Selling Other People's Identities

joeflies writes "The San Francisco Chronicle has an extensive article on the controversial site Jigsaw, which makes it easy to sell other people's identity information. Jigsaw encourages people to collect business cards and email signature blocks, which is compiled together into a searchable database. Participants earn points towards their own searches or earn money. Is this exactly what Scott McNealy meant when he said electronic privacy is dead?"

Private Business Cards

Can business cards be classed as private? Surely the idea of giving them out is so they get spread far and wide?

Re:Private Business Cards

Is it Jigsaw's responsibility to police how people use their service?

Now answer again, pretending that Jigsaw is an ISP or a filesharing software developer.

Re:Private Business Cards

Actually, now that I've read TFA (gauche, I know), the CEO is quoted as saying "Jigsaw doesn't touch non-business information with a 10-foot pole", lists examples of the type of information not accepted, and relates a circumstance in which inappropriate information was removed. So, yes.

Re:Private Business Cards

It may be true if you're in some kind of sales job or something where you want all the people who are interested in it to contact you. I give out my business card only to people who I want to give my contact information to. It's just an easy way of giving out contact info, that's all. If there was an easier way of transferring my contact details - may be a single button press on bluetooth phone to phone transfer, I will do that instead.

Nothing but public information

Jigsaw [jigsaw.com] isn't putting up your grandmother's Social Security number, nor is it hosting pictures of you and your dog. All they host (and all they want) is business contact information. This isn't a violation of privacy... it's a boon for businesses to contact other businesses. It has no desire to be a Zabasearch [zabasearch.com] clone.

If the submitter had bothered to read the article, they would've seen this very important message:

Jigsaw wants only business information. The company won't take home addresses, cell phone numbers or e-mail addresses from Gmail, AOL, Yahoo or other domains that are not identifiable business e-mails. "Jigsaw doesn't touch non-business information with a 10-foot pole..."

So there you go. Someone decides to conglomerate the information any moron can find in a "Contact" page on a corporate Web site, and the privacy nuts freak out — despite the fact that it has nothing to do with privacy. I love how some people commented about creating fake identites and submitting them. Well, unless Mr. John Doe has his own domain and business license, I don't think that fake info will do any good!

Perhaps CowboyNeal [cowboyneal.org] needs to see a psychiatrist about his manic-depressive and schizophrenic paranoia disorders. At the very least, he should apologize to Jigsaw (if not to all of Slashdot).

It's easy...

...conduct a concerted effort to steal the identy of jigsaw's CEO (Jim Fowler), then use that identity to sink his company.

Is it really?

Since this business contact information, be it on business card or in email signature is already willfully given out by owner I think it is not "selling out people identity" strictly speaking. It is a kind of mining and aggregating public data.

Re:Is it really?

Business cards are handed out by people to put their contact information out there for potential future business partners.

Talk for yourself, don#t talk for others.

Currently I run my own business, and I indeed give out business cards for the reason you mention. A couple of years ago however, I was a systems engineer for a huge IT company, and whenever I gave a business card to someone it was because of that specific individual having a need to contact me and me approving of him contacting me.

The morale of the story is that what you happen to do is first of all not representative, and second, might change over time.

A business card as such is copyrighted both in its design and its content. Taking that content and copying it is a violation of my copyright on my card, and you cannot do that without my permission.

The layers are going to love this one.

I am just waiting for the first law suit. This guy had better have some deep pockets, cause I am sure it will not be long before someone sues.

Very dangerous territory.

My secret identity is for sale???

Better stop handing out those Daily Planet business cards.

--Superman

Collaborative privacy destruction?

Wow, that's messed up.

Well, it's a double-edged sword

Fowler, the CEO of Jigsaw, is quoted as making an interesting comparison in the article. He likens Jigsaw to Wikipedia in so much as Jigsaw is a user-supported advertisment database, like Wikipedia is a user-supported encyclopedia.

