"It's for an event newsletter. Won't say we got it from you."
This ask really bothered me, from both an ethical and a pragmatic standpoint. It got me thinking about the scandals and pressure that larger companies, especially ones that are failing or have failed, encounter with their user data. At non-trivial quantities or in certain domains this data must get extremely valuable. Combine this with the increasing likelihood that developers have access to production services and I was left feeling a little uneasy.
Have you ever been contacted as an employee/founder with an offer for your users' data?
What happens to users' data when companies die? Is it purged, sold off, dormant?
A slightly more advanced trick is exploiting the fact that Gmail ignores . in addresses, so that first.last@gmail.com, firstlast, fi.rst.la.st, firstlast.., are almost infinitely unique encodings of the same mailbox. But again, smart spammers can just remove all dots so that the spammee can't tell who sold the address.
Surprisingly I've only seen one misuse of an email address doing this for a few years. And I sign up to competitions and the usual suspects quite regularly. The bigger one I find abused these days is phone numbers. I guess it's harder to track the source, hence more dodgy brothers activity here.
This evades sites that filter on +'s and spammers that strip them out to anonymize their list. Also if they strip out the dots to further anonymize it, they just create invalid email addresses.
Admittedly this only works because not everyone does it.
Then I set up a forwarding email server, which forwards <anything here>@mydomain.com to my main email. So I would register at sites like sitename@mydomain.com. Sometimes, if required to send emails from the registered email, I would create a new email and send.
Now, I have switched to Abine Blur and the free version works fine for me. They have a Chrome extension and it generates a random email whenever you are filling in the email field in web forms (or you can generate random emails at will). The only caveat is, you cannot reply from that email. So, in such cases, I log in to the site, change my email to something else and compose emails.
I suggest everyone use Blur or similar tools. The guys who are running your site will never know your real email.
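An added example (not part of any post in this thread) of the per-site address scheme described above: each site gets its own address on a catch-all domain, with an HMAC tag so the mailbox owner can tell which site an address was issued to and reject guessed ones. `SECRET`, `mydomain.example` and the function names are assumptions; `gmail_canonical` shows the dot and plus stripping mentioned elsewhere in the thread, which removes Gmail tags but leaves these addresses intact.

```python
import hashlib
import hmac
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: key known only to the mailbox owner
DOMAIN = "mydomain.example"       # placeholder for the catch-all domain


def _tag(site: str) -> str:
    """Short keyed tag binding an alias to the site it was given to."""
    return hmac.new(SECRET, site.encode(), hashlib.sha256).hexdigest()[:8]


def alias_for(site: str) -> str:
    """Address to register with at `site`: <site>-<tag>@DOMAIN."""
    site = site.lower()
    return f"{site}-{_tag(site)}@{DOMAIN}"


def leaked_by(recipient: str) -> Optional[str]:
    """Site an inbound recipient address was issued to, or None when the
    tag does not verify (a guessed or altered alias)."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain != DOMAIN or "-" not in local:
        return None
    site, _, tag = local.rpartition("-")
    return site if hmac.compare_digest(tag, _tag(site)) else None


def gmail_canonical(addr: str) -> str:
    """Address after the dot and +tag stripping the thread describes.
    Only Gmail mailboxes collapse; other domains are left untouched."""
    local, _, domain = addr.lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


if __name__ == "__main__":
    issued = alias_for("eventsite")  # constructed site name
    print(issued, "->", leaked_by(issued))
    # The Gmail tag is lost after normalisation, the catch-all alias is not.
    print(gmail_canonical("first.last+eventsite@gmail.com"))
    print(gmail_canonical(issued) == issued)
```
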
... so imagine my surprise when I received an e-mail (at the abuse@ address, no less) offering to buy uploader/downloader info (IPs, file info, email addresses, etc.)
Imagine their surprise when I told them that I didn't have most of what they wanted in the first place, and that they could kindly go suck a pig. I checked out the company in question, and they seemed rather sparsely established, so my assumption was that they were a shell company for somebody. Never really looked into it after I told them to go to hell, and never heard back from them. AFAIK there wasn't a lot of pirate traffic (I shut that down and banned/reported aggressively whenever I found it/was notified about piracy or other illegal stuff), mostly just niche content that I assume was original... so I doubt it was an MPAA/RIAA thing. Odd.
(Sorry for keeping names out of it. The site was super well-known within the community, and I'd rather keep my involvement in said community quite isolated from my real life.)
Glad to be out of the file host business, that's for sure.
1. why did you get out of the file host business or why were you glad to?
2. how did you get out of it? sold, fizzled, etc..
Handling abuse complaints, wrangling bandwidth spikes, etc. ended up taking way more time than I wanted to give to it. This was before a lot of the modern easily-scalable hosting services were around, so it's not like I could just automagically spin up new instances.
So basically, I ran out of time in my day, and since I already had a good day job I figured "fuck it" and sold out.
I maaaaaybe could've gone full time with it, but it would have been really hard and I would have been competing against some already well-established players. I didn't have much presence outside a particular community, and growing it into a general-purpose thing would've probably killed the "one of us" karma that let me get popular in the first place... so... yeah, not a good plan.
> 2. how did you get out of it? sold, fizzled, etc..
Sold. The party that bought it promptly ran it into the ground in a rather impressively stupid series of decisions, and it was gone within a year. Oh well. Not my problem. I got a decent payout, which -- being younger and stupid -- I promptly blew. So basically in the end all I got was a year or two of really fun living. :)
I'm actually OK with that. It didn't start as more than just a way to serve a specific community's needs, it blew up in popularity and as a result I got some cool experience and some spending money out of it. Seems like a successful project in retrospect.
This is OK in 3 scenarios I can think of offhand: 1) A company collects personal/contact information on behalf of another and is upfront about this at collection; 2) A company contacts their list asking if these people would like to share their information with a company; 3) Permission to sell information is in the T&C on sign-up of the original company.
If one of these 3 is not covered I imagine companies should purge data if the business closes. Option 2 would be good for companies that are looking for a cash bump on the way out.
At a financial level I see a bunch of people with lists in the tens of thousands and they are surprised how little it is worth. To earn a western-level income from a contact list you'd likely need a hundred thousand plus contacts, assuming a typical consumer audience and reasonable response rates. Lists are worth significantly more for specific hard-to-reach groups like CTOs or surgeons etc. For me these would be 15x what I pay against a standard consumer list, as a massive generalisation.
Funny, it gave me the impression that I was the first to say no and that most people would gladly sell off people's privacy for a buck. Sad.
Many users have a different email for each service, for example username+yourservice@gmail.com (Gmail will ignore the '+' and whatever is between it and the @), so you get busted.
I had a few people contact me and offer rather significant money for the info (in total over $10K) if I'd quietly sell them a copy before I deleted it - pretty disappointing to me that they thought I'd do that.
Google skip tracer, or skip tracer database, to see how much info is collected and sold, and that is just for one micro industry.
Everything is sold, everything. Maybe that mom and pop store is not selling your data, but that other mom and pop one is. And the bigger players certainly are.
With that said, this issue recently came up with Radio Shack and how they were planning to sell off their customer data.
Someone else gets their marketing message out to his list, but doesn't get his emails.
One possible defense is to use an open inbox, publicly available. Perhaps?