Jul 19, 2009

Dirty Data Deeds

In recent days, yet another ProZ.com-related scandal has become public. As one upset site user wrote in the thread about identity theft:

I've also just found my details on Outsourcingroom.com

...including personal information I'd hidden on Proz.com. So much for Proz.com's guarantees about privacy and data protection.

I could understand it if my public data had been mined, but not the hidden data. Proz.com claims to know things about Internet security, so they should be on their guard against data mining.

I don't care if it's the weekend (I happen to be working) but I (and obviously a lot of other folk) want an answer from the Proz.com staff NOW.

I also expect Proz.com to take whatever action is necessary to remove our details from this intruder site - we individually did not cause the security breach and it's not up to us to sort it out.

Whatever you're doing, Henry, it's not as important as this is. Get off your butt and sort it out.

And yes, my data (some of them at least) are there too. I wrote a nasty note to the scamsters running the site, demanding that my name be removed; we'll see what happens. I tend to take a very extreme view of identity theft like this (this is not the first time it has happened either), and off-hand I can't think of any measures I would not consider applying to the perpetrators of such things in the fullness of time. There were a lot of things to be learned in early issues of Liebigs Annalen der Chemie before such information began to be restricted.


  1. Thank you for this posting, Kevin. I took the opportunity to look up my data on this site, and lo and behold - even though I left Proz.com almost two years ago, I am in their database!!!! What I found definitely points to Proz.com's system. It even shows my login name that I only used on Proz.com, preceded by 'xxx', which means that they got hold of the data after I left Proz. Very disturbing!

  2. Fascinating. So what you are telling me, Sonja, is that ProZ keeps files on former users/members long after they are gone? Very interesting.

  3. Hmm - I don't know about the US data protection regulation, but I recently had to take an "exam" on UK data protection law (should be similar in most of EU) and something I clearly remember is that you can only hold data as long as it's relevant to your business operations in relation to that person.

    That Proz hasn't deleted Sonja's data after almost 2 years seems like a clear breach of these rules (assuming regulation is similar in the US).

  4. @Madeleine: I don't know where the servers are these days and which laws would apply, but even if not directly illegal I would say it is ethically dubious. The servers could be in that same Ukrainian office that offers all the hot women for sale AFAIK. And I wonder how safe the credit card transaction data for ProZ renewals are.

  5. Geez, talk about done dirt cheap. I hope you don't mind if I cite my comment here, because it's only a matter of time before it gets deleted:

    Marie-Claude Falardeau wrote:
    But how did OutsourcingRoom obtain such information, if not through a breach in security?

    It's interesting to note that proz.com set up an office in the Ukraine a year or so (?) ago, and outsourcingroom is also based in the Ukraine. Makes the proz.com invoicing tool look even more attractive, doesn't it? For the record, I found my username at that website too, but with just my city and country, no other details.

    (end of quote)

    In case that was too subtle, I believe the situation could be much more sinister, i.e. they may have SOLD or otherwise given away the data. IMO it ain't a coincidence that the company has offices in places like Venezuela and the Ukraine.

  6. I see that this has attracted a lot of attention on Proz.com, so I would like to clarify one or two things here (since I cannot write to Proz.com forums).

    I checked my information once more on that site, and it appears that all they have about me is:
    Proz.com login name, full name, city, country.
    They have no details about my language pairs, nor do they have my e-mail address or anything else that I had entered into my Proz.com profile.

    I think the reason why Proz stores this information is to keep forum postings of former members linked to their names. If you go through Proz.com's fora, you'll see that postings of former members still show their name and location, sometimes with a picture if they had one on their profile site, and can only be distinguished from active members by 'xxx' in front of their names. I don't know if this counts as a violation of data protection laws or not.

    Personally, if I had the choice, I would rather have all my information removed from Proz.com, and my name next to forum postings replaced by an anonymous label (such as 'former member' or 'guest' or 'visitor'; this is what I have seen in other fora). Since I am no longer a Proz.com member, I don't think my voice will be heard.

  7. @Sonja: If you are right about only these data being retained by ProZ for purposes of keeping the forum threads straight or attributing an article or whatever, I don't see that as a problem, and I would support Henry & Co. on that score.

    However, I don't think you can judge the data actually stored at ProZ by what appeared on the other site. My data were also fairly minimal there, but after the incident in India last year where my entire profile was swiped and some grinning foreign face added to it along with Indian telephone numbers, I am a bit touchy about any of my data appearing in a place that I have not put it or permitted it to be placed.

    We'll see what staff says. Henry's initial response last night was reasonable. It's obviously in his interests to get to the bottom of this - you may have noticed that eLance got raided too. There was a newspaper article (Washington Post? I forget, have to look it up on the Twitter feed) last night.

