Every email address you type into a signup form enters a supply chain. Your name, phone number, browsing habits, and physical address get packaged, priced, and sold to anyone willing to pay. Synthetic identities are one way to stop feeding that pipeline with real information.
The Supply Chain Nobody Told You About
The transaction feels simple. You hand a website your email address. The website gives you access to a service. Fair trade. Except it isn't, because your email address doesn't stay with that service.
Within hours, sometimes minutes, your data enters a pipeline. The service shares it with analytics partners. Those analytics partners share it with advertising platforms. The advertising platforms share it with data brokers. The brokers aggregate your email with everything else they've collected from dozens of other sources: public records, other signups, social media profiles, purchase histories, location data from your phone.
The result is a dossier. Not a vague demographic segment, but a profile specific enough to include your name, home address, email, phone number, estimated income, recent purchases, health interests, political leanings, and the names of your family members. These profiles sell for between $0.005 and $0.50 per record in bulk, depending on depth and recency. A 2024 report from the Vermont Attorney General's office identified over 120 registered data brokers operating in just that one state.
The numbers are impersonal. The reality is not. Someone, probably hundreds of someones, holds a file on you compiled without ever meeting you. They sell it to marketers, insurance underwriters, background check services, private investigators, or anyone else with a credit card and a mailing address for the invoice.
If this sounds paranoid, check for yourself. Have I Been Pwned will show you how many data breaches your email address has appeared in. Most people with accounts older than a decade are in double digits. That number doesn't include data broker acquisitions, which are legal and never get reported as breaches.
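The same check can be scripted. This sketch uses the public shape of the Have I Been Pwned v3 `breachedaccount` endpoint, which requires an API key; the endpoint path and header name here follow the public HIBP documentation, but treat the whole thing as illustrative rather than production code.

```python
# Sketch: counting known breaches for one address via the HIBP v3 API.
# Requires an API key from haveibeenpwned.com; a 404 response means the
# address was not found in any breach.
import json
import urllib.error
import urllib.parse
import urllib.request

API_ROOT = "https://haveibeenpwned.com/api/v3"

def parse_breach_names(body: str) -> list:
    """Extract breach names from the JSON array HIBP returns."""
    return [entry["Name"] for entry in json.loads(body)]

def breach_count(email: str, api_key: str) -> int:
    """Return how many known breaches contain this email address."""
    url = f"{API_ROOT}/breachedaccount/{urllib.parse.quote(email)}"
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,
        "user-agent": "breach-audit-sketch",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return len(parse_breach_names(resp.read().decode()))
    except urllib.error.HTTPError as err:
        if err.code == 404:   # not present in any indexed breach
            return 0
        raise
```

Running this against a decade-old address typically returns the double-digit count the paragraph above describes.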
What They Actually Know
The detail level varies by broker, but the largest players maintain profiles that would unsettle most people if they could see them.
Acxiom, one of the largest data brokers globally, claims to hold records on over 2.5 billion consumers across 60 countries. Their product documentation describes segmentation capabilities that include household income estimates, vehicle ownership, magazine subscription history, charitable donation patterns, and "life event triggers" like recent home purchases or the arrival of a new child.
Datalogix, now owned by Oracle, built its entire business on connecting online advertising exposure to offline purchases. You saw an ad for a particular brand of coffee. You then bought that brand at a grocery store using a loyalty card. Datalogix could connect those two events. The company processed purchase data from over $2 trillion in consumer spending annually before the Oracle acquisition.
LexisNexis Risk Solutions compiles records from over 10,000 data sources and maintains files on more than 283 million unique consumers in the US alone. Their parent company RELX Group reported over £8.5 billion in revenue for 2023, a significant portion derived from selling access to personal information databases. Anyone who has applied for insurance, rented a flat, or undergone a background check almost certainly has a LexisNexis file whether they know it or not.
Smaller brokers specialise. Some focus on health data scraped from forums and app usage patterns. Some aggregate arrest records and court filings. Some track location data from mobile apps that users forgot they installed three years ago. The fragmentation doesn't reduce the problem. It makes it harder to know who has what.
Breaches Make It Permanent
Data that enters the broker pipeline is already difficult to retract. Data that gets breached is impossible to retract.
The 2017 Equifax breach exposed the personal information of 147 million Americans: names, Social Security numbers, birth dates, addresses, and in some cases driver's licence numbers. That data didn't appear on one forum and stay there. It got copied, repackaged, combined with other breach datasets, and resold across dozens of underground marketplaces. Seven years later, the same information still circulates.
AT&T's 2024 disclosure revealed that call and text metadata for nearly all of its 110 million wireless customers had been accessed. Not the content of calls. The metadata: who called whom, when, for how long. That's enough to map social networks, identify relationships, and infer patterns of behaviour that most people would consider deeply private.
The MOVEit vulnerability (CVE-2023-34362) compromised data across more than 2,500 organisations in mid-2023, hitting government agencies, healthcare providers, and financial institutions simultaneously. A single supply chain vulnerability in a file transfer tool that most employees at those organisations had never heard of. The scale demonstrated something the security community had been arguing for years: even organisations that invest seriously in defence can be caught by a vulnerability buried three layers deep in their vendor stack.
Each breach adds permanence to data that was supposed to be ephemeral. You might stop using a service. You might delete your account. The information you provided during signup is still sitting in a compromised database, and no amount of account deletion changes that fact.
What Doesn't Actually Work
Cookie consent banners don't protect your privacy. Clicking "reject all" stops some tracking cookies from being placed on your device. It does absolutely nothing to prevent the company from sharing the email address, phone number, and name you typed into their signup form. The cookie banner is compliance theatre: it addresses the letter of the regulation while leaving the actual data supply chain completely intact.
Do Not Track headers were abandoned by every major browser. The fact that DNT became a joke is worth sitting with for a moment. A standard designed to let users signal that they didn't want to be tracked was ignored by the entire advertising industry without consequence. The W3C working group gave up on it. Apple removed the feature from Safari in 2019. The lasting contribution of Do Not Track was proving that voluntary compliance is not a privacy strategy.
Data broker opt-out forms exist, but they're designed to be painful. Each broker runs its own process. Some require postal mail. Some require uploading a photo of your government ID to verify your identity, which means handing a data broker more personal information in order to ask them to delete the personal information they already have. And opting out from one broker doesn't affect the other 119 in Vermont alone, let alone the thousands operating without registration requirements internationally.
Privacy legislation helps at the margins. GDPR gives EU residents the right to request data deletion, and companies do comply, eventually. CCPA offers similar rights to California residents. But exercising those rights requires knowing who has your data, which is the actual problem. You can't send a deletion request to a broker you don't know exists.
What Actually Reduces Exposure
No single tool solves the problem. A combination of approaches can reduce the volume of real data entering the pipeline significantly.
Email aliasing services like SimpleLogin, AnonAddy, and Apple's Hide My Email generate unique forwarding addresses for each service you use. If one address gets compromised or sold, you disable it without affecting anything else. The approach works well for services you trust enough to use long-term but want compartmentalised from each other.
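The model behind all of these services fits in a few lines: one unique forwarding address per signup, each individually disableable. The class and domain names below are illustrative, not any provider's actual API.

```python
# Sketch of the per-service alias model: mint one address per signup,
# burn it independently if it leaks. Names are illustrative only.
import secrets

class AliasBook:
    def __init__(self, real_address, domain="alias.example"):
        self.real_address = real_address
        self.domain = domain
        self.aliases = {}  # alias -> {"service": ..., "active": ...}

    def create(self, service):
        """Mint a unique forwarding address for one service."""
        alias = f"{service}.{secrets.token_hex(4)}@{self.domain}"
        self.aliases[alias] = {"service": service, "active": True}
        return alias

    def disable(self, alias):
        """Kill one alias (sold or breached) without touching the rest."""
        self.aliases[alias]["active"] = False

    def deliver(self, alias):
        """Forward mail only while the alias is still active."""
        entry = self.aliases.get(alias)
        if entry and entry["active"]:
            return self.real_address  # forward to the real inbox
        return None                   # drop silently

book = AliasBook("me@real.example")
newsletter = book.create("newsletter")
shop = book.create("shop")
book.disable(newsletter)              # the newsletter sold the address
assert book.deliver(newsletter) is None
assert book.deliver(shop) == "me@real.example"
```

The point of the model is the blast radius: burning one alias costs you nothing except that one relationship, which is exactly what makes per-service addresses practical at scale.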
VPNs mask your IP address and location data, removing one data point from the profiles brokers build. They don't affect information you actively provide during signup, but they reduce passive collection from advertising trackers and analytics platforms. Mullvad, Proton VPN, and IVPN are generally regarded as trustworthy by the privacy research community.
Browser-level protections address passive tracking. Firefox's Enhanced Tracking Protection, Brave's built-in blocking, and extensions like uBlock Origin reduce the behavioural data that advertising networks collect. Effective at limiting passive surveillance. Does nothing about the data you actively type into forms.
The gap in all of these approaches is the same: they address passive data collection but not the information you actively provide during account creation. Name, email, phone number, address. The data you type into signup forms feeds the broker pipeline most directly, and no ad blocker or VPN prevents you from typing it.
The Synthetic Identity Approach
This is where synthetic identities close the gap. Instead of providing real personal information to a service you don't trust, you provide generated information that belongs to nobody.
A tool like Another.IO gives you a complete synthetic persona: name, email address with a working inbox, phone number, physical address, date of birth. All internally consistent, all country-appropriate, none of it connected to a real person. The service gets the data it demands during signup. The data broker pipeline gets fed a fictional profile. Your real information stays outside the system entirely.
The working email inbox is what makes this practical rather than theoretical. Without it, you couldn't complete verification flows, receive password resets, or handle two-factor codes. With it, the synthetic identity functions as a genuine account from the service's perspective. You use the service normally. The only difference is that the personal information backing the account is fictional.
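"Internally consistent" is the load-bearing phrase, and a toy sketch shows what it means: every field derives from the same generated facts, so the profile doesn't contradict itself. A real tool like Another.IO adds working inboxes and far richer country-appropriate data; this only illustrates the principle, and every name and number pool here is invented.

```python
# Toy illustration of internal consistency: the email and phone format
# derive from the same generated facts (British-style names get a
# UK-style mobile number). Purely a sketch; pools are invented.
import random

FIRST = ["Oliver", "Amelia", "Harry", "Isla", "George", "Freya"]
LAST = ["Walker", "Hughes", "Bennett", "Doyle", "Murray", "Clarke"]

def synthetic_persona(seed=None):
    rng = random.Random(seed)
    first, last = rng.choice(FIRST), rng.choice(LAST)
    birth_year = rng.randint(1970, 2002)
    return {
        "name": f"{first} {last}",
        # Derived from the name, so the profile is self-consistent.
        "email": f"{first.lower()}.{last.lower()}{birth_year % 100:02d}"
                 "@inbox.example",
        # UK-style mobile number (07 + nine digits), matching the name pool.
        "phone": "07" + "".join(str(rng.randint(0, 9)) for _ in range(9)),
        "birth_year": birth_year,
    }

persona = synthetic_persona(seed=7)
assert persona["name"].split()[0].lower() in persona["email"]
```

A profile whose email contradicts its name, or whose phone number doesn't match its country, trips basic validation; consistency is what lets the synthetic identity pass as a genuine account.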
The approach scales naturally. Keep a bookmarked synthetic identity for low-trust services you use regularly. Generate fresh identities for one-off signups and free trials. Reserve your real information for services where legal compliance or genuine trust justifies it. Over time, the number of services holding your actual data shrinks to a manageable, auditable set.
Building the Habit
The practical shift is small, but the exposure arithmetic changes significantly. Before creating any new account, ask one question: does this service actually need real personal information to function?
Banking, medical services, government portals, and employers obviously need real data. A recipe website demanding your full name and phone number before showing you a pasta recipe does not. A SaaS tool that requires a complete profile before letting you see the dashboard probably doesn't either.
For everything in the second category, a synthetic identity works. Generate one. Use the email address for the signup. If the service turns out to be worth keeping, decide later whether to migrate to real information. If it doesn't, abandon the profile and move on. The service keeps its signup metrics. You keep your data out of the supply chain.
One practical starting point: audit the accounts you already have. Export the list from your password manager. Count how many services hold your real email address. The number is usually higher than anyone expects, and each entry represents a node in the broker network where your real information sits. Past signups can't be undone, but every future signup can use synthetic data instead.
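The audit itself is a few lines of scripting once you have the export. Password managers use different CSV column names (Bitwarden exports use `login_username`, for instance), so the column name below is a parameter, not a standard.

```python
# Sketch of the audit step: count how many saved logins use your real
# email address. Pass the username column name your manager's CSV uses.
import csv
import io

def count_real_email(csv_text, real_email, username_col="login_username"):
    """Count rows whose username column matches the real address."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return sum(
        1 for row in reader
        if (row.get(username_col) or "").strip().lower() == real_email.lower()
    )

export = """name,login_username
Recipe Site,me@real.example
Bank,me@real.example
Forum,alias.9f2c@alias.example
"""
assert count_real_email(export, "me@real.example") == 2
```

Each match is one more service holding your real address; the synthetic entries and aliases are the ones already outside the pipeline.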
The compounding effect matters. Every account created with a synthetic identity is one fewer data point entering the broker pipeline, one fewer email address surfacing in the next breach, one fewer phone number sitting in a marketing database. Over years of online activity, the difference between feeding the system with real data and feeding it with fictional data is the difference between being fully profiled and being functionally invisible.