When the first phone book was published in 1878, it had only 50 entries, giving subscribers the names of fellow citizens privileged enough to have a telephone. Today, the ultimate privilege is being unlisted — but thanks to a complex ecosystem of online people search services, that’s nearly impossible. People search sites are a perennially controversial feature of the web, from the venerable Whitepages.com to the reviled upstart FamilyTreeNow, which was publicized and widely condemned earlier this year. They’re the perfect example of how scale and searchability can change the meaning of data: the contents of thousands of phone books accessible from anywhere in the world, with an unprecedented level of detail. It makes their data more useful, and more dangerous, than ever before. And after two decades, we still don’t know what to make of them.

“People search site” is a broad term for the dozens of search engines based on public (and sometimes private) data like DMV and court records. Some promise comprehensive criminal histories, others addresses, phone numbers, or familial relationships. Some are free and ad-supported; others charge money to unlock full profiles. Most allow people to remove their profile, although the process often varies. What unites them is the way they assemble data points into a sometimes eerily detailed dossier. Looking up your name can provide a jaunt through your life history, from your first college residence to the apartment you shared with your ex-partner — maybe with the odd roommate or sibling’s name thrown in the mix.

One of the first directory controversies actually involved CD-ROMs, not the internet

The name of a site like Whitepages suggests that people search engines are simply digital phone books, an idea that predates the World Wide Web — in the 1980s, you could look someone’s number up by name, address, and profession in France’s Minitel network. But historically, they’ve got more in common with the expansive credit check systems and other platforms that mined computerized records in the 1990s. One of the first major fights over personal data involved a planned Lotus CD-ROM product called Marketplace: Households, which paired names with addresses, income ranges, and other information. Even at the cost of $695 for the first 5,000 names, it would have democratized the distribution of personal data to an unprecedented — and uncomfortable — extent. Privacy advocates coordinated protest campaigns online, and 30,000 people contacted Lotus to opt out of the database. The outcry was loud enough that Lotus killed the project before it was set to launch in 1991.

When ordinary people got access to online directories in the mid-’90s, though, the response was more ambivalent. While news reports that covered Households warned of identity fraud or junk mail, stories about consumer people search platforms reported things like “playing high-tech Cupid,” as one article put it. People described rediscovering friends they’d lost touch with decades ago. Businesses cropped up to bridge the gap between online tools and non-internet users. The California-based Old Friends Information Services assigned internet-era private investigators to trawl public records, for example, charging $120 for successfully connecting two people.

Early search services weren’t immune to privacy concerns, but some claimed to make a point of vetting their clients. Old Friends got in touch with the subjects of a search and asked for permission before handing over details. A company called Dig Dirt dropped a client when it learned through “back channels” that the subject had a restraining order against him. These services positioned themselves not only as facilitators, but as gatekeepers — a fundamentally different role than the search engine model.

The whack-a-mole game of sending takedown notices has been around for at least 20 years

The consequences for failing in that role could be deadly. In 1999, investigation firm Docusearch provided information to a man who used it to track down a New Hampshire woman named Amy Boyer, shoot her to death, and then kill himself. When Boyer’s mother sued the company, a judge determined that data brokers could be held responsible for disclosing information in certain circumstances, and that “pretexting” — using deception to gather information, as one Docusearch investigator had done — could make them liable for damages. (The family eventually settled for $86,000.)

As University of Maryland law professor Danielle Citron told The Atlantic earlier this year, the decision put some data brokers on notice. At the same time, it was possible to get plenty of public information without any kind of false pretext, at low or no cost. And even in the 1990s, people lamented how difficult it was to hide from people search sites. The whack-a-mole game of removing phone numbers and email addresses from people search sites, familiar to anyone who’s tried to navigate the process, has been an issue for decades.

Our worries about privacy, though, haven’t stopped the people search industry from thriving. Rob Shavell, CEO of online privacy company Abine, estimates that there are over 100 people search sites. The biggest and best-known draw information from myriad public and private records, while others scrape data from them secondhand. Whitepages marketing VP Tom Donlea says that it uses a combination of public data like property or criminal records, paid broker data from sources like mobile carriers, and “proprietary data” that the company has gathered over the past two decades. Donlea declined to give revenue numbers, but he said the vast majority of visitors use Whitepages’ free tier, not its “premium” or business options. The same goes for one of the other major sites, Spokeo. “I can’t give you the exact number” of people who use its paid service versus the free one, says Spokeo CEO Harrison Tang. “But I can tell you that it’s a single[-digit] percentage.”

Both Donlea and Tang insist that the role of people search sites is generally helpful and innocuous. Donlea says the typical non-paying Whitepages.com user is looking up people to send birthday invitations or find a friend while traveling. Spokeo runs a grant program called “Spokeo Angels,” for people who help adopted adults find their birth parents through online search tools.

