[villgax]

This same BS is perpetuated by YC backed Apollo.io by simply scraping public LinkedIn profiles & then masking asterisked emails & numbers(usually your company public numbers) & asking people to sign up.

And when you do request them to remove the same, they ask you to provide ID proof. As if one would provide the same to a company which didn't take your consent for the initial profile data either.

I somehow managed to get hold of the CEO's mail ID got mine removed. But I can only imagine what everyone else would have to do when they want to control their web-presence.

[SippinLean]

There are at least 50 data brokers I've had my information removed from. They will say whatever they can--"we need proof," "it's just public information anyway."

Every time I insisted they take it down, right now. Every time they have complied.

There's so many it's basically pulling weeds at this point.

The scarier companies are the ones collecting pictures of your face to train their private facial recognition software.

(Hell I'm hesitant to post HERE because you can't manage the privacy, content or existence of your comments)

[rvnx]

Some data brokers are threatening you with "if you get removed from our database you will be marked as high risk of fraud and your transactions/orders you do online like hotel reservations will get rejected/put on hold for screening".

Well played. Absolutely legal but totally immoral

[throwaway_pdp09]

But is it true? If not then I'm pretty sure in the UK at least there's some law against it.

[Silhouette]

There are certainly rules in the GDPR about automated decision-making that might be relevant.

https://gdpr-info.eu/art-22-gdpr/

https://gdpr-info.eu/recitals/no-71/

[jan6]

I don't know, but I'd think it's slightly true I'd guess you'll be marked in THEIR database, so if the hotel happens to use that company's lists, you might be marked, but not be high risk in anyone else's books...

[nightcracker]

That's not legal, because that is still personal information being stored. They have to delete it all, upon request.

[JoshTriplett]

The implication (whether true or false) is that some company might treat the absence of a record in their database as suspicious.

[koheripbal]

> There's so many it's basically pulling weeds at this point.

...and they are often run by the same people. They use shell companies to basically avoid take-down requests.

Their goals is to make it sufficiently annoying to take down your information, that most people give up. While at the same time removing it (regardless of the process) for anyone that occupies them too much time - because your individual data isn't valuable enough to waste defending against a take-down.

I suspect a (faux) lawyers letter is easier to get these takedowns processed than the calls/emails that most people try.

[JoshTriplett]

I'd be interested to know if anyone has had success with any legal measure that would enjoin them or any other entity they're in any way affiliated with or that shares common ownership.

[gingerlime]

I've been in touch with a company called Acxiom, who shared my details on Facebook. I've never heard of it, so I submitted a Data subject request to see what they know about me.

They then asked me to provide my address to confirm my identity. Given that I moved quite frequently, and that I'm now asked to share more personal data with a company who's mishandling my data, I wasn't keen on it.

I mentioned that my full name is globally unique, but they refused. I tried to ask them to share some masked data that I can confirm in full (e.g. "give me a partial address and house number, I can give you the full address"). They refused.

They definitely try to make it hard for you, and to dodge responsibility.

[culturestate]

Acxiom is one of the largest (and oldest, they started in the 1970s) data brokers in the world. I think they, like a lot of other creaky corporations, don't necessarily make things difficult on purpose but they...don't go out of their way to make the bureaucracy any more navigable than it has to be.

In other words, it's not a bug, it's an accidental feature.

[heavenlyblue]

I am sorry, how does that resolve the issue of them operating illegally?

The fact that you’re a old mess means you should be destroyed as a business to allow for newer, more ethical businesses to pop up.

If this is an accidental feature it means you should be accidentally run out of business.

[culturestate]

> how does that resolve the issue of them operating illegally?

Which part of the process described is illegal? The GDPR explicitly requires[1] controllers to verify subjects' identities in an access request:

The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.

1. https://gdpr.eu/recital-64-identity-verification/

[Silhouette]

That is true, but the word "reasonable" is significant. Taking reasonable steps to confirm a data subject's claimed identity is fair and necessary. Giving them the run around and hiding behind that verification obligation as an excuse is not.

[culturestate]

I mean, sure, but OP indicated that he didn't want to provide the info they requested for verification. I don't see how their action here could be considered unreasonable.

"I promise you that I am the only person on earth with this name" doesn't really seem like a sufficiently secure attestation.

