Help Wanted — Scammer

Late last year, when I had listed my house for sale, a real estate agent rang me. He wanted to poach my listing from my current agent. I asked where he got my number. He told me that he subscribed to a platform called iD4me. I went and looked.

iD4me is an Australian data aggregation business. They market verified homeowner data to real estate agents — names, addresses, phone numbers, email addresses. They claim access to over 19 million mobile numbers and emails, which is approximately the entire adult population of Australia. I could not find my own entry on the site because the data sits behind a paywall, but my actual agent confirmed it was there. The record included my date of birth.

I had never heard of iD4me before this. I had never given them anything. I had never had any commercial relationship with the company. They knew about me, had assembled a profile, marked it as verified, and were selling access to it to real estate agents who used it to ring me about a listing I already had with someone else. I am also on the Do Not Call Register and have been for years. iD4me had also published that fact on my profile. The agent who called ignored it. iD4me could not have been unaware of it.

I complained. They took my data down. They did not explain where the data came from. They did not explain why my Do Not Call status was ignored and published.

iD4me are scumbags straddling both sides of privacy law for profit. They know exactly what they are doing. They are bad actors, and naming them matters because I do not want the systemic argument later in this article to be read as letting them off the hook. They chose to operate in the legitimate space and beyond, in whatever space the system enables. That said, this essay is not about iD4me specifically. They are a single instance of a structural pattern, and the pattern is the larger point.

What I Think Happened

It seems to me that my data was collected without lawful basis. I suspect that somewhere in some website end-user licence agreement for a paid service, there were some weasel words that meant "we are going to sell your data on" without saying it like that. I do not know which service. There are dozens of plausible candidates over the last decade. I cannot trace it, and the asymmetry of that ignorance is itself part of the design.

The agreement I probably signed extracted from me an asset of unknown but non-zero value: the bundle of identifiers that lets a third party sell access to me to anyone willing to pay. The payment I made for the service was not just cash. It was also my data, which I was not aware of when I agreed to purchase. The data had a market price. iD4me knows what that price is. The real estate agency that subscribed to iD4me knows what they paid. Everyone in the chain knows the price of my data except me. I am the only party in this transaction who did not know what was being traded.

This Is Theft

It is not normal in any other domain to take an asset from someone, monetise it without telling them, and refuse to compensate them on the grounds that there was a clause buried in a document they signed for a different transaction.

If a tradesman came to my house to fix a tap and, while there, took photos of every room and sold them to a real estate marketing platform on the basis that he had a clause in his service agreement permitting "use of premises images for business purposes," that would be illegal. It would be straightforward to recognise as taking something from me without paying for it. The fact that I signed something would not save him. I would have actionable claims and the regulator would likely back me.

The same act, performed digitally, against my identifying information, at scale, by industries with lobbyists, has been normalised. The clause holds. The asset is taken. The market clears at a price I do not see and do not receive.

This is the part I want to keep in focus, because others will rant or whine about privacy as moral right, privacy as constitutional value, privacy as personal dignity. My position is that my data is my property. My data has a price. I am the only party in the value chain not getting paid. That is not a privacy problem. That is a theft problem dressed in privacy clothing.

If the rule were "you may collect and resell this user data, but you must explicitly agree a price with that user," I would never have said yes to any EULA that could be used to authorise my inclusion in iD4me's database. The price would have surfaced the trade and I would have declined. It would have to be presented at checkout as an extra, the way delivery cost sits next to free click and collect — a visible line item I could choose to accept or refuse, with the trade-off in full view. The reason the rule is not that rule is that the industries that profit from the current arrangement need the price to remain invisible. Visible prices invite negotiation. The whole apparatus depends on the data subject not knowing what the data is worth, or in most cases not even knowing that their data is being sold on at all. The market may also have no clearing price. My individual data is probably not worth enough to iD4me for them to offer me anything I would accept. They chose aggregation over negotiation, which is the same choice that makes any other form of taking viable — the individual return is too small to bother with, and the scale makes it worth doing anyway.

