Data hawking and the economics of perversion
By Victoria Oloni, Ridwan Oloyede and Nurudeen Odeshina
Warning: this is a rant!
If you have stayed in Lagos long enough, you will understand the dependence of street hawkers on Lagos traffic and the vital role a chilled bottle of soft drink and sausage roll plays in the lives of average Lagosians. However, in this article, the “merchandise” is not a sausage roll and the ice-cold drink, it is personal data available for sale by hawkers.
Have you seen or received any of those adverts asking you to come buy 30,000 phone numbers or emails addresses? Or say 5,000 phone numbers specific to residents of a particular local government area Nigeria? We have received a number of those offers in recent months. You can find anything on the internet if you look hard enough and personal data “dealers” and “peddlers” are so easy to find you don’t even need the dark web.
This is one of such adverts.
The unsavoury world of data hawking
There is an entire enterprise and business model built on the sale of phone numbers, email addresses and other personal data. A model so sophisticated that the merchants are able to provide specific personal data across different demographics and geography to willing buyers for targeted adverts, campaigns, customer survey, market research and analysis etc. While there is a big world of data commodification, the focus of this article is the sale of phone numbers and email addresses in Nigeria.
Screenshots from chats offering to sell personal data to one of the authors
What is often the case is that personal information becomes available to these hawkers after it must have been collected for a legitimate purpose, and those who collected the data may have lost control of the data, or the data is compromised or wilfully sold or provided to the peddlers. The data could have been acquired through a data breach and sold for a few quid. The “merchandise” could also be found lying around physically or in a random cloud account accessible to anyone who knows their way around the internet.
Our findings revealed that personal data could be sold for as cheap as N20,000 ($55) for each state and all its local governments and as low as N5,000 ($13) per local government. One of the service providers offered a discounted rate of N48,000 ($133) for the entire country. Cheap right? For context, that is less than a kobo for each active phone number in Nigeria, which according to the Nigeria Communication Commission (NCC) is currently above 190 million.
One of the peddlers’ boasts of retailing “active” phone numbers database in Nigeria categorised into full names, state, local government area and gender, and it is available to registered users for free; with the capability to override Do-Not-Disturb (DND) restrictions to deliver spam text (DND is the directive by NCC, the telecom regulator in Nigeria which allows customers to opt out of receiving promotional messages of third party service providers). You would think that information that can identify a person would cost more but this is where we are. It gets even better! One of the data hawkers claims to give out the data for free, just download an app, click on a hamburger icon and get the personal data of millions of Nigerians at your fingertip, FOR FREE!
For context, think of every event you have signed up for, think of all the premises you have visited and provided your personal details as a condition to access the buildings, think of online service providers you share your details with, the membership of associations you belong to, the random jobs you apply for, the government mandatory data capturing, and all other places you have left your information. Also, there are instances of people buying devices and finding repositories of personal data on them.
This trend is so pervasive that there are reports of people and businesses that buy these “contact lists” to target consumers and politicians who do so to target constituents for seasonal “electioneering campaigns and political awareness” or religious groups who do so for outreach. We remember a former Presidential candidate called up random Nigerians to seek their votes during the 2019 election. More recently, we remember that just a few months ago, lawyers in Nigeria were spammed with texts, e-mails and calls from candidates in the NBA election; unsavoury times.
“But it is just a contact list”
Data subjects are either generally unaware or tend to trivialize the proliferation of their data on several databases. Data hawking raises more concerns than the colours of the rainbow. Aside from being targeted with unsolicited messages, data subjects are no longer in control of their personal information, which could be shared or sold to countless numbers of buyers. There is emotional distress and irritation that comes with robocall or getting spam text or emails and random phone calls; there is limitation on the exercise of your data subject rights due to uncertainty of the identity of the data hawker; the possibility of tracking and profiling; continuous unauthorised disclosure of your personal data; and in extreme scenario, you may be a victim of identity theft – ever heard of mule accounts? We can go on and on and on. Another pain point is that we are kept in the dark about what happens to the information, the duration of its retention, safeguards available to it and who it is being shared with.
Think of the day your biometric, genetic or health data could become available in the market square for haggling and sale. Well, that day is today, actually, yesterday and every other day before; the market square is just virtual. Recently, Mikko Hyppnopen, one of the leading Finnish Cybersecurity Experts reported an unusual ransomware case underway in Finland. According to this report on twitter, “a private psychotherapy clinic was hacked, and the therapist notes for maybe even 40,000 patients were stolen. The attacker has emailed the victims, asking each for €200 ransom in Bitcoin”. The attacker has already leaked the therapist session notes of about 300 patients.
Menace of data hawking marketplace in Nigeria
Often, commodification of personal data is seen through the lens of data brokerage or adtechs jostling for our attention through real time bidding, profiling or fingerprinting across the internet to target us with adverts. However, for data hawking, it is literally a marketplace where personal data is sold and bought. There is a buyer and willing seller – basic economic rule of demand and supply.
Our research into data hawking took us on a trip into the virtual market of personal data. We examined five of the service providers’ and the information available on their websites to understand the marketplace.
