A long time ago I ran a file hosting service that almost exclusively served one particular "fringe" community (for some reason it got really popular on one site and spread from there). I was running it anonymously at the time (for both me and for the users), and logging was minimal...

... so imagine my surprise when I received an e-mail (at the abuse@ address, no less) offering to buy uploader/downloader info (IPs, file info, email addresses, etc.)

Imagine their surprise when I told them that I didn't have most of what they wanted in the first place, and that they could kindly go suck a pig. I checked out the company in question, and they seemed rather sparsely established, so my assumption was that they were a shell company for somebody. Never really looked into it after I told them to go to hell, and never heard back from them. AFAIK there wasn't a lot of pirate traffic (I shut that down and banned/reported aggressively whenever I found it/was notified about piracy or other illegal stuff), mostly just niche content that I assume was original... so I doubt it was an MPAA/RIAA thing. Odd.

(Sorry for keeping names out of it. The site was super well-known within the community, and I'd rather keep my involvement in said community quite isolated from my real life.)

Glad to be out of the file host business, that's for sure.

I might be a lil late reading this but I have a slightly off tangential question if you could have time to indulge me in.

1. why did you get out of the file host business or why were you glad to?

2. how did you get out of it? sold, fizzled, etc..

> 1. why did you get out of the file host business or why were you glad to?

Handling abuse complaints, wrangling bandwidth spikes, etc. ended up taking way more time than I wanted to give to it. This was before a lot of the modern easily-scalable hosting services were around, so it's not like I could just automagically spin up new instances.

So basically, I ran out of time in my day, and since I already had a good day job I figured "fuck it" and sold out.

I maaaaaybe could've gone full time with it, but it would have been really hard and I would have been competing against some already well-established players. I didn't have much presence outside a particular community, and growing it into a general-purpose thing would've probably killed the "one of us" karma that let me get popular in the first place... so... yeah, not a good plan.

> 2. how did you get out of it? sold, fizzled, etc..

Sold. The party that bought it promptly ran it into the ground in a rather impressively stupid series of decisions, and it was gone within a year. Oh well. Not my problem. I got a decent payout, which -- being younger and stupid -- I promptly blew. So basically in the end all I got was a year or two of really fun living. :)

I'm actually OK with that. It didn't start as more than just a way to serve a specific community's needs, it blew up in popularity and as a result I got some cool experience and some spending money out of it. Seems like a successful project in retrospect.

About 1: all of your experiences still hold today. A friend of mine started a file hosting business on the side when he was still in elementary school. Much like yours, it quickly became popular in one small community, and then spread out of that. Today, 8 or so years later, he has quit to work full time on it and he works on it... a lot.

"Easily scalable" only works to a point, then it quickly becomes expensive unless you create a solution tailored specifically for your problems, at which point you're negating the "easily" part again.

Haha that's not dodgy at all. There is a legitimate business around selling data;

This is OK in 3 scenarios I can think offhand: 1) A company collects personal/contact information on behalf of another and is upfront about this at collection 2) A company contacts their list asking if these people would like to share their information with a company 3) Permission to sell information is in the T&C on sign-up of the original company.

If one of these 3 is not covered I image companies should purge data if the business closes. Option 2 would be good for companies that are looking for a cash bump on the way out.

At a financial level I see a bunch of people with lists in the 10's of thousands and they are surprised how little it is worth. To earn a western level income from a contact list you'd likely need a hundred thousand plus of contacts assuming a typical consumer audience and reasonable response rates. Lists are worth significantly more for specific hard to reach groups like CTO's or surgeons etc. For me these would be 15x what I pay against a standard consumer list as a massive generalisation.

This assumes you have only US citizen's data. One Canadian in there for example and you're surely breaking the law.

I don't see why. Could you shed light on this view?

It's illegal to sell user data without explicit consent in a lot of countries. It should also be illegal in the US tho due to the Fair Information Practices.

What is defined as explicit consent? Most terms of service and EULAs on websites and software do explicitly give the company the right to sell your data.

Also aren't the FTC's Fair Information Practices just recommendations with no consequences for violating?

Probably "We are going to disclose your data to party X. Do you consent this?". Saying that you are going to share user information with undisclosed 3rd parties seems like a bit too broad.

Here is how it works in France:

http://www.cnil.fr/english/data-protection/rights-and-obliga...

Practically, if you operate a service in France, you need to have 2 checkboxes at user creation:

* I accept to receive commercial informations and advertising from the service

* I accept to receive commercial informations and advertising from third parties

If you don't have the checkboxes or the user unchecked, no sharing.

In the UK, even if you've managed to buy emails it's of no use, you aren't allowed to contact people unless you've had a business relationship for a related product in the last 12 months.

This is new to me. How does this exactly work? Can you report the email senders to someone, if you get spam or something?

You have to sue them yourself, in small claims court.

http://www.legislation.gov.uk/uksi/2003/2426/regulation/22/m...

http://www.legislation.gov.uk/uksi/2003/2426/regulation/30/m...

Judges range in how they feel about these complaints, generally you won't be able to claim just for the time they've wasted, you'll have to justify why you have suffered damages. Extreme cases are different, if they're truly wasting huge amounts of your time, but the occasional email is unlikely to be enough for wasted time.

Alternatively, you can get the ICO to tell them off even if you haven't suffered any damages, but that's not always easy…

Don't confuse facts with views.

Your friend could always fight shady with shady. Write a script to randomly generate a few thousand email addresses that look like they might be real. :)

Fighting a somewhat reasonable request with fraud seems right out of the gray zone and solidly in the territory of immorality.