[shostack]

This. I would go out on a limb and offer that Axciom has likely invested more in compliance in this regard than most other companies on the planet.

People may not agree with their stance, but it has yet to be successfully challenged in court to my knowledge.

[Silhouette]

One good thing about the GDPR is that it was basically designed to allow the regulators to beat up businesses that do that. If you're too old or inflexible to live up to your obligations, congratulations, it's now a liability that could into substantial fines.

[Lio]

Has the EU actually shown any teeth to these outfits?

It's one thing to say something is illegal but if you don't enforce that these firms will be able to operate with impunity.

[Silhouette]

Has the EU actually shown any teeth to these outfits?

It's starting to.

https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2...

There are 7-8 figure fines already this year, and two 9 figure ones that the UK regulator has given notice on.

[gsnedders]

Note that in principle it's not up to the EU to enforce because the GPDR is a directive; it's up to the individual member states to enforce the directive as enshrined in their law.

[Silhouette]

GDPR isn't a directive, it's a regulation. It's literally what the R stands for.

The major difference between the two in terms of how the EU makes laws is that directives are the indirect one: individual member states are required to incorporate the provisions into their own legal systems to give them force of law. An EU regulation is the direct equivalent: it carries force of law across all member states immediately. In the case of the GDPR, the UK government has also stated that its provisions will continue here after Brexit and the related transition arrangements.

However, you're right that enforcement will normally be done by an individual member state, because it is typically the national data protection or privacy authority in each state that acts as regulator and has enforcement powers under the GDPR. In theory, there's supposed to be some coordination so one of those regulators will take the lead on any given investigation or enforcement action instead of 28 different organisations all diving in at once, but it doesn't seem to be clear yet how that aspect will work post-Brexit.

[gingerlime]

In theory, yes. In practice... I'm not so sure. These processes are slow and I imagine that the regulators are drowning in complaints and are hugely understaffed.

And there's no recourse besides filing a complaint. Even if I'm legally right, what damage was caused to me that I can seek compensation for? (assuming I go and try to take them to court directly).

[Silhouette]

Isn't the difficulty in proving actual damages in a personal claim one of the main arguments for making this a regulatory matter?

As mentioned in my other comment near here, the regulators have started issuing some reasonably substantial fines already.

[gingerlime]

Yes, absolutely. Yet the likelihood of Acxiom being fined anything other than some token amount in a case like mine is virtually zero.

[icedchai]

There's so many copies of personal data all out there, it would blow your mind. I have a friend who works in this industry. Brokers sell to other brokers who sell to other brokers, who might even sell it back to the original broker after it's been "enriched" with more detail from additional brokers.

I'm a pessimist. You will never remove your personal data. If you get it removed by one company, the others will pop up like mushrooms. Also, from what I've seen, a lot of this information is out-of-date or crap that is just plain wrong.

[koheripbal]

They obviously need to have a process to validate identity, and it's ridiculous to think that they would tailor that process for every request.

It's also odd that you would want to give them your NEW address if they are likely validating against your OLD address.

Why didn't you just give them your OLD address to check against?

[fmajid]

In fact identity verification is one of Acxiom's lines of business, but that is US-centric and probably doesn't work very well for EU or global persons.

Disclaimer: I worked for Acxiom 2007-2009, but not in the data brokerage core business.

[Ntrails]

> They definitely try to make it hard for you, and to dodge responsibility.

Yes, but at the same time you do not want them handing over all your data with zero checks on identity right..?

[lucb1e]

My ID contains: first name, last name, date of birth, place of birth, length, issuance and expiration, document number, citizen service number (~SSN), citizenship, photo (2x), gender, issuing authority (in my case: a municipality so small that it's more specific than geoIP), and in some countries it also contains your place of residence.

If they just have my name, now they have a lot of extra information. That's why my government recommends[1] to both watermark the copy and blacken unnecessary fields like the citizen service number and your photo. Such fields don't help them identify you, so you shouldn't share it with them. But imagine actually doing that: the only non-black parts (the parts they can actually match against their database) would be my name. Or in the case of WiFi tracking: nothing. I had to submit ID but really they just looked up whatever MAC address I claimed; I could have claimed my ex girlfriend's MAC address for all they knew. It's also trivial to photoshop a document if all you need to swap around are a few letters.

