It’s a dreadfully annoying thing to receive spam calls every so often, and then have to wonder how in the world the person on the other side got a hold of your personal phone number. No matter what we do, we’ve all been subjected to this torment at some point or another.
However, you may just be shocked to learn about the number of places your phone number could have been before it made its way to whoever it was that last spammed you.
Where did the WhatsApp stranger get the number?
First, Jane questioned the WhatsApp stranger to find out where they got her contact info. Interestingly, the person wasn’t a spammer, just a random woman who was trying to get in touch with Jane with a new pitch for a story. This woman answered that she had bought the phone number from a company called RocketReach, which promises it can instantly get you in touch with any professional via their personal phone number or e-mail.
RocketReach promises to find any professional’s contact info
Where did RocketReach get the number?
Naturally, Jane Wakefield headed over immediately to the mysterious RocketReach company to find out how in the world they had come to sell her private phone number to strangers. She managed to get in touch with the company’s CEO Scott Kim via LinkedIn.
While he did not waste time in promising to remove all of Jane’s personal information from the service’s database, he more or less refused to answer her questions of how RocketReach had actually obtained said info.
The only substantial thing Jane was able to get out of Kim was that it was no longer possible to find out the how, since her profile had been removed. Unsatisfied, the journalist pushed more aggressively, telling the company that she was working on a story about tracking her stolen phone number’s digital footprint. Eventually, RocketReach caved and told her they probably got it through her Twitter feed through a public identity service called Pipl.
So… How did Pipl get the number?
When Jane reached out to the people at Pipl next, the company’s CEO—named Matthew Hertz—replied to her questions with a simple sentence: “The source of the data appears to be Sync.me.”
Where did Sync.me get it, then?
It turned out that Sync.me, this time around, was a caller identification service. Jane filled out a contact form on the company’s website, and they surprisingly replied that they had checked the records and could not find anything on her profile.
However, they added that “We may have mistakenly identified your number in the past as a phone number of a business. However, since we applied GDPR [General Data Protection Regulation] regulations, we removed such numbers from our service.”
Jane’s question, at that point, was: at what stage, if any, did this whole shenanigan become in any way illegal? Certainly it seems wrongful for RocketReach, which obtained her personal info from a database where it is now rendered illicit, to go ahead and sell Jane’s phone number without so much as her knowledge.
When questioned by BBC News, Pipl said that “the information was found in a public source and hence was not treated as private information.” Like the others, it went on to simply claim that it respected people’s rights to privacy—and that was the end of it, apparently.
Following all this, Jane contacted privacy campaign group Noyb, a member of which provided his opinion that the behavior by these companies was wrongful in the way they handled her questions and personal data.
You cannot just answer the person having their data processed by telling them that their data were deleted and pretend that the problem disappears. Saying the data is publicly accessed is not good enough. Just because you put your phone number on a website doesn’t mean that you’re OK for someone to scrape it and put it on a database to be sold.
Rafi Azim-Khan, Data Privacy Head at the Pillsbury law firm, expressed his own disapproval regarding the companies’ dealings:
Even if company ‘A’ has legal grounds to process your personal data, that doesn’t mean that company ‘B’ or ‘C’ does. There is a daisy chain of data being passed along and each business becomes a separate legal controller under the law. If a business got hold of your details and allowed others to contact you in a way you didn’t want to be contacted, that begs the question – is that business compliant with GDPR?
Jane could do nothing further after the whole ordeal except file an official complaint and wait, as she was told by the UK’s Information Commissioner’s Office.
