After reading a recent post by Antoine Neuenschwander, we wanted to share a similar experience from one of our consultants regarding the sale and use of their personal data, featuring many of the same players as Antoine’s post.
Part 1 – The Sales Call from Alsid
One of the many scourges of modern work is that salespeople try to reach you all the time. In this particular case, our consultant was contacted on their work phone, via email and on LinkedIn by someone from a French cybersecurity company called Alsid. Then, to their surprise, a call from France rang on their personal, US-based cell phone and left a voicemail. That got them curious: how did this company get hold of a personal cell phone number? Since the company is French, it is subject to GDPR, so they asked for a copy of the data the company held about them. The company did provide a fairly extensive GDPR response, but the cell phone number wasn’t in it! After follow-up questioning, they eventually dug it out: their salesperson got it from Lusha.co:
There are several privacy concerns here:
- Why was the number not provided in the initial GDPR request?
- Did the caller check to make sure the number wasn’t a wireless phone AND wasn’t on the Do Not Call List (since it is illegal to place telemarketing calls to such numbers in the US)?
Part 2 – The B2B Contact Enrichment Tool – Lusha.co
Lusha.co provides a set of plugins that enrich LinkedIn profiles: if you are looking at someone’s profile, they supplement it with the person’s phone number or email from other sources. The website, marketing materials and privacy policy are pretty explicit about this:
And (emphasis added):
Our Services are designed to help Users and vendors (e.g. HR professionals, B2B partners, sales platforms) validate and verify contact information and to find business profiles they seek in order to interact with relevant Contacts (as defined below), through access to business profiles retained in Lusha’s database (“Lusha Database”).
A data request sent to Lusha.co resulted in the response below. Note the language around Simpler – specifically the last paragraph. It seems that Simpler provides mobile apps to be used for “verification”, then those apps slurp up the user’s contacts and share them back with Lusha.co:
Excerpt of the text appears below:
Simpler also offers its users the opportunity to contribute to a collaborative security effort, meant to assist in authenticating the identifying attributes of an individual. This effort can assist in establishing a trusted channel of communication for online and offline interactions.
If a Simpler user consents to contribute to this effort, basic contact information (name and phone number) found within such user’s contacts may be shared with Lusha, which implements the security solution.
If you dig deeper into the Lusha.co materials, a lot of similar language appears there as well. Instead of a discussion of B2B contact data, it suddenly becomes a matter of “security”, “trust” and a “collaborative security effort”. When you look at their data page (emphasis added), note that the language quickly changes from “lead enrichment” or “B2B data” to a “collaborative security effort”:
Lusha’s core purpose is to make online engagement safe and efficient. In today’s fast-paced and multi-layered world, one of the main challenges to online users is trust. A major risk in online interactions is the risk of encountering fraud, whether by phishing attempts or by identity theft. Widespread fraud can lead to the loss of customer trust, extra costs of time and money required to manage fraud incidents, damages to the reputation of individuals and institutions, possible legal costs and many more negative outcomes.
Lusha’s unique solution is based on a collaborative security effort, effectively utilizing information to verify online identities. The Lusha service provides its users with valuable insights and assists in authenticating the identity of individuals in the online sphere.
There are several privacy concerns here:
- Why is a tool that claims to provide B2B information obfuscated behind being “a security solution”?
- How can “security” and “trust” justify essentially taking users’ address books from their mobile devices and selling that data for marketing?
Part 3 – The Mobile Address Books from Simpler
The link provided by Lusha actually leads to the Google Play Store. This leads to two apps, Simpler Caller ID and Dialer, each with more than 5 million installations. The link on the store listings leads to the company’s website, where a third app is listed: EasyBackup, a contacts backup manager (only for iOS). That one is owned by a different company called “Top Floor”, which also makes an app called “Cleaner Pro” (for iOS) that claims to remove duplicate contacts. Mailing addresses for both companies go to co-working spaces: one in Brooklyn, NY and the other in Los Angeles, CA.
Here are the apps:
The Simpler Apps website still lists all of these apps as being theirs:
A request was sent to Simpler for a copy of the data they had collected, and the following response was received: no data. A follow-up request was sent and a response is still pending:
At this point we are at a dead end with Simpler, but further research reveals the following nuggets buried in the terms of use and privacy policy:
By using our Services, you acknowledge and agree that we will share contact information with other users our affiliates and business partners for the purpose of ensuring that their current contact information is up to date. You acknowledge that you have the rights and permissions required to allow us to share such contact information.
And:
We do not share your Personal Information with third parties except:
The Services are based on contact management and Caller ID (if applicable), therefore, we will use your number and contact for this purpose. This disclosure is also important to individuals that are not our users which may be identified by the caller ID. We enable an easy opt-out in the event you no longer wish to be identified, for more information see the User Right section below.
We may also share Personal Information with (i) our subsidiaries and business partners if needed; (ii) subcontractors and other third party service providers (e.g. payment processors, server, cloud management, etc.); and (iii) any potential purchasers or investors of the Company.
There are several privacy concerns here:
- Why is a tool that claims to keep contact information correct selling that data for marketing?
- What is the connection between Simpler and Lusha.co?
Part 4 – Tying It All Together: Lusha.co and Simpler
At this point, it is fairly clear what happened: a bunch of mobile apps slurp up contacts from their users’ address books and provide them to Lusha.co to be used by marketers and recruiters. This is being presented as a “collaborative security solution” while it is essentially just selling personal data, albeit with an opt-out available. What is frustrating about this is that regular users who are friends with the people being targeted are installing these apps, thinking they are simple utilities, while all of their contacts are actually being sold behind their back. At the same time, Lusha.co is claiming to be a security solution while they are clearly not.
But, there is more … a set of simple Google searches shows that one of the co-founders of Lusha.co (“Yoni Tserruya”) is actually the original app developer for all four of these apps (here, here, here and here). Furthermore, if you download the Android apps provided by Simpler and look at the signing keys via jadx, they are issued to the same person as seen below:
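The same-signer check described above, as an added example that is not part of the original post or of the apps it discusses: it pulls the signing certificates out of each APK’s v1 (JAR) signature block (META-INF/*.RSA, *.DSA or *.EC) with a minimal DER walker and compares their SHA-256 fingerprints, so two apps match only if they were signed with the same certificate and hence the same private key. The sample APKs are constructed in-code; `build_sample_apk` and its placeholder certificate are assumptions for offline testing, and real APK paths can be passed in the same way.

```python
import hashlib, io, zipfile

def der_encode(tag, payload):
    # Minimal definite-length DER TLV encoder, used to build the constructed sample below.
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def der_parse(buf):
    # Parse consecutive DER elements into (tag, payload, raw_element) triples.
    out, pos = [], 0
    while pos < len(buf):
        start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: the next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length], buf[start:pos + length]))
        pos += length
    return out

def certs_from_pkcs7(blob):
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    signed_data = der_parse(der_parse(der_parse(blob)[0][1])[1][1])[0][1]
    # SignedData ::= SEQUENCE { version, digestAlgs, encapContentInfo, certificates [0] IMPLICIT OPTIONAL, ... }
    certs = [payload for tag, payload, _ in der_parse(signed_data) if tag == 0xA0]
    return [raw for _, _, raw in der_parse(certs[0])] if certs else []

def apk_signer_fingerprints(apk):
    # SHA-256 of each DER certificate found in the v1 (JAR) signature blocks of an APK (path or file-like).
    fps = set()
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.update(hashlib.sha256(c).hexdigest() for c in certs_from_pkcs7(z.read(name)))
    return fps

def same_signer(apk_a, apk_b):
    # True when both APKs carry an identical signing certificate, i.e. were signed with the same key.
    return bool(apk_signer_fingerprints(apk_a) & apk_signer_fingerprints(apk_b))

def build_sample_apk(cert_der, signature=b"\x00" * 8):
    # Constructed stand-in for a v1-signed APK (a zip holding only META-INF/CERT.RSA); not a real
    # app, and cert_der is an arbitrary placeholder SEQUENCE rather than a real X.509 certificate.
    signed_data = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x31, b"")      # version, digestAlgs
        + der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010701")))          # encapContentInfo (id-data)
        + der_encode(0xA0, cert_der) + der_encode(0x31, der_encode(0x04, signature)))       # certificates, signerInfos
    pkcs7 = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010702"))         # id-signedData
        + der_encode(0xA0, signed_data))
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf
```

This is stricter than what jadx shows: a different certificate issued to the same person would not match here, and apps signed only with the v2/v3 scheme have no META-INF block, so those need a tool such as `apksigner verify --print-certs` instead.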
Now these apps are being published by companies other than Lusha.co – Simpler Apps and Top Floor, but are they subsidiaries or related to Lusha.co? If they are, then the privacy policies seem to allow them to transfer data from these apps back to Lusha.co. Overall, the arrangement may be legal but perhaps unethical.
Bottom line: this example highlights yet another way personal data is harvested, sold and re-used for commercial purposes.
Vendor Responses
We reached out for comment to all of the companies mentioned in the article and will update the blog post with feedback or comments.
I received similar information from a lusha subject access request, leading to simpler. Interestingly the apps no longer appear to be listed under the publisher in the Google Play Store. Simpler Apps inc. make their contact details incredibly difficult to find, so I have raised a further subject access request using the zendesk form. Will see how that goes!
The same happened to me this week. Lusha DPO redirected me to Simpler, an app that I have never used. It seems to me that they are trying to play with loopholes in GDPR. Getting their contact information is extremely confusing. I will forward my data access request to Simpler. In France, this has been investigated by our data privacy protection office (CNIL): https://www.nextinpact.com/news/107130-la-cnil-enquete-sur-extension-lusha-qui-affiche-telephone-et-email-sur-profils-linkedin.htm The story does not say if the investigation is still in progress.
Same story here. I cannot comprehend how the supervisory authorities are not ending this show instantly. The more I read the GDPR text, the more I realize how shamelessly it is violated here. This is not least as I never gave anybody any permission to share my personal data with those folks and I question that they actually can construct any legitimate interest to process it.
It appears so obvious that it should be trivial for the supervisory authorities to pull the plug, and at the same time confiscate all earnings from GDPR violations. But efficiency of German authorities and their sense of duty isn’t what it used to be; the whole country seems to be on its way to become a failed state.
One of the most horrifying details I figured out is that the Simpler apps in Google Play are marked as PEGI 3, which shows how ridiculously nonexistent their attempts are to avoid harvesting data from children under 14 years old – and also how little Google cares.
A job recruiter called me on my personal phone, they advised Lusha provided them the number.
Lusha in turn said the source of the information was Simpler Apps. Simpler in turn said it came from a user who had me saved in one of their apps.
Simpler refused to identify this user for “privacy” reasons. Bloody ironic. Their users’ privacy is worth protecting but mine isn’t?
I have reported both companies to the OAIC in Australia for breaches of the privacy act.
Similar story here. I was contacted by a video conference solutions company, which apparently acquired my data from Lusha. However, in my case the data origin seems to be ‘the community’, which is even more shady than pointing to sub-companies. This basically gives no idea about who delivered the data and how; one can always claim it was ‘community based, public information’ delivered anonymously.
“The Community is comprised of multiple individuals and the information they provide is sometimes combined with publicly available data. ”
At the same time, I believe that GDPR requires the data owner to agree with such data collection, here it clearly had no place. Very doubtful business, also annoying one.
It is possible that the harvesting of data from people’s contact lists is now called “community” by them.
I got an email off Lusha telling me I could opt-out… by… drum roll… filling out a form giving them the information I want removing. Meanwhile, I am also waiting for my $52,000,000 from a Nigerian prince.