Weak Regulators

The Office of the Australian Information Commissioner is the regulator for the Privacy Act. It is chronically under-resourced, complaint-driven rather than proactive, and its typical determination arrives years after the complaint with modest compensation if any. ACMA enforces the Do Not Call Register. It issues occasional fines that are small enough to be priced into the cost of doing real estate sales.

There is a small business exemption in the Privacy Act for entities with turnover under three million dollars. A meaningful share of the data broker industry structures itself around this. iD4me operates so many versions of their site (.com, .biz, .me, .org and others) that it is whack-a-mole trying to find their current real storefront. That is not accidental. That looks like corporate structuring designed to keep each entity small enough to slip the regime, while the underlying data and infrastructure persist across the structure.

The result is that the only person who can prosecute identity theft is the victim, on a per-broker basis, on a timeline of months, against an industry that has a multitude of brokers and replicates faster than any individual can prosecute. The current system is not designed to prevent the theft. It makes the theft uneconomic to challenge.

The Simple Fix

The reform that would kill this industry is five sentences.

I may consent to you using my data. You must pay me for that consent. You may not transfer my consent to anyone else. Your right to my data ends when your company ends or changes hands. Wholly owned subsidiaries, parent companies, affiliated companies, group members, service providers, white-label operators, and underwriters are separate entities for the purposes of this rule, and each must obtain its own consent and pay for it directly with me, separately.

That is the entire reform. It does not need a hundred and sixteen recommendations. It does not need a first tranche and a second tranche. It does not need a small business exemption or a statutory tort or a direct right of action. It treats data the way employment law already treats personal services: as a non-transferable arrangement between two specific parties that ends with the relationship.

Under this rule, iD4me has no business model unless they pay people like me to consent. They cannot have bought my consent because they never asked me for it. They cannot have inherited it from a service I did sign up to, because consent does not transfer. They cannot have aggregated it from public sources, because the rule prohibits use without consent regardless of how the data was obtained. They cannot acquire it through a corporate restructure, because change of control terminates the consent. End of business model.

My rule does not kill ad-supported services. It defines what an honest ad-supported service looks like.

Take Google search as a worked example. Under the rule, my deal with Google is direct. I consent to Google using my data. Google pays me with the search service. Payment in kind is still payment — same legal structure as any barter. Google can use everything it knows about me to choose which ads to show me, because that use is internal to the relationship I consented to. The advertiser pays Google for the placement and pays again if I click. The advertiser learns nothing about me that I have not separately consented to share with them. Google can tell the advertiser that someone in my demographic cohort clicked — aggregate data that cannot identify me — but that is all. No pixel fires. No cookie. No fingerprint. No session log sent back to the advertiser's analytics stack.

That is my rule applied. Five sentences, one example, no carve-out required. The advertiser is structurally outside the consent chain because no data about me ever flows to them without my separate agreement. The platform's sophisticated internal use of my data is fine because it is internal to the party I consented to. The transaction is legible to me at every step.

Google as currently operated does not work like this. You click on an ad. The advertiser receives your IP address. Tracking pixels fire. Cookies are set. The advertiser's analytics infrastructure logs your visit, fingerprints your browser, and ties the session to any other identifier they can correlate. Conversion tracking pixels send data back to Google about what you did on the advertiser's site, which Google then feeds back into its profile of you and shares in aggregate form with other advertisers. Your click was a navigation event. The industry treated it as consent to a data exchange you were not aware was happening.

This is the core issue and it is general. No one who receives your data should assume your consent to use it or to pass it on. The click is a navigation event, not a consent event. Arrival at a website is not consent. Being shown an ad is not consent. Having a previous account with the same parent company is not consent. Consent is the explicit agreement of the data subject, to a specific party, for a specific purpose, in exchange for specific value. Anything less is taking.

The reform will not happen. The reasons it will not happen are the same reasons the current regulatory architecture cannot enforce the rights it nominally protects. The fact that the reform is so simple, and so completely outside the political possibility space, is itself the strongest evidence I can offer that the regime is doing what it is designed to do.

