Mon Sep 23

How did they get my data? I uncovered the hidden web of networks behind telemarketers

Written by: Priya Dev, Lecturer & Academic Data Science, Digital Assets & Distributed Ledgers, Australian National University

Last year, I started getting a lot of unsolicited phone calls, mainly from people trying to sell me things. This came as a surprise because, as a data scientist, I am very careful about what personal information I let out into the world. So I set out to discover what had happened.

My investigation took several months. It eventually led me to the labyrinthine world of data brokers.

In today’s digital age, where personal data is a new kind of gold, these companies wield significant power, creating networks where our personal information is shared between brokers and telemarketers as easily as TikTok videos. Their businesses profit from the data they collect, and many of the calls they enable come from scammers.

This comes at an enormous cost: in 2023, Australians lost $2.7 billion to scams ^[1]. This highlights the urgent need for stronger privacy protections to limit how our personal data is collected and shared.

In an attempt to address this need, the Australian government this month introduced long-overdue privacy reforms. But these reforms are still inadequate ^[2] for the many privacy issues affecting people today, including targeting by data brokers and telemarketers.

Investigating the hidden web

One of the mechanisms designed to protect us from unwanted calls is the Do Not Call Register ^[3].

Managed by the Australian Communications and Media Authority, the registry holds more than 12 million phone numbers ^[4], including mine. The registry is supposed to block unsolicited calls. But last year, despite being on the list, I began to receive dozens of unwanted calls – on average, about three per day.

Curious, I started tracing the origins of these calls. What I uncovered was a network of hidden connections between data brokers, telemarketers and large organisations – including a major political party. It became clear that simply being on the Do Not Call Register wasn’t enough to protect my privacy.

I started by asking the callers what data they held, and how they had obtained mine. I requested details about the companies they represented, including their websites and Australian Business Numbers (ABNs) – the unique identifiers for Australian businesses.

Most callers hung up the moment I started asking questions, until one day I spoke with a man named Paul, who worked in the real estate sector – an industry worth more than $10 trillion ^[5] as of 2024. The high-value real-estate market makes our personal data especially valuable to businesses operating within the industry.

Digging deeper

The unique thing about Paul was that he knew my real name, whereas other telemarketers only had access to the pseudonyms I’d used to protect my identity online. Paul explained he had licensed my data from the real estate giant CoreLogic Australia ^[6].

This discovery pushed me to dig deeper. After a lot of back and forth, I finally obtained my data from CoreLogic. The amount of information was small, but surprisingly accurate – especially considering the steps I’d taken to hide my identity. It made me wonder where they got it from, as only organisations such as utility companies, banks or the government would hold that type of information.

CoreLogic told me in an email that:

CoreLogic gets data from a variety of sources … most of the information we collect comes from public records, which we license from government departments and agencies. We may also collect personal information from third parties such as through real estate agents, tenancy and strata mangers, financial institutions and marketing database providers.

This was a troubling discovery, because the institutions on which we depend for essentials such as public services, housing and finance – and from which we can’t hide our identities – may be selling our personal information to data brokers, who then pass it along to telemarketers.

What’s even more alarming is that the data is shared unmasked, meaning personal details such as our names, genders and phone numbers are fully visible. Once this information is out in the open, it becomes almost impossible to control how it’s recorded or shared.

It’s also nearly impossible to stop it being passed to overseas telemarketers, who aren’t bound by Australian privacy laws.

Real estate giant CoreLogic says most of the personal data it collects comes from public records. IgorGolovniov/Shutterstock ^[7]

Solving the mystery

My investigation didn’t end there.

Eventually, CoreLogic revealed it had purchased my data from Australian data broker firm Smrtr ^[8] in August 2023. This coincided with the surge in unsolicited calls.

Through Smrtr I learned they had purchased my data in 2016 from another data broker, EightDragons Digital ^[9]. Smrtr also admitted to selling my data to various companies – all without my consent.

Determined to investigate the origin of my online data trail, I contacted EightDragons Digital, which calls itself “a leading global consumer data agency”. It collects personal data ^[10] for big brands including Energy Australia, Vodafone, NRMA, Nissan, Johnnie Walker, American Express, The Good Guys, and even the Australian Labor Party.

The company claimed it collected my data in a 2014 marketing campaign, and likely passed it to at least 50 other companies. However, it had no records to verify the marketing campaign or prove that I had given consent.

A small step only

CoreLogic defended its practices as legal, saying it’s too difficult to verify consent or anonymise personal data.

However, with modern technology, it’s actually possible to track where data comes from, check consent, and share insights without exposing personal details such as names and phone numbers.

The government’s recent privacy reforms are a small step in the right direction. But until data brokers are required to obtain explicit consent before trading personal information, they fall far short of being a giant leap forward.