Tang says that Spokeo screens out anyone demonstrating “fishy activity,” but he was vague on what that constituted and how one might detect it. Some people search sites, including Whitepages, make visitors disclaim that they won’t use the data to perpetrate fraud or invade privacy. For most users, that’s the equivalent of an honor pledge, not a roadblock. The Docusearch case is a reminder that stalking and abuse were always a risk when making personal data easier to find. But as journalist Sarah Jeong writes in The Internet of Garbage, the dangers of “doxing” — posting details like home addresses online, usually to incite abuse — became particularly apparent starting in the mid-‘00s, especially after a massive harassment campaign against writer Kathy Sierra drove her to completely withdraw from the internet.

Donlea says that the focus on people search sites as privacy invaders is misguided. “People fixate on a landline phone or their address, which is important,” he says. “But [for] immediate whereabouts, they really need to pay attention to social media or other aspects of their life as well.” But social media is an affirmative, opt-in process, while people often don’t even know where people search sites are getting their details. And the bigger social networks like Facebook get, the less people search sites can argue that they’re providing a necessary way to reach old friends.

“People fixate on a landline phone or their address ... They really need to pay attention to social media.”

The other problem is that unlike with credit checks, the legal framework for people search engines is fairly threadbare. Pretexting, like that involved in the Docusearch case, was officially banned in 2007. Likewise, the Fair Credit Reporting Act prohibits employers from using people search site data in hiring. Individual states protect the addresses of domestic violence or stalking targets, and California’s version covers posting them online. Beyond that, though, sites’ responsibilities can be hazy. Spokeo narrowly won a Supreme Court victory last year after a man alleged that inaccurate educational and family details had damaged his job prospects. The FTC can punish sites for knowingly providing employee screening data, but if you’re having trouble getting a site to honor your takedown request, you may be out of luck.

Some lawmakers are attempting to directly crack down on people who use personal data for abuse. So-called anti-doxxing laws would ban posting information online if there’s a clear hostile intent — for example, if it appeared on a forum alongside an incitement to harassment. Like California’s confidentiality law, these proposals are good for extreme cases, says Morgan Cordary of the nonprofit Privacy Clearinghouse. “But they don’t necessarily get to the root of the problem, which is that these sites and the webmasters behind them probably should be regulated or held accountable.” They can also raise serious free speech concerns — a Utah anti-doxxing bill was withdrawn for this reason, although an updated version was reintroduced this year.

Ideal laws might be transparency regulations, not crackdowns

The ideal scenario for privacy advocates like Cordary isn’t outright banning people search sites or public record aggregation, although Cordary would prefer that services be opt-in rather than opt-out. It’s passing laws that require them to be transparent and responsive. Marc Rotenberg, president of the Electronic Privacy Information Center, says an ideal law would “give the individual complete access at no cost to any information that company collects or discloses to others.” It would also grant “a right to prevent disclosure to others, compensation for the sale of any information related to the person, and fines if disclosure causes any adverse effect,” including a loss of employment or credit downgrade. “Most countries in Europe follow this approach,” says Rotenberg. This would make it easier to figure out what’s online, codify the right to get it removed, and make anything-goes information-sharing riskier.

But that still leaves the problem of going through sites to remove that information. For now, there are several online guides for navigating removal, as well as services that will take care of the process for you, like Abine’s DeleteMe. (Disclosure: I’m a DeleteMe customer, as are some other Verge staff members.)

Donlea believes Whitepages is just reflecting the modern state of privacy. “Honestly, it’s a much broader discussion around our definition of privacy, right?” he says. “This information is available in so many places that the idea of being able to scrub our information off of the internet is almost preposterous at this point.” That doesn’t seem true for people with enough time or money; you won’t find FamilyTreeNow CEO Dustin Weirich’s phone number on his people search site, for example. But it does suggest that future battles over online privacy may involve making personal details harder to weaponize, not trying to erase them — whether that means increasing penalties for harassment, improving screening and privacy options, or improving our ability to find people who make threats.

Even as people search sites draw criticism, they’re still inarguably useful. For every story about the privacy issues posed by people search engines, there’s a guide to finding the most effective ones. As a journalist, I’ve written pieces that would have been impossible without the ability to track down sources with no online presence. “Unsurprisingly, we use the internet a lot to look for other people, find people, research people,” says Shavell. “In general, we’re social animals.” Back in 1998, The New York Times talked to an executive at Switchboard.com, a people search site that had recently added maps to home address listings. “We were concerned about privacy. Talking to users, we found people were split about wanting maps associated with their own house,” he said. “But they definitely wanted maps of other people's houses.”

But surveys show that people do care about privacy, especially as conversations around government surveillance, coordinated harassment campaigns, and the consequences of having a bad online reputation get louder. “It has become so so much more noticeable, I think. People have started to Google themselves,” says Cordary. “As privacy simply becomes more important, people are going to start to be concerned about what someone can find out about them online.” If anything, it seems clear that they already have.