They make a number of representations and give guarantees ranging from a higher text message opening rate, cost effectiveness, sales boost, connecting with the right people for electioneering campaign, state by state breakdown of phone numbers
One of the providers succinctly explains the importance of buying phone numbers in a few very enlightening words: “it is easy, quick and cheaper and you have 100% guarantee of effective communication” and later bragged that they “have over 130 million Nigeria GSM numbers sorted into Name, Gender, phone number, state and Local Government Area.” Our privacy notice search on these service providers also turned up interesting results. Of the five providers we looked at, we found only two with a “privacy notice” and these are some of the clauses we found:
“******* is committed to protecting the privacy and security of our customers and will like to certify that our users are fully informed about the way information is collected and used.” Seems transparent until you realise the data subjects whose data are being traded are not aware of the processing. Quick question? Who certified them to dabble in the data trade in the first place?
Another says we “******* will not sell out your personal information for any reason, as we understand the need for your privacy” and “we do not disclose or share your data with third parties”. The irony in this clause is pretty obvious and “that which is lucid needs no microscopic inspection”. Is that “disguising” that we see? Selling of personal information is the business model.
The failure of the privacy notice to accurately reflect the extent and details of processing is another sad tale of a privacy notice betraying consumer trust by failing to genuinely reflect how the organisation processes data. The privacy notices turned out to be Pandora boxes of irregularities. Our findings revealed the privacy notices were badly drafted, they failed to provide contact information of the controller, they insufficiently describe the processing, fail to stipulate the rights available to the data subject and fail to meet up with the basic requirements of the law. You can read our Guide on how to draft a standard privacy notice here.
We also found a service provider with an anti-spam policy; Shocking! The marketplace also suffers from misrepresentations by dishonest players. We found one of the hawkers with a guarantee that they have “about 80 Million numbers of real Nigerians that you can verify. These (sic) is different (sic) from the randomly generated numbers that some people are parading all over the place.” This is borderline dishonest and there is really no way to verify this statement.
We also found that there is a marketplace for “robocall-as-a-service”, where a provider offered that recorded messages could be sent to thousands of people at once. We also found an unverified screenshot that contained names, gender, phone numbers, occupation, date of birth, polling unit, local government and state of registration. This is consistent with the information requested for voters’ registration by the Independent National Electoral Commission (INEC), barring the biometric information.
NB: we have deliberately left out the names of the service providers because it is not our intention to shame or validate their business, but to create awareness.
A breach or not, why does it matter?
You might be wondering “I’m just a vendor and if you think I’m doing something wrong, sue me”. Oh, we will but before we do, let us explain why you should be concerned.
Buying and selling of phone numbers, email addresses or any personal data is a violation of the data protection rights of the data subjects. It amounts to unauthorised disclosure of data. Sending people unsolicited emails or text messages or robocalling or actually calling them without the data subject opting-in or where there is a legitimate purpose to contact them, is a violation of the data protection law.
Hawking of personal data is contrary to the principle of purpose limitation, which stipulates that data should only be processed for the purpose specified. It is also a violation of the principles of lawfulness and transparency, as there is utter absence of a lawful basis to contact the data subject, nor is there sufficient information provided to the data subjects.
While Nigeria does not have a Directive on Privacy and Electronic Communication Regulation like the European Union or an Anti-Spam Law like Spain and Australia, the Data Protection Implementation Framework stipulates that consent of the data subject must be obtained before direct marketing. Also, the NCC in 2016 outlawed the sending of unsolicited messages to customers. In addition, the Nigerian Court of Appeal in the case of Eneye v EMTS ruled that sending unsolicited messages is a violation of the data subject’s right to privacy. Interestingly, the draft Data Protection Bill 2020 criminalises this inglorious act.
Special “soro soke” Notice
Now we have your attention. Data hawking without the appropriate lawful basis is not just a hustle, it’s an illegal and unethical hustle that not only affects the data subjects but puts data hawkers in an unfavourable position with the law. This call is not just to the peddlers hawking phone numbers and email addresses, it is also a wakeup call to organisers of events or webinars, who send unsolicited mails to people who signed up for events or physically attend your events and add them to mailing lists without seeking and obtaining unequivocal consent or any other appropriate lawful basis to do so.
This is a call to data controllers to:
- Stop collecting excessive information for signing up for your webinar (why do you need an attendee’s phone number?)
- Stop adding people to your mailing list when they did not opt-in to receive it or where there is no legitimate purpose to receive email from you.
- Stop reaching out to people after they opt-out or unsubscribe from your marketing email – it is their right to object to your direct marketing persecution.
Here is a little love letter from us to you:
Dear Data Controller,
Don’t be a coconut head, don’t collect data that you do not need. Avoid buying phone numbers and email addresses for targeted campaigns; if you are deep into the rot, ensure you have the appropriate lawful basis to do so, let people have an option to opt-out, don’t use dark pattern to make opting out difficult and keep a list of those who have opted out of your campaign. And if you refuse the free advice and choose to buy, do not send them that message or harass them with a call without letting them consent to your harassment. You may be lucky, some of them may subscribe to this.
The lawyers might not save you. Actually, they do not have their house together either. Remember that they got calls and messages in the run up to the last NBA’s election and no one has been held accountable yet.
We are feeling really generous so here’s some extra advice:
Stop drafting privacy notices like it is a contract between you and a user! Your privacy notice is not an agreement, no one has to consent and no one in their right mind will consent anyway. That notice is you fulfilling your transparency obligation to provide a user with information about your processing.
So next time, before collecting that email address or phone number during your event and you start sending people unsolicited messages, you want to have a rethink.