How did my phone number end up for sale on a US database?

Getty Images WhatsApp logoGetty Images
My search to track down my own telephone number began with a WhatsApp message

A few months ago, I received a pitch for a story - nothing unusual there, as I am a journalist and receive a lot of pitches - but what set this one aside was the story idea arrived as a flurry of WhatsApp messages.

And I was surprised, as I've never been approached by a stranger via the messaging app before.

I found it unusual and a bit invasive, so I asked the person sending the messages how they had obtained my phone number.

She said she had bought it from a company called RocketReach, which, on its website, promises users can "get email and direct dial for any professional" via their service.

This was the first I had heard of what turns out to be the somewhat opaque, if lucrative, world of contact selling.

Getty Images Phone bookGetty Images
Phone numbers used to be collected in a database known as a phone book - but people could opt out

US companies that collect and monetise personal data are on the rise.

It is scraped, they claim, from public sources, such as Twitter and LinkedIn, as well as corporate, media, and people and phone directory websites.

So I thought I would do some web scraping of my own, found RocketReach chief executive Scott Kim on LinkedIn and sent him a message.

He immediately agreed to remove my personal data - but finding out how it came to be there in the first place turned into something of a mission.

Awkward questions

At first, I was told it was impossible to trace the source, because my phone number had now been deleted.

But Robert Romain, of privacy campaign group Noyb, told me: "You cannot just answer the person having their data processed by telling them that their data were deleted and pretend that the problem disappears."

And when I told Mr Kim I planned to write a story about my attempts to track the digital footprint of my own telephone number, I received a slightly different answer to my questions.

Getty Images PhoneGetty Images
Some people are happy to put their phone number on social media - but I never have

The RocketReach response was marked "Not for publication," so I am not going to quote it directly, but the company basically said it had reverse-engineered my profile and decided it was most likely obtained through my Twitter feed, via a service it uses called Pipl.

So I immediately contacted Pipl chief executive Matthew Hertz, who replied, very succinctly: "The source of the data appears to be Sync.me."

Sync.me is a public telephone-directory service, which I then reached out to via a form on its website.

'Mistakenly identified'

"We have checked our records and your details do not appear in our service," Sync.me replied.

"We may have mistakenly identified your number in the past as a phone number of a business.

"However, since we applied GDPR [General Data Protection Regulation] regulations, we removed such numbers from our service."

Mystery solved, I guess - but what is less clear is whether it was lawful for RocketReach to sell my telephone number, especially if it had been gathered from a pre-GDPR database.

'Possible sensitivity'

RocketReach said it was committed to protecting privacy and keeping data secure and complied with its obligations under the law.

And Pipl told BBC News: "We respect your and others' right to privacy.

"The information was found in a public source and hence was not treated as private information.

"Even though as a non-EU company, GDPR does not apply to us, we understand the possible sensitivity of personal information and allow you or anyone to removed information about themselves."

Getty Images Silhouettes on top of codeGetty Images
GDPR rules were meant to give people back control over their data

The General Data Protection Regulation is a massive piece of European legislation intended to hand back control to users in an age when data has become a commodity.

Similar rules now exist in post-Brexit Britain.

And they apply just as much to data that has been gathered from the public domain.

"Saying the data is publicly accessed is not good enough," Mr Romain says, "just because you put your phone number on a website doesn't mean that you're OK for someone to scrape it and put it on a database to be sold."

Daisy chain

Rafi Azim-Khan, data privacy head at the Pillsbury law firm, agrees.

"Even if company 'A' has legal grounds to process your personal data, that doesn't doesn't mean that company 'B' or 'C' does," he says.

"There is a daisy chain of data being passed along and each business becomes a separate legal controller under the law.

"If a business got hold of your details and allowed others to contact you in a way you didn't want to be contacted, that begs the question - is that business compliant with GDPR?"

Web scraping

The UK's Information Commissioner's Office suggested I make an official complaint, which I did.

Meanwhile, it said: "In the case of data matching and web scraping, data-protection law does not stop you processing publicly available personal data - but you must do it in compliance with the law.

"For example, if you scrape publicly-available personal data from social-media profiles, you become the controller for that data.

"You therefore need to ensure you comply with data-protection requirements, including having a lawful basis for processing and providing privacy information to individuals."

'Slightly ridiculous'

US-based companies must have what is called an Article 27 representative in Europe if they are processing European data, someone regulators can deal with if there is a data breach or other issue.

But Pipl told BBC News it did not have one.

The Luxembourg data-protection authority ruled that Noyb's complaint against RocketReach, and a similar company, Apollo was unfounded, in part because they did not have this point of contact, so the case could not be pursued.

Data-protection consultant Dyann Heward-Mills says this is a slightly ridiculous catch-22.

"They were saying we don't think what these firms are doing is right - but we can't act because they don't have the contact," she says.

Companies will often have a "legitimate business interest" in using individual's data - but they must balance this with the rights of individuals, who definitely have a "right to know" how the information was acquired, Ms Heward-Mills says.

Getty Images Phone with numbers pouring outGetty Images
Can we ever really know what happens to personal data, even if we haven't shared it online?

Newcastle University law professor Lilian Edwards says the example highlights some of the challenges of GDPR.

"There's no real way to enforce GDPR outside of the EU, either information rights or erasure rights," she says.

"In the US, what really works is copyright takedown notices - but your telephone number isn't copyright.

"It really points up the differences between our systems."

Money gained

Ms Heward-Mills, though, is more optimistic action is coming.

"Scraping data to profile an individual is something that European regulators are coming down very hard on," she says.

"There is definitely a case to answer."

As for me, I feel none the wiser and am also wondering if I am entitled to some of the money gained from selling my phone number.

But that question has so far gone unanswered by RocketReach.