Greetings. In a recent blog entry, I noted the existence of a site (which is interconnected with many other sites, as it happens) that allows for the direct and simple entry of landline telephone numbers, and in most cases will happily return the street addresses for those numbers -- even if the numbers are unlisted. It seems to return correct addresses about 80% or so of the time, perhaps more.

Already, a number of persons who have unlisted numbers due to various security concerns have expressed alarm over this situation. After all, phone numbers are much more easily obtained (caller ID, business transactions, etc.) than associated street addresses (at least until now), and just because someone provides a phone number doesn't mean that they want to have folks showing up at their front door or barraging them with physical mail.

The interesting questions associated with this situation include where is the unlisted number data coming from -- unlisted numbers are supposed to be held to a higher security and usage standard -- that's why people typically have to pay extra every month to be unlisted in the U.S. Possible sources are the telco databases and third party data miners, or some combination of the two (several phone numbers I've tested that are in the site's database have never been used in the course of business, so a telephone company source seems more likely in those cases).

By offering addresses for numbers rather than requiring the customer to enter an address and then confirming it, the company involved has made a fundamental data privacy implementation error of a sort I wouldn't expect from a first year programming student.

I have now received a reply back from the company's PR firm, which I will characterize as "we're not doing anything wrong and we're not going to change anything so tough luck and have a nice day."

I suspect that there are millions of people with unlisted phone numbers who are as concerned as I am about the easy availability of their street addresses on an open and free Web site. I'm in something of a quandary as to what to do next.
I am sorely tempted to simply reveal the site and company, and let the chips fall where they may. That may be the only way to get the company's serious attention to this matter. After all, it's almost certain that this site is already being exploited -- potentially for seriously bad purposes -- by persons who have already discovered the situation and are keeping their mouths shut.

On the other hand, I have no desire to see unlisted number addresses revealed en masse, which would likely be the immediate result if I identified the specific site(s) involved.

Suggestions as to what to do next are invited. I want to move on this one way or another as soon as possible.

Thanks.

--Lauren--
lauren@vortex.com

Blog Update (December 20, 2007): Details of Unlisted Number Address "Exploit" Revealed