Tell HN: Salary data is for sale

NOTE: It is possible to freeze access to your employment data here: https://employees.theworknumber.com/employee-data-freeze

That being said, it doesn't stop employers from continuing to hand Equifax your data on a gold platter, and therefore does nothing to protect you from the inevitable data breach that will result in Equifax being required to give everyone affected $0.36 or one year of free credit monitoring.

varenc · 4 years ago

Wow placing a freeze requires filling out a PDF form, attaching a scan of your ID, and then sending it in over email, mail, or fax. The PDF lacks built in form fields you can type in. The extra friction is probably a feature: https://assets.equifax.com/wfs/theworknumber/assets/twn_Empl... (the exif data on that PDF shows the name of the employee that created it and that they used Word 2010...)

The Equifax CCPA request process on the other hand is very smooth and automated. Though doesn't seem like it's including Work Number information: https://myprivacy.equifax.com/

nip · 4 years ago

Shameless plug [1] that hopefully provides value: simplePDF.eu [2] will allow you to fill it in more easily (the fields are already set)

[1] It's a side-project of mine

[2] https://www.simplepdf.eu/editor?open=https://assets.equifax....

gruez · 4 years ago

>The extra friction is probably a feature: https://assets.equifax.com/wfs/theworknumber/assets/twn_Empl... (the exif data on that PDF shows the name of the employee that created it and that they used Word 2010...)

I don't get it. how is "PDF shows the name of the employee that created it and that they used Word 2010" relevant to the claim that "extra friction is probably a feature"?

snitch182 · 4 years ago

And then they have all of that as well ready to be breached!

staunch · 4 years ago

When I submit the myprivacy.equifax.com validation it hangs at "Processing..." indefinitely. #AbolishCreditAgencies

drunner · 4 years ago

At least they let you mail or email.

I faxed them 4 times in 6 months to verify my identity because they have me confused with someone else and eventually just gave up.

They said any other alternative was not supported.

konschubert · 4 years ago

With GDPR you could just send them a formless deletion request.

There are good parts in GDPR for sure.

luckydata · 4 years ago

well there's no law that forces them to make it easy.

BeefySwain · 4 years ago

Hijacking here to say, literally all you need to get access to someones employment + salary history is their SSN and birthdate.

edit: and a past employer that used this system

Birthdays are extremely easy to get (public record), and I seem to recall a specific large organization leaking a bunch of SSN's not too long ago.......

cmeacham98 · 4 years ago

Unless you are very young (read: born after 2011) your SSN can be trivially brute forced if an attacker knows where and when you were born, because those details were (before 2011) mapped onto 5 of the 9 digits in an SSN.

divbzero · 4 years ago

It seems crazy to allow a large organization like that to continue operation after such an egregious error, especially if their business is centered around a bunch of personal information.

mellavora · 4 years ago

SSNs are generated by a not very secret algorithm. They were explicitly designed to be public information.

You don't need a data leak to get someone's SSN.

Also, malicious actors are almost never targeting you specifically. It is enough for them to

1) choose a birthdate

2) generate all SSNs associated with that birthdate

3) get all employment/salary histories accessible with that info.

4) scan the list for interesting tagets

5) ...

6) profit

davidsawyer · 4 years ago

And you'd need to know a past employer, right? I couldn't seem to find a way to get access to the info without inputting an employer first.

yoaviram · 4 years ago

Or send them a CCPA data deletion request: https://yourdigitalrights.org/d/equifax.com. This will generate a request email. You can then change the wordings to indicate that you are interested in deleting your salary history data.

Disclaimer: I'm one of the creators of YourDigitalRights.org.

Larrikin · 4 years ago

What are the potential ramifications for submitting a request on your site when you don't have residency in one of the listed areas?

maratbn · 4 years ago

Great site, I just used your service to email "Right to Access Request (Section 110 of the CCPA)" to Equifax.

Question / suggestion -- Have you considered monetizing by allowing lawyers specializing in CCPA / consumer privacy issues to advertise on your site?

xfz · 4 years ago

Nice site. You should probably update it for Brexit though. There are two GDPRs, for now.

givemeethekeys · 4 years ago

But, I didn't opt in for them to have this information about me to begin with.

geoduck14 · 4 years ago

>But, I didn't opt in for them to have this information about me to begin with.