I was approached a long time ago with an offer to pay for users' info on a forum I ran. You should have seen the shock at my refusal. The buyer just couldn't understand why I wouldn't want to make free money for just selling the list.

Funny, it gave me the impression that I was the first to say no and that most people would gladly sell off people's privacy for a buck. Sad.

I'd say the buyer's shock was just a negotiating tactic...I've seen this used in many different situations. That said, I certainly wouldn't be surprised that most people would gladly sell off people's privacy for easy money.

Yes, several years ago I ran a self-created political site in favor of a specific candidate. I stated in the Privacy Notice that all information collected would not be shared and be deleted after the election. As I recall, I collected name, birthdate, gender, email, address because I wanted to correlate and display the info in a summary fashion, and I allowed people to make comments and come back and edit them so I had a password system, and some other things.

I had a few people contact me and offer rather significant money for the info (in total over $10K) if I'd quietly sell them a copy before I deleted it - pretty disappointing to me that they thought I'd do that.

I've never been contacted to sell user information, but I have been contacted to purchase information. Before I purchased whois privacy on my email's domain, I was frequently propositioned to purchase lists of users and emails relevant to information security and general SaaS products. It was pretty sad, actually. The emails never explained where or how they got the list of users, they just promised I would have an incredible ROI from these "qualified leads."

I've never been contacted but here is a #lifehack if you use gmail sign up with youremail+domain to track who is selling your info.

Yeah, if you ignore the corollary #shadybusinesshack, which is to strip + suffixes from @gmail.com addresses, or any other domain with gmail MX records.

Slightly more advanced trick is exploiting the fact that Gmail ignores . in addresses, so that first.last@gmail.com, firstlast, fi.rst.la.st, firstlast.., are almost infinitely unique encodings of the same mailbox. But again, smart spammers can just remove all dots so that the spammee can't tell who sold the address.

In a similar vein, I keep a domain set up with an open mail address for anything at that domain. I sign-up with the format of the domain and date as my email prefix.

Surprisingly I've only seen one misuse of email address doing this for a few years. And I sign-up to competition and the usual suspects quite regularly. The bigger one I find abused these days is phone numbers. I guess it's harder to track source hence more dodgy brothers activity here.

Could a smart marketer simply query the list for all emails with "+" and truncate from there?

Yes and some websites refuse + in email.

That would be preferable to what happened to me once. I tried using a + filter and it was accepted but I never received booking information for my trip. When my trip was getting closer I realized I didn't have a confirmation number, and after a long conversation with customer service, it turned out that instead of "<email>+<filter>@gmail.com" my email address was saved as "<email> <filter>@gmail.com", so nothing ever made it through to me.

I'll bet that's a URL-decoding bug -- space gets encoded as plus, so if they decoded an extra time your plus would turn into a space. I've made that mistake a few times myself.

Even better if you run your own mail server, have it use . as the suffix character instead of + e.g. you+comcast@domain.com becomes you.comcast@domain.com

This evades sites that filter on +'s and spammers that strip them out to anonymize their list. Also if they strip out the dots to further anonymize it, they just create invalid email addresses.

Admittedly this only works because not everyone does it.

I used to do this when it was new and not many people were aware of it. Nowadays some sites don't accept emails with '+' at all.

Then I setup an forwarding email server, which forward <anything here>@mydomain.com to my main email. So I would register at sites like sitename@mydomain.com. Sometimes, if required to send emails from registered email then I would create a new email and send.

Now, I have switched to Abine Blur and free version works fine for me. They have a chrome extension and it generates random email whenever you are filling the email field in web forms. (or you can generate random emails at will). Only caveat is, you cannot reply from that email. So, in such cases, I login to the site, change my email to something else and compose emails.

I suggest everyone to using Blur or similar tools. The guys who are running your site will ever know your real email.

More than a few sites refuse '+' in their email address validators.

I've always wondered if those site inputs are due to ignorance of RFC 2822, or because they are aware of it and are basically letting you know that your address is going out the door. Bad either way :/

This is why I don't quite understand the common complaints about Google and data. Not that I don't understand the concern, but the unawareness that this happens everywhere. You order a pizza to be delivered? That info is sold. Magazine subscriptions? Info is sold. Order something from the Gap catalog? That info is sold. Signed up for a gym? Sold.

Google skip tracer, or skip tracer database, to see how much info is collected and sold, and that is just for one micro industry.

Everything is sold, everything. Maybe that mom and pop store is not selling your data, but that other mom and pop one is. And the bigger players certainly are.

Can't say I have ever been in this position. If I was approached like that though it would be an automatic delete anyway.

With that said, this issue recently came up with Radio Shack and how they were planning to sell off their customer data.

It is not uncommon to send chaperoned emails to your list; that's where your friend includes a message from the sponsor in his regular newsletter.

Someone else gets their marketing message out to his list, but doesn't get his emails.

Back on my first job, a small company wanted to use our software, but only if we copied their competitor's database (Their competitor was already our client)

"Won't say we got it from you" is not protecting you.

Many users have a different email for each service, for example username+yourservice@gmail.com (gmail will ignore the '+' and whatever is between it and the @) so you get busted.

This is so well known that places that care will strip it out at the signup process. Also, they will use a simple regex check with their company/service/product name to see if the user is using a highly probably unique email address.

I'm developing GPS based mobile games and I've been curious about being approached for this -- from advertisers or governments.

One possible defense is to use an open inbox, publically available. Perhaps?

I have been contacted about embedding ads which I consider almost as bad on my user's privacy.