, for the simple reason that it becomes profitable to stoke conflict and commercial entities are therefore incentivized to do so.
Elvis’ manager did this with ‘I hate elvis badges’.
It’s not quite comparable though - this is deliberately deceiving a market into acquiring a service they didn’t need, which is basically racketeering.
that merch spam is so damn prevalent on Twitter right now! with hyperpartisanship and emotions so high i often wonder what the profits are like..
This kind of thing feels better left to trusted 1st parties, oneself. Link to a list of data broker opt out methods:https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-Li...
I used Onerep until I was told it was shady. I now use Optery (https://www.optery.com/) which is a YC company. I'd love to hear if there are any issues with it.
The problem is there are 200+ data brokers out there and I don't have time to deal with that many.
Yeah, I saw when they announced on here, I think.
One question: Do you know if they pay the data brokers a percentage?
I have no idea. I hope not.
They submit opt-out removals though, so one would think that if they paid the data broker they would not have to go through that trouble?
Why is it monthly? What happens if you don’t renew?
Yeah I have the same concern. Are there any better options, short of hiring a human secretary, which I don't have the money for?
My first priority is not having my personal info listed on the internet; ethics of where my money is going is second.
Great list!
My first thought was: "why stick all this info in a readme and not some nice json list I could scrape".
I then thought: "maybe I can just have my AI friend scan the readme and do all the opt-out work for me"
has anyone tried the service advertised by the author of the list? Looks interesting / useful. [1]
--
Yeah, I did this, following one of the guides (possibly the one linked in the parent). It definitely worked with the worst of these bottom-feeders: mylife.com
It involved phone call to an Indian call-center. While remaining polite (not easy) but persistent, I had to listen to multiple dumb pitches about their "services". I stuck with it and in the end they removed my name but indicated it "may" come back.
That was in 2018. My name no longer appears when searching their website. I do, however, get MULTIPLE garbage emails per day from mylife indicating "changes" about my profile and that of my family and neighbors.
I have avoided dealing with 3rd parties for this stuff. In addition to the fact that they may, as Krebs indicated, racketeer with the scummy brokers there's ALSO another concern: Some of them PAY the data brokers a percentage of the fees they collect to remove names. The last thing I want is for these bastards to get any money for their activities.
BTW, the founder and CEO of Mylife.com is Jeffrey Tinsley. He appears to have made quite a fortune doing this data-broker shit.
I wonder if there are reputation protection companies that try a different strategy: for every user that requests their service, prop up thousands of fake identities with the user's name, but each with some inconsistent profile that are almost, but not quite, entirely unlike the original user. So if someone search for a person, their search results would be flooded with garbage.
Since it seems very difficult to try to get a leaked identity removed, maybe try to hide a tree in the forest?
The former British prime minister executed a similar technique to hide his scandal by releasing search-engine chaff. He had a press interview where he claimed one of his hobbies was painting miniature red buses, and the scandal he was hiding was false and distateful ads on a (real) red bus as part of a campaign for Brexit.
TIL:
For example, the disaster surrounding London’s new Routemaster city buses disappeared into the depths of the web after Johnson made completely nonsensical statements in the media about building model buses from wine crates. Coverage of these statements triggered a flood of search queries on Google that displaced negative search queries and Google Suggest results related to Boris Johnson.
Research showed that before the wine crate buses interview, 100% of Google Suggest and search results on page one that were displayed in connection with Boris Johnson had negative connotations. After the interview, it was only 20%.
Additionally, when news broke that British Government members had flouted Covid guidelines to meet for wine and cheese during a ‘work meeting’, it was seized upon by the British press as “partygate.” Soon after, Johnson was quoted in interview saying, “I don’t work from home. The cheese will distract you.” As a result, negative coverage of the British Government’s party-gate incidents were glossed over by search suggestions and results, and keywords with negative connotations no longer appeared in Google Suggest prompts.
Source: https://blog.searchmetrics.com/us/cheese-wine-and-whistles-m...
