The Rise of Black Market Data: Consequences of Lack of Data Policies

Recently someone called my mobile number to check if I would be interested in talking about their daughter's profile, which is present on the same matrimonial website where I had registered. Let's call this person Prasad.

I was surprised by this phone call, as I had kept my contact hidden! The reason behind this was that I did not want to get phone calls during office hours.

Also, I wanted to communicate with people who are interested in my profile via text first, before talking on the phone.

So naturally I asked Prasad, how did they get my number? Prasad said, he got it from the matrimonial website.

I replied that I had kept my contact hidden and explained the reason for doing so.

Then he replied that someone from the website had given them my number.

Ideally, it should not be the case as I explicitly kept my contact hidden.

However, I also understood that since Prasad works as an executive at a reputable company, and given that they may have paid for a VIP/Elite membership, the company employee who shared my contact details might have done so because the request seemed genuine.

But the story does not end here. A few minutes after this call, I received a message on WhatsApp that said:

Hi, if you are interested in the contact number of any profile on the following websites:

  • Telugu matrimony
  • Bharath matrimony
  • Arya Vysya matrimony
  • Doctor's matrimony

Please send 150 rs to this number and let us know the ID!

Note that all these matrimony companies have the same parent company. Therefore, they may have assigned employees to take care of the operations of all these websites, instead of having separate teams for each website.

A few days later, while browsing profiles on Arya Vysya matrimony, where I was not a paid member, I wanted to check the contact details of a particular profile. I clicked on the "Contact" button, but these websites only show the contact details of the person if you are a paid member. As a result, I was unable to contact the person.

Then I remembered the WhatsApp message I got a while ago, and sent 150 rs to the mentioned number, letting them know the ID of the profile I was interested in. Two minutes later, I received the contact information for the person!

I was surprised that this worked, as I was not expecting it to. This not only poses a threat to the privacy of the users, but also to the companies themselves.

Imagine if there were a website that handled surrogacy and its employees were selling the data of its users: the company could potentially be in trouble. The data could be used for illegal purposes such as blackmail.

I have also recently read about an incident involving OYO rooms, where someone called a customer who had booked a room before check-in time to cancel the booking and asked them to send money via UPI so the hotel could avoid paying OYO's commission. The customer asked, "How can I trust you?"

The scammer then replied with all the details of the customer, including their booking reference ID. The customer had no reason to doubt the scammer, as they thought only hotel staff would have access to the booking ID. As a result, the customer sent the money via UPI, only to find out later that they had been scammed.

At this point, we have also seen incidents on Twitter and Instagram, where you could pay 10k USD to get a blue tick on your profile, and pay a certain amount to get your profile unblocked on Instagram.

So the question is, how is all of this happening?

A: The short answer is the lack of data policies in companies.

The way these companies operate is by hiring operations/support staff who are responsible for handling user queries and making updates as they see fit based on the policies. For example, if a user provides all the necessary proofs for a blue checkmark, the staff is empowered to enable the blue checkmark for that user. However, they could also flip this switch for any profile without any proof, provided that there is no one overseeing them.

Over time, operations staff may realize that with the sheer number of requests they are receiving, it is impossible for someone above them to oversee all of the things that are happening. Once an employee figures out this loophole, they may start to use it for their own benefit, as the wages for these roles in India, at least, are not very high and they may be tempted to make some extra money.

The question then becomes, how can we fix this? I will write another post with a solution to this problem. Stay tuned.