By Jane Wakefield
A fewer months ago, I received a transportation for a communicative - thing antithetic there, arsenic I americium a writer and person a batch of pitches - but what acceptable this 1 speech was the communicative thought arrived arsenic a flurry of WhatsApp messages.
And I was surprised, arsenic I've ne'er been approached by a alien via the messaging app before.
I recovered it antithetic and a spot invasive, truthful I asked the idiosyncratic sending the messages however they had obtained my telephone number.
She said she had bought it, she said, from a institution called RocketReach, which, connected its website, promises users tin "get email and nonstop dial for immoderate professional" via their service.
This was the archetypal I had heard of what turns retired to beryllium the somewhat opaque, if lucrative, satellite of interaction selling.
US companies that cod and monetise idiosyncratic information are connected the rise.
It is scraped, they claim, from nationalist sources, specified arsenic Twitter and LinkedIn, arsenic good arsenic corporate, media, and radical and telephone directory websites.
So I thought I would bash immoderate web scraping of my own, recovered RocketReach main enforcement Scott Kim connected LinkedIn and sent him a message.
He instantly agreed to region my idiosyncratic information - but uncovering retired however it came to beryllium determination successful the archetypal spot turned into thing of a mission.
At first, I was told it was intolerable to hint the source, due to the fact that my telephone fig had present been deleted.
But Robert Romain, of privateness run radical Noyb, told me: "You cannot conscionable reply the idiosyncratic having their information processed by telling them that their information were deleted and unreal that the occupation disappears."
And erstwhile I told Mr Kim I planned to constitute a communicative astir my attempts to way the integer footprint of my ain telephone number, I received a somewhat antithetic reply to my questions.
The RocketReach effect was marked "Not for publication," truthful I americium not going to punctuation it directly, but the institution fundamentally said it had reverse-engineered my illustration and decided it was astir apt obtained done my Twitter feed, via a work it uses called Pipl.
So I instantly contacted Pipl main enforcement Matthew Hertz, who replied, precise succinctly: "The root of the information appears to beryllium Sync.me."
Sync.me is simply a nationalist telephone-directory service, which I past reached retired to via a signifier connected its website.
"We person checked our records and your details bash not look successful our service," Sync.me replied.
"We whitethorn person mistakenly identified your fig successful the past arsenic a telephone fig of a business.
"However, since we applied GDPR [General Data Protection Regulation] regulations, we removed specified numbers from our service."
Mystery solved, I conjecture - but what is little wide is whether it was lawful for RocketReach to merchantability my telephone number, particularly if it had been gathered from a pre-GDPR database.
RocketReach said it was committed to protecting privateness and keeping information unafraid and complied with its obligations nether the law.
And Pipl told BBC News: "We respect your and others' close to privacy.
"The accusation was recovered successful a nationalist root and hence was not treated arsenic backstage information.
"Even though arsenic a non-EU company, GDPR does not use to us, we recognize the imaginable sensitivity of idiosyncratic accusation and let you oregon anyone to removed accusation astir themselves."
The General Data Protection Regulation is simply a monolithic portion of European authorities intended to manus backmost power to users successful an property erstwhile information has go a commodity.
Similar rules present beryllium successful post-Brexit Britain.
And they use conscionable arsenic overmuch to information that has been gathered from the nationalist domain.
"Saying the information is publically accessed is not bully enough," Mr Romain says, "just due to the fact that you enactment your telephone fig connected a website doesn't mean that you're OK for idiosyncratic to scrape it and enactment it connected a database to beryllium sold."
Rafi Azim-Khan, information privateness caput astatine the Pillsbury instrumentality firm, agrees.
"Even if institution 'A' has ineligible grounds to process your idiosyncratic data, that doesn't doesn't mean that institution 'B' oregon 'C' does," helium says.
"There is simply a daisy concatenation of information being passed on and each concern becomes a abstracted ineligible controller nether the law.
"If a concern got clasp of your details and allowed others to interaction you successful a mode you didn't privation to beryllium contacted, that begs the question - is that concern compliant with GDPR?"
The UK's Information Commissioner's Office suggested I marque an authoritative complaint, which I did.
Meanwhile, it said: "In the lawsuit of information matching and web scraping, data-protection instrumentality does not halt you processing publically disposable idiosyncratic information - but you indispensable bash it successful compliance with the law.
"For example, if you scrape publicly-available idiosyncratic information from social-media profiles, you go the controller for that data.
"You truthful request to guarantee you comply with data-protection requirements, including having a lawful ground for processing and providing privateness accusation to individuals."
US-based companies indispensable person what is called an Article 27 typical successful Europe if they are processing European data, idiosyncratic regulators tin woody with if determination is simply a information breach oregon different issue.
But Pipl told BBC News it did not person one.
The Luxembourg data-protection authorization ruled that Noyb's ailment against RocketReach, and a akin company, Apollo was unfounded, successful portion due to the fact that they did not person this constituent of contact, truthful the lawsuit could not beryllium pursued.
Data-protection advisor Dyann Heward-Mills says this is simply a somewhat ridiculous catch-22.
"They were saying we don't deliberation what these firms are doing is close - but we can't enactment due to the fact that they don't person the contact," she says.
Companies volition often person a "legitimate concern interest" successful utilizing individual's information - but they indispensable equilibrium this with the rights of individuals, who decidedly person a "right to know" however the accusation was acquired, Ms Heward-Mills says.
Newcastle University instrumentality prof Lilian Edwards says the illustration highlights immoderate of the challenges of GDPR.
"There's nary existent mode to enforce GDPR extracurricular of the EU, either accusation rights oregon erasure rights," she says.
"In the US, what truly works is copyright takedown notices - but your telephone fig isn't copyright.
"It truly points up the differences betwixt our systems."
Ms Heward-Mills, though, is much optimistic enactment is coming.
"Scraping information to illustration an idiosyncratic is thing that European regulators are coming down precise hard on," she says.
"There is decidedly a lawsuit to answer."
As for me, I consciousness nary the wiser and americium besides wondering if I americium entitled to immoderate of the wealth gained from selling my telephone number.
But that question has truthful acold gone unanswered by RocketReach.