Identification is completely useless unless done in person when they can actually hold the document against the light and compare it to the European database of what it should look like[2]. (I've never seen anyone do the latter; see also lichtbildausweis[3].) Online, the best you can do is ask to confirm data that you already have about the person. Asking to confirm that same data but on a photoshopped (watermarked and censored) piece of plastic doesn't help anything.

In conclusion, sure I agree that you shouldn't be able to request my data, but the point is about the means rather than the goal. Is providing a censored and watermarked picture of an identity document a means of reaching that goal a better means of reaching that goal than confirming some data like the calendar week during which I was in whatever hotel they have my data from (for example)? That's what GP was offering them: asking to confirm masked data rather than having to provide extra and unnecessary personal data.

[1] https://www.rijksoverheid.nl/onderwerpen/identiteitsfraude/v... In Dutch, but see the pictures near the bottom. This is the federal Dutch government's recommendation on how to provide a copy of your identity card.

[2] https://www.consilium.europa.eu/prado/en/search-by-document-...

[3] Original in Dutch: https://dewinter.com/2012/09/24/de-legitimatiecontrole-in-ne... TL;DR: a "lichtbildausweis" is the german word for "photo ID". But how many Dutch people know that? So when you order a photo ID from germany, for example from a website that sells company badges (like, upload your company logo and employee photo and they'll print a plastic card for you), make sure it contains all the fields that you'd generally expect on an ID card, and they'll take it for being a german ID.

[andyzweb]

Maybe post the CEO’s email here so we can all get our data removed as well?

[villgax]

tim

[privchek]

How does this apply to Clearbit which saves the Google Contact list of everyone who installs their extension [0][1] and then sells this data [2] ?

They have >150K extension users, so they are syncing a massive contact list with personal information that they are then selling via their different products like Prospector [3].

[0] https://connect.clearbit.com

[1] https://chrome.google.com/webstore/detail/clearbit-connect-s...

[2] https://clearbit.com

[3] https://clearbit.com/prospector

[Jommi]

Couldn't find anything on those links or Google about them scraping your contact list.

Would you have any proof or evidence supporting that statement?

[Aerroon]

>And when you do request them to remove the same, they ask you to provide ID proof.

On the other hand, imagine one day you try to log in to your Twitter/Facebook/whatever-the next-big-thing-is and you can't, because the company has deleted all your data upon your request. You didn't make that request though. Someone else did it, claiming to be you.

It gets even worse when you realize that people can request all the data the company has collected of themselves. What happens when somebody impersonates you and requests all of your data?

You need to have some kind of verification method that leads back to a real identity. Otherwise this can be massively abused. I doubt that even asking for a real ID is enough.

[lucb1e]

Twitter/Facebook/whatever-the next-big-thing-is doesn't have 9 out of 10 fields that are on my ID card. If I show them a piece of blacked-out plastic with only my first name visible, since that's the only piece of information they have about me, it won't help them identify me.

Yes, you need to prove that you're the data subject matching their records before they should act on your request, whatever that request may be. But uploading a copy of your ID card almost never serves that purpose. See also a bigger comment I wrote elsewhere in this thread with sources and examples: https://news.ycombinator.com/item?id=23957503

[1337shadow]

Ok but he didn't subscribe on that website.

[thierryzoller]

OP here - That's the point. They are not a data controller by that very simple fact. They are processing this data on an illegal basis. Any lawyer around that want to assist me suing in the US?

[1337shadow]

Did you reach La Quadrature Du Net ?

https://www.laquadrature.net/

Also check other CCC co-organizers & the political activist sphere.

[leereeves]

Would anyone actually be upset to discover that apollo.io was no longer tracking their information?

[rvnx]

Electronic signatures tied to your ID.

Don't delete instantly but after X days. Notify owner immediately.

Problem solved.

[jan6]

you mean like Estonia's digital signing? ;) and pretty sure that most sane-ish companies already delay and notify people of major stuff like account deletion and such, less hassle on both parts, company also benefits as it can just batch process requests weekly or monthly or so.

[thierryzoller]

I have a complaint sitting agains Apollo.io as well. I'll make sure to post the outcome here.