I just heard Eric Hughes give a talk about this and the non-regulatory solution was pretty simple, flood the field with so much bullshit that the data collected is worthless. Sadly most people happily give away their most personal information for "free" email, chat and search engine. I don't think most people are willing to actually pay for the services provided to them in exchange for their detailed personal information, maybe people's opinions will change but I wouldn't bet on it and meaningful regulation written by lobbyists and voted on by octogenarians probably won't happen either.
Do you have any examples of software that currently accomplishes this for any services that are based around user profiles, often tied to a phone number?
Especially for unilateral users of such software? (if I could convince fellow proprietary service-users to use some obfuscating software that generated/filtered a bunch of fake communications, I could just convince them to use Free software instead of the proprietary service)
Any details on that talk or the venue it was presented in? I don't find any likely recent context from a Web search (and Hughes's name is increasingly colliding with others).
That said, effective chaffing is difficult and does little to mask methods used to surveil or profile. It's also highly ineffective against strong-intent signalling such as purchase behaviours, unless someone is willing to buy items of little interest or purchase-and-return with sufficient aggressiveness to likely provoke not only vendor cancellation but fraud or criminal investigation.
Cory Doctorow from a Reddit AMA a couple of years ago on chaffing's ineffectiveness:
Chaffing turns out to be pretty easy to detect, because people aren't random - generating data that is both plausible and doesn't leak anything is really hard.
The most common solution to this from information theory is to broadcast a steady volume of noise that is sometimes mixed with signal: for example, you start a Twitter feed that tweets out exactly 280 characters of random noise every minute. Sometimes, though, you push ciphertexts into that stream. Your counterparty analyzes EVERYTHING you tweet, looking for data that decrypts with their private key and your public key. Adversaries can't tell who you're talking to, nor can they tell when you're talking.
This is much harder to do with something like your web traffic....
And it's even harder with purchase history, postal mail, or phone-call activity.
In practice, the method would be unavailable to much of the public, and of and by itself a strong indication of surveillance interest, much as use of, say, PGP is long reported to be.