He is a well known proponent of the technique: https://en.wikipedia.org/wiki/Dead_cat_strategy
There is one thing that is absolutely certain about throwing a dead cat on the dining room table – and I don’t mean that people will be outraged, alarmed, disgusted. That is true, but irrelevant. The key point, says my Australian friend, is that everyone will shout, ‘Jeez, mate, there’s a dead cat on the table!’ In other words, they will be talking about the dead cat – the thing you want them to talk about – and they will not be talking about the issue that has been causing you so much grief.
- Boris Johnson
Seems like a variation of starting a war to distract from domestic issues.
"Wag the Dead Cat?"
almost as if the public appreciated the diversion
Reputation management companies do this. It’s normally referred to as “disinformation”.
So on a serious note, we were discussing this in another thread about:
https://news.ycombinator.com/item?id=39698546
and using that to automate the unsub from trackers:
-->
This really needs to be used to make a tool to automate all the "delete my data" requests and have users map out deleting their data/PII etc from data brokers to a git something and people can submit the recipes to delete your personal data.
I just did so on one of the more terrible ones yesterday - and the dark pattern was it would put you in captcha-loops... and youd have to reload/retry several times before stopped asking you firehydrant bus traffic motorcycle crosswalk over and over.
but to save unsub/delete me scripts with this would be nifty.
A recipe bounty would be neat - for example - Optery found me in more PII dbs than I expected - and it would be cool for people to see which brokers they are found in and there is a bounty list for all the brokers people are finding for someone to create a Delete-Me for each thing, so that one hopefully has the help of many to navigate the minefield of dark patterns in such.
Your data is sitting in an unencrypted excel spreadsheet somewhere as it moves between entities. Good luck.
Your best bet is what the government minister mentioned elsewhere in this thread did. Generate noise. So much noise that none of your "PII" is even remotely accurate.
You can't hide, but you can paint an incredibly inaccurate picture.
You can't hide, but you can paint an incredibly inaccurate picture.
How do you reasonably do this? You would have to spend an incredible amount of effort creating fake data everywhere, without having any clue if what you're doing is even working. With new AI tools and technologies it's likely that someone with enough resources and motivation would be able to filter out the signal from the noise anyway.
I currently lean towards just minimizing my digital footprint, and carefully choosing the hardware and software I use. It still takes a lot of effort and sacrifice, and I don't expect this method to be foolproof, but at least it's reasonably manageable. At some point you do have to accept that absolute privacy is impossible in the modern world, even if you shun all technology.
How do you reasonably do this? You would have to spend an incredible amount of effort creating fake data everywhere, without having any clue if what you're doing is even working. With new AI tools and technologies
You answered your own question.
Not really. AI wasn't an option until very recently. How was this managed before?
And even with AI, it would take a considerable amount of effort to flood all public channels with fake data. Do you do this via APIs for every service? Do you generate image and video as well? You would still have no idea whether your efforts are actually working.
Not to mention that using this approach contributes noise to an already noisy medium. Your fight with an imaginary enemy worsens the online experience for everyone else. We have enough junk on the internet as it is.
How was this managed before?
By being rich enough to hire dedicated companies who provide this service. Reputation management it is sometimes called.
Use a different birthday for every service you sign up to, especially the ones like "restaurant wants you to enter details to use their wifi", same for other details that they don't need in order to offer you a service.
Gentle reminder that Mozilla Monitor is just OneRep, albeit marked up for Mozilla Corporation’s profits (yes Mozilla is a for profit, its foundation is not).
Non-profit doesn't mean no profit.
It is nuanced and not really well explained with a hot-take.
How about https://crscpa.com/blog/how-much-profit-can-a-nonprofit-make...
Indusrty connections aside, it's not a good look that thaf the CEO of a privacy company did not register domains with some form of Whois privacy.
Some TLDs prohibit Whois privacy altogether; this stance isn't maintainable globally.
Why? I don’t understand this at all?
It’s largely unnecessary for corporate owned domains. You know who owns it from the website they publish.
Sell the disease, and then sell the cure. Capitalism at its finest!
rent the cure. FTFY.
big pharma entered the chat
Now do DuckDuckGo!
Tell me more
Gabriel Weinberg, DDG's solo-founder, previously co-founded NamesDatabase, acquired in 2006.
