
I've seen a demo where given my email address they could pull up my name, address, profession, age, and I forget what else. Yes, it's already in unscrupulous hands.



I've seen that too. This API for example [0] called "email enrichment" where I got my full name back, based on email address.

Edit: Added main company link providing this API [1]

[0] https://app.livestorm.co/api/v1/utils/email-enrichment/?emai...

[1] https://docs.enrich.email/


My data is empty, even though I'm not that paranoid about privacy (but I do take some care).

This specific API seems pretty innocuous. They're not doing black magic, it's just aggregating data that people willingly put out there about themselves.

I'm sure I'm out there in many datasets with stolen (or just "shared") information.


> This specific API seems pretty innocuous. They're not doing black magic, it's just aggregating data that people willingly put out there about themselves.

That has always been illegal in my country though (you can't even keep a record of people with pen and paper), and now with GDPR would of course be illegal with actual consequences if it contains data about EU citizens.


Regardless, they're not based in Europe. Unless they do business in the EU, they can't touch them. This is due to the fact that extradition requires something to be a crime in both countries, so unless the EU has assets to seize, nothing they can do.

And if they try, any American court will be very leery of setting the precedent that Brussels can tell Americans what to do in any sense, particularly with respect to data stored on their servers.


Perhaps not directly, but if they're processing the information of EU data subjects on behalf of another company that does business in the EU, then that company will have to justify using this service, which is clearly not GDPR compliant.

I imagine the company using them will want to recover financial losses they incur after getting reamed by whatever European Data Protection Authority decides to go after them - especially if the culprits did promote themselves as being GDPR compliant.

The point of the EU's strong data protection rules is to have accountability - and it will fall on someone along the chain that caused the mess. Companies can't be allowed to completely disregard how they collect and store data and then go "Oops, haha sorry about that!" when the shit inevitably hits the fan, and just continue their business as usual.


>now with GDPR would of course be illegal with actual consequences if it contains data about EU citizens.

which, as an EU citizen, I can confirm it does


Hi, Gilles here CEO of Livestorm. Thank you for surfacing this.

What is this URL: This is not a public API route, it is a proxy to a service called Clearbit to enrich professional emails with public company and person data from multiple public sources such as AngelList or LinkedIn (cf https://clearbit.com/enrichment and https://clearbit.com/our-data).

By using this route, you are using Clearbit with our credentials. Most importantly, we don’t store any data on our end when accessing this route. We don't own this data, it is stored on Clearbit servers.

Why are we using them: We entered into business with Clearbit to help our users get more insights on their webinar sign ups from public data sources.

Are they GDPR ready: Clearbit is GDPR compliant (cf https://clearbit.com/gdpr). You can claim your data here: https://claim.clearbit.com/claim.

We took all the steps necessary with Clearbit to ensure our process was GDPR compliant. However, this information makes us double guess it. Therefore, we are reevaluating the compliancy of this specific process and in the meantime, we have deactivated this route.


Hang on a minute.

Your GDPR compliance page is absolute crap. Ditto your Privacy policy. https://clearbit.com/privacy

For starters:

At what point does this site show that I have given consent for you to process my data? Who are the third parties that have given you my data?


Not only that, but their "delete my data" button says "we've deleted your data" but it's still there when I revisit.


That's Clearbit's page. Not Livestorm's. Again, this URL is a proxy to Clearbit's API :)


Actually (after contacting their support because of wrong data that was returned for my contact), they seem to be using https://clearbit.com/ instead as backend.

enrich.email also does the same, though.

There’s also https://fullcontact.com.

In the end they all just search and scrape social media profiles and gravatar.


What surprised me is that when you go to https://clearbit.com/ at "Understand your customers" it actually showed our company logo. Probably based on IP address because I'm at the office right now and cleared my cookies.


I checked mine and it has only my full name. But "indexedAt" gives the current date and time, interesting :)


Mine has information harvested (provided by?) from about.me. (I had a page there about my dancing activities) So this API tells anyone where and when they can meet me for a dance. (9 years ago, that is) :D


I am just waking up, is there a link to check if your email was part of this?


Mine only has whatever Gravatar had.


FullContact? Although its "Enhanced Contact API" has been discontinued.


Facebook?


Equifax and every other latest fintech startup who believes their amazing data slurping ml/ai idea is going to change the world


LinkedIn.


Some companies in this space: Clearbit, FullContact


People were so afraid of BIGTECHs getting their hands on all your personal data. When in reality, a 13 year old can just ask around on some forums and get it.


The 13 year old can get it because BIGTECH collected it and shared it carelessly, no?


> collected it and shared it carelessly

Or often, as in this case, collected it and stored it carelessly so someone else could get in and use or share it at will.