What he fails to realize is just how far this user-supportedness can go. Just like with Wikipedia, I imagine that Jigsaw will be hounded by vandals and the like, dumping loads and loads of false information into Jigsaw's database.

Moreover, since Jigsaw is going against basic principles of privacy, I can imagine that we're going to see a lot more problems than with Wikipedia from "vigilante vandals".

Very extensive article.

For anyone who hasn't RTFA yet, go do it now. The summary is a mess of paranoia, and, while there might be something to actually worry about with Jigsaw, TFA does a great job of showing how it works and what exactly could and could not happen. The creator likens Jigsaw to Wikipedia--and it's a pretty good comparison, in that both rely solely on users to edit and maintain information. No, Wikipedia doesn't aid in identity theft--separate issue entirely. Depending on how stupid your average Jigsaw user is, it could be a great tool or a dangerous advantage.

Given how stupid your average human is, though, there isn't much hope for the former.

Re:Very extensive article.

For anyone who hasn't RTFA yet, go do it now. The summary is a mess...

You must be new here. You've just described every summary ever created on Slashdot.

Contact information != identities

As posters already pointed out, there are no such things as private business cards. Besides, your local library probably has access to ReferenceUSA [google.com], which is a compendium of Personal and Business information extraordinaire. Opinion: overreaction.

Make money fast!

Sell your soul! Hell, sell someone else's soul! We don't care! We at evilpeople.com, we will buy souls wholseale!

Jigsaw? oh no!

Hello $FetchFirstNameFromIP, would you like to play a game?

The chickens have come back home to roost

To quote Kosh from Babylon 5, "And so it begins."

For ages, these same poor put upon privacy-deprived businesses have been pirating our personal information and trading it around.

Now it has come back home to bite them on the butt.

Maybe now we'll see them use their lobbyists to buy some privacy laws. Then everyone will want to participate in those protections. Hmmmmmm. Good idea, Jigsaw!

It is companies that should improve id checking!

The scandal is not that people are selling and buying that kind of information. The scandal is that companies accept that kind of information as identification information.

The scandal is that anyone can pretend to be me by knowing my name, address, phone number, and social security number, and little more sometimes, but not always. NONE of those pieces of information was EVER meant to be secret. We have to write our social security number in zillion of places, our employers know it - nobody in his right mind could trust that as a piece of identification information!

Yet this is exactly what companies do, because they bear little of the cost, and there is no legislation that forces them to be more selective with what they accept as identification information (read with what little info one could access the phone record of Thomas Perkins).

And all the while, better tools for identifications are widely available. I could identify myself to my bank simply by sending them a PGP-signed email: all that this requires of me is to click on the "sign it" button in Thunderbird - and I get incredibly better security than monkeying around with SSNs.

Yes, people with PGP tend to have small webs of trust - but this is because of lack of legislation that requires better identification for transaction, and also, for lack of public services. In my city, want to tell the tree pruners that the city tree next to my house needs some pruning? There is a phone number and a very kind and helpful employee on the other end of the line. Want to get your PGP key signed by a city/county officer that checks your papers thoroughly? No hope. You have to somehow know someone who is connected enough to others that need PGP (package maintainers, for instance). Tree haestetics surely ranks higher than basic identity security, even though our nation is more and more based on remote transactions.

Our legislation, and public services, are late some 20 years regarding identity management. The scandal is that they are not brought up to date faster, not that some people are selling email footers that we send around for free.

Jim Fowler sightings

Post your Jim Fowler sightings here!

• Picture of Jim Fowler with girls in bar [flickr.com].

Sign up now! Win valuable prices!

Sign up for my, euh, newsletter! Win valuable multi dollar prices!
(Winners must collect their price at our central office in North-Siberia. Offer void in your area.)

