Drowning in spam? A study presented at Black Hat USA 2021 examines if sharing your personal information with major companies contributes to the deluge of nuisance emails, texts and phone calls.

Every day my inbox seems to receive more and more spam. Understanding what generates it and how to avoid it is essential in the fight to limit my personal data from being overshared. A team of researchers at Virginia Tech Hume Center have dedicated a significant amount of time to find out if sharing your personal information with major companies causes an unwanted proliferation of spam. Presenting their research at Black Hat USA 2021, Alan Michaels, Director or Electronic Systems, and Kiernan George, Graduate Research Assistant, explained how their experiment unfolded and the conclusions that can be drawn from it.

They, along with a team of 15 undergrad students, created 300 fake profiles that impersonated real consumers with some background data such as street address, typical demographics and, in some instances, a political viewpoint. 150 virtual phone lines were configured to record inbound spam phone calls and text messages. Each identity was used for one single transaction or interaction with a major company and the team then sat back and waited nine months to see what emails, phones calls and text messages were generated from these single interactions and whether companies are sharing or selling personal information.

A whopping 16,346 emails and 3,482 phones calls were generated by the companies involved, the most prolific for email was Fox News accounting for 2,356; it was an election year. Most of the companies did slow down sending spam over time, probably due to the lack of interaction from the recipient as email messages were not opened in regular email programs to avoid further tracking that would indicate an active email address. Topping the phone call ranking was silence, and then the very annoying scam that offers fake car warranties.

There is good news – 290 of the 300 companies appeared not to share personal information with any other party. In some instances, it was apparent that cookie scraping had taken place and preferences had been stolen from the end user and abused by other parties. No malware-laden emails were detected, but the team concluded that the university’s own systems may have deleted them, and thus this part of the experiment is not conclusive.

The study also examined the relationship between privacy policies and actual company behavior, and the conclusion presented suggests that in most cases there was no such relationship. Shockingly, these policies and any linked pages took an average of 46 minutes to read, based on a reading speed of 250 words per minute. And the comment from the presenters suggested that company lawyers and data scientists in organizations appear not to have any relationship. Unfortunately, privacy policy length and readability is a long-standing issue and several organizations have attempted to drive the need to have understandable and short privacy policies; I hope this research will increase legislators’ willingness to tackle this problem, and to simplify this cumbersome and unneeded burden placed on consumers.

Facebook topped the chart of social media companies able to detect fake accounts being setup, either blocking them at setup or within a few weeks. This may, in part, be due to the virtual phone numbers used to create the accounts. WeChat, the China-based social network, did not allow accounts without a Chinese number.

The study showed that when judged against the value of a person’s time, each account generated, over the 9 months of the study, content that would take an average of 90 minutes to process; this does not include the 46 minutes to read the privacy policy. Next time you interact with a service that asks you to create an account, consider using the guest option and saving yourself a whole stack of time that will be wasted on managing the spam that it will create. Do something fun with the 90 minutes reclaimed.

The Virgina Tech research team has produced a white paper that is available from the Black Hat website, and made the data set available on GitHub. An extended research project is underway where they hope to conduct this globally with between 100-150 thousand participant – I know I will be signing up to get involved.

Great research and presentation by the team at Virginia Tech Hume Centre, well done.