Selling Other People's Identities

joeflies writes "The San Francisco Chronicle has an extensive article on the controversial site Jigsaw, which makes it easy to sell other people's identity information. Jigsaw encourages people to collect business cards and email signature blocks, which is compiled together into a searchable database. Participants earn points towards their own searches or earn money. Is this exactly what Scott McNealy meant when he said electronic privacy is dead?"

It's easy...

[Anonymous Coward]

...conduct a concerted effort to steal the identy of jigsaw's CEO (Jim Fowler), then use that identity to sink his company.

Is it really?

[TVAFR]

Since this business contact information, be it on business card or in email signature is already willfully given out by owner I think it is not "selling out people identity" strictly speaking. It is a kind of mining and aggregating public data.

The layers are going to love this one.

[threeofnine]

I am just waiting for the first law suit. This guy had better have some deep pockets, cause I am sure it will not be long before someone sues.

Very dangerous territory.

It is companies that should improve id checking!

[poliopteragriseoapte]

The scandal is not that people are selling and buying that kind of information. The scandal is that companies accept that kind of information as identification information.

The scandal is that anyone can pretend to be me by knowing my name, address, phone number, and social security number, and little more sometimes, but not always. NONE of those pieces of information was EVER meant to be secret. We have to write our social security number in zillion of places, our employers know it - nobody in his right mind could trust that as a piece of identification information!

Yet this is exactly what companies do, because they bear little of the cost, and there is no legislation that forces them to be more selective with what they accept as identification information (read with what little info one could access the phone record of Thomas Perkins).

And all the while, better tools for identifications are widely available. I could identify myself to my bank simply by sending them a PGP-signed email: all that this requires of me is to click on the "sign it" button in Thunderbird - and I get incredibly better security than monkeying around with SSNs.

Yes, people with PGP tend to have small webs of trust - but this is because of lack of legislation that requires better identification for transaction, and also, for lack of public services. In my city, want to tell the tree pruners that the city tree next to my house needs some pruning? There is a phone number and a very kind and helpful employee on the other end of the line. Want to get your PGP key signed by a city/county officer that checks your papers thoroughly? No hope. You have to somehow know someone who is connected enough to others that need PGP (package maintainers, for instance). Tree haestetics surely ranks higher than basic identity security, even though our nation is more and more based on remote transactions.

Our legislation, and public services, are late some 20 years regarding identity management. The scandal is that they are not brought up to date faster, not that some people are selling email footers that we send around for free.

Re:Private Business Cards

[wannabgeek]

It may be true if you're in some kind of sales job or something where you want all the people who are interested in it to contact you. I give out my business card only to people who I want to give my contact information to. It's just an easy way of giving out contact info, that's all. If there was an easier way of transferring my contact details - may be a single button press on bluetooth phone to phone transfer, I will do that instead.

Re:Well, it's a double-edged sword

[dan828]

And just like Wikipedia, the info has to be taken with a grain of salt. I just looked up my company on Jigsaw-- the only thing that they had correct was the name and phone number. Number of employees, industry, and everything else was wrong. The info would be entirely useless to anyone using it to try and make sales contacts. I have to think that the crap factor is pretty damned high for most of the data.

Re:Private Business Cards

[Sam Ritchie]

Is it Jigsaw's responsibility to police how people use their service?

Now answer again, pretending that Jigsaw is an ISP or a filesharing software developer.

Nothing but public information

[Riding Spinners]

Jigsaw [jigsaw.com] isn't putting up your grandmother's Social Security number, nor is it hosting pictures of you and your dog. All they host (and all they want) is business contact information. This isn't a violation of privacy... it's a boon for businesses to contact other businesses. It has no desire to be a Zabasearch [zabasearch.com] clone.

If the submitter had bothered to read the article, they would've seen this very important message:

Jigsaw wants only business information. The company won't take home addresses, cell phone numbers or e-mail addresses from Gmail, AOL, Yahoo or other domains that are not identifiable business e-mails. "Jigsaw doesn't touch non-business information with a 10-foot pole..."

So there you go. Someone decides to conglomerate the information any moron can find in a "Contact" page on a corporate Web site, and the privacy nuts freak out — despite the fact that it has nothing to do with privacy. I love how some people commented about creating fake identites and submitting them. Well, unless Mr. John Doe has his own domain and business license, I don't think that fake info will do any good!

