Thorn built auto-identity-remove to call the bluff of 500+ data brokers who are legally required to honor removal requests but deliberately make the process tedious. The tool automates what is fundamentally a mechanical workflow — filling out forms, sending verification emails — that brokers bank on consumers never completing at scale.
The editorial argues that brokers have weaponized friction as a business strategy, making opt-outs deliberately tedious across different forms, verification steps, and timelines. An open-source tool that automates this process exposes the fact that the core workflow is 'browser automation 101' rather than anything requiring paid intermediaries.
The editorial highlights that services like DeleteMe, Kanary, and Privacy Duck have built real businesses around opt-out pain, but the core submission workflow is mechanical, not magical. auto-identity-remove does what those services do for free with readable source code, potentially undermining an industry built on a $240 billion data broker ecosystem.
Even while championing the open-source tool, the editorial acknowledges that paid services handle ongoing monitoring, re-removal (since brokers often re-list users within 3-6 months), and support for edge cases. The implication is that one-time automated opt-outs may not be sufficient given the adversarial nature of the data broker ecosystem.
A developer named Stephen Thorn published [auto-identity-remove](https://github.com/stephenlthorn/auto-identity-remove), an open-source tool that automates the process of submitting opt-out and data removal requests to over 500 data broker websites. The project surfaced on Hacker News where it collected 308 points — a strong signal that the developer community has been waiting for exactly this kind of tool.
The premise is straightforward: hundreds of companies — Spokeo, BeenVerified, WhitePages, Intelius, and their many subsidiaries — scrape public records, social media, and purchase histories to build detailed personal profiles. They then sell access to those profiles to anyone willing to pay. Most of these brokers are legally required to honor removal requests, but they've made the process deliberately tedious — different forms, different verification steps, different timelines — banking on the fact that almost nobody will follow through across 500 sites.
Thorn's tool calls that bluff at scale.
### The economics of personal data removal are broken
The data broker industry generates an estimated $240 billion annually in the US alone. Services like DeleteMe ($129/year), Kanary ($89/year), and Privacy Duck (up to $500/year) have built real businesses around the simple insight that opting out of data brokers is so painful that people will pay to avoid it. auto-identity-remove does what those services do, for free, with source code you can read.
That's not to say the paid services are worthless — they handle ongoing monitoring, re-removal (brokers often re-list you within 3-6 months), and support for edge cases. But the core opt-out submission workflow is mechanical, not magical. It's filling out forms with your name, sending verification emails, and waiting. That's browser automation 101.
### The technical challenge is real but unglamorous
Automating opt-outs across 500 sites is a fascinating engineering problem precisely because it's so messy. There's no API standard for data removal. Each broker has its own form layout, its own CAPTCHA approach, its own email verification flow, and its own definition of what "removing" your data actually means. Some require postal mail. Some require photo ID. Some have opt-out pages that are intentionally broken.
Building a tool that handles this heterogeneity means maintaining 500 site-specific adapters — essentially a hand-curated database of form selectors, submission endpoints, and verification workflows. This is the same class of problem that web scraping teams at companies like Diffbot and Apify deal with daily: the long tail of web structure is adversarial, and it changes constantly.
The maintenance burden is the real question mark. Data brokers routinely change their opt-out flows — sometimes to comply with new regulations, sometimes specifically to break automated tools. A project like this needs active contributors watching for breakage, or it'll rot within months.
### Community response signals deeper frustration
The 308-point HN score isn't just about one tool. It reflects accumulated frustration from a technical audience that understands both how the data broker ecosystem works and how little power individuals have within it. California's CCPA and the proposed federal American Data Privacy and Protection Act have created legal frameworks for opt-out rights, but the enforcement gap is enormous — the right to opt out is meaningless if exercising it requires 15 hours of manual form-filling across 500 different websites.
Several commenters on HN will inevitably raise the irony: to opt out of data brokers, you often have to provide them with additional personal information (name, email, address) to verify your identity. Thorn's tool presumably handles this, but users need to trust that the tool itself isn't logging or leaking the very data they're trying to protect. Open source helps here — you can audit the code — but most users won't.
### As a personal tool: use it, but set expectations
If you've been meaning to clean up your data broker footprint, this is the lowest-friction entry point available. Clone the repo, configure it with your personal details, and let it run. But understand the limitations:
- Coverage isn't completeness. 500 sites is impressive, but there are estimated 4,000+ data brokers operating in the US. The long tail is brutal. - Removal isn't permanent. Brokers re-acquire your data from public records continuously. You'll need to re-run this periodically — monthly or quarterly. - Some brokers will resist. Expect partial success rates. Automated submissions may get flagged, CAPTCHAs may block runs, and some brokers simply ignore requests until a regulator forces the issue.
### As a technical reference: study the architecture
For anyone building browser automation at scale against heterogeneous targets, this repo is a useful reference implementation. The pattern of site-specific adapters with a common orchestration layer comes up in web scraping, compliance automation, and any domain where you need to interact with hundreds of different web applications programmatically. The challenge of maintaining those adapters against a moving target is instructive — it's a microcosm of the broader fragility problem in web automation.
### As an industry signal: regulation is failing where code succeeds
The existence of tools like auto-identity-remove is an indictment of current privacy regulation. If exercising your legal rights requires either spending $129/year or running an open-source automation tool, the law isn't working as intended. The EU's GDPR, with its "right to erasure" enforced through meaningful fines, has pushed data brokers to be more compliant in Europe. The US is still playing catch-up, and tools like this fill the gap with code where policy has failed.
The durability of this project depends entirely on community maintenance. If it attracts a critical mass of contributors who keep the 500+ site adapters current, it could become the de facto open-source alternative to paid removal services. If it doesn't, it'll join the graveyard of ambitious scraping projects that worked brilliantly for three months. The data broker industry is counting on attrition — both from individuals giving up on opt-outs and from open-source maintainers burning out on adapter updates. Whether auto-identity-remove breaks that pattern depends on whether the 308 HN upvoters turn into 30 active contributors.
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.