Dealing with SMS Spam from @PaddyPower


This is a cautionary tale of how my personal details have been repeatedly sold and resold by a British network of spammers - each of them turning a blind eye to the provenance of their data. I'm calling on the Direct Marketing Association to create a universal opt-out file - just like they do with junk mail and nuisance calls - to prevent people receiving spam via SMS.


Like lots of people, I awoke on Sunday morning to a spam SMS seemingly sent on behalf of the gambling firm Paddy Power.

So, being the fearless spambuster that I am, I decided to investigate from where they sourced my name and number.

Who Sent This?

I spoke to Paddy Power on Twitter and via their complaints team. They were adamant that it was not sent from them.

The SMS shortcode 64446 is run by AQL - a bulk SMS provider.

The site padd.pw was registered by Glaswegian firm Digitonic. The website is pretty crappy, but does give us a few clues.

There's an image telling people to contact Data Media and Research (DMRi). The email address is not clickable.

Finally, by looking at the source code of the site, we can see a Paddy Power affiliate link.

It looks like the owners of the site are spamming people in the hope of earning affiliate revenue from PaddyPower. Could this be part of the same gambling affiliate spam operation discovered by Andrew Walsh?

Where Did They Get My Details?

I started by contacting DMRi - the company who said they could provide me with the information. An email to them went unanswered, so I picked up the phone.

As soon as I said that I was calling to find out where they got my details, they gave a weary sigh and asked if I was complaining about a gambling SMS. They agreed to remove me from their list ("it may take 28 days") and said they'd call later to confirm which data broker sold my data to them.

A few hours later they rang back. They confirmed that it was Digitonic which had sent the spam SMS, but claimed that DMRi hadn't supplied my data.

So, I rang Digitonic. The MD, Grant Fraser, was very pleasant and was adamant that his company had a "zero tolerance" approach to spam. All their data, he repeatedly said, came from reputable data brokers. In this case, my details were supplied by "Datatonomy" - he assured me that Datatonomy had promised that all the data came from opt-in methods.

I asked Grant why the message showed as coming from PADDYPOWER when Paddy Power insisted it didn't come from them.

I quoted the ICO guidance:

You cannot transmit, or instigate the transmission of, any marketing by electronic mail (whether solicited or unsolicited) to any subscriber (whether corporate or individual) where:
Your identity has been disguised or concealed;
Information Commissioner’s Office Spam Guidance

Digitonic told me that their end client was Paddy Power! Had the bookies lied to me? Heaven forbid...

As Datatonomy don't have any public contact details, Grant said he'd get them to ring me.

While I waited for the call from Datatonomy, I looked up what is meant by an "opt-in." I can categorically state that I haven't given Paddy Power my name and number directly. So, we move to what the industry calls the "soft opt-in" - had I given someone my details and allowed them to be passed on to a third-party?

This shouldn't matter:

You may send or instigate the sending of electronic mail for marketing purposes to an individual subscriber where:

  • you have obtained the contact details of the recipient in the course of a sale or negotiations for the sale of a product or service to that recipient;
  • the direct marketing material you are sending relates to your similar products and services only;

    If you satisfy these criteria, you do not need prior consent to send marketing by electronic mail to individual subscribers. If you cannot satisfy these criteria, you must not send marketing by electronic mail to individual subscribers without their prior consent.

    Information Commissioner’s Office Spam Guidance

I've not been negotiating with any gambling companies that I can think of. So how can this message possibly be legal?

I tried to get in contact with Stuart Murgatroyd who appears to run Datatonomy - he wouldn't return my messages so I gave him a phone call.

Once again, he denied that what he was doing was spamming. He merely aggregates data feeds and acquires contact details that way. He was convinced that I had somehow opted-in to third party marketing, although it would take some time for him to look up my details.

I pointed out that the ICO don't accept that as a valid reason to send spam:

If you buy or rent a marketing list you must perform your own due diligence checks to satisfy yourself that the details were obtained fairly and lawfully, that the individuals understood their details would be passed on for marketing purposes, and that you have the necessary consent for your marketing.

You should take extra care if you are using a bought-in list to send marketing texts or emails or to make automated calls. You must have very specific consent for this type of marketing, and indirect consent (ie generic consent originally given to another organisation) will not always be enough.

