
Ask HN: Have you ever been contacted to sell your user's information? - jtgi
My friend who runs a student service with a couple thousand users was contacted today over Facebook with an offer for his user's emails:

"It's for an event newsletter. Won't say we got it from you."

This ask really bothered me, both from an ethics and pragmatic standpoint. Which got me thinking about the scandals and pressure larger companies, especially ones that are failing or have failed encounter with their user data. At non trivial quantities or certain domains this data must get extremely valuable. Combine this with the increasing likelihood that developers have access to production services and I was left feeling a little uneasy.

Have you ever been contacted as an employee/founder with an offer for your user's data?

What happens to user's data when companies die? Is it purged, sold off, dormant?
======
atinoda-kestrel
A long time ago I ran a file hosting service that almost exclusively served
one particular "fringe" community (for some reason it got _really_ popular on
one site and spread from there). I was running it anonymously at the time (for
both me and for the users), and logging was minimal...

... so imagine my surprise when I received an e-mail (at the abuse@ address,
no less) offering to buy uploader/downloader info (IPs, file info, email
addresses, etc.)

Imagine _their_ surprise when I told them that I didn't have most of what they
wanted in the first place, and that they could kindly go suck a pig. I checked
out the company in question, and they seemed rather sparsely established, so
my assumption was that they were a shell company for somebody. Never really
looked into it after I told them to go to hell, and never heard back from
them. AFAIK there wasn't a lot of pirate traffic (I shut that down and
banned/reported aggressively whenever I found it/was notified about piracy or
other illegal stuff), mostly just niche content that I assume was original...
so I doubt it was an MPAA/RIAA thing. Odd.

(Sorry for keeping names out of it. The site was super well-known within the
community, and I'd rather keep my involvement in said community quite isolated
from my real life.)

Glad to be out of the file host business, that's for sure.

~~~
kinkora
I might be a lil late reading this but I have a slightly off tangential
question if you could have time to indulge me in.

1\. why did you get out of the file host business or why were you glad to?

2\. how did you get out of it? sold, fizzled, etc..

~~~
atinoda-kestrel
> 1\. why did you get out of the file host business or why were you glad to?

Handling abuse complaints, wrangling bandwidth spikes, etc. ended up taking
_way_ more time than I wanted to give to it. This was before a lot of the
modern easily-scalable hosting services were around, so it's not like I could
just automagically spin up new instances.

So basically, I ran out of time in my day, and since I already had a good day
job I figured "fuck it" and sold out.

I maaaaaybe could've gone full time with it, but it would have been really
hard and I would have been competing against some already well-established
players. I didn't have much presence outside a particular community, and
growing it into a general-purpose thing would've probably killed the "one of
us" karma that let me get popular in the first place... so... yeah, not a good
plan.

> 2\. how did you get out of it? sold, fizzled, etc..

Sold. The party that bought it promptly ran it into the ground in a rather
impressively stupid series of decisions, and it was gone within a year. Oh
well. Not my problem. I got a decent payout, which -- being younger and stupid
-- I promptly blew. So basically in the end all I got was a year or two of
_really_ fun living. :)

I'm actually OK with that. It didn't start as more than just a way to serve a
specific community's needs, it blew up in popularity and as a result I got
some cool experience and some spending money out of it. Seems like a
successful project in retrospect.

~~~
kqr
About 1: all of your experiences still hold today. A friend of mine started a
file hosting business on the side when he was still in elementary school. Much
like yours, it quickly became popular in one small community, and then spread
out of that. Today, 8 or so years later, he has quit to work full time on it
and he works on it... a lot.

"Easily scalable" only works to a point, then it quickly becomes expensive
unless you create a solution tailored specifically for your problems, at which
point you're negating the "easily" part again.

------
Gustomaximus
Haha that's not dodgy at all. There is a legitimate business around selling
data;

This is OK in 3 scenarios I can think offhand: 1) A company collects
personal/contact information on behalf of another and is upfront about this at
collection 2) A company contacts their list asking if these people would like
to share their information with a company 3) Permission to sell information is
in the T&C on sign-up of the original company.

If one of these 3 is not covered I imagine companies should purge data if the
business closes. Option 2 would be good for companies that are looking for a
cash bump on the way out.

At a financial level I see a bunch of people with lists in the 10's of
thousands and they are surprised how little it is worth. To earn a western
level income from a contact list you'd likely need a hundred thousand plus of
contacts assuming a typical consumer audience and reasonable response rates.
Lists are worth significantly more for specific hard to reach groups like
CTO's or surgeons etc. For me these would be 15x what I pay against a standard
consumer list as a massive generalisation.

~~~
JupiterMoon
This assumes you have only US citizen's data. One Canadian in there for
example and you're surely breaking the law.

~~~
Gustomaximus
I don't see why. Could you shed light on this view?

~~~
mechazawa
It's illegal to sell user data without explicit consent in a lot of countries.
It should also be illegal in the US tho due to the Fair Information Practices.

~~~
gaadd33
What is defined as explicit consent? Most terms of service and EULAs on
websites and software do explicitly give the company the right to sell your
data.

Also aren't the FTC's Fair Information Practices just recommendations with no
consequences for violating?

~~~
mechazawa
Probably "We are going to disclose your data to party X. Do you consent to
this?". Saying that you are going to share user information with undisclosed
3rd parties seems like a bit too broad.

------
bratsche
Your friend could always fight shady with shady. Write a script to randomly
generate a few thousand email addresses that look like they might be real. :)

~~~
Foy
Fighting a somewhat reasonable request with _fraud_ seems right out of the
gray zone and solidly in the territory of immorality.

------
joedevon
I was approached a long time ago with an offer to pay for users' info on a
forum I ran. You should have seen the shock at my refusal. The buyer just
couldn't understand why I wouldn't want to make free money for just selling
the list.

Funny, it gave me the impression that I was the first to say no and that most
people would gladly sell off people's privacy for a buck. Sad.

~~~
bsbechtel
I'd say the buyer's shock was just a negotiating tactic...I've seen this used
in many different situations. That said, I certainly wouldn't be surprised
that most people would gladly sell off people's privacy for easy money.

------
thrill
Yes, several years ago I ran a self-created political site in favor of a
specific candidate. I stated in the Privacy Notice that all information
collected would not be shared and be deleted after the election. As I recall,
I collected name, birthdate, gender, email, address because I wanted to
correlate and display the info in a summary fashion, and I allowed people to
make comments and come back and edit them so I had a password system, and some
other things.

I had a few people contact me and offer rather significant money for the info
(in total over $10K) if I'd quietly sell them a copy before I deleted it -
pretty disappointing to me that they thought I'd do that.

------
dsacco
I've never been contacted to sell user information, but I have been contacted
to purchase information. Before I purchased whois privacy on my email's
domain, I was frequently propositioned to purchase lists of users and emails
relevant to information security and general SaaS products. It was pretty sad,
actually. The emails never explained where or how they got the list of users,
they just promised I would have an incredible ROI from these "qualified
leads."

------
siliconc0w
I've never been contacted but here is a #lifehack if you use gmail sign up
with youremail+domain to track who is selling your info.

~~~
scintill76
Yeah, if you ignore the corollary #shadybusinesshack, which is to strip +
suffixes from @gmail.com addresses, or any other domain with gmail MX records.

Slightly more advanced trick is exploiting the fact that Gmail ignores . in
addresses, so that first.last@gmail.com, firstlast, fi.rst.la.st, firstlast..,
are almost infinitely unique encodings of the same mailbox. But again, smart
spammers can just remove all dots so that the spammee can't tell who sold the
address.

------
RogerL
This is why I don't quite understand the common complaints about Google and
data. Not that I don't understand the concern, but the unawareness that this
happens _everywhere_. You order a pizza to be delivered? That info is sold.
Magazine subscriptions? Info is sold. Order something from the Gap catalog?
That info is sold. Signed up for a gym? Sold.

Google skip tracer, or skip tracer database, to see how much info is collected
and sold, and that is just for one micro industry.

Everything is sold, everything. Maybe that mom and pop store is not selling
your data, but that other mom and pop one is. And the bigger players certainly
are.

------
jeffmould
Can't say I have ever been in this position. If I was approached like that
though it would be an automatic delete anyway.

With that said, this issue recently came up with Radio Shack and how they were
planning to sell off their customer data.

------
Frondo
It is not uncommon to send chaperoned emails to your list; that's where your
friend includes a message from the sponsor in his regular newsletter.

Someone else gets their marketing message out to his list, but doesn't get his
emails.

------
hudell
Back on my first job, a small company wanted to use our software, but only if
we copied their competitor's database (Their competitor was already our
client)

------
eloisant
"Won't say we got it from you" is not protecting you.

Many users have a different email for each service, for example
username+yourservice@gmail.com (gmail will ignore the '+' and whatever is
between it and the @) so you get busted.

~~~
mathrawka
This is so well known that places that care will strip it out at the signup
process. Also, they will use a simple regex check with their
company/service/product name to see if the user is using a highly probably
unique email address.
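
The tagging and stripping tricks from the two sub-threads above (siliconc0w/scintill76 and eloisant/mathrawka), as an added example that is not part of any commenter's post. It generalizes the dot trick to encode a number in the dot positions; the mailbox, service names and function names are constructed for illustration.

```python
# Added example: per-service Gmail aliases for leak attribution, and the
# canonicalization that erases them. All addresses here are constructed.
GMAIL = {"gmail.com"}  # assumption: only this domain gets Gmail rules

def split(address):
    local, _, domain = address.rpartition("@")
    return local, domain.lower()

def plus_alias(mailbox, tag):
    """local+tag@domain: delivered to the same Gmail inbox as local@domain."""
    local, domain = split(mailbox)
    return f"{local}+{tag}@{domain}"

def dot_alias(mailbox, n):
    """Encode integer n in dot positions: bit i set -> dot after character i."""
    local, domain = split(mailbox)
    base = local.replace(".", "")
    gaps = len(base) - 1                      # 2**gaps distinct variants
    if not 0 <= n < 2 ** gaps:
        raise ValueError(f"only {2 ** gaps} dot variants for {base!r}")
    out = "".join(ch + ("." if (n >> i) & 1 else "") for i, ch in enumerate(base))
    return f"{out}@{domain}"

def decode_dot_alias(address):
    """Recover n from the dot positions of a received address."""
    local = split(address)[0].split("+", 1)[0]
    n = seen = 0
    for ch in local:
        if ch == ".":
            if seen:                          # ignore a leading dot
                n |= 1 << (seen - 1)
        else:
            seen += 1
    return n

def canonical(address):
    """What a list cleaner does: drop the +tag and all dots for Gmail."""
    local, domain = split(address)
    if domain in GMAIL:
        local = local.split("+", 1)[0].replace(".", "").lower()
    return f"{local}@{domain}"

def leak_source(recipient, issued):
    """issued maps each exact alias handed out to the service that got it."""
    return issued.get(recipient.lower())

if __name__ == "__main__":
    me = "firstlast@gmail.com"
    issued = {plus_alias(me, "pizzashop"): "pizzashop", dot_alias(me, 5): "gymsite"}
    for alias in issued:  # verbatim resale is attributable, a cleaned list is not
        print(alias, leak_source(alias, issued), leak_source(canonical(alias), issued))
```

Attribution only works when the list is passed on verbatim: once a recipient address has been canonicalized, every alias collapses to the same mailbox and the lookup returns nothing.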

------
hellbanner
I'm developing GPS based mobile games and I've been curious about being
approached for this -- from advertisers or governments.

One possible defense is to use an open inbox, publicly available. Perhaps?

------
lcswi
I have been contacted about embedding ads which I consider almost as bad on my
user's privacy.