To apply fill in this form:
Full name:
Adress:
Phone number:
Email adress:
Job title:
Name of Company:
Adress:
Phone number:
Religion:
gender:
Ethnicy:
Shoe size:
Blood type:
Sexual prefences:
Fetish preferences:
favorite color underpants:
Disorders (list not more than 4):
Genetic defects:
Credit cards owned (name, number, end date and security number):
Social security number:
Ilegal weapons owned:
List of people you don't want to see recieving this information:
Amount willing to spend monthly to assure this wouldn't happen:
How often do you cheat your wife/husband:
List the last 5 people you cheated with (include adress and phone number):
Likelyness your wife/husband would use violence against formentioned people:
Do these people know of your wife/husbands violent nature yet?
Other information that could lead to blackmail:

Thank you for cooperating.

Note: We will not share your information with thirth parties. In fact we don't share at all. Information could be sold to highest bidder (and probably will). Highest bidder might be a maffia member, however we of RipYouOffOnline(TM) can't be held responsible for violence as a result of not following your end of the blackmail.

Do I have to have a subject?

The title given to this section is misleading. My ID was stolen when I was 18, and I've lived the last seven years of my life as the victim of ID theft. Business information is not selling identities. Selling my driver's license number, social, etc., would be.

Although annoying, truthfully this guy isn't doing anything wrong and it seems he's compiling a database of business contact information accessible via a paid subscription or by adding business contact info. Only if he allowed personal or home information would this be wrong.

I always get this odd sens eo fpride at how much goes on in my own back yard, and it reminds me of part of the reason I love living in Silicon Valley and the Bay Area.

For my needs...

For my needs, I don't steal identities, I make [fakenamegenerator.com] them. :-)

Probably would be illegal in the UK

Quite a few times I've thought, wouldn't it be nice if America had the same data privacy laws... this is a good example of why they're needed.

In the UK a database of personally-identifiable information automatically needs permission from every single individual concerned, unless it's exempt for some reason. Even if it is exempt the data can only be kept for the purpose it was collected for, and not shared. Once it's no longer needed it has to be destroyed.

It's a good example of putting individual rights before business interests. Not something the USA excels at...

Don't count on it :-(

Our data protection laws in the UK aren't nearly as powerful as you (and most people) think, unfortunately, and while I think our current Information Commissioner is a pretty good guy, he can only protect our privacy with the powers he's given in law.

For example, take a look at the kind of data Transport for London have (or at least used to have) in their data protection entry, and tell me it's really all needed to meet the business requirements of that organisation.

Moreover, the number of exemptions is pretty staggering. Why are credit reference agencies permitted to keep vast amounts of personal data about me without my consent? (Don't tell me it's those signs at the shop counters; I read the small print, and I've read my credit report, and the two are not related in any meaningful way.) The last time I dealt with a credit reference agency (to clean up someone else's mistake that was black-marking my record incorrectly) I discovered that there were, quite literally, more inaccurate entries in my record than accurate ones. After waiting on hold for more than half an hour to speak to someone about them, I was asked after about five minutes "whether it really mattered", since "it's after 6pm and I'm supposed to be going home now". Seriously, that's what they told me, after a half-hour on hold, when the records they had on me that could directly affect my ability to get a mortgage or something were written in someone's dreamland.

Other legal powers aren't as great as you might expect, either. For one thing, while you can normally get bad information corrected, if you just don't want someone to store your personal information any more, you can't make them stop, as long as they're registered for that purpose. Take Amazon, for example. I bought from them using a credit card for the first time not so long ago. After going through the usual signing-up process and completing my order, I discovered that they are now keeping my credit card number on-file, and will use it any time someone makes an order from them using my login and password (which they control), without any further attempt to confirm my identity or intent to make that transaction. Can I make them drop that number from their database and opt to re-enter it every time I make a purchase instead? Take a guess. And this in a world where thousands of people's credit card numbers or other personal details have been "misplaced" by large businesses in the past year alone, and in a country where the law does not currently require a company making such mistakes to disclose them publicly or to pay any particularly heavy fines for doing so.

So while I agree we have better data protection laws than many, I think we have a long way to go before our data is protected as well as it should be.

How Prescient!

"Is this exactly what Scott McNealy meant when he said electronic privacy is dead?"