Asking as a complete amateur, how do these people databases & privacy companies work? They claim to get personal details, family connections, social media content and even court records etc for not-so-exhorbitant price ($30 per report as ballpark?)
Do they just scam people by compiling whatever is available on search engines? In one or two cases, I have seen them at least giving the house address or family member details right. So there seems to be more at play.
Even without using a paid service, if you know what state someone lives in and can narrow it down to a few potential counties, it's typically not that hard to find someone's address by searching online property tax assessment records which usually expose the full address of the property, the owner's name, and the assessed value.
Same for court/criminal records, marriage records (in some states), etc.
in the same category of "Best of the Internet", my favorite are the sites that claim every person on the planet has an "arrest record found" and you can see those records for $49. Or if you're that person, pay us $99 to remove it.
Well in the US we are on track for that to be true.
But seriously - trading both sides (or, selling protection, as the case may be) is quite a profitable business model.
sigh, i never trusted these sites and it never achieved anything for me.
One redeeming thing about the monetization of the Internet is that these deep web people search sites are generally not free any longer. There was a time when, for free, you could basically search a person who didn't have an especially common name with maybe a couple for tidbits about them and could you find a huge part of their life history and, of course, info like birthdays.
It's like the old days of Ironport. Ironport built a rack-mount spam filtering appliance for business. They also built a rack-mount spam-sending appliance for business. That blew their reputation.
I’m pretty sure Ironport getting bought by Cisco and then Cisco letting their product rot while simultaneously jacking up prices blew Ironport’s reputation. They were excellent appliances before the acquisition.
A bit off-topic, could someone explain how data brokers operate?
I've been involved in the development of B2B SaaS solutions, and there are a few providers, such as ZoomInfo, Apollo, and Clearbit, that greatly assist the sales team in gaining a deeper understanding of customers. It seems that venture capitalists love those businesses.
Has anyone attempted to create similar companies that offer Data as a Service?
Takes one to know one!
Genius. Makes the reason of the demand for his company!
You're fine if a search machine returns zero results about you. Never put your personal information out in the wild. This includes a linkedin profile. I haven't found a solution if you're a business owner but even then try to limit exposure as much as possible.
Good bussiness. He has a duty for profit to his shareholders yadda yadda yadda. Why even complain?
https://xkcd.com/250/ (Snopes)
There really is an XKCD for everything
Dirtbag.
I find it funny when things like these happen, while conspiracy theorists get lambasted for calling out much less nefarious schemes (with evidence), only to be proven right weeks or months later when a "more official" source confirms it after gaslighting them for that period in between.
Worth a mention here -- there's a YC company that submits opt-out requests and seems much less shady than Onerep to me:
(I'm just a user, not associated with them.)
Founder, CEO & Cereal Entrepreneur gunna do what they do best.
What's the best way to feed them fake data?
Prostitution is not the oldest profession. Racketeering probably is. Probably started with the most basic form: giving your food to Ugg to pay him to stop his brother Grug from punching you.
Aka taxation!
I'm pretty sure you can tell the difference between the two.
Banditry is when the baddies drop by periodically to demand a portion of your labor on threat of violence. Government is when they don’t leave.
the last guy who stole an Amazon box off my porch didn't put up a school for my kids, the road in front of my house, help the homeless guy I gave my second burger to the other day get out of the cold, make sure the water out of my tap didn't kill me, etc
Many large drug cartels pay for schools, give out food to the poor, and control some forms of crime to increase public support or at least prevent their protest.
Once organized crime gets big enough, it's really difficult to distinguish from a weak government.
Sure and many feudal warlords grew the same way but at some point the Castle decayed away and became a tourist destination and what was left behind was the community and governance.
Once organized crime gets really big, it stops being crime and persists on organization alone.
I agree, but I would argue that the label of "crime" is mostly semantics. The violence (or at least the threat of violence) of the crimes still persists, but whoever is the most powerful group gets to change the label of their violence from "crime" to "law enforcement".
We call those "paragovernamental organizations", for obvious reasons.
If they get too powerful, we just drop the "para" on that name.
Yeah, there is a huge difference between opportunist petty thiefs and organized crime bosses.
Of course, he left.
