[Belated] Naughty List 2016

I know Santa's already been and gone this year but after last years interview successes he decided to review his options yet again this year. I've been swamped with solution design and development work since December so this article is very late.

2016 saw a marked decrease in spam from the 'major' jobs boards and some new comers then balancing that out by making up for it - Notably My Job Matcher Ltd, who still seem fine with buying your data from India data traders. More of that in the list (yes a spoiler....sorry about that).

2016 also turned up new vectors of spam and processors which are probably unsurprising to most. These new-ish vectors indicate that companies who have received subject access requests SARs from me in the past, decided to sell those details onto spammers and criminals.

Very funny. Should have seen that coming I guess, however I've started designing and writing an anti-spam solution - with help from Santa of course after he got so annoyed with the 2013.

Because of the way my email addresses are applied I can track where they were first used, who they were sold on to and so on. iProfile / Vertifi have largely gone quiet after numerous complaints via the ASA and ICO - and a number of open discussions with recruiters that used to use the platform.

All but two of last years nominees are no longer in the running - Jim Munday appears to have given up on his side businesses after being 'stung' by Alex Paterson in a database sale; My Job Matcher finally seem to have stopped unlawfully buying personal data to artificially inflate their candidate database (although they are now partnered with Alex Paterson and his businesses). It's a very small world.

Also of notable mention is DMR Financial Services and Donald Rees. DMR cold called me one day last year for PPI claim details. I gave them a false name and address to which they dutifully delivered paperwork disclosing who they really were.

I SAR-ed them to find out where they got my TPS listed phone number from in the first place. They tried to claim that my phone number was given to them as a number for a potential client in the West Midlands, and that it was associated with a different person. I then disclosed the made-up person and challenged their position: in that they were not provided my number by anyone and that they have to name their "DMA approved data source".

Of course they offered to send me a copy of their complaints procedure whilst they investigated. That was Q3 last year. Despite all of this they still didn't make it into Santa's naughty list for 2016. These companies did:

Number 5 - Teradata

New entry for 2016. These guys not only bought personal data where they shouldn't have but have ignored 3 SARs over the last 18 months. In fact, one SAR request was not only ignored, but the email address associated was then subscribed to their marketing lists.

Either they're scraping Jobsite.co.uk or a 'recruiter' is doing it for them. Either way they've been tagged for further investigation in 2017.

Number 4 - Jobsite.co.uk


Down three to 4th place this year. At least they're fairly consistent. They're now 'partnered' with a number of other jobs boards and data traders as the StepStone group.

It looks like their response to data protection issues has improved slightly although they need cajoling a lot. I still don't have any answers from them from a request in 2015 and they even tried to tell me that my account didn't exist, therefore the spammer in question had never seen my details.

I sent them a screenshot of both which contradicts their claims and haven't heard anything more from them since. It's difficult to track data scrapers it seems, even when they're scraping Jobsite.co.uk's candidate database to set up their own online jobs boards - and Jobsite.co.uk don't seem concerned that they're creating their own competition. Speaking of which...

Number 3 - MatchMeAJob.com

So they were caught red-handed scraping candidate details from Jobsite.co.uk and adding them to their own database. They don't offer jobs themselves but provide links to real recruitment agents job ads on other jobs boards to their 'candidates'. Every link I tried returned a "this job is no longer available" message, even clicking links from MMAJ emails barely minutes old.

They refused to respond to multiple SARs, an NBA and then - after they received a more official warning - sent me a terse one paragraph response which stated that they "...only viewed but never downloaded [your profile from jobsite.co.uk]". Strange then, if they didn't download anything, that they then spammed me nearly 100 times isn't it?

The case continues but I suspect a large number of people were forcefully subscribed to MMAJ's database without consent, notification or any discussion. Totally unrepentant and couldn't care less about data law - just making a fast buck. I suspect they're also selling candidate data out the back door to non-EU data traders for re-sale back into EU and US businesses. Expect to hear more posts in coming months.

