Optery’s Statement Following Investigative Report on Onerep by Krebs on Security
On March 14, 2024 the security blog Krebs on Security published a blistering investigative report on the personal data removal service Onerep and its CEO. The post went viral as it provided a large body of evidence that Onerep’s CEO is also the founder of the people search site Nuwber and dozens of other people search sites. Krebs on Security also provided evidence that while the company represents itself as Virginia-based, it was founded in and operates out of the country of Belarus.
After tracking the situation ourselves for years, we were glad someone finally assembled the facts so rigorously. It corroborated several of the things we had been pointing out about Onerep since 2021, and that Will McAdam, the late founder of PrivacyDuck, pointed out from 2016 until his death in July 2021. While largely unknown to the general public, Onerep’s affiliations with Nuwber and other people search sites were an open secret inside the data removal industry. Prior to the Krebs on Security post there had been an air of fear about the topic and a reluctance to write about it.
McAdam was the original voice calling attention to the symbiotic relationship and strikingly parallel origins of Onerep and Nuwber. McAdam’s YouTube channel provided videos demonstrating Onerep’s founders were based in Belarus and that when Onerep originally launched, it displayed consumers’ personal information in plain text to the public in a remarkably similar fashion to Nuwber. He documented that the Onerep and Nuwber websites were seemingly mirror images of each other run from the same origin code base.
(Note: The original PrivacyDuck website is no longer operational since Will McAdam’s passing, and another company named Privacy Pros scooped up the expired domain name to harvest the residual SEO traffic. It is unclear who runs the Privacy Pros website today.)
Onerep’s entire website history has been erased from the Internet Archive’s Wayback Machine, and Onerep was able to successfully remove McAdam’s YouTube videos about Onerep by claiming copyright violation. Without McAdam alive and able to defend his work, in 2023 YouTube removed his videos such as this one: https://www.youtube.com/watch?v=faTP4DaT0_w
We highlighted the connection between Onerep and Nuwber in June 2021 in our inaugural blog post, then again in August 2022 in a blog post titled “Data Privacy Double Agents – Can We Trust Onerep, HelloPrivacy, DataSeal and BrandYourself?”, and periodically on social media with comments like this on Hacker News: https://news.ycombinator.com/item?id=39276106. In our Security Professional’s Guide to Choosing Enterprise Data Removal Software, the first criterion we listed is to thoroughly investigate the credibility of each company you consider.
Given the revelations about Onerep, many people are understandably asking themselves, is it even possible to trust a data removal company anymore? And, is it inevitable that data removal companies will partner with data broker sites via mafia-style rackets? Our answer to the first question is Yes, and to the second question is No.
Onerep has been dogged by these allegations since 2016 and that has sometimes caused people to question the entire industry. But Onerep has always been a bit different. One of the big tip-offs that Onerep operated differently was that they openly worked with people search sites such as Nuwber and ClustrMaps as affiliate partners. This is something we highlighted a few times in the past as highly questionable (e.g., https://imgur.com/a/juSC66b). To use an analogy, how would you feel about an anti-virus software company working with the creators and distributors of computer viruses as affiliate partners? They’re just feeding the beast, or perhaps in this case, just feeding themselves.
What’s also incredible about this story is that Mozilla, with its strong brand and cachet in privacy and security circles, chose to partner with Onerep in the first place. The Mozilla Monitor partnership legitimized Onerep and anointed them in the industry as safe. The best way to sum up the collective feeling in the data removal industry when the Mozilla + Onerep partnership was announced was “Unbelievable”.
In an update to the Krebs on Security post, Mozilla was quoted as saying “We were aware of the past affiliations with the entities named in the article and were assured they had ended prior to our work together … We’re now looking into this further. We will always put the privacy and security of our customers first and will provide updates as needed.”
Optery has no dealings similar to Onerep’s, and based on our research and knowledge of the industry, we do not believe the conflicts of interest Brian Krebs highlighted at Onerep are widespread or endemic in the data removal industry.
In the interest of transparency, coordination and communication with the data brokers we cover is sometimes necessary. For example, the data brokers we cover sometimes request that we format our opt-out requests differently so they can process them more efficiently. This has resulted in collegial conversations with some of the data brokers that are more lean-forward on consumer data privacy rights. We welcome these conversations. Another example is the opposite situation, when we have to remind data brokers of their obligations and provide an escalation path to the authorities if they fail to comply. However, this coordination is purely operational and there are no financial strings attached.
It is worth reiterating some of the most relevant points from the Optery Privacy Policy: Optery does not sell or rent personal information to any third parties for any purpose, Optery is not a data broker, Optery does not have any financial relationship with any data broker it covers, and Optery is not affiliated with any data broker.
In closing, our customers are at the center of everything we do at Optery. We value the trust you place in us when signing up for our services, and we take that responsibility and your expectations very seriously.