A winding road and a dead end: A journalist traces the path of her stolen phone number
It's a dreadfully annoying thing to receive spam calls every so often, and then have to wonder how in the world the person on the other side got a hold of your personal phone number. No matter what we do, we've all been subjected to this torment at some point or another.
However, you may just be shocked to learn about the number of places your phone number could have been before it made its way to whoever it was that last spammed you.
UK-based journalist Jane Wakefield from BBC experienced a similar annoyance when a complete stranger messaged her on WhatsApp (which you can't do unless you have someone's phone number), and so she decided to perform an in-depth investigation to find out exactly how and where her private number had been compromised.
Where did the WhatsApp stranger get the number?
First, Jane questioned the WhatsApp stranger to find out where they got her contact info. Interestingly, the person wasn't a spammer, just a random woman who was trying to get in touch with Jane with a new pitch for a story. This woman answered that she had bought the phone number from a company called RocketReach, which promises it can instantly get you in touch with any professional via their personal phone number or e-mail.
RocketReach promises to find any professional's contact info
Where did RocketReach get the number?
It seems there are plenty of shady companies in the U.S. like RocketReach that make tons of money through selling contact information. Allegedly, they themselves obtain the info in question through public platforms such as any social media, or corporate, personal, and phone directory websites.
Naturally, Jane Wakefield headed over immediately to the mysterious RocketReach company to find out how in the world they had come to sell her private phone number to strangers. She managed to get in touch with the company's CEO Scott Kim via LinkedIn.
While he did not waste time in promising to remove all of Jane's personal information from the service's database, he more or less refused to answer her questions of how RocketReach had actually obtained said info.
The only substantial thing Jane was able to get out of Kim was that it was no longer possible to find out the how, since her profile had been removed. Unsatisfied, the journalist pushed more aggressively, telling the company that she was working on a story about tracking her stolen phone number's digital footprint. Eventually, RocketReach caved and told her they probably got it through her Twitter feed through a public identity service called Pipl.
So... How did Pipl get the number?
Jane was now far too deep into her investigation to slow down, and her efforts were only bringing up more questions rather than answers. What was supposed to be a simple question was turning into a seemingly never-ending game of tracking down the original thieving culprit.
When Jane reached out to the people at Pipl next, the company's CEO—named Matthew Hertz—replied to her questions with a simple sentence: "The source of the data appears to be Sync.me."
Where did Sync.me get it, then?
It turned out that Sync.me, this time around, was a caller identification service. Jane filled out a contact form on the company's website, and they surprisingly replied that they had checked the records and could not find anything on her profile.
However, they added that "We may have mistakenly identified your number in the past as a phone number of a business. However, since we applied GDPR [General Data Protection Regulation] regulations, we removed such numbers from our service."
The General Data Protection Regulation is a data regulation implemented in the European Union in 2018, which also addresses personal data transfer outside the EU but cannot be effectively enforced in the United States.
Jane's question, at that point, was: at what stage, if any, did this whole shenanigan become in any way illegal? Certainly it seems wrongful for RocketReach, which obtained her personal info from a database where it is now rendered illicit, to go ahead and sell Jane's phone number without so much as her knowledge.
When questioned by BBC News, Pipl said that "the information was found in a public source and hence was not treated as private information." Like the others, it went on to simply claim that it respected people's rights to privacy—and that was the end of it, apparently.
Following all this, Jane contacted privacy campaign group Noyb, a member of which provided his opinion that the behavior by these companies was wrongful in the way they handled her questions and personal data.
You cannot just answer the person having their data processed by telling them that their data were deleted and pretend that the problem disappears. Saying the data is publicly accessed is not good enough. Just because you put your phone number on a website doesn't mean that you're OK for someone to scrape it and put it on a database to be sold.
Even if company 'A' has legal grounds to process your personal data, that doesn't mean that company 'B' or 'C' does. There is a daisy chain of data being passed along and each business becomes a separate legal controller under the law. If a business got hold of your details and allowed others to contact you in a way you didn't want to be contacted, that begs the question - is that business compliant with GDPR?
Jane could do nothing further after the whole ordeal except file an official complaint and wait, as she was told by the UK's Information Commissioner's Office.
Things that are NOT allowed: