We’ve all received a scam call: a mysterious number appears on your phone and you answer in a mixture of concern and intrigue, wondering who it is. Usually it’s someone trying to sell you something, ask if you were in an accident, or claim to be from Microsoft Tech Support. You know. The usual drill.
In a recent meeting of information security professionals, this was one of the subjects which came up in discussion. More specifically, if you receive one of these calls and then share the number that the call came from, are you breaching data protection laws by doing so?
In the discussion, the person raising the point said “the ramifications could be dangerous” as you’re potentially exposing personally identifiable information, as you’re “technically doxing someone.”
Specifically, doxing is the practice of researching and publicly broadcasting private or identifying information (especially personally identifying information) about an individual or organisation. It’s been common among hacker groups, specifically when the Anonymous hacker collective exposed the details of 7000 police and law enforcement officers during investigations into hacking-related activities in December 2011. Membership details of both the Ku Klux Klan and Westboro Baptist Church were also publicly released by hacking groups.
Capturing how a scam call works is not new. Security researcher Troy Hunt is among many who have captured those types of calls and published the conversation on their websites, but is it a step too far to publish the details of the number and caller?
I asked Jonathan Armstrong, partner at Cordery, what the legal perspective is in this case. He said “the simple answer is it could be” illegal to do this type of doxing, as “a phone number can be personal data and just because something is in the public domain doesn’t mean to say it’s free to use it.”
“In extreme cases there could be criminal offences too in sharing someone’s phone number, although this would be much less likely,” he said. “I think that there is a difference here between PII and personal data. In most US states the phone number may not count as PII but it will almost always be personal data for GDPR purposes.”
The best option here really seems to be one of taking care. The members of the meeting were warned to be careful anyway, as a phone number “could be used to link to a person’s social media and find a person’s profile.” This could cause issues for both the person posting the details and the person whose details they are, “and could by accident stir up a witch hunt.”
The number of scam calls you receive can be an irritation, but the best action is to hang up and, where possible, not even answer the call. Whilst the legality of publicly disclosing the details of who called you remains sketchy, it is best to err on the side of caution and keep the details offline.