Scam Alert: iProfile / Vertifi / Jobzooma

Background

I've included two logos in reference to this article - one relating to iProfile Ltd (Australia) - who advertise "CV cleansing" services, which re-combines candidate data from other sources into the recruiter's CV base; and iProfile (UK), which is / was part of the Vertifi brand house. Vertifi were also trading as "Talent Spa" and its associated domains.

As you can see the logos are virtually identical and these companies share directors, despite the organisations' protestations to me previously that they are completely unrelated. Even though they perform exactly the same operations & services (and more than likely share data to re-sell).

In essence, iProfile used to offer recruiters a platform that would "enrich their CV database", and allow them to utilise those candidate profiles more than one year old. This involved recruiters acquiring candidate (job seeker) profiles from standard sources - for example from the jobs boards on which they advertised live job roles - and then upload them into the iProfile system.

iProfile would aggregate data they had acquired from other sources with this candidate information, and help the recruiters verify and validate their candidates.

All fine, you might think - until you roll into this situation that the candidate has no idea that any of this re-combination and aggregation is going on. Neither the recruiters nor the iProfile owners (Vertifi, a UK-based organisation) were letting on that this was involved.

I'll circle back to Jobzooma towards the end of this post as that's even more astounding, but the corporate equivalent of the three-cups-one-ball shuffle...

Some History First

I first got involved with this situation where one of Vertifi's brands, "Talent Spa" (talentspa.co.uk), were taking the candidate details out of the back of this platform, and then spamming the candidates with offers of CV writing services.

When you upload your CV directly onto a jobs board, such as Monster, you do so either to apply for a live job advertised there, or to start looking for a new job. Your intent is to open up the opportunities to employers or agencies who have live jobs on their books, and who might match your details with those roles. Monster's terms and conditions are quite specific about this, and I've spoken to them many times about it - even providing evidence to them when I've found my details scraped, which they've then used to ban people & organisations.

What you're not consenting to in all of this - either in the pre-GDPR world or not - is to be subscribed to other jobs boards and platforms with which you've never had any contact, nor ability to review and accept their terms and conditions. This is the opposite of explicit consent and is a massive misinterpretation of a legal basis for processing under "legitimate interest".

When I started getting emails from Talent Spa I got them to detail how they'd acquired my details and under what basis - at no point were they able to provide evidence of consent at any stage.

With one of the unsolicited emails I followed the links within - I was forced to create a login before I could even accept - or reject - the iProfile / Vertifi / Talent Spa terms of service, thereby consenting to allow them to acquire, store and process my personal data - including for unsolicited marketing purposes under PECR section 22.

Once logged in there was actually no way to refuse or decline, despite the implications to the contrary in the emails and on the login page. It was a data trading trap, pure and simple. I could unsubscribe from emails but that wouldn't actually remove my data.

A case in point was where it turned out that one of my email addresses existing on their system had been acquired in 2007 - I had no notification or idea that they had it until digging into it in 2015. Eight years without so much as a note. What had they combined this data with? What were they using it to validate against?

So I asked iProfile / Vertifi to explain what they do with my data. This is their response - note that they are required to explain the logic of any automated decision making which is performed on personal data, which is a requirement (if asked) in a DPA section 7 notice. They fail to provide any evidence of consent, seem to shoot themselves in the foot re: opt-in and refuse to explain the automated decision making logic. They also answer about specifics - "...we remove your details from the CV database..." - what about other data stores which aren't CV specific that they retain my data in?

So I took this to the Advertising Standards Agency in 2015 and they agreed with me in totality; and that Vertifi had breached sections 10.4, 10.4.2, 10.4.4, 10.13 and 10.13.3. You can read the live ruling here.

Whilst it did go quiet for a while, eventually they resurfaced again - having worked out how to appear to comply with the ruling. This largely involved an intermediary step that, when a recruiter added candidate details to the iProfile system, iProfile were required to notify the candidate that they had their details. Only if the candidate subsequently followed the instructions to explicitly allow continuance of the process could iProfile / Vertifi then move the candidate data from a staging area.

Email screenshot shows email from iProfile, but notes "The team at Circle Recruitment"

Let's put aside the fact they're sending credentials in plain text in emails, as this just highlights the poor opsec involved here. The notification + opt-in message would have been a reasonable way forward - I suspect they continued to retain candidate data if there was no response at all, but didn't add it into the main silo of candidate data. Perhaps adding it but marking it to ensure the data subject wasn't further notified.

However that wasn't what was implemented. As you can see from the email content above sent to me in January 2016, by the time consent is requested the data is already stolen. Despite not logging in or - in some cases of the above email - explicitly unsubscribing - Talent Spa continued to send me emails offering CV writing services and seminars for a price. If you read it carefully they're still not providing an opt-in prior to processing!

They changed domains to talenspa.info to try and evade spam blacklists - which I confirmed with Vertifi support that they owned and operated, as you can see below. Also note that the Talent Spa website seemed to raise support requests on Vertifi.me (owned and operated by Vertifi Ltd).


I started asking Vertifi who they share my data with via their support desk - no direct responses to questions but then I asked specifically about Experian and some other data validators when I found some Vertifi.me marketing material (I'm not sure they intended to expose this information but it was available in the public domain). They claimed that iProfile data is not shared with Vertifi.me - yet could not explain how my details entered into iProfile by recruiters ended up being used by Talent Spa for unsolicited marketing emails. All these companies are owned by or are trading names of Vertifi. Look at that email screen shot above just to tie those things together.

They then claimed they only share my data with Experian when I create an account. Which the recruiters enable iProfile to do without my involvement or consent every time the recruiters get an updated CV from the jobs boards, and which iProfile absolutely do not share with Vertifi.

Surely they didn't lie, did they? Talent Spa email me using emails only available to iProfile

Myself and at least one other person, James Wild, started really taking notice of their activities now. I think we both issued Vertifi DPA section 10 & 11 notices - essentially requiring that they no longer acquire and process my personal data until further notice. I raised this notice on their support website, saw the system acknowledge the request but heard no more. There's just no way they can claim the message "got caught in our spam filters" as the inbound message was tracked and logged as a support request.

Section 10.3 notes that the recipient has up to 21 days to respond properly to this type of request - I take that to mean either reply in 21 days outlining the recipient's plan (i.e. how they intend to start complying with the notice), or that they have and explain what they've done to do so.

Vertifi never replied to either mine or James' notices in 2016.

It did however go a little more quiet after we sent them more S10&11 notices and kept both the ASA and ICO up-to-date on the situation. Every time a recruiter added me to the iProfile leviathan I immediately "unsubscribed" and then spoke to the recruiter. These conversations were amiable and open, with no liability ever levelled at the recruitment agency.

In most cases the recruiters noted that they had "heard things" already about iProfile and were considering moving to other platforms. One actually told me about deep-seated legal concerns he'd had - he'd taken them to iProfile and he didn't like the responses he received.

Eventually either no more recruiters were subscribing me to iProfile or Vertifi had turned off the attempt at acquiring opt-in.

The Second Wave

With the imminently arriving GDPR in 2016 we data protection officers started reviewing the new articles of law, comparing current instruments of law and refined our advice to clients. It was largely straightforward - if you were already complying with the DPA and PECR you were likely within the law with regards to GDPR. You might have to change your T's and C's - perhaps tighten up some data retention periods. Most clients were being pretty sensible about their approaches to data protection.

Before strolling into the next chapter of the Vertifi story, it's worth noting something of my approach to jobs boards. I use derived email addresses which are only ever used on that platform or website. There's a bunch of older email addresses I used to use which are no longer on any site - every time a data trader pops up using them they stick out like a sore thumb.

In iProfile's case the email was:
iprofile@<a domain I own>
And also:
rex@<a domain I own>

Incidentally, I haven't used the last one on any websites since 2013. Obviously it was associated with my name in their database. In 2015 I changed the email address used by a recruiter to add me to iProfile to "iprofile@<mydomainname.com>". With me so far?

If we rewind the clock a little to the 13th of October, I got an email addressed to:
modified.iprofile17715@<a domain I own>

Addressed to "Not Tested", instead of my name and sent by GIOS Technology Ltd, Cubes Tech Recruitment and Ventula. I'm still getting unsolicited emails even now to this address after the inauguration of GDPR last week. The muppets had not only not removed my data, but had changed the meta-data (email address)...but hadn't even done that properly! They'd changed the mailbox (the bit before the '@') but not the domain!
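A sketch of the per-site address check described above, added here as an example and not part of the original post. It assumes aliases live on one domain you control (example.org stands in for it); the alias registry, sender domains and sample messages are all constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "example.org"  # assumption: stands in for "a domain I own"

# Constructed registry: alias mailbox -> sender domains entitled to use it.
ALIASES = {
    "iprofile": {"iprofile.example"},
    "monster": {"monster.example"},
}

def audit(raw_message):
    """Return (recipient, alias, verdict) for each recipient on MY_DOMAIN."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    findings = []
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        addr = addr.lower()
        local, _, domain = addr.rpartition("@")
        if domain != MY_DOMAIN:
            continue
        if local in ALIASES:
            # Exact alias: only the site it was issued to should be sending.
            ok = any(sender == d or sender.endswith("." + d)
                     for d in ALIASES[local])
            findings.append((addr, local, "expected" if ok else "leaked"))
            continue
        # Mailbox was altered but still embeds an issued alias: the record
        # was modified rather than deleted, and its origin is still visible.
        alias = next((a for a in ALIASES if a in local), None)
        findings.append((addr, alias, "mutated" if alias else "unknown"))
    return findings

# Constructed sample messages; sender domains are placeholders.
SAMPLES = {
    "expected": "From: iProfile <noreply@mail.iprofile.example>\n"
                "To: iprofile@example.org\nSubject: Update\n\nbody\n",
    "leaked": "From: Jobs <jobs@recruiter-a.example>\n"
              "To: iprofile@example.org\nSubject: New roles\n\nbody\n",
    "mutated": "From: Jobs <jobs@recruiter-b.example>\n"
               "To: Not Tested <modified.iprofile17715@example.org>\n"
               "Subject: New roles\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit(raw))
```
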

Check this out from February 2018:

Even references GDPR, but does not provide opt-in option

That was pretty stupid because now I'm able to follow the breadcrumbs. Which is even more deliciously ironic considering they're notifying me that they've still got my data in an email about legislation that expressly forbids them from doing so. They don't have a legitimate interests basis for processing either, as I'd never dealt with them before issuing a DPA S7 request, and because the way in which they're using my data is contradictory to my expectations of privacy, nor is it necessary processing. It's not necessary because I haven't entered into a contract with them - they've hoovered my data illegally and been told to remove it. This means iProfile, Vertifi, Jobzooma and anyone they offer or share my data with has no lawful basis of doing so.

Also worrying is that this email doesn't provide an "opt-in", or an "opt-out". I got one for each email I noted in this post above - don't forget my S10&11 notices in 2016 are still in effect. They're portable into the GDPR space.

So, Jobzooma is also now in the picture. After a bit of digging it looks like Vertifi went into voluntary liquidation in December 2017, with Mark Goldberg, Mark Callahan and Thomas Clegg the final directors responsible. So Jobzooma "acquired the business" of iProfile huh?

Of course, I clicked no links, made no contact and certainly didn't opt-in or indicate explicitly providing consent to Jobzooma. But I did have a rifle through their corporate details.

Just a second! Mark Goldberg is also the sole director of Jobzooma! What a coincidence! And they've acquired iProfile - who were run by the same people as Vertifi above (less Goldberg), and with Glen & Nicole Perry and Conleth Murphy. The Perrys are also directors of iProfile PTY LTD in Australia, which appears to still be operational according to ASIC. Of course iProfile (Oz) were absolute in their assertions that they were nothing to do with iProfile (UK).

Broad Side

Of interest is that I received a few cold calls from a barrister - Alexander Wilson - selling the services of Proxima Ltd. After complaining to the bar, it seems Mr Wilson relied on the consent provided to him by Vertifi.

In fact in his response to the bar complaints board he includes an invoice he paid to Talent Spa for a mail shot. He's now claiming that Vertifi, and "Company A" - whom I take to be Jobzooma - provided him the consent. Slightly ironic isn't it?

I'll update when I know more but it looks like a link between the "Winchester Tax Boutique", "Company A" and Vertifi still exists.

Summary

So Vertifi transferred iProfile assets to Jobzooma, along with one of its directors - perhaps staff as well. Amongst which assorted assets was the iProfile / Vertifi candidate database.

Included in this database were email addresses, CVs, aggregated data from other sources and god knows what else belonging to me that it had previously told me were deleted, in order to appease the regulator (ICO) and the ASA. They even told me that they'd deleted all my data at the time, although never responded to the DPA S10 notices from 2016.

A lot of the unsolicited emails I've been receiving in the last few months have come via a US-based platform called ZipRecruiter / ZipAlerts. Which means the Jobzooma platform is exfiltrating my personal data outside of the EU & EEA and into the US. Despite the flimsy emperor's clothes that is "Privacy Shield" it means my data is now probably being re-sold to "affiliates" and other "organisations in their group".

I didn't say "yes" to the GDPR email. GDPR is now in effect.

Perhaps they realised that operating their own software platform was too expensive and are now using other platforms as-a-service to continue their business. It's the typical "phoenix" approach to avoid either a toxic brand like Cambridge Analytica / Emerdata or debt. iProfile Australia still seems to be operational, but iProfile UK is now Jobzooma.

The fact that they're still employing the same approach to data protection and privacy either indicates that they're driven by Goldberg, or that he's re-employed the iProfile & Vertifi team who created it.

I've given the nod to both the ASA and ICO that there's something fishy going on, perhaps they'll find some time to look into it again. Whatever the outcome of those investigations you may find that other platforms are more in-tune with the protection of your privacy (and your CV).

Do you put your birth date and address on your CV? You do? Really? Have a think about what you do put on it now before you upload it to some dodgy "recruiter" website in future.
