I don't think it's unexpected when you use one phone number as both personal and business number.

Initially I still felt like it wasn't correct of Google to publish this as public phone number, but I think Google Play clearly asked what phone number customers can use to contact you.

One day my neighbor call me, and i had not register his number, so Samsung shows "<his name> GRINDER", because someone else had him like that in their contacts ^^.

He was openly gay within the neightborhood but he was also working as some sales representant for real estate and he was not exactly happy when i told him Samsung was broadcasting his sexual orientation to unknown people he would call >< (not to mention he told me hadn't used grinder in like 7 years).

A few years ago I worked for a company that no longer exists today. They had, among other things, a job search service connected to their ID system. I was also doing my own project at the same time and needed Python developers. I was young and naive and thought I could find a junior and train him quickly. So I posted a vacancy on this job board: "Looking for a Python developer without experience." It turned out that they showed my phone number and it couldn't be turned off.

I received about 3-4 calls from very strange people who demanded to know how to become programmers. For some reason, they all started calling at about 5am. I even gave some useful advice to the first one, because I was taken aback by such impudence.

Today I use about 4 different phone numbers to separate my private life and data leaks like that.

In Germany, lieferando (subsidiary of takeaway.com) registers domains in the form of restaurantname-city.de, points them to their lieferando cloudflare account, and claims ownership for the google business entry where they set the phone number to their own call center.

Then they call the business owner and _force them_ to sign the contract with them, because effectively the owner knows they cannot be found anymore via google, and everyone that wants to order something will reach the call center hotline and leave a negative review after the hotline tells them wrong number, effectively destroying their business. And the people working for lieferando via Zeitarbeitsfirmen know this, and mention this in the call to pressure the restaurant owners to get their sales provision.

Crimeflare before it got taken down had around 130k domains that were pointing to the lieferando website using this kind of scheme, I helped provide the dataset for a couple of local business owners that were extorted this way and refused to abide by that scheme.

Guess what happened, nobody could be sued and the financial damages were too small to escalate it on the European court level. Sadly, class-action lawsuits don't work the same way as in the US, apparently.

Effectively Google does not abide by the laws and gets away with it due to their financial structures of their holding companies.

And they certainly know about this, they just don't give a single fvck.

Applying Occam's Razor here, the explanation given in the post seems like possibly the least likely option.

One way to shed some light on this would be to use Takeout to get a copy of data held and see if they still have the number and what they hold it for.

https://www.google.com/search?q=Three+Rings+CIC&hl=en#irp=ph

On a day off work, I got a cold call to my personal mobile. This salesperson called me by my name and then tried to flog something relevant to my job. Being hugely irritated, I shared my thoughts with the caller demanded to know where they'd found my number. They were at least a little bit apologetic, and said they found it on LinkedIn using a plugin called "Lusha".

Lusha's website has claims about being GDPR compliant, but at the same time being a "crowsourced data community". They do at least publish a "Privacy Policy" and some contact details for a data controller.

I emailed them with a Subject Access Request, which they responded to two weeks later in a very cagey manner. Actually, I did some sleuthing of my own. I found an unlisted link for a broken OneTrust request form. This didn't seem to be linked anywhere on the website and I literally guessed the URL for it. After some poking around in the debugging console, I recieve a more fully furnished copy of my profile.

The data source for my email was... "Lusha's email guess algorithm" - now, one of the downsides of working for a small business and getting a firstname@domain.com is that guessing it isn't particularly difficult.

The data source for my phone number was more interesting. "L.S Mobile Apps Holdings Ltd." a company I'd never heard of, but eventually found an App Store[0] and Play Store[1] listing under a very similar name.

Looking at the apps published by this company, you can immediately see where this is going: a "Caller ID" and an even more transparent "Contacts Backup" app - both having complete access to all your contacts. At this point it becomes clear where my contact information has actually come from: someone I probably work with has created a contact in their phone with both my email and personal phone number, then used one or two of these apps.

I decided to pick the Contacts backup app to take a closer look. Installing the app on a wiped phone, I explored the UI, disassembled code and snooped the requests to their servers to see where exactly this mysterious "GDPR Compliance" was. The primary functionality is of course to create an account, upload all your contacts, and let you sign in on another phone to download them. There was some effort to make this work for most users, workarounds for edge cases, etc. It was more than the low-effort app I was expecting.

All the sharing functionality was checked behind a "consent" dialogue (and I use that term extremely loosely). The deal was that app would helpfully hydrate my entire contacts book with missing details! All I had to do was share it in turn. What I found peculiar about this was it simply didn't work. It seemed as through not only would the server not populate the missing data, but the code that handled this client-side was unfinished.

If you're wondering what the link between Lusha & L.S Mobile Apps is, they're effectively the same company. Yoni Tserruya, the co-founder of Lusha, has their fingerprints all over the the certificates used to sign the Android LSM Apps. It's clear this app's data is what they've built their company on.

Now, both Google and Apple have well known to display "Data Sharing" information as part of the store pages. The Play Store page explicitly says "No data shared with third parties", whereas the App Store omits the usual section you'd see when data is shared with third parties.

I contacted both Apple and Google with full details about what I'd found, and in the least surprising event to my saga, they did nothing.

Sadly, instead of having any satisfying conclusion, what I saw was what I already knew. I even got angry when reading their privacy policy, and how completely clear that all this "GDPR Compliance" labelling they have is there to sell their product to EU customers and they're clearly not compliant.

Here's some ragebait for the rest of HN who cares about their data:

- French DPA (CNIL) says Lusha is full of shit, but they can't do anything because they're based in Israel[2]

- Lusha doesn't think consent is important[3]

  [0] - https://apps.apple.com/gb/developer/lsm-apps/id1634388352
  [1] - https://play.google.com/store/apps/dev?id=5128998142474323958
  [2] - https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046775564?isSuggest=true
  [3] - https://www.lusha.com/privacy-articles/please-show-me-where-i-have-consented/