Yes. This is exactly what he meant.
After leaving his job as CEO of Sun, McNealy went on to found Jigsaw.

Speaking of privacy..

Speaking of privacy, theres a much better way to talk online with people we already know and trust.Grupus [grupus.com]

Dunno..

Good. I see the connection: Scott McNealy is from Sun, Sun produced java, and Jigsaw [w3.org] was written in java. Glad there's no namespace confusion here.

There is no excuse for this not being opt in

They have the contact details by definition, so there's no reason they couldn't be contacting people and asking permission put them in the database.

Banned in the UK

This site would be illegal in the UK, thanks to the Data Protection Act - the data is obtained unfairly, it does not keep the data secure, it does not have safeguards for accuracy, the data is being used for purposes not disclosed to the data subject, etc.

If anyone wants to call this article an overreaction, reply with your real name, full address, telephone number, and employer. Or shut up.

How I discovered Jigsaw.

I received an e-mail one day from someone selling a how-to book. The advertisement had a plug for Jigsaw at the bottom citing it as the source, so I decided to check this out. The e-mail address it came to was one that I'd given only to HP for their reseller program. The address and other info Jigsaw had about me matched the mailing address I'd given HP, which was pretty new at the time and I'd only given it HP. I guess someone at HP decided to earn Jigsaw points by stealing HP's list.

I had no luck contacting Jigsaw or deleting my information from their site via their form, but I did complain about this to HP. HP contacted me the next day and appologized for letting this happen. Shortly thereafter my information from Jigsaw was removed.

I've also caught several other companies that promise to not share my contact information using the same method. It's pretty effective and I just redirect those stolen addresses to /dev/null. I just won't do business with them anymore.

Jigsaw may claim that their information is only from sources like business cards that are handed out, but I can say for certain in my case that they just got a stolen customer list. They have no way of assuring that the data comes from legal sources like business cards. I see lawsuits in their future as they get more publicity like this. "We didn't know it was stolen" is not an acceptable excuse.

Trading people's identities is legal ...

For better or worse, trading people's identity information is legal.

There is no sense in complaining about it since the whole US legal system happens to be designed to protect people's freedoms (such as the one to trade other people's identity information) from the snap judgement of their fellow man, especially when those freedoms are unpopular. And as we all know it's common business practice to disregard most "moral" considerations in the pursuit of revenues. Of course there is always the possibility of those revenues being affected by the backlash of being unpopular, but the decision criterion is always revenue, never morals or ethics. So impopularity only works if the backlash is large enough and inescapable enough. And that only for as long as the costs outweigh the benefits.

Which it probably won't be of course ... there are far too many issues clamouring for everyone's attention to guarantee that anyone who doesn't devote his whole spare time (or even his whole life) to being angry and upset about this or that abuse or scandal just won't have the time to much of an effective force. A handful of grumblers won't matter, but one powerful grumbler does. From the article it's interesting to see that when an individual complains to this company to have his own information removed, he is ignored. When HP complains, the information is taken down pronto. A clear case of cost-benefit tradeoff: an individual's ire (he hasn't got rights, but he might make a nuisance of himself) doesn't count for much. A large company's ire (they don't have any rights either, but they can afford a battery of lawyers to make life difficult for you) is something to be taken very seriously. Elementary economics.

Therefore, as I see it, new legislation is the only way to stop this sort of thing. Personally I would be in favour of legislation stating that you and you alone "own" your identity data, and that no-one (especially no companies) may hold or store any piece of it without your permission, and that they are obliged by law to fully disclose all information they hold on you upon first request, and that they are obligated to allow you to correct any information they hold on you, say within 20 business days. All of this enforceable on pain of say a 1000$ fine per case.

That would be too bad for companies that make a living from trading information, but I happen to rank my privacy over their survival and I wouldn't mind seeing them go.

The point is of course that the majority doesn't seem to support any such law. So unless there is enough political will to enact some legislation to protect our identity information from being sold it's no use grumbling. Unless you manage to grumble loudly enough to make an impact of course.

