LAS VEGAS - Unsolicited e-mails, text messages, and phone calls from each website or online service you have an account with are wasting 90 minutes of your time a year, Virginia Tech researchers announced earlier this week at the presented at the Black Hat conference on information security here earlier this week.

In other words, if you're signing up for 30 online services (which is not uncommon), you're wasting almost two days worth of time each year.

Alan Michaels and Kiernan George of Virginia Tech's Hume Center for National Security Technology wanted to know how personal information is used and abused on the Internet. [So, with the help of 15 undergraduates, they created 300 fake personas and registered each persona with just one well-known brand or company website. (Some websites had multiple personas registered.)

The websites included those of online retailers, political organizations, news organizations, fast food chains, dating services, hotels, social media, and software and technology companies. For example, the "Ds" were Delta Air Lines, The Denver Post, DonaldJTrump.com, Domino's Pizza, Dunkin Donuts, Discord, Dollar Tree, and the Democratic Congressional Campaign Committee.

The researchers then spent nine months observing how many emails, texts, and phone calls the fake personas received and whether the unique personal data provided by each fake persona passed to third parties.

What was striking was the number of messages the online service sent to registered users. [This is by far the largest number of messages among the 188 online services for which the fake personas registered: on November 3, 2020, the day of the U.S. presidential election, Fox News sent 44 messages, or about one every 33 minutes.

In second place was direct sales site Wish, which sent 658 emails to account holders during a nine-month test period. The most text messages were from the Family Research Council, a conservative political group: 42 over the nine-month period. Right behind it was GoDaddy.com, a registrar and host of web domains, with 38 emails.

But the biggest time waster overall was PlayerAuctions.com, a website where fans of multiplayer online games buy and sell in-game items.

Assuming it takes five minutes to listen to a voicemail message, one minute to read a text message, and 15 seconds to skim an email, a PlayerAuctions account holder would spend 1,226 minutes, or 20 hours or so, to digest all the information received over the nine months. or 20 hours to digest all the information received over a nine-month period.

Delta Air Lines came in second for time wasted, spending 622 minutes (a little over 10 hours) of the account holder's time; Fox News came in third, wasting 582 minutes.

Personas were carefully crafted to be unique yet average and not linked to real people. Names were randomly generated and user mugshots were generated by the website This Person Does Not Exist. Addresses were created using real streets in real towns and cities, but no street numbers existed.

Persona age, ethnicity, place of residence, and political affiliation were distributed to reflect the demographic makeup of the United States.

The only fake personas that were authentic were 150 "borrowed" phone numbers, which were used when requested by the account during new user registration. This allowed half of the fake personas to be called or emailed by online services.

The persona provided all personal information requested when creating the online account. Personas provided all personal information requested when creating their online accounts. They did not use or further interact with the account and did not respond to texts, phone calls, or emails.

Some of the fake personas created browsing histories intended to be politically conservative or politically liberal. Other personas made financial transactions to make themselves appear more authentic.

However, creating fake accounts on Amazon, Facebook, and Google was difficult, especially involving renting phone numbers. Six of the eight attempts to create a Facebook account were immediately rejected, and the remaining two were flagged as fake a few days later. On the other hand, some Chinese social media websites only accepted phone numbers within China.

Of the 188 companies whose websites were registered, about 30 were foreign companies, ranging from Canada's Hudson's Bay department store to Russian Internet giant Yandex.

However, the researchers found that "there do not appear to be significant differences between foreign and domestic firms in terms of the number and frequency of emails sent, expressed interest in the election results, or privacy policies."

Somewhat surprising good news: personal information was shared far less than the researchers expected: of the 300 fake personas, only 10 had their email addresses passed on to third parties.

Also, there were zero malicious attachments to emails sent to registered users of the website, although there were tracking cookies embedded in email attachments.

"Respected companies generally do not share personally identifiable information," Michaels observed.

However, personal information provided to Twitter went to the Republican Party, while information provided to Ticktock went to the Democratic Party.

"The composition of these accounts and the seeding of their political identities suggest that the sharing occurred through cookie tracking and altered browser history," states a white paper on the study authored by Michaels and George.

Phone numbers were likely shared more than email addresses, but the researchers could not give an exact number because many phone numbers had previously been "rented" by others.

In addition, random number dialing by telemarketers and robocallers muddied the waters.

The biggest difference the researchers saw was party affiliation. Republican and conservative websites were more aggressive in reaching registered users than Democratic and liberal websites.

Fake personas created with very distinct political leanings received twice as many emails and 12 times as many texts from Republicans than Democrats, but about the same number of phone calls.

"We found that accounts signed up with Republican organizations received far more SMS texts than those signed up with Democratic organizations," the researchers' white paper states.

Interestingly, the number of emails and phone calls from Democratic groups dropped sharply about a month before the presidential election, and "Biden's traffic nearly stopped," the white paper notes.

The researchers attribute this to the fact that as the election approached, Democratic candidate Joe Biden solidified his lead in the polls, while the Trump campaign continued to fight from the bottom. [Michaels and George plan to continue their research with more personas and new phone number providers. They also saw the number of messages sent by many companies to registered users decrease over time.

"Lack of recipient activity is often a clear indicator of a ghost account, which influenced our study," Michaels said.

George and Michaels' Black Hat presentation slides can be found here.