A few months ago, I received a pitch for a story – nothing unusual there, as I am a journalist and receive a lot of pitches – but what set this one aside was the story idea arrived as a flurry of WhatsApp messages.
And I was surprised, as I’ve never been approached by a stranger via the messaging app before.
I found it unusual and a bit invasive, so I asked the person sending the messages how they had obtained my phone number.
She said she had bought it, she said, from a company called RocketReach, which, on its website, promises users can “get email and direct dial for any professional” via their service.
This was the first I had heard of what turns out to be the somewhat opaque, if lucrative, world of contact selling.
US companies that collect and monetise personal data are on the rise.
It is scraped, they claim, from public sources, such as Twitter and LinkedIn, as well as corporate, media, and people and phone directory websites.
So I thought I would do some web scraping of my own, found RocketReach chief executive Scott Kim on LinkedIn and sent him a message.
He immediately agreed to remove my personal data – but finding out how it came to be there in the first place turned into something of a mission.
Awkward questions
At first, I was told it was impossible to trace the source, because my phone number had now been deleted.
But Robert Romain, of privacy campaign group Noyb, told me: “You cannot just answer the person having their data processed by telling them that their data were deleted and pretend that the problem disappears.”
And when I told Mr Kim I planned to write a story about my attempts to track the digital footprint of my own telephone number, I received a slightly different answer to my questions.
The RocketReach response was marked “Not for publication,” so I am not going to quote it directly, but the company basically said it had reverse-engineered my profile and decided it was most likely obtained through my Twitter feed, via a service it uses called Pipl.
So I immediately contacted Pipl chief executive Matthew Hertz, who replied, very succinctly: “The source of the data appears to be Sync.me.”
Sync.me is a public telephone-directory service, which I then reached out to via a form on its website.
‘Mistakenly identified’
“We have checked our records and your details do not appear in our service,” Sync.me replied.
“We may have mistakenly identified your number in the past as a phone number of a business.
“However, since we applied GDPR [General Data Protection Regulation] regulations, we removed such numbers from our service.”
Mystery solved, I guess – but what is less clear is whether it was lawful for RocketReach to sell my telephone number, especially if it had been gathered from a pre-GDPR database.
‘Possible sensitivity’
RocketReach said it was committed to protecting privacy and keeping data secure and complied with its obligations under the law.
And Pipl told BBC News: “We respect your and others’ right to privacy.
“The information was found in a public source and hence was not treated as private information.
“Even though as a non-EU company, GDPR does not apply to us, we understand the possible sensitivity of personal information and allow you or anyone to removed information about themselves.”
The General Data Protection Regulation is a massive piece of European legislation intended to hand back control to users in an age when data has become a commodity.
Similar rules now exist in post-Brexit Britain.
And they apply just as much to data that has been gathered from the public domain.
“Saying the data is publicly accessed is not good enough,” Mr Romain says, “just because you put your phone number on a website doesn’t mean that you’re OK for someone to scrape it and put it on a database to be sold.”
Daisy chain
Rafi Azim-Khan, data privacy head at the Pillsbury law firm, agrees.
“Even if company ‘A’ has legal grounds to process your personal data, that doesn’t doesn’t mean that company ‘B’ or ‘C’ does,” he says.
“There is a daisy chain of data being passed along and each business becomes a separate legal controller under the law.
“If a business got hold of your details and allowed others to contact you in a way you didn’t want to be contacted, that begs the question – is that business compliant with GDPR?”
Web scraping
The UK’s Information Commissioner’s Office suggested I make an official complaint, which I did.
Meanwhile, it said: “In the case of data matching and web scraping, data-protection law does not stop you processing publicly available personal data – but you must do it in compliance with the law.
“For example, if you scrape publicly-available personal data from social-media profiles, you become the controller for that data.
“You therefore need to ensure you comply with data-protection requirements, including having a lawful basis for processing and providing privacy information to individuals.”
‘Slightly ridiculous’
US-based companies must have what is called an Article 27 representative in Europe if they are processing European data, someone regulators can deal with if there is a data breach or other issue.
But Pipl told BBC News it did not have one.
The Luxembourg data-protection authority ruled that Noyb’s complaint against RocketReach, and a similar company, Apollo was unfounded, in part because they did not have this point of contact, so the case could not be pursued.
Data-protection consultant Dyann Heward-Mills says this is a slightly ridiculous catch-22.
“They were saying we don’t think what these firms are doing is right – but we can’t act because they don’t have the contact,” she says.
Companies will often have a “legitimate business interest” in using individual’s data – but they must balance this with the rights of individuals, who definitely have a “right to know” how the information was acquired, Ms Heward-Mills says.
Newcastle University law professor Lilian Edwards says the example highlights some of the challenges of GDPR.
“There’s no real way to enforce GDPR outside of the EU, either information rights or erasure rights,” she says.
“In the US, what really works is copyright takedown notices – but your telephone number isn’t copyright.
“It really points up the differences between our systems.”