It's not that difficult, actually. All data sent over the internet is sent using GET or POST, which basically looks like this:
A sample login:
name=Matt E
password=1234567
A sample registration:
email=matt.e@gmail.com
name=Matt E
password=1234567
Sometimes a website will have "E-Mail" instead of "email," but it's easy for them to interpret this. Since everyone always logins in via email, they probably use someone's email as a user ID, then try to associate information with that email by IP address, and then associate email addresses with SSNs by the data about the person. I told amazon that I am the Matt E who lives at 1234 Something Street, Town, Alabama, and also that my email address is
matt.e@gmail.com (not my real email). I told this forum that my email is
matt.e@gmail.com, and I voted "yes" in that poll asking if I want to support a revolution. Now they know to put me on a low level watch list. It's that easy, so long as they put a tap on the internet, and get SSL private keys. The taps just need to be installed in about 5 different locations, I'd guess. All the servers are in Dallas and Seattle (and a few other places)