Surfshark’s Incogni has taken on at least two ICE enforcement agents as clients, acting against ICE List on their behalf. In both cases, the agents in question had shared all information themselves, information that was then amplified on our website.

Last month, March, Incogni sent ICE List a deletion request invoking California’s Consumer Privacy Act, GDPR and other acts and laws that we are not in breach of on behalf of one of the agents. Unprompted, in the body of the same letter, it disclosed three home addresses to ICE List, the entity they accused of sharing the personal details of. We have never shared the addresses of agents, despite being accused of doing so by the U.S. government on a number of occasions, however, the privacy protection company has now crossed that red line that we refused to touch.

The privacy company shared home addresses to an entity they believe puts the privacy of their clients at risk, a monumentally stupid move. We have our standards, and will not share these addresses publicly. It seems that our standards keep Incogni’s customers better protected than the company they had entrusted with their private data.

At every step where the agent’s privacy was actually at stake, ICE List acted in his interest. Incogni did not. It is unbelievably clear that the privacy of their customers is not important to the company, despite charging a monthly fee to protect the very data they shared with us.

What ICE List is, and what it isn’t

ICE List documents named federal enforcement agents acting in their official capacity. Profiles are built from publicly available sources, overwhelmingly the agents’ own LinkedIn presence, and corroborated against independent sources before publication. We do not share data that is entirely “private”. We do not share data with brokers, and we hold no user logs whatsoever. Privacy for our volunteers is far more important than any profit we could take from sharing data with companies who actively trade data.

ICE List does not publish home addresses, it never has and never will. The addresses Incogni transmitted were not used, not retained as part of any profile, and have never appeared on the site. As you can see at the beginning of this piece, we have redacted the addresses here too, it will never be our policy to share these addresses.

ICE List is not a data broker, it is a journalistic effort to record the activities of the U.S. ruling regime’s private police force. The privacy frameworks Incogni invokes were written, in significant part, to protect activity exactly like it.

Incogni invokes Section 1798.105 of the CCPA and the CPRA. Three problems.

The CCPA only governs “businesses” as defined in Section 1798.140, for-profit entities meeting specific revenue or data-volume thresholds. ICE List is a non-profit public-interest journalism project. The statute does not reach it, even if we operated within the jurisdiction that the statute applied to.

The CCPA expressly excludes from “personal information” anything “lawfully made available to the general public by the consumer or from widely distributed media.” The bulk of the material on the profiles in question are derived from publicly distributed sources, including their own LinkedIn presence. Incogni is asking ICE List to delete information the statute does not classify as protected. The LinkedIn profiles in question also remain online.

Section 1798.105(d)(4) provides that a business need not comply with a deletion request where the information is necessary to “exercise or ensure the right of another consumer to exercise that consumer’s right of free speech.” Journalism documenting state enforcement agents is exactly that.

Incogni also invokes the GDPR but cites no specific provision under it. Every Member State implementation of the GDPR, including under Article 85, contains a journalism and freedom-of-expression carve-out. The Court of Justice of the European Union’s ‘Buivids’ judgment confirms those carve-outs are not limited to traditional newsrooms.

The legal architecture Incogni cites is the architecture that defeats Incogni’s request.

“Not a public figure”

I was struck by a specific claim in Incogni’s letter:

The information on the webpage is about our client’s personal life, and, since our client is not a public figure, there’s no public interest to have it available publicly.

In US First Amendment doctrine, public officials and government employees acting in their official capacity, and law enforcement officers in particular, are subject to a substantially reduced expectation of privacy in respect of their official conduct. Under European public-interest journalism doctrine, government enforcement agents are precisely the category of subject whose documentation the journalism exemptions are written to protect.

There is no recognised legal framework, in any jurisdiction Incogni operates in, under which a serving federal enforcement agent is a private individual whose role is shielded from public-interest journalism. Incogni is not making a legal argument. It is making a marketing argument: that anyone who pays for privacy is entitled to it, and that the public has no standing to know who is enforcing US immigration law against them.

The wider question for everyone else who pays Incogni

These agents paid for a service that, in the course of asserting his privacy, disclosed three of his home addresses to a publication that did not ask for them, to demand a takedown that had already happened, on grounds the cited statute does not support, against a recipient the cited statute does not reach.

He is the only party to this dispute who has been actively failed by Incogni. He hired the privacy company. The privacy company exposed him. The journalism outlet honoured the request his privacy company was trying to enforce, faster and more cleanly than the privacy company managed to ask for it.

There is no review at the start of Incogni’s pipeline, no check that the recipient is a CCPA-covered business, no check that the information falls within the statute’s protected categories, no check that the journalism exemption applies, no check that the data Incogni is itself transmitting is the minimum necessary to identify the data subject. There is no review at the end of the pipeline either — no check that the page they are demanding be removed still exists. What sits in between is a billing system.

That raises a question that does not depend on Aslam’s role or the merits of his case. How often does Incogni transmit client identifying information, names, home addresses, locations, unprompted, to the targets of removal requests issued on those clients’ behalf? How often does Incogni send statutory threats for actions that have already been taken? Is any human reading the requests before they go out, or the responses before reminders go out, or the underlying state of the page before deadlines are asserted?

Surfshark sells privacy as a brand. Incogni is one of its products. Anyone who has paid Incogni to remove their data from circulation has reason to want answers on the record.

What we are calling on Incogni and Surfshark to do

1. Disclose, on the record, whether transmitting client identifying details to third parties in the course of removal requests is documented practice.

2. Disclose, on the record, what review, if any, Incogni applies before issuing statutory threats on behalf of clients.

3. End service to any client identifiable as serving ICE in an enforcement capacity.

4. Publish a clear, public policy on government-agent clientele.

Incogni made a choice, they didn’t have to

Privacy, in any serious sense, is a shield for the public against power, not a service that power buys to shield itself from the public.

Incogni can continue taking money from federal enforcement agents seeking to scrub their public footprint, or it can act in line with the values its marketing claims.

It cannot do both.