I was sitting at work, with about an hour left in the day, when my mobile phone rang with a Seattle number I didn’t recognize.
It’s an election year, so I’ve been getting a lot of survey calls, and my normal policy is to answer them so that they won’t call me again.
I’ve spent a surprising amount of my adult life in jobs that involved phones – all the way from debugging IVRs to answering phones as grunt customer service – so I have a pretty straightforward reaction to a spam call: I answer it, politely, greet the caller with “Good , thank you for calling, how may I direct your call?”
If the thing calling me is an IVR – sorry, “Interactive Voice Response”, aka the thing that answers when you call your bank and says “If you’d like to press one, press one now” – it usually flags me as an answering machine and hangs up. Normal people answer the phone with “Hello”, after all, and machines are smart enough to know that they can’t sell anything to an answering machine.
If what’s calling me is a person, I usually get an embarrassed “I’m sorry, is this a business?” and they offer to remove the number from their list.
So it’s usually a win.
This wasn’t a win. I got as far as “Good…” when I was interrupted by a simulated steam horn and “THIS IS THE CAPTAIN SPEAKING”
I have a policy for anything that gets past my initial greeting – I simply call the person or persons responsible and politely ask if they wouldn’t mind taking me off their list. This generally works quite well – the people who run these businesses are humans, too, and if you ask them politely and treat them like people they will usually do you the small favor of telling their machines not to call you.
Normally this is about a 10 minute process involving figuring out which organization is calling me, finding out whose services they’ve hired as pollsters or marketers and calling that company directly. It usually isn’t too hard to find a phone number because, well, anonymity is a difficult thing these days and companies who do polling and marketing services, while they tend to be secretive, do need some way for customers and potential customers to find them.
Even if you don’t have customers and aren’t seeking them out, it’s still pretty tough to be anonymous. Personally, I’ve taken about enough care with this blog to give me 5-10 minute’s worth of anonymity, but it wouldn’t take anyone who cared more than that to track down my personal information.
In this case, it was fascinatingly tricky to track the company down, so I thought I’d share.
I’m leaving out a few of the more specific details because they were quite nice once I finally did get in touch with them.
The number that had called me came up on all kinds of “Who Called Me?” web sites, and those gave me a good couple dozen other phone numbers used by the same company, all with various area codes, so they were obviously spoofing their ANI data and it was a waste of time to follow up on it.
It also led me to a web site associated with The Captain, at surveycruise.com, and the first of many company names.
Surveycruise.com was very locked down. It had the normal sorts of things – a domain name registered through an anonymous proxy service, web hosting on a site that was tricky to track down geographically – the traceroute timed out somewhere in Illinois – and a lack of any names or phone numbers.
It DID have “If you’d like to use our services, here’s how to contact us”, but this was nothing more than a web form with no actual contact information associated.
There were plenty of images, but all of the stock photo variety – no handy EXIF data pointing me to a person or physical location – and the site’s source code was of the “Learn HTML in 24 hours variety”, very straightforward and doing everything it needed to do but with no identifying marks.
But, buried in the source code was the site’s Google Analytics code, and looking THAT up gave me a list of 17 different web sites all using the same Google Analytics code, and I started seeing if any of those had been set up with less care given to anonymizing them.
My first hit, looking through the list, was a web site for a company based in Virginia that actually had phone and fax numbers listed on its site. It wasn’t a registered corporation with the state of Virginia, however, so it seemed more like a dead end than anything else – particularly as it was operating out of a box at a UPS store.
It was registered by a real person, however, not a proxy. So I had a name. Not a very useful name, as it turned out, but I was starting to see a human face behind the organization.
While it wasn’t registered with the state of Virginia, it was a company, so it was tracked by various sites that aggregate corporate data. I got a couple more names from this, both living in the same UPS box.
I felt like I’d hit a dead end in Virginia, so I kept going down the list of sites using the same Google Analytics code.
I ran into a lot more companies based out of UPS store boxes, mostly with anonymized domain registrations and the same sort of black hole web forms as on surveycruise.com, and an awful lot of people complaining on various web sites. Nothing useful, in other words.
I went through about a dozen of these companies before I started getting very different search results. Someone working for one of them had given about $8000 to various campaigns over the last few years, which wasn’t the sort of behavior associated with a throwaway company. It also gave me a name and a home address for the donor, which tied the company to Florida and which matched one of the names from the UPS boxes in Virginia.
I didn’t have a phone number yet, though, and looking up the guy’s home number would have been going out of bounds, so I concentrated on the corporation.
Florida has a very consumer-friendly corporation lookup web site. It let me plug the name in and get a list back of businesses they’d registered.
This chap had more companies than I have pairs of socks, and many of them matched the web domains from my Google Analytics list. Keeping track of all of them has to be a full-time job.
Again, most of them lived in UPS boxes, and the phone number that was tied to their incorporation papers was a mobile phone with a full voice mail box, so I still didn’t have valid contact information.
I did have a HUGE attack surface now, though, and some more searching turned up several domain registrations from before the gentleman in question had started using anonymizing proxies, or that perhaps simply weren’t very good about being anonymous.
I wound up with a street address – and looking at satellite maps proved that it was a legitimate building, not a UPS store – and a phone number that was (at least according to the Florida White Pages) a land line instead of a mobile.
So I called the number and a very pleasant person answered and tried to transfer me to the person Behind The Captain.
Sadly, The Captain was “on another call” and “going out of town” and had “very sporadic hours” so actually talking to him was a bit tricky.
They did, however, offer to help me in his stead, and transferred me to yet ANOTHER very pleasant person when I explained that I’d like to not get calls from The Captain anymore.
That person took my number and promised that they’d take me out of their system. All very polite, all very human.
This took a solid two hours, which is at least double the longest time I’ve ever needed to invest in this sort of thing. The Captain likes his privacy, and unwinding it has actually taught me some useful tricks which I’m going to keep in my toolbox for later.
So, Captain, my hat’s off to you. Just stop calling, OK?