CareerBuilder created an account for me without my permission
And then was like, “It’s cool because you opted in on some totally different platform like 3 years ago.”
On Saturday, August 25, 2018, I got an email with the subject line, Welcome to CareerBuilder! “Thanks for signing up for the latest job postings,” the email continued once I opened it (some days later). “Let’s Continue [sic] on your job search with these first steps.”
The problem was, I had not signed up for CareerBuilder on August 25.
In fact I hadn’t even touched my laptop. At the time I was on vacation in Southern California, and at the exact moment when this confirmation email showed up in my inbox, 4:54pm, I was sitting next to a swimming pool and sipping a beer.
CareerBuilder had imported an old version of my resume and signed me up for an account without my permission.
Which seems weird, right?
The first effects: Sketchy recruiting emails
So I didn’t notice CareerBuilder had sent me this email until about 10 days later, but in the intervening time I did notice a huge uptick in the number of shady-sounding recruiting emails I was getting. Some of them were actual malicious spam — the ones with the subject lines telling me my “application” was “pre-approved” and I should check out the attached “job packet.” Others were just super unprofessional recruiting-boiler-room-type emails that were usually accompanied by a phone call and a voicemail.
How could I resist tempting offers such as:
I found your profile on one of Job Portal [sic] and wanted to send a quick note.
Or:
As your experience in this area is premier and would like to [sic] have an opportunity to share this position with you.
Or:
We work very closely with one of our Fortune Client [sic] in Sunnyvale, CA.
Then I found out about my CareerBuilder “resume”
I got a couple more emails from CareerBuilder over the next week and a half or so, but they stayed buried in my inbox until I got an email with the subject line “Bryan, your resume is getting attention.” This got my attention.
The email read:
Hi Bryan,
Your resume is getting attention on CareerBuilder. (That’s a good thing!) It means employers are searching for candidates with your particular job title or skills.
See how many times you’ve shown up in search results as well as which employers have taken the time to view your resume in the past week.
This was confusing. At first I figured I’d created an account on CareerBuilder at some point in the past during one of my job searches and forgotten about it, but a quick search of my email inbox revealed this wasn’t the case. I checked my other email accounts as well — no “you’ve just created an account” confirmation emails from CareerBuilder or anything like that.
Which meant that somehow my resume was publicly posted on CareerBuilder, a platform I had never interacted with before.
CareerBuilder’s apparent aversion to basic security
I was pissed, so I tried to get in touch with CareerBuilder. At first I wanted to get in touch with their customer service, so I went to their website and clicked on the “Email Customer Service” link, hoping I could send a quick email.
The link took me to a separate third-party website that wasn’t encrypted:
This was way too sketchy for me. CareerBuilder was already taking liberties with my personal data. They also weren’t encrypting customer messages and email addresses on their contact page, and they couldn’t even be bothered to host the contact page on their own domain.
Not exactly best cybersecurity practices.
Getting in touch
I definitely wasn’t going to email or call them. I went to CareerBuilder’s Facebook page instead and wrote on their timeline, hoping that reaching out in a public fashion like that would get me a quick response. (Most companies have a real person behind their social media presence, typically an overworked 20-something who wants to do a good job, in my experience.)
A day later, on September 4, CareerBuilder sent me a Facebook message in reply. I’ll reproduce our conversation in full at the end of this article.
Where CareerBuilder got my personal information from: StartWire!
From their (eventual) responses via Facebook, I learned that CareerBuilder had gotten my information from a separate company, called StartWire, that I had used to apply to a job several years earlier. Apparently at that point I had opted in somehow, allowing them to use and share my information.
I have no memory of doing so, but my email records show that this is at least partially correct. I did start filling out a job application via StartWire, but I didn’t finish it. I don’t remember giving StartWire permission to then share my information with pretty much anyone, but there was probably some pre-checked box that I didn’t uncheck. This is a very questionable business practice, of course.
At first, the person operating the CareerBuilder Facebook page (who, to be fair, was pretty responsive) tried to hide this behind vague corporate-ese:
We partner with resume aggregators in order to provide job seekers exposure to more job openings and employers exposure to more job seekers.
This is AWESOME corporate doublespeak that I will definitely use if I ever write a novel that takes place in a corporate setting. It’s vague, it sounds like all parties are benefiting, and it uses big words. It also means almost nothing. What does “partner” mean? Who are the “resume aggregators”?
Shutting down StartWire
I reached out to StartWire via StartWire’s support page — and unlike CareerBuilder, they had a support page on their own domain, with HTTPS encryption. My message had the subject line “Opt me out, remove my resume,” and it had the desired effect:
Hi there [they replied] — I’m so sorry for the inconvenience!
Your StartWire account has been deleted. This means we will no longer have a record of you in our system.
To summarize: StartWire, a job platform I had used one time almost 3 years ago, sent my information to CareerBuilder, who then signed me up for their services without my permission and exposed my contact info to the wider internet.
At the end of the day, this was more annoying than malicious. But it was disturbing nonetheless. It felt like an invasion of some kind — not an invasion of “privacy” per se, because I do post some contact information in various public places for the sake of my career, but still an invasion.
It felt sort of like when Apple put U2’s album on all our phones without asking us first. Sure, they were within their rights technically to do so, and we’d probably all opted in to something of the sort, but it felt like a disturbing, over-the-top invasion of our personal space anyway. Like if your landlord were to just show up in your living room uninvited.
My opinionated conclusion:
We need an expiration date for opt-ins. Like, if you opt in to receive emails from a platform but you haven’t opened any of their emails in 2 years, your opt-in should expire. Or if you opt in to share some of your data with a platform and you stop interacting with the platform, that opt-in should go away.
It doesn’t make sense that opting in on one platform almost 3 years ago that you never interact with again can result in a totally different platform creating an account for you several years later.
Here’s my full Facebook conversation with CareerBuilder.
I posted on their timeline on September 3 (it looks like they’ve since deleted it):
Hello CareerBuilder. About 10 days ago I received an email with the subject line “Welcome to CareerBuilder!” Ever since then I have been spammed with job offers I do not want. Here’s the problem: I never signed up for CareerBuilder, at least not with the address at which I am getting these emails. So either: 1. Somebody fraudulently signed up for an account using my name and email address and you did not verify ownership of the address, or 2. You acquired my personal information via dishonest means. I would like to get some help sorting out what happened here. I would prefer to have contacted you via your “Email Customer Service” form online, but when I click to it, I am taken to an unsecured third-party website that does not use HTTPS.
They replied via Facebook message on September 4:
Hi Bryan, what is the email address you’ve been contacted through?
My reply:
[redacted email address]. Would love to get an explanation of what happened.
Their reply on September 5:
We partner with resume aggregators in order to provide job seekers exposure to more job openings and employers exposure to more job seekers. I’ve asked our customer service team to remove your information from our system and unsubscribe you from any emails.
My reply:
What sites do you partner with for aggregating resumes?
My follow-up on September 6 when I didn’t get a response:
Hi, just thought I’d follow up here. I’d like to hear a little more about how I ended up with an account I didn’t sign up for on a website I never use
Where did you get my resume from? And why was that used to sign me up without my permission?
Their reply:
Sorry for the delay! Your resume came to us as part of our agreement with StartWire. StartWire sends an email to each user explaining the partnership and giving each user the opportunity to opt out. [Note: I never got this email.]
I can also confirm that your information has been removed from our database and your email address has been unsubscribed.
My reply:
Thank you for your reply and for removing my info. I will follow up with startwire.