Their director, Irfan Lohiya, also set up Top Resourcing and then gave himself a bunch of testimonials on the first page; using all the different job titles he has from each of his own companies. It looks like Jobsite.co.uk might ban MMAJ so he's got a couple more companies waiting in the wings.


Number 2 - UK Apollo Group

This one is far from dead and buried - after the results in and out of the court room in 2016 it appears that Apollo have again ignored multiple SARs and requests for information.

Keith Taylor, the 'head' of the group, admitted in court on record that they '...[could find my details] on several databases that they use...' on the morning of the trial: yet claimed in their response to my 2015 SAR that they could not identify the source by which they acquired my data. I have all that on record with the court along with other gems.

Of course I've now confirmed via three independent routes that the source is in fact Monster.co.uk, who have been especially helpful and supportive.

Expect more articles about Apollo this year - there's one case I know of which is yet to be heard and at least one more waiting in the wings.

Number 1 - Pulse Accounting / Umbrella

I've witnessed a lot of accountants doing things with personal data that you would not expect people you should trust with money to do. Some are innocent, others evade and lie to squirm out of their responsibilities. Guess which one of those categories Pulse fit in to?

This is an ongoing situation where The Burrows Machine offered my personal data for sale, Pulse bought it, failed to verify consent and then added me to their marketing lists.

They ignored SARs from three people - myself included - at first, then responded to one person but continued to ignore others.

Following on from that Pulse then ignored NBAs (attempts to impress upon them that their participation in data protection law is required), when summons were issued - instead of responding to the SAR raised a counter claim for twice the claim amount! They've since discontinued the counter claim but are still refusing to respond to my SAR. A belligerent response that was an attempt to bluff their way out.

ICO forced them to respond to the third individual who submitted a SAR, noting that Pulse have breached the DPA. Pulse claim that they are "only a small company" despite their director running a number of contractor umbrella, payment and collection companies, and having been registered as a data controller with ICO since 2009. They claim that they data trader "assured" them consent was in place, which admitting that they had no way of verifying whether it was the data subject who allegedly entered their details into the contractor-pay.co.uk website (since taken down but available in all its glory on the Tinterweb Archive).

Oh wait, it never appears to have existed at all. Surely it wasn't a lie?

Conclusion

With GDPR fast becoming an inevitability the noose is tightening around the data traders. In 2017 I'll release the anti-spam module Santa and I have been working on - since 2014 I've reduced spam from around 600 emails a week to roughly 100 a week - some of those are feeder account used for diagnostics on the anti-spam module though. At the moment I'm likely going to release the module as FOSS but keep the reporting and data-management as part of the LSP product range. However part of me thinks that there are already a number of similar COTS products out there (albeit working on different principals), so may end up FOSS-ing the data warehouse and reporting aspects too.

Inevitably better developers can take the AoD's and improve the codebase if I push ti GitHub or BitBucket.

I digress: If we already had GDPR these companies would not be able to support their current business model, and would be eligible for fines up to 20m Euros or 4% of EBIT revenue. However the usual wranglings from used-car salesmen lobby groups are attempting to reduce the size of potential fines. Knowing full well a lot of their members are going to be paying six-figure sums at best - possibly seven or eight figure sums.

EDC and DMA attempts to undermine GDPR failed as it's already been passed into law - which is great for individuals. Now companies have to actually take responsibility for their data practises and the regulator has the foundations to really make an impact.

I've personally seen companies horde data for decades, monetising it at the earliest opportunity (hoping the data subjects 'forget' they ever handed their details to the company in the first place); others have been asking how to comply with GDPR for over nine months.

Lets hope the future involves more of the latter attitude.


Comments

Popular posts from this blog

Scam Warning - SpellJobs.com

Scam Alert - Ian Burrows a.k.a. Alex (P) Haynes (Updated)