Perhaps CowboyNeal [cowboyneal.org] needs to see a psychiatrist about his manic-depressive and schizophrenic paranoia disorders. At the very least, he should apologize to Jigsaw (if not to all of Slashdot).

How I discovered Jigsaw.

[Hovsep]

I received an e-mail one day from someone selling a how-to book. The advertisement had a plug for Jigsaw at the bottom citing it as the source, so I decided to check this out. The e-mail address it came to was one that I'd given only to HP for their reseller program. The address and other info Jigsaw had about me matched the mailing address I'd given HP, which was pretty new at the time and I'd only given it HP. I guess someone at HP decided to earn Jigsaw points by stealing HP's list.

I had no luck contacting Jigsaw or deleting my information from their site via their form, but I did complain about this to HP. HP contacted me the next day and appologized for letting this happen. Shortly thereafter my information from Jigsaw was removed.

I've also caught several other companies that promise to not share my contact information using the same method. It's pretty effective and I just redirect those stolen addresses to /dev/null. I just won't do business with them anymore.

Jigsaw may claim that their information is only from sources like business cards that are handed out, but I can say for certain in my case that they just got a stolen customer list. They have no way of assuring that the data comes from legal sources like business cards. I see lawsuits in their future as they get more publicity like this. "We didn't know it was stolen" is not an acceptable excuse.

Trading people's identities is legal ...

[golodh]

For better or worse, trading people's identity information is legal.

There is no sense in complaining about it since the whole US legal system happens to be designed to protect people's freedoms (such as the one to trade other people's identity information) from the snap judgement of their fellow man, especially when those freedoms are unpopular. And as we all know it's common business practice to disregard most "moral" considerations in the pursuit of revenues. Of course there is always the possibility of those revenues being affected by the backlash of being unpopular, but the decision criterion is always revenue, never morals or ethics. So impopularity only works if the backlash is large enough and inescapable enough. And that only for as long as the costs outweigh the benefits.

Which it probably won't be of course ... there are far too many issues clamouring for everyone's attention to guarantee that anyone who doesn't devote his whole spare time (or even his whole life) to being angry and upset about this or that abuse or scandal just won't have the time to much of an effective force. A handful of grumblers won't matter, but one powerful grumbler does. From the article it's interesting to see that when an individual complains to this company to have his own information removed, he is ignored. When HP complains, the information is taken down pronto. A clear case of cost-benefit tradeoff: an individual's ire (he hasn't got rights, but he might make a nuisance of himself) doesn't count for much. A large company's ire (they don't have any rights either, but they can afford a battery of lawyers to make life difficult for you) is something to be taken very seriously. Elementary economics.

Therefore, as I see it, new legislation is the only way to stop this sort of thing. Personally I would be in favour of legislation stating that you and you alone "own" your identity data, and that no-one (especially no companies) may hold or store any piece of it without your permission, and that they are obliged by law to fully disclose all information they hold on you upon first request, and that they are obligated to allow you to correct any information they hold on you, say within 20 business days. All of this enforceable on pain of say a 1000$ fine per case.

That would be too bad for companies that make a living from trading information, but I happen to rank my privacy over their survival and I wouldn't mind seeing them go.

The point is of course that the majority doesn't seem to support any such law. So unless there is enough political will to enact some legislation to protect our identity information from being sold it's no use grumbling. Unless you manage to grumble loudly enough to make an impact of course.

Re:Private Business Cards

[AngryNick]

What is to stop users from uploading information they've obtained by other means?

You mean from phonebooks, mailboxes, and tombstones? I assume they go by a stringent code of honor.

I fully support a person's right to limit the distribution of his contact info, however, my email sig and business cards are no longer mine when I publish them or give them away. It sucks that someone I don't know can send me an email or call me, but that's what I get for living in the world today.

Perhaps people could copyright and/or trademark their contact info so they can claim infringment when sites like Jigsaw publish them without permission.

-- AngryNick(TM), a product of AngryNick Identities LLC. Signature content (c)2006, AngryNick Identities LLC. All rights reserved. No part of this signature line may be reproduced, distributed, or otherwise used without express written permission from AngryNick Indentities LLC.