Jake, you explained it all very well. The path to information makes very good sense.
I was stuck on the fact that the use of Grace's whole first name isn't on Social Security, IRS Taxes, Marriage License, Driver's License, etc. But it is on Catholic church & school records. That church can find anyone. My old Catholic grade school found my current address, so why can't hers know stuff too? (Although her parish is long gone, the archdiocese surely has the records.)
Pinning a 1950's female with "Marie" in her name to a Catholic church is easy, so that gives someone a direction in which to search for records. In Catholic grade schools, it was easy to figure out which girls belonged to the Catholic church. In my multi-ethnic Catholic school, we had Catholic, Jewish, Islamic students and kids from various Christian denominations- as well as non Abrahamic faith children. The Catholic girls all had Marie or Mary in their names. I think it was a law or something. (Oh yeah- And they all had at least 6 siblings...)
Grace's city of birth is Highland Park which is a separate city inside Detroit. Highland Park certainly has her whole name from birth records. I've heard of data leak notices from that city more than once. So her stuff is certainly out there somewhere, as well as at Highland Park & Wayne County data banks.
You used one key word: "Genealogy".
I asked Grace if she ever searched around on an ancestry site using her real first name. She said sure. (Makes sense) She also searches by both her married last name and her original last name. And she's searched with my name & her short name. I'm sure the ancestry sites, as well as Google are more than happy to sell what they find out.
Studying what you said above, Jake, here's my take on one path to invasion:
An ancestry site can link her real, full name & her short name to our IP address. They can also link her original & married last names to our IP address. They can link my name to the same IP address. My phone can link my name to the same IP address. Since AT&T knows my phone & hers (in my name) are at the same address, they have a match. If I picture all the above laid out on pieces of paper, it is easy to draw a line connecting the papers.
You also mentioned AARP. She is a member, but with her short first name. They have her address & our house phone number, but don't have her cell phone number. They know she is over 50 (to join up), but haven't been specifically given her birthdate by us.
Any hospital or doctor she has dealt with surely has her short name, age and address- another link in the chain-of-privacy. In the US, health care providers are required to comply with HIPPA privacy laws, so supposedly none of that is shared. Supposedly. (Check out openpaymentsdata.cms.gov Doctors are more than willing to accept money for other than healthcare reasons.)
So, when we add up what you said, along with what is in the paragraphs above, and consider how things can be narrowed down (as exemplified by Panopticlick) the snooping business is easier than I thought it was. My phone gets a lot of random texts for odd stuff, so your mention of that they might win sounds right. Maybe a dozen other people got the same "Grace-Marie we can sell you Medicare insurance..." text. It probably doesn't cost them anything to have the computer send the texts to many people.
Here, however, is the icing on the link-it-all-together cake:
Today MY phone number got a text message saying "Grace-Marie it's time to pick a Medicare Supplement Plan. Call us to ..." The names "Grace" and "Marie" appear no where on my phone or computer. These entities are mighty good a linking stuff together. Personally, I'd use those talents to get a real job.
So, in retrospect we would have been way better off sticking with two-tin-cans-and-a-string phones. They worked great when we were kids.
On the bright side, Grace doesn't have to be terribly concerned wth keeping her phone number private 'cause is sure ain't working!