The Paragentist Diagnosis

A Processor is someone who runs a script and optimises within it without ever asking whether the process actually does the thing it claims to. Organisations can be Processors too, and organisational capture is more dangerous because their scripts tend to last longer.

The OAIC is a captured Processor. Not corruptly — the people there are doing what their resourcing allows. But the institution runs a script that produces motion without producing the outcome the script claims to exist for. Complaints are processed. Determinations are issued. The data broker industry continues to grow.

iD4me are not captured. iD4me are one bad actor operating inside the space the captured regulator leaves open. The two roles are mutually reinforcing: the captured regulator produces the conditions under which the bad actor's business model is profitable, and the bad actor's business model produces the volume of breaches the regulator cannot meaningfully address. Ironically, the breaches validate the regulator's continued funding. Each enables the other.

This is the standard Paragentist reading. What I want to add is a second observation, on which I am going to be honest about what I do and do not understand.

The Missing Pivot

Australia has a substantial underground economy of fraudsters running sophisticated automated operations against the same population the data broker industry profits from. Phone scammers, phishing operators, fake invoice rings, romance and investment scams. The successful ones run distributed systems, do social engineering at industrial scale, automate target identification, manage cross-jurisdictional payment infrastructure, and adapt continuously to detection. The capability is real.

The legitimate version of that capability set has a market. Privacy enforcement automation — services that exercise statutory access, correction, and deletion rights against data brokers on behalf of paying users — is an active global industry. Mine in Israel. Optery and DeleteMe in the US. Incogni bundled with Surfshark. Same fundamental premise as the scam operations: individual rights enforcement is uneconomic per case but profitable at scale through automation.

The skills overlap looks substantial from outside. Persistence, automation, operating at the boundaries of bureaucratic systems, comfort with adversarial counterparties and scale.

The pivot from one to the other has not happened in Australia at any visible scale. The legitimate operators in adjacent markets are mostly building from the privacy-policy side — lawyers, ex-regulators, privacy professionals — not from the operational-automation side that the scam economy could in principle supply.

The absence of the pivot is observable. The reasons for the absence are not. The honest list of possibilities I can posit: the skills may not transfer as cleanly as they appear; the scam operator's actual edge may be specifically the willingness to lie, and removing that may remove what makes the operation work; the legitimate version requires KYC, banking relationships, and corporate compliance that scam operations are organised to avoid; the legitimate margins may be lower per operator-hour and the current allocation may be rational on numbers we don't have; the pivot may be happening invisibly — when an operator pivots, they stop being visible as a scammer.

I do not know which of these is correct. Probably some mix. What I do know is that the same skill set could close the gap from either side and is being deployed only on one. That tells us something about the structure of incentives. I do not yet know what.

Help Wanted

The citizen sits in the middle of all this and cannot match the scale of either operation. The fraudsters have automation. The data brokers have automation. The regulators do not. The citizen does not.

My data has a market price, that price is being captured by intermediaries who never asked me, and the regime that pretends to defend my interests has produced an environment where I have no realistic mechanism to either prevent the capture or claim the proceeds. I would have negotiated. The architecture is built so I never see the offer.

The Paragent move is structural. The regulatory failure and the extraction industry come from the same forces. The available enforcement tools are mismatched to the scale of the offence. The gap is closeable by automating lawful processes. The fact that this move is profitable, lawful, and not being executed at any meaningful scale in Australia is the data point worth sitting with.

I am not going to build that business. Seventy-four ventures and the lesson I am still learning about which efforts produce returns that come back to me — a privacy enforcement SaaS is not on that list.

So this is a help-wanted ad. To the operators currently extracting from this population by lying to them: the regime you exploit pays your counterparts on the legitimate side of the same market. The skill set you have built is more valuable than the use you are putting it to. The first one of you to pivot will find a market that has been waiting for years.

iD4me took my data down when I asked. They did not explain where it came from. They did not address the Do Not Call breach. For all I know it is back up again. The system processed my complaint. The script ran. The system is captured.

The job is open. The pay is real. Someone should take it.