Ask HN: Have you ever been contacted to sell your user's information?
My friend who runs a student service with a couple thousand users was contacted today over Facebook with an offer for his user's emails:
"It's for an event newsletter. Won't say we got it from you."
This ask really bothered me, both from an ethics and pragmatic standpoint. Which got me thinking about the scandals and pressure larger companies, especially ones that are failing or have failed encounter with their user data. At non trivial quantities or certain domains this data must get extremely valuable. Combine this with the increasing likelihood that developers have access to production services and I was left feeling a little uneasy.
Have you ever been contacted as an employee/founder with an offer for your user's data?
What happens to user's data when companies die? Is it purged, sold off, dormant?
42 comments
[ 6.1 ms ] story [ 93.5 ms ] threadWith that said, this issue recently came up with Radio Shack and how they were planning to sell off their customer data.
This is OK in 3 scenarios I can think offhand: 1) A company collects personal/contact information on behalf of another and is upfront about this at collection 2) A company contacts their list asking if these people would like to share their information with a company 3) Permission to sell information is in the T&C on sign-up of the original company.
If one of these 3 is not covered I image companies should purge data if the business closes. Option 2 would be good for companies that are looking for a cash bump on the way out.
At a financial level I see a bunch of people with lists in the 10's of thousands and they are surprised how little it is worth. To earn a western level income from a contact list you'd likely need a hundred thousand plus of contacts assuming a typical consumer audience and reasonable response rates. Lists are worth significantly more for specific hard to reach groups like CTO's or surgeons etc. For me these would be 15x what I pay against a standard consumer list as a massive generalisation.
Also aren't the FTC's Fair Information Practices just recommendations with no consequences for violating?
http://www.cnil.fr/english/data-protection/rights-and-obliga...
Practically, if you operate a service in France, you need to have 2 checkboxes at user creation:
* I accept to receive commercial informations and advertising from the service
* I accept to receive commercial informations and advertising from third parties
If you don't have the checkboxes or the user unchecked, no sharing.
http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/m...
http://www.legislation.gov.uk/uksi/2003/2426/regulation/30/m...
Judges range in how they feel about these complaints, generally you won't be able to claim just for the time they've wasted, you'll have to justify why you have suffered damages. Extreme cases are different, if they're truly wasting huge amounts of your time, but the occasional email is unlikely to be enough for wasted time.
Alternatively, you can get the ICO to tell them off even if you haven't suffered any damages, but that's not always easy…
Funny, it gave me the impression that I was the first to say no and that most people would gladly sell off people's privacy for a buck. Sad.
I had a few people contact me and offer rather significant money for the info (in total over $10K) if I'd quietly sell them a copy before I deleted it - pretty disappointing to me that they thought I'd do that.
Surprisingly I've only seen one misuse of email address doing this for a few years. And I sign-up to competition and the usual suspects quite regularly. The bigger one I find abused these days is phone numbers. I guess it's harder to track source hence more dodgy brothers activity here.
Slightly more advanced trick is exploiting the fact that Gmail ignores . in addresses, so that first.last@gmail.com, firstlast, fi.rst.la.st, firstlast.., are almost infinitely unique encodings of the same mailbox. But again, smart spammers can just remove all dots so that the spammee can't tell who sold the address.
This evades sites that filter on +'s and spammers that strip them out to anonymize their list. Also if they strip out the dots to further anonymize it, they just create invalid email addresses.
Admittedly this only works because not everyone does it.
Then I setup an forwarding email server, which forward <anything here>@mydomain.com to my main email. So I would register at sites like sitename@mydomain.com. Sometimes, if required to send emails from registered email then I would create a new email and send.
Now, I have switched to Abine Blur and free version works fine for me. They have a chrome extension and it generates random email whenever you are filling the email field in web forms. (or you can generate random emails at will). Only caveat is, you cannot reply from that email. So, in such cases, I login to the site, change my email to something else and compose emails.
I suggest everyone to using Blur or similar tools. The guys who are running your site will ever know your real email.
Someone else gets their marketing message out to his list, but doesn't get his emails.
... so imagine my surprise when I received an e-mail (at the abuse@ address, no less) offering to buy uploader/downloader info (IPs, file info, email addresses, etc.)
Imagine their surprise when I told them that I didn't have most of what they wanted in the first place, and that they could kindly go suck a pig. I checked out the company in question, and they seemed rather sparsely established, so my assumption was that they were a shell company for somebody. Never really looked into it after I told them to go to hell, and never heard back from them. AFAIK there wasn't a lot of pirate traffic (I shut that down and banned/reported aggressively whenever I found it/was notified about piracy or other illegal stuff), mostly just niche content that I assume was original... so I doubt it was an MPAA/RIAA thing. Odd.
(Sorry for keeping names out of it. The site was super well-known within the community, and I'd rather keep my involvement in said community quite isolated from my real life.)
Glad to be out of the file host business, that's for sure.
1. why did you get out of the file host business or why were you glad to?
2. how did you get out of it? sold, fizzled, etc..
Handling abuse complaints, wrangling bandwidth spikes, etc. ended up taking way more time than I wanted to give to it. This was before a lot of the modern easily-scalable hosting services were around, so it's not like I could just automagically spin up new instances.
So basically, I ran out of time in my day, and since I already had a good day job I figured "fuck it" and sold out.
I maaaaaybe could've gone full time with it, but it would have been really hard and I would have been competing against some already well-established players. I didn't have much presence outside a particular community, and growing it into a general-purpose thing would've probably killed the "one of us" karma that let me get popular in the first place... so... yeah, not a good plan.
> 2. how did you get out of it? sold, fizzled, etc..
Sold. The party that bought it promptly ran it into the ground in a rather impressively stupid series of decisions, and it was gone within a year. Oh well. Not my problem. I got a decent payout, which -- being younger and stupid -- I promptly blew. So basically in the end all I got was a year or two of really fun living. :)
I'm actually OK with that. It didn't start as more than just a way to serve a specific community's needs, it blew up in popularity and as a result I got some cool experience and some spending money out of it. Seems like a successful project in retrospect.
"Easily scalable" only works to a point, then it quickly becomes expensive unless you create a solution tailored specifically for your problems, at which point you're negating the "easily" part again.
One possible defense is to use an open inbox, publically available. Perhaps?
Many users have a different email for each service, for example username+yourservice@gmail.com (gmail will ignore the '+' and whatever is between it and the @) so you get busted.
Google skip tracer, or skip tracer database, to see how much info is collected and sold, and that is just for one micro industry.
Everything is sold, everything. Maybe that mom and pop store is not selling your data, but that other mom and pop one is. And the bigger players certainly are.