Paying money so you don’t get roughed up looks pretty much the same whether it’s a bandit or a king doing it.
Here in the US there aren't a lot of kings, but if you have the fortune of living in a commonwealth nation, you're free to get rid of yours.
Unless you're in the UK, though, King Charles is not exactly asking for anything from you.
Professional bullying
It’s racketeering
this seems to fit the definition.
In many cases, the potential problem may be caused by the same party that offers to solve it, but that fact may be concealed, with the intent to engender continual patronage.
https://en.wikipedia.org/wiki/Racketeering
See also https://en.m.wikipedia.org/wiki/Worldcoin
Lol those orbs! Oddly, Worldcoin's main exchange is Binance which stopped doing business in USA so I couldn't get a bag. Up almost 10x. Not bad for a sphere that proves "personhood". With AI making actual people vs machine created more difficult to discern, it may have evermore applications.
From "The Sopranos", Patsy and Burt failed extortion attempt at "Starbucks", https://www.youtube.com/watch?v=_Gsz7Gu6agA
I always loved that scene. The times, they are a-changin
It's been going on for years https://www.theguardian.com/technology/2018/jun/12/mugshot-e...
Watch these vultures frame it as clever vertical integration.
They control the supply (the sites with your info) and the demand (the sites you can go through to request it get taken down)
/s, obviously
The lesson for the modern ago. Don't put stuff into digital form if you want privacy!
Some places don't allow use of smart phone. They actually ask you check your phone into a coat check type thing at door! One journalist friend often leaves the smart phone at home.
Never did.
It wasn't paranoia it was a healthy dose of "if this is possible, someone is doing it"
Turned out they in fact were doing it.
More like : If it is not explicitly illegal and aggressively enforced by someone, a business will attempt it, regardless of whether it makes money or not.
Everything else is fair game apparently.
This sets a terrible precedent. For most, a phone is all or a combination of; house keys, car keys, bank cards, medical records, photo albums, etc. Giving all that up to a stranger (albeit behind a passcode) is a step backwards in security and privacy. An alternative that I have witnessed is places place your phone in a lockable bag that you then carry with you. They unlock the bag when you exit.
More theatre performances are doing this now.
Cabaret at the Kit Kat club in London places a sticker over any camera lens. The Burnt City, an immersive theatrical experience, makes you place your phone in a pouch that is then sealed with a tamper evident fastening before you enter the venue.
This lesson can't be bashed into children enough.
Related, proofpoint is notorious for this as well. They will block your mail server without cause, forcing you through their process of delisting.
Pay and your problems magically go away. Proofpoint was consistently the only block hit.
Tbf putting up cash is a great signal for 'not a spammer'.
Not really it's just a cost of doing business and if paying that cost "legitimizes" you then the ROI is probably significant.
True, but not the only method. You’d be surprised how many spammers drop with greylisting enabled.
That sounds like credit bureaus.
You know, those entities that hoover up any and all info on you, that you cannot opt out of, maintain information whether its accurate or not and refuse to delete obviously erroneous data, then release it *all* to the world by being extremely poor stewards of said data, then charging you for credit monitoring for the rest of your life, since your immutable info just got shared with assholes.
Guess who owns most/all of the credit monitoring entities?
Edit: typo...words are hard.
Luckily you can mail them a permanent opt out for most of that stuff. IIRC, it removes your name from the searchable list of info 3rd parties use for marketing.
Additionally, if you haven't, freeze your credit at all bureaus including LexisNexis.
I've frozen all of mine, because thanks to Equifax, I don't have a choice.
I wish you good luck opting out. I'm not talking about what the law says, I'm talking about how they act.
Technically, you can dispute incorrect info. What that dispute amounts to is the bureau asking the entity if it's accurate. No proof needed. If they say it's accurate, then you're stuck with it, until you jump through many, many more hoops.
Isn't this just a white-hat/black-hat hacker dynamic, except in this case the latter is legal?
Well, both hats ostensibly are at least doing real work (finding vulnerabilities).
Beyond about 150 people (and sometimes well below that number) reputation ceases to be an even loose correlate of character and becomes, instead, a platform through which the influential extort the rest in order to stay on top.