@amrith I purchase the lists from conferences, meetups, web services and other profit-driven data collectors willing to sell them.
@amrith @bitfalls So, uh, you have an online list of emails that have been sold without the owners' permission, while you're actually purchasing emails without people's permission yourself? :D
And you're even buying said emails if people end up on the list. You presumably don't use the emails for anything, but I think the service is contradictory in a way.
EDIT: Thanks for the elaboration below, makes sense!
@amrith @martinsanton I buy them because I'm sick of spam and because I want to out the data brokers and original sellers and put a stop to spam. I'm not sure what I can say about the service being contradictory, but given that there's not even analytics code on the page and the app itself is open source (just polishing some stuff up, will announce and add links in the coming few days), I think most people will find less of an issue with this app than with most email collecting apps. We'll see.
@amrith @martinsanton @bitfalls a lot like Thanos :D
@amrith @bitfalls Thanks for elaboration, makes sense!
@helloanselm How would one get the DPA from Google?
@bitfalls I’m not entirely sure. One way would be to contact their privacy support team https://support.google.com/policies/troubleshooter/7575787?hl=en or the design team who’s making the site https://fonts.google.com/about or view this issue about GDPR compliance https://github.com/google/fonts/issues/1495. There’s also https://privacy.google.com/businesses/compliance/?hl=en#?modal_active=none but none of that directly offers a DPA.
There’s also the option to self-host the fonts which is then completely fine.
@helloanselm yes, due to these complications I also opted to self host the fonts
How do you get that kind of information?
@languages_ai I purchase the lists from conferences, meetups, web services and other profit-driven data collectors willing to sell them. I get offered this data because I run bitfalls.com and coinvendor.io. I imagine a lot of other more popular online portals do too, and that's how you end up on newsletters you had no idea you were a part of.
"Step 5: Use a new trap email for every service you sign up for": trap email addresses sound like a great idea! But it is quite inconvenient to set one up for every service we sign up for... it would be great if there was a LastPass kind of extension out there that automates the process once you are in the sign up form and creates a new address with your provider right away on the spot.
@marcbc I guess I should explain better - they are automatic! You just type them out as you wish, you don't have to set anything up. Because you have a catch-all address, ALL addresses on your domain are valid, so even sldfhlsdhfdkjshjksdhf@mydomain is OK. That's why you set up a filter to delete all except, for example, email@example.com and firstname.lastname@example.org, and all that begin with trap-*, but auto-delete all others. That way it's all automatic and instant for you.
@bitfalls ahhh! got you :) I didn't connect the dots there... makes sense now. Thanks! :)
@marcbc @mydomain @bitfalls If you're saddled with Gmail, you can also use email@example.com as a trap. The mail still gets to you but you can see who's using your address. Very few services validate against this approach.
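The catch-all filter described in the replies above, as an added example that is not part of the thread or of the app's code: it keeps named inboxes and `trap-*` addresses, drops every other catch-all recipient, and flags traps that receive mail from an unrelated sender. The domain, addresses and sample messages are constructed placeholders, and matching the trap tag against the sender's domain labels is an assumed heuristic.

```python
from email.utils import parseaddr

DOMAIN = "mydomain.example"        # assumed catch-all domain (placeholder)
KEEP = {"me@mydomain.example"}     # assumed real inboxes that are always kept
TRAP_PREFIX = "trap-"              # prefix used in the thread: trap-*

def classify(rcpt):
    """Return ('keep', None), ('trap', service) or ('delete', None)."""
    addr = parseaddr(rcpt)[1].lower()
    local, _, domain = addr.rpartition("@")
    if domain != DOMAIN:
        return ("delete", None)
    if addr in KEEP:
        return ("keep", None)
    if local.startswith(TRAP_PREFIX) and len(local) > len(TRAP_PREFIX):
        return ("trap", local[len(TRAP_PREFIX):])
    return ("delete", None)        # random catch-all guesses are dropped

def leaked_traps(messages):
    """Map each trap's service tag to sender domains that do not contain it."""
    leaks = {}
    for rcpt, sender in messages:
        verdict, service = classify(rcpt)
        if verdict != "trap":
            continue
        sender_domain = parseaddr(sender)[1].lower().rpartition("@")[2]
        # Heuristic (assumption): a trap is handed to one service only, so a
        # sender whose domain lacks that tag is a lead to review, not proof.
        if service not in sender_domain.split("."):
            leaks.setdefault(service, set()).add(sender_domain)
    return leaks

# Constructed sample traffic: (recipient, From header)
SAMPLE = [
    ("trap-acme@mydomain.example", "news@mail.acme.example"),
    ("Trap-Acme@mydomain.example", "Deals <offers@bulkmailer.example>"),
    ("sldfhlsdhf@mydomain.example", "x@spam.example"),
    ("me@mydomain.example", "friend@example.org"),
    ("trap-shop@mydomain.example", "orders@shop.example"),
]

if __name__ == "__main__":
    for service, senders in leaked_traps(SAMPLE).items():
        print(f"trap-{service} is receiving mail from: {sorted(senders)}")
```

Services that send through a third-party mail provider will also show up here, so each flagged sender needs a manual look before it is treated as evidence of a sale.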
Might also be worth checking if you've been pwned (i.e. your account passwords have leaked)
@rrhoover good call 😂
Great job!! 😊 Very useful to check our personal info?
@ayush_chandra Did you find yourself in the lists? If so, anything you'd change?
I use firstname.lastname@example.org for every service I sign up to. Could it be added that I can search all of those? You can do this on G Suite and Gmail (which also ignores dots for gmail.com).
@domain @andreasbackx I guess. Have to think of how to get around an attack vector that's potentially privacy sensitive and you end up being able to search other people's stuff. Some proof of domain ownership would be enough I suppose
Great idea and nice execution @bitfalls. Signed up for alerts. Thank you!
@larrykokoszka thank you!
Give us your email so we can help against those others that use your email.....
Almost got me.
@androidlove You vastly overestimate the value of your context-less email
From your bio, you are involved with Diffbot. Seems like diffbot is selling access to a pretty massive database of people https://www.diffbot.com/knowledge-graph/
How is that consistent with this project?
The tagline for Diffbot's knowledge graph product is:
The world's largest, most accurate database of people and companies
In that page it also states:
Each person has up to 90+ data attributes. Diffbot's records are the most diverse and comprehensive by merging data from person and professional social profiles, resumes, personal websites, biographies and more.
@cliffm35511967 I would also like a response to this.
@cliffm35511967 There is no affiliation whatsoever and the KG database does not contain people's emails at all.
@bitfalls I get that there is no affiliation (in the sense that this is not a diffbot product), but these two projects do seem to be at odds with each other. That is why I asked you.
"KG database does not contain people's emails at all."
Is that true? I definitely remember the ability to get emails when I saw a demo a few months back (I might still have some screenshots to show you what I'm talking about).
Also, in this project you are talking about reporting GDPR-violators. GDPR doesn't just protect email information. I'm not 100% sure here, but I think this quote from the Diffbot knowledge graph might be a strong indication that KG is a GDPR violator:
"Each person has up to 90+ data attributes. Diffbot's records are the most diverse and comprehensive by merging data from person and professional *social profiles, resumes, personal websites, biographies and more.*"
@cliffm35511967 At odds? How so?
I can tell you that in KG the only data sourced is the data that's publicly available, there's just aggregation happening just like with something like Google. And just like with Google, you have the right to be erased with KG too. But I would recommend talking to email@example.com for further clarification on those issues and any DPA you'd need signed.
@bitfalls With this website you just launched you are saying you are tired of getting unsolicited emails and want to crack down on people whose business might involve selling a dataset that includes information about you, even though you didn't consent to it.
The Knowledge Graph product by Diffbot is being sold under the tagline of "The world's largest, most accurate database of people and companies". And one of the main value props is:
"Say sayonara to manual list building. Diffbot's faceted search enables you to craft queries like: Software Engineers with machine learning and computer vision skills"
Don't you think this could be seen as selling people's information (which they did not actively consent to), to facilitate list building in order to send unsolicited emails?
Also, in the current KG product, when you are in a person's profile there is a button saying "Lookup Contact Info" which, when you click on it, gives you the email of that person.
@cliffm35511967 I can guarantee that KG does not expose data that is not publicly available, including emails. If you put an email address in your Github bio, that'll get sourced as the email address, etc. KG is, in effect, a high quality paid search engine of public data and in this regard the two services are not at odds in my opinion.
@bitfalls "I can guarantee that KG does not expose data that is not publicly available, including emails"
I don't think this is true. I just asked a friend who has access to KG to press the "Lookup Contact Info" on a number of profiles and it is indeed exposing contact information that is not publicly available. My guess is that you guys are doing guess + check (via SMTP and other methods) to get the emails (in addition to scraping personal websites, github, etc). It seems like you are aggregating this information at a large scale and selling it to companies. I invite you to prove me wrong about this.
If you read GDPR more closely, I think you will realize that there is a very reasonable chance that KG by diffbot is not compliant.
I just thought it was a bit weird for you to make this project given your association with diffbot's KG. In my view, it's rather hard to argue that diffbot's Knowledge Graph is not at odds with the motives you state for this project you just released. KG is a database of company and personal information (as clearly stated in its website). Diffbot makes money by selling access to that data, without active consent by the people in that dataset.
In this case it definitely seems like you should do the same and contact some of your colleagues to get more information about KG. In fact, you are in a much better position to do so than me. In addition, I think the right thing to do would be to better explain KG here, since you decided to launch this other project on PH.
You were making very assertive statements and it sounds like you don't have the full picture. For instance, you said:
"KG database does not contain people's emails at all"
You can very easily realize this is not true by just spending a few minutes playing with KG. You are indeed able to get contact information of people that is not public by just pressing a "Lookup Contact Info" button. I invite you to try it out.
@bitfalls Looks like you just deleted a couple of replies:
In one of them you posted a screenshot (https://imgur.com/a/g8Gd2Pe) where you were saying that you had tried to get an email via KG and it didn't return one.
I'm starting to get more suspicious Bruno. I just asked somebody with access to KG to try to get emails from a few contacts and they sent me a bunch of screenshots with emails. Here is an example: https://i.imgur.com/jSJayxs.png
If I didn't happen to know somebody with access to KG I might have given up a while ago after you said things like: "KG database does not contain people's emails at all". I was willing to give you the benefit of the doubt, but at this point I have reason to doubt your intentions.
Which API is being used to check the email? :) Thanks!
@naveenkumar Haveibeensold.app's API :)
@bitfalls Is it public? May I use it in my app? :)
@naveenkumar It's not really intended for that, but I can open it up for you if the use case is valid. Feel free to get in touch with more info via firstname.lastname@example.org and we can discuss.
@bitfalls Thanks. Thought of creating an app for Echo users :)
Interesting concept. I get emails all the time asking me to purchase email addresses of the users of XYZ product. What I'm more interested in is how to opt out of all these lists. Lists that I'm not even aware of that I'm currently a part of.
Is there a way to do something about it? This user information selling has become an industry in itself. Websites like DiscoverOrg, Zoominfo etc.
@with_farhan You can report them as GDPR violators now, yes. They are guilty by default if they sold your info after May 25th 2018 without your permission. If you can prove they sold it (by using this tool or by using unique emails as described on the tool's homepage), they're done for.
@with_farhan Btw, please contact me about those lists they're offering you. I might be willing to take a look, depending on context.
Jesper N. Qvist
Just implement the Clearbit API and you see they sell your email across the web
@jesper_n_qvist Are you guys using clearbit for salestools.io?
Does your app offer any further steps for those whose emails got sold? All mine are green, so I can't tell.
@dmitrizzle Nothing specific, you're just given the source of the data and the source of the list, and any action you take based on that is up to you. There's not much we could do, specifically, unless you have some ideas?
Was keen to check this out but the questions raised by other commenters have really given me pause for concern. It's a no from me dawg.
@taitems Same here.
So basically a way to find companies to report to your local GDPR watchdog?