Information Commissioner’s Office Spam Guidance

Stuart faithfully promised to get to the bottom of this and agreed to call me back.

In the meantime, Paddy Power admitted that the spam was sent on their behalf:

A day later, and I was one step closer to the source of the spam. Datatonomy had obtained my details from DBS Data.

Based on the postcode they held on file, my phone number was obtained over 8 years ago!

Now... Why does the name DBS Data seem familiar to me....?

Oh yes! In 2013 DBS Data sold my details to a different gambling provider! If you read that blog post, you can see that I had previously asked DBS to remove my data from their systems.

At this point, I have fairly strong proof that this is spam. Even if, prior to 2007, I had accidentally opted-in to these messages I've subsequently opted-out.

While I waited for DBS to answer my emails and phone calls, I amused myself by reading the ICO's detailed guide to direct marketing.

93. As a general rule of thumb, if an organisation is making contact by phone, text or email for the first time, we would advise it not to rely on any indirect consent given more than six months ago – even if the consent did clearly cover that organisation.

95. Organisations should therefore make sure that they keep clear records of exactly what someone has consented to. In particular, they should record the date of consent, the method of consent, who obtained consent, and exactly what information was provided to the person consenting. They should not rely on a bought-in list unless the seller or list broker can provide these details. Organisations may be asked to produce their records as evidence to demonstrate compliance in the event of a complaint.

Direct Marketing Guidance (PDF)
Emphasis added.

Each organisation in the chain - Paddy Power, Digitonic, Datatonomy, DBS Data, and USM Digital - has obviously failed to check whether my details were recent or opted-in.

Odd, when you consider DBS Data's stated passion for targeted communications...

Finally, I got a call back from DBS. Despite promising to suppress my number from future marketing texts, an "unfortunate error" meant that Datatonomy never received that instruction.

A Pattern Of Abuse

This all follows a depressingly familiar pattern. The previous spam messages I've investigated - Coral Gambling spam and Floors2Go spam - are all caused by companies deliberately failing to do due diligence.

Paddy Power want to send out marketing messages. They get a company like Digitonic to source the numbers so Paddy Power can, in good faith, say "we asked a reputable company."

Digitonic doesn't have the capacity to supply high quality leads, so they subcontract to "reputable firms" like Datatonomy.

Datatonomy scrape from a variety of bottom-feeders like DBS and then claim to have ensured consent.

DBS dig old data out of their rubbish bins - provided by a company called USM Digital - they then spray it with deodorant, and try to pass it off as fresh.

Paddy Power then spam people - all the while claiming that they had no way of knowing that the recipients hadn't opted in.

Complaining

I have lodged complaints with the following bodies - if you've received this or similar spam, I suggest you do the same. Remember, this sort of spam only flourishes because regulators aren't receiving enough complaints.

Hopefully at least one of them will be able to take action against these spamming twunts.

Going Forward

No one wants to receive junk SMS. Companies don't want to waste time and money sending to hostile recipients. The Direct Marketing industry knows that its reputation is unsanitary.

What the Direct Marketing Association needs to do is create a Universal Opt Out service. Allow people to register their details so that DMA members know not to spam mobiles with unwanted messages.

At the moment, people have to reactively track down the source of the problem - and not everyone is as obsessive as I am!

Every company involved in this spam network is acting in a way many would consider to be utterly negligent.

The DMA must ensure that its members aren't allowed to get away with such a lax attitude to people's personal details.

4 thoughts on “Dealing with SMS Spam from @PaddyPower”

  1. Terence,

    You are a sleuthing star! If only we could have a few more people like you - then we probably would not be experiencing the current level of SMS spam!

    If you ever feel like becoming an Information Commissioner - I will vote for you!

    JB

  2. I reckon the DMA ought to act on their remit. Did you know that they are supposed to audit companies' data protection compliance once a year? I work for a marketing company and we haven't seen them in four years. On the last data compliance visit I intentionally withheld the documentation to see if they would follow up; they didn't.
    They ought to perhaps also vet new company members and run the DP audit on them before they are allowed to join. We used to believe that the DMA logo was a sign of a legitimate business working well within the law but they let anyone pay their membership fees and become a full member. Check out some of the recent one-man bands featured in the press recently, all members.
