How does the data market profit from your personal information?
The data broker market is a large, global industry. Your average user profile sells cheaply per lookup. Richer profiles (finance, health, real-estate intent) are worth a lot more. You receive none of this. The whole value chain runs downstream of the blind consent you gave in long T&Cs you accept in seconds.
The data broker market rivals the revenues of big consumer brands. It's not some backwater of digital capitalism. It's a whole industry that turns your traces into money.
Here are the numbers. An average user profile is worth only a small amount per lookup for second-tier brokers (Acxiom, LiveRamp, Experian Marketing Services). Some segments show high buying intent: a detected real-estate project, a car purchase about to happen, or health markers guessed from purchase history. There, a richer profile is worth a lot more per targeted lookup.
You receive none of this. The whole value chain runs downstream of your first consent, signed blind in long T&Cs you accept in seconds. A legal framework is meant to bound this industry - GDPR in Europe, CCPA in California, LGPD in Brazil. But it moves more slowly than the cross-device matching that data brokers run.
Have you already been breached without knowing it?
If you have used the same primary email for years, it is very likely in at least one breached database. And if you reuse passwords across services, attackers running credential-stuffing can likely get into at least one of your accounts today.
Have I Been Pwned (Troy Hunt's service) indexes a very large number of exposed records in total. Some well-known mega-leaks have flooded the credential-stuffing market: LinkedIn (2021), Cit0day (2020), the Collection #1-5 dumps (2019), and later copies.
Here is what it means. If you reuse the same password across many services, one of them is almost surely already breached. And an attacker who automates credential stuffing with these dumps can quickly find the other accounts that password opens.
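A defender's check for the reuse problem described above, added here as an example and not taken from the original article. It follows the k-anonymity scheme of the Pwned Passwords range API from Have I Been Pwned, where only the first five hex characters of the SHA-1 hash are sent and the match is done locally. The server reply and the vault contents are constructed sample data so the code runs offline.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_query_parts(password: str) -> tuple[str, str]:
    """Split the hash: only the 5-character prefix would ever leave the machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def breach_count(password: str, range_body: str) -> int:
    """Match our suffix locally against the 'SUFFIX:COUNT' lines returned for a prefix."""
    _, suffix = range_query_parts(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def reused_passwords(vault: dict[str, str]) -> list[list[str]]:
    """Group sites that share one password; one breach exposes the whole group."""
    sites_by_hash = defaultdict(list)
    for site, password in vault.items():
        sites_by_hash[sha1_hex(password)].append(site)
    return sorted(sorted(sites) for sites in sites_by_hash.values() if len(sites) > 1)

def constructed_range_body(breached_password: str, count: int) -> str:
    """Constructed stand-in for the server reply: two decoy suffixes plus one real hit."""
    _, suffix = range_query_parts(breached_password)
    return "\r\n".join(["0" * 35 + ":3", f"{suffix}:{count}", "F" * 35 + ":12"])

# Constructed vault export (sample data, not real credentials)
VAULT = {
    "mail.example": "Summer2019!",
    "shop.example": "Summer2019!",
    "bank.example": "x7#Qp-long-unique-passphrase",
    "forum.example": "Summer2019!",
}

if __name__ == "__main__":
    # A real client fetches one reply per prefix; here a single constructed reply is reused.
    body = constructed_range_body("Summer2019!", 4821)
    for site, pw in VAULT.items():
        prefix, _ = range_query_parts(pw)
        print(site, "prefix sent:", prefix, "breach count:", breach_count(pw, body))
    print("same password on:", reused_passwords(VAULT))
```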
What is the real financial cost of identity theft in 2026?
A resolved identity theft can cost the victim a lot in direct expenses. It also takes many hours of unpaid paperwork over several months. Credit fraud cases tend to cost more still. Later credit rejections and higher insurance premiums add lasting damage that rarely shows up front.
A resolved identity theft usually costs the individual victim on three fronts:
- Direct cost: bank fees, protection services, paperwork, re-creating documents - often a large sum
- Personal time: many hours of unpaid work over several months to fix the incident
- Indirect cost: later credit rejections, higher insurance premiums, and jobs lost to background checks - rarely measured, yet often the most lasting financial hit
Credit fraud cases usually cost even more, and the worst cases stack up several incidents in a row.
Cross-device tracking rebuilds your identity
Ad networks are slowly dropping third-party cookies. But even without them, modern identity graphs mix many signals to rebuild a single cross-device identifier within a few weeks:
- Hashed email (SHA-256) shared between apps and websites via UID2 / ID5 / LiveRamp
- Browser fingerprint (Canvas, WebGL, available fonts, audio context, screen, language, timezone)
- Social-login tracking (one Google or Meta click = universal identifier across the entire ecosystem)
- Reciprocal pixel tracking between partner sites
- Acoustic sound watermarks between TVs and smartphones (technique used by some advertising-effectiveness tracking apps)
Here is the result. Even with a well-set-up VPN, your behaviour stays traceable if you log into services that share signals. The VPN protects your IP, not your behavioural identity. On untrusted networks (public Wi-Fi in cafés, hotels, airports), a VPN plus encrypted DNS is the bare minimum to cut passive collection by the network operator.
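Why the hashed email in the list above still works as a join key, shown as an added example that is not part of the original article. The normalization rules (trim, lowercase, Gmail dots and "+suffix" dropped) are an assumption modeled on what identity vendors commonly publish, and the sites and addresses are constructed.

```python
import hashlib
import base64

def normalize_email(raw: str) -> str:
    """Assumed normalization: trim, lowercase, drop Gmail dots and +suffix."""
    local, _, domain = raw.strip().lower().rpartition("@")
    if domain == "gmail.com":
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"

def hashed_email(raw: str) -> str:
    """Unsalted SHA-256 of the normalized address, base64-encoded."""
    digest = hashlib.sha256(normalize_email(raw).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

# Constructed sign-ups: one person, four unrelated services, different spellings
SIGNUPS = {
    "news-site.example": "Jane.Doe@gmail.com",
    "shop.example": " janedoe+shopping@gmail.com ",
    "fitness-app.example": "JANEDOE@GMAIL.COM",
    "forum.example": "jane.doe@proton.me",
}

def join_by_hash(signups: dict[str, str]) -> dict[str, list[str]]:
    """What an identity graph does: group every service seen under the same hash."""
    graph: dict[str, list[str]] = {}
    for site, email in signups.items():
        graph.setdefault(hashed_email(email), []).append(site)
    return graph

def confirm_guess(candidate: str, observed_hash: str) -> bool:
    """No salt means anyone who already holds an address can recognise its hash."""
    return hashed_email(candidate) == observed_hash

if __name__ == "__main__":
    for token, sites in join_by_hash(SIGNUPS).items():
        print(token[:12] + "...", "->", sorted(sites))
```

The three Gmail spellings collapse into one identifier, so plus-addressing on the same mailbox does not separate the profiles; only the address on a different mailbox yields a distinct hash.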
AI also absorbs your public data
Foundation models (ChatGPT, Claude, Gemini) are trained on huge public web corpora. Your personal blogs, public LinkedIn profiles, Stack Overflow posts, Twitter/X threads, and Reddit posts go into the training data unless you block them.
This doesn't mean models "remember" your exact name, which is usually filtered for uncommon names. But your writing style, technical opinions, and job specialties feed into the model's pooled statistics. For public figures, models can write in their style with uncomfortable accuracy.
The loop closes. Data brokers now buy AI model outputs to enrich their profiles. They pull behavioural and demographic odds that an LLM infers from a first name plus a company plus a city.
The 3 measures that cover 80%
The 2026 Pareto for digital privacy fits in three tools:
1. Audited VPN with system kill switch
Pick a provider whose audits are public and recent (< 24 months) - NordVPN (Cure53 + Deloitte), ProtonVPN (open-source), Mullvad (yearly Cure53). Turn on the kill switch in system mode, not application mode. Cost: $3-5/month on a 2-year plan. Before you finalize, check that your VPN doesn't leak with our complete VPN security audit.
2. Open-source password manager
The Bitwarden free plan is enough for the vast majority of users (E2E cloud sync, audited by Cure53 and Insight Risk). For self-host fans, there is Vaultwarden (Docker). For the most cautious, there is KeePassXC, which stays local-first. Cost: $0-$10/year.
For email, swap Gmail for an E2E zero-knowledge service. That closes the main path for unencrypted data collection. ProtonMail (Switzerland, CERN/MIT) has a free 1 GB plan to get started.
3. Encrypted DNS + anti-tracking filtering
The NextDNS free plan, capped at 300,000 requests/month, is enough for normal use. Quad9 and Cloudflare 1.1.1.1 are no-config options. Cost: $0-$20/year. Step-by-step per browser: DNS over HTTPS - Chrome, Firefox, Edge, Safari setup 2026.
Total digital-privacy stack in 2026: a modest yearly cost. That is far less than the possible cost of an identity theft you failed to prevent. The payback turns positive from the first incident you avoid. For each tool type (VPN, browser, email, messaging, DNS), our complete privacy tools guide covers the audited options by use case.

