I've got my own personal story about a cold call revealing my personal phone number had been leaked by Lusha, a "GDPR Compliant" B2B tool that sourced data from shady apps.

On a day off work, I got a cold call to my personal mobile. This salesperson called me by my name and then tried to flog something relevant to my job. Being hugely irritated, I shared my thoughts with the caller and demanded to know where they'd found my number. They were at least a little bit apologetic, and said they found it on LinkedIn using a plugin called "Lusha".

Lusha's website has claims about being GDPR compliant, but at the same time being a "crowdsourced data community". They do at least publish a "Privacy Policy" and some contact details for a data controller.

I emailed them with a Subject Access Request, which they responded to two weeks later in a very cagey manner. Actually, I did some sleuthing of my own. I found an unlisted link for a broken OneTrust request form. This didn't seem to be linked anywhere on the website and I literally guessed the URL for it. After some poking around in the debugging console, I received a more fully furnished copy of my profile.

The data source for my email was... "Lusha's email guess algorithm" - now, one of the downsides of working for a small business and getting a firstname@domain.com is that guessing it isn't particularly difficult.

The data source for my phone number was more interesting. "L.S Mobile Apps Holdings Ltd." a company I'd never heard of, but eventually found an App Store[0] and Play Store[1] listing under a very similar name.

Looking at the apps published by this company, you can immediately see where this is going: a "Caller ID" and an even more transparent "Contacts Backup" app - both having complete access to all your contacts. At this point it becomes clear where my contact information has actually come from: someone I probably work with has created a contact in their phone with both my email and personal phone number, then used one or two of these apps.

I decided to pick the Contacts backup app to take a closer look. Installing the app on a wiped phone, I explored the UI, disassembled code and snooped the requests to their servers to see where exactly this mysterious "GDPR Compliance" was. The primary functionality is of course to create an account, upload all your contacts, and let you sign in on another phone to download them. There was some effort to make this work for most users, workarounds for edge cases, etc. It was more than the low-effort app I was expecting.

All the sharing functionality was checked behind a "consent" dialogue (and I use that term extremely loosely). The deal was that the app would helpfully hydrate my entire contacts book with missing details! All I had to do was share it in turn. What I found peculiar about this was it simply didn't work. It seemed as though not only would the server not populate the missing data, but the code that handled this client-side was unfinished.

If you're wondering what the link between Lusha & L.S Mobile Apps is, they're effectively the same company. Yoni Tserruya, the co-founder of Lusha, has their fingerprints all over the certificates used to sign the Android LSM Apps. It's clear this app's data is what they've built their company on.

Now, both Google and Apple are well known to display "Data Sharing" information as part of the store pages. The Play Store page explicitly says "No data shared with third parties", whereas the App Store omits the usual section you'd see when data is shared with third parties.

I contacted both Apple and Google with full details about what I'd found, and in the least surprising event to my saga, they did nothing.

Sadly, instead of having any satisfying conclusion, what I saw was what I already knew. I even got angry when reading their privacy policy, and how completely clear it is that all this "GDPR Compliance" labelling they have is there to sell their product to EU customers and they're clearly not compliant.

Here's some ragebait for the rest of HN who cares about their data:

- French DPA (CNIL) says Lusha is full of shit, but they can't do anything because they're based in Israel[2]

- Lusha doesn't think consent is important[3]

  [0] - https://apps.apple.com/gb/developer/lsm-apps/id1634388352
  [1] - https://play.google.com/store/apps/dev?id=5128998142474323958
  [2] - https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046775564?isSuggest=true
  [3] - https://www.lusha.com/privacy-articles/please-show-me-where-i-have-consented/
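The commenter ties the two apps to Lusha through the certificates used to sign the Android builds. The script below is an added example, not the commenter's code and not anything from Lusha or LSM Apps: it shows how a defender checks that kind of attribution by pulling the signer certificate out of an APK's v1 (JAR) signature block (META-INF/*.RSA, *.DSA or *.EC, a PKCS#7 structure), printing its subject and SHA-256 fingerprint, and comparing fingerprints across APKs. The APKs and certificates it operates on are constructed inline with made-up publisher names so it runs offline; it assumes the `cryptography` package is installed.

```python
"""Attribute Android APKs to a publisher via their v1 (JAR) signing certificate.

Added example; the APKs and certificate names below are constructed, not real apps.
"""
import datetime
import io
import zipfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID

SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def signer_certs_from_apk(apk_bytes: bytes) -> list[x509.Certificate]:
    """Return the signer certificate(s) found in META-INF/*.RSA|DSA|EC.

    In the v1 scheme each signature block is a PKCS#7 SignedData with a detached
    signature; its embedded certificate list identifies who signed the app.
    """
    certs = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(SIG_BLOCK_SUFFIXES):
                certs.extend(pkcs7.load_der_pkcs7_certificates(z.read(name)))
    return certs


def cert_identity(cert: x509.Certificate) -> dict:
    """Subject DN plus SHA-256 fingerprint: the two facts used to attribute a publisher."""
    return {
        "subject": cert.subject.rfc4514_string(),
        "sha256": cert.fingerprint(hashes.SHA256()).hex(),
    }


def same_signer(apk_a: bytes, apk_b: bytes) -> bool:
    """True if the two APKs share at least one signing-certificate fingerprint."""
    fp_a = {c.fingerprint(hashes.SHA256()) for c in signer_certs_from_apk(apk_a)}
    fp_b = {c.fingerprint(hashes.SHA256()) for c in signer_certs_from_apk(apk_b)}
    return bool(fp_a & fp_b)


# ---- Constructed sample data: self-signed certs and minimal APK-shaped zip files ----

def _make_cert(common_name: str, key: rsa.RSAPrivateKey) -> x509.Certificate:
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )


def _make_apk(cert: x509.Certificate, key: rsa.RSAPrivateKey) -> bytes:
    manifest = b"Manifest-Version: 1.0\n"
    # Detached PKCS#7 signature over the (stand-in) signature file, as a JAR signer emits.
    sig_block = (
        pkcs7.PKCS7SignatureBuilder()
        .set_data(manifest)
        .add_signer(cert, key, hashes.SHA256())
        .sign(serialization.Encoding.DER, [pkcs7.PKCS7Options.DetachedSignature])
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", manifest)
        z.writestr("META-INF/CERT.RSA", sig_block)
        z.writestr("classes.dex", b"dex\n035\x00")  # placeholder, not real bytecode
    return buf.getvalue()


_PUBLISHER_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
_OTHER_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
PUBLISHER_CERT = _make_cert("Example Publisher (constructed)", _PUBLISHER_KEY)
OTHER_CERT = _make_cert("Unrelated Publisher (constructed)", _OTHER_KEY)

# Two apps signed with the same key, a third signed with a different one.
APK_CALLER_ID = _make_apk(PUBLISHER_CERT, _PUBLISHER_KEY)
APK_CONTACTS_BACKUP = _make_apk(PUBLISHER_CERT, _PUBLISHER_KEY)
APK_UNRELATED = _make_apk(OTHER_CERT, _OTHER_KEY)

if __name__ == "__main__":
    samples = [("caller-id", APK_CALLER_ID), ("contacts-backup", APK_CONTACTS_BACKUP),
               ("unrelated", APK_UNRELATED)]
    for label, apk in samples:
        for c in signer_certs_from_apk(apk):
            print(label, cert_identity(c))
    print("same publisher:", same_signer(APK_CALLER_ID, APK_CONTACTS_BACKUP))
    print("same publisher:", same_signer(APK_CALLER_ID, APK_UNRELATED))
```

On a real APK, point `signer_certs_from_apk` at the file's bytes; apps signed only with the v2/v3 APK Signature Scheme carry the certificate in the APK Signing Block rather than in META-INF, so this v1 reader will return an empty list for them and a tool such as `apksigner verify --print-certs` is the right fallback.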

