The stakes for identity theft protection and data removal services are personal, yet the marketing is almost universally overblown. Every service claims to monitor the dark web. Every service promises to remove your data from hundreds of brokers. The differences that actually matter — how fast alerts arrive, how completely brokers are removed, how useful the service is when something actually goes wrong — rarely appear in a feature comparison table.
Finding those differences requires more than reading a brochure. Since 2018, Security.org has been enrolling in these services with real personal information, running real data removal requests, and tracking the results over time. This page explains exactly how we do that for identity theft protection services and data removal services.
How We Approach Privacy Products and Services
Testing identity and privacy products requires a different kind of commitment than reviewing a security camera or a VPN. You can’t evaluate an identity theft protection service over a weekend. Alert timing, broker removal persistence, and restoration support quality only reveal themselves over weeks and months of active monitoring. That’s the timeline we work on.
We enroll using real accounts with real personal data instead of running simulations. When we submit opt-out requests to data brokers, we track whether those requests are honored, how long they take, and whether the data reappears after removal. Similarly, we use real credentials and measure real response times when testing identity monitoring alerts.
Advertisers have no input into how we score or rank products and we don’t accept payment for positive reviews. Instead, we earn affiliate commissions when readers purchase through our links, but that has no bearing on our ratings. If a service doesn’t perform, we say so — even if it’s one of the biggest names in the category.
How We Review Identity Theft Protection Services
Identity theft protection is one of the few product categories where you hope you never have to use it. However, the quality of a service only becomes clear when something goes wrong — and by then, it’s too late to switch. We stress-test every layer of these services so you don’t have to find out the hard way.
1. Identity Monitoring and Alert Speed
We enroll in each service using our real personal data, including our name, address, date of birth, Social Security number, email address, phone number, and at least one financial account. Then, we monitor how quickly the service detects and alerts us to changes across credit bureaus, dark web sources, and public records. We measure alert delivery time from the moment a change is detectable to the moment a notification reaches our phone or inbox, and we run this across a minimum of five monitored data types per service. Anything over 24 hours for a high-priority alert gets flagged.
2. Credit Monitoring
We assess whether the service monitors one, two, or all three major credit bureaus (Equifax, Experian, and TransUnion). Then, we verify this by requesting a hard inquiry on a monitored account and measure how long it takes for the alert to arrive. We also evaluate the depth of the credit reporting included, including whether it surfaces new accounts, address changes, and credit score fluctuations, and how clearly that information is presented in the dashboard.
3. Dark Web Monitoring
For services with dark web monitoring, we verify what it scans for and determine how it communicates findings. That includes assessing whether monitoring covers email addresses, SSNs, phone numbers, financial account numbers, and medical IDs, or only a subset of those. We also assess whether alerts include actionable guidance — what to do next — or simply notify you that your information was found and leave it at that.
4. Identity Restoration Support
To assess support response quality, we contact each service’s restoration team through every available channel — phone, chat, and in-app — and present a consistent set of scenarios. Then, we measure first-response time and the clarity of the guidance provided. We also assess whether agents are trained on what to do after your identity is stolen for specific theft types (tax fraud, medical identity theft, synthetic identity fraud) or only general cases. Restoration support is one of the most consequential factors in our scoring, because it’s the part that matters most when things go wrong.
5. Insurance Coverage
We read the full insurance policy, not just the headline coverage amount. That allows us to note the specifics of what is and isn’t covered, including: whether lost wages, legal fees, and fraudulent withdrawals are included, whether the coverage applies to pre-existing theft events, and what the documentation requirements are to file a claim. Coverage amounts that sound impressive often come with exclusions that significantly limit real-world payout, and we flag those discrepancies.
6. Pricing and Plan Structure
We evaluate individual and family plan pricing at each tier and calculate the true annual cost including renewal rates. That cuts through the introductory discounts that most services offer. We also note which monitoring features, such as three-bureau credit monitoring or Social Security number alerts, are gated behind higher-tier plans and assess whether the price difference is justified by what you gain.
How We Review Data Removal Services
Data brokers collect and sell your personal information without your knowledge or consent. Data removal services exist to get that information taken down. Whether they actually do that consistently, thoroughly, and over time is what our testing is designed to find out.
1. Broker Coverage and Scan Depth
We verify the number of data brokers each service actually monitors against its advertised count by cross-referencing the broker list with known aggregators and people-search sites. To see the scan depth, we run an initial scan using a consistent personal profile. We record how many brokers return results, how many the service flags for removal, and how long the initial scan takes to complete.
2. Removal Request Execution
We submit custom opt-out requests through the service to a minimum of 20 brokers. Two weeks after submission, we independently verify the removal of our information by manually checking each broker’s database. We record how many removals are confirmed, how many require follow-up requests, and how many are not honored at all. Essentially, we treat all removal claims as unverified until we confirm them ourselves.
3. Re-Aggregation Monitoring
Removing your information is not a one-time event. Brokers frequently re-aggregate removed information from new sources. That’s why we measure how quickly services catch and re-submit removal requests when that happens. We monitor each service for a minimum of 90 days after the initial removal round and track how many records reappear and how long it takes the service to flag and address them.
4. Dashboard and Reporting
A service that does the work but doesn’t show you what it’s doing offers no accountability. We evaluate how clearly each service reports which brokers have been contacted, which removals are pending, which are confirmed, and which have failed. During this process, we flag dashboards that are vague, incomplete, or designed to look active without communicating real progress.
5. Manual vs. Automated Removal
Some services submit automated opt-out requests on your behalf. Others use human agents to complete the process manually, which is often more effective with brokers that require documentation or phone-based verification. We note which approach each service uses and assess whether automated-only services achieve comparable removal rates to manual or hybrid approaches on the brokers that matter most.
6. Pricing and Value
We calculate annual cost at each plan tier and assess whether the number of brokers covered, the removal rate we observed, and the quality of the monitoring justify the price. We note whether a free scan is available before purchase, whether family plans offer meaningful savings, and whether the service can be canceled without penalty if it underperforms. In our study of data removal service usage, we found pricing is a major consideration for most consumers.
How We Score Products
Identity and privacy products are harder to score than most because performance is measured over time, not in a single session. Our SecurityScore accounts for that. Every service receives a score out of 10 built from weighted criteria that stay consistent within each product category. That means every identity theft protection service is measured against every other by the same standards, and the same goes for data removal services. Criteria include monitoring coverage, alert speed, restoration or removal effectiveness, ease of use, and value.
Because these products change — services add brokers, restructure plans, and update their monitoring infrastructure — we revisit and update scores on a regular basis. A score reflects performance as of the most recent evaluation, not at the time of first publication. To see a full breakdown of how SecurityScores are calculated across every product category we cover, visit our SecurityScore page.
Who Does the Testing
Our identity and privacy reviews are written by Security.org researchers and editors who specialize in identity theft, data privacy, and digital safety. We even have dedicated identity theft experts on staff. Collectively, our team of 20+ security experts has logged over 25,000 hours of research and testing across 12 product categories since 2018. This is a category where the details matter enormously and the consequences of a bad recommendation are real. We take that seriously.
Questions about our process or our findings? Reach us at info@security.org.