Time to stock false IDs

I actually have a few business cards, email addresses and other tracking sources that would most likely cause you to search in all the wrong places for me. It was actually for a LARP, but then again, why not use it to cover tracks? If you can't avoid data being collected about you, just make sure the data is false.

Obligatory post linking TFA Seinfeld

Woman walks up to man with Russian accent sitting in black van: "I'd like to buy an identity" Man hops out of van, slides open side door, there's just a computer inside. He points at an Excel sheet: "Ahh, yes! I have maaaany identities for sale, veeery cheap! Look at this one, the Silkwood: Visa Classic, SI number, excellent credit rating! It fell off back of truck." Woman points to computer screen Excel sheet: "No, I want something more powerful. Hmmm... what about that one?" Man pushes her hand away: "That's the Commando 450, I don't sell that one. Now-" Woman: "That's what I want! I want the Commando 450!" Man: "Lady, that one is is too powerfull. Platinum Corporate Amex, it's used in the circus trade to buy elephants!" Woman: "I'll pay you (takes out wad of cash) this much for it!"

Come on slashdotters do something

Please slashdotters, dont sit there just posting to earn Karma points. Write a bot to fill Jigsaw with tons and tons of bogus information. Write a bot to collect info from Jigsaw, randomly mutate the data by breeding one business card with another and resubmit. N sets of genuine data can be used to breed N^2 corrupt data and reduce the signal/noise ratio. If you corrupt the data enough before the advertising takes off, may be you can nip it in the bud.

Wait, there was this link to people willing to solve Captchas for 50 cents an hour. Hire them to fill it with bogus info.

You can edit your own info

Personally I don't see this as the privacy invasion of the century. But all the same I hate having to talk to cold calling sales people and I figure the less of them that I hang up on the lower my chances of one of them having the balls to call back and complain to my boss about my rude behavior. So I went in and edited my contact info. E-mail address is now bogus and the phone number goes to local time and temperature. If by some chance someone wants to send me a letter that is OK with me. As an added bonus if you edit your own info no other user can edit afterwards. I don't use the service but you can edit your own record (or any record you can check the e-mail for) without signing up.

Very misleading title

This is first time I hear about usage of that type of identity theft (business card information).

After I read the article, I realized that it is mostly not about identity theft, but privacy. Not about "identity" information, but "contact" information. The original title of the article says nothing about identity theft. It does mention it in general terms in the text.

Very misleading title. What is wrong, BTW, of copying the original title, if you are not sure you understood the article? Right. The problem is the submitter is always supersure that he understands the article.

In short. The article describes just another spammers database of contact information. Not identity thieves. Spammers.

street tombolas in germany

in germany it is illegal to pass someones name,adress,phonenumber,etc on without his approval...

thats why there are always guys on the street asking people if they want to win this and that - they only have to answer the quiz question (like 2+2=4 or 60000000000000?) where the damn answer is somewhere on the pamphlet and if you don't know, then they tell you the answer BECAUSE they only want you to fill out the form (name, adress, phone number) and SIGN that you agree to the conditions of the tombola

the conditions are on the back side of the form, written in light gray in font size 0.1 and CLEARLY contain the condition that they are allowed to sell your personal data....

A simple solution to this

There's a simple response to Jigsaw: just spam the database with invalid entries. Go there and type in as many made-up entries as you can. Or, better yet, write a sript to do it for you with randomly-generated names. Make the data useless to them because it has so many incorrect entries. Granted, that would take a lot of entries, but an automated system could do it pretty easily.

If they can break the "social contract" of keeping business card information semi-private, then we are perfectly within our rights to break the expectation that we will enter valid information. What's good for the goose, hoist them with their own petard, etc.

Growing black market for stolen customer data

You are so right about the loss of privacy and the growing demand for sensitive customer data. In fact, Dark Reading just posted a comprehensive story on the black market for stolen data just last night: http://www.darkreading.com/document.asp?doc_id=103 198&WT.svl=news1_1 [darkreading.com] I was particularly surprised by the organization behind the criminals who buy the data, and the relatively low price they pay for it.

Personal Info Copyrights

When I publish some text, like this comment you're reading, it's copyright protected by me automatically. You cannot copy it outside of the transaction in which you're receiving it, except for explicitly limited "fair use" exceptions (like storing it for retrieval by the same recipient), and of course any expressly permitted uses stated by me, the copyright holder.

Personal info, including contact info, must be covered by the same kind of protection from copying. To legally protect the kind of discretion and confidentiality we're all familiar with as simply "good manners".

Corporate info is heavily protected by our current government. "Pirates" and "leakers" routinely get prosecuted, fined, even jailed. Humans are second-class citizens in the copyright regime. We need a new copyright law that protects us at least as much as the corporations producing merely commercial data.

Is Jigsaw Data following privacy standards?

Even though the company description of Jigsaw sounds nice and rewarding, other people have dramatically different opinions about what Jigsaw is doing.

Read More: http://techaddress.wordpress.com/2006/09/08/is-jig saw-data-following-privacy-standards/ [wordpress.com]

i 3 it...

I manage a 'sales' department for a HR agency, and this site is a recruiter's wet dream. Obviously this is no surprize, as such was the idea. I'm not sure if everyone knows (I imagine most people do) that its easy enough to get people's buisness contact info, even though most companies go through great lengths to hide the names of their employees from head hunters. The agency i work for, for example, has a databse of around 80k people. 80k is nothing compared to the ~4 million contacts already on that site, but the point is that recruitment agencies have been doing this for years - instead of buying contact info, they hire people to 'obtain' it. and instead of sharing that info w/ everyone, they each keep it in-house. Nothing revolutionary has been accomplished here, jigsaw has just opened up 'passive candidate sourcing' to the public (wiki-style) whereas it had previously been an isolated/privatized practice. Think of it this way: one recruitment agency has one database, another recruiter has another database, a 3rd agency has a 3rd database, etc etc...sure there might be some overlap (how much overlap would ofcourse depend on the agency's respective target industries) but all this information is already archived and searchable somewhere. Furthermore, the fact that jigsaw builds its database by 'buying' contact info is similarly meaningless. Recruitment agencies pay people to obtain contact info, jigsaw pays people to obtain contact info...the only difference is that jigsaw lets you do it 'freelance' lol.

Nothing new on this earth

It's called networking people. This same practice has been going on since the dawn of sales. A group of people with a similar customer base get together and share information to reduce their workload.

All over America, in Chambers of Commerce, Social Clubs and Grange Halls, people are gathering in the wee hours of the morning and trading your information. That's right folks, in PUBLIC! You thought your telcom guy was wonderful didn't you? Set up your whole office; you can even call your Shanghai office for next to nothing due to that nifty VOIP thing he hocked you. Well guess what: next Wednesday he's going to be handing out your contact information to his friends. Ever wondered why you always seem to get the most sales calls on Thursday? Now you know.

Obviously I'm being sarcastic; networking is part of the world. People are going to trade away your business information. Think about it: if a collegue of yours, someone you saw once a week every week, asked if you knew anyone at ABC Company, you'd give them that name. Now sure, you probably won't be giving them your brother/cousin/best friend's name, but someone who you know strictly on a business basis? It's not unethical, it's business.

Jigsaw is not an evil entity, it is someone's clever idea to widen their network. In my opinion, it was a long time coming.

back to its functions

i dont think that business cards can be clas as private..bcoz ther purpose of having business card itself to get spread far and wide business cards is a card on which are printed the person's name and business affliation including info like address and phone nmbr.. traditionally is just a printed paper,simple but it change now days depending on the business style itself.. but for sure it still have the same purposed..like during sales calls to provide potential customers with a means to contact the business or representative of the business.. somehow..there is CD ROM business cards that can hold more data..