Everyone is up in arms about Facebook and Google collecting our information... meanwhile credit bureaus are sitting in the shadows giggling to themselves

vulcan01 · 4 years ago

You don't need to. Your employer can give this info to whoever they want, and many give this data to Equifax or one of the other credit agencies.

Also, you might give your bank employment details, and your bank will most likely send that info to a credit agency as well.

There's not much of an escape.

maratbn · 4 years ago

theworknumber.com is yet another symptom of a much larger problem in that it is currently impractical for a regular person to enforce their rights via the court system.

According to Peter Thiel “If you’re a single-digit millionaire like Hulk Hogan, you have no effective access to our legal system...” https://theintercept.com/2016/10/31/trump-fan-peter-thiel-sa... So never-mind the non-millionaires.

However it is really nice to see efforts by some regular people out there setting up services such as https://yourdigitalrights.org which is the service I just used to request my information from Equifax. It will be interesting to see what comes of it. I suppose if they do not respond in 45 days I'll file a complaint with the CA Attorney General to put yet another ping regarding Equifax on their radar. https://oag.ca.gov/contact/consumer-complaint-against-busine...

This shows that ultimately it is the regular people who drive progress, while the powerful and the wealthy just take credit for it.

Ultimately United States will transition to European-style privacy laws when it comes to private information like income and these credit agencies will be abolished, but the way to get there is for the regular non-millionaire people to exercise whatever "rights" they kinda have to ultimately get these annoyances shut down.

the_arun · 4 years ago

So a new company you are joining can easily verify your current salary with your ssn & dob. Right? They have your history of employers from your resume already.

chrisjc · 4 years ago

Just also want to point out that freezing might result in certain parties that you do want to verify your employment from being able to do so.

If you're in the process of buying a house, you might want to hold off on this freeze until your mortgage has been approved. Might be true if you re refinancing or buying some else that requires a significant loan.

I'm not entirely sure if what I've stated above is true, but I've had to use theworknumber in the past when going through the mortgage process.

mulmen · 4 years ago

What are the consequences of doing this? What conclusion do HR departments draw about a person who freezes their employment information?

mesozoic · 4 years ago

Are there other agencies we have to do this for as well?

I checked earlier today and yep, my employer is selling my data and future earnings potential to the company that is infamous for poor data security.

A confounding factor is that as a hiring manager, and at least for all the hiring decisions I have been involved in, I know we did not use this to check candidates. So what's the upside?

EDIT: ADP Workforcenow appears to do this automatically. I'm curious to find out if anyone in our company even knows it is happening. I will find out soon enough, as this is definitely a hill to die on.

Traster · 4 years ago

I've seen how this works before, and what happens is all the companies submit their data to equifax, equifax then goes and creates a set of "profiles" for example "Junior software engineer", take all the data for employees with software engineer related titles and less than 3 years of experience, remove outliers and sell the result to employers as "salary band information". The result is that your employer gets a number saying "Junior software engineers in X location earn from 80,000 to 110,000" and that's used by your HR team to ensure that you don't drive up salaries by over offering. The role of equifax in this is to act as a level of protection, because the actual resultant behaviour is all the software companies working as a cartel to limit employee wages.

mumblemumble · 4 years ago

We rarely hear, it has been said, of the combinations of masters, though frequently of those of workmen. But whoever imagines, upon this account, that masters rarely combine, is as ignorant of the world as of the subject. Masters are always and everywhere in a sort of tacit, but constant and uniform combination, not to raise the wages of labour above their actual rate. . . We seldom, indeed, hear of this combination, because it is the usual, and one may say, the natural state of things, which nobody ever hears of.

- Adam Smith, The Wealth of Nations

m_ke · 4 years ago

Pave (https://www.pave.com/) is another startup doing this

Deleted Comment

tomrod · 4 years ago

I worked in a two person company last year where I ran payroll with ADP.

It's there for me too, and I don't recall opt in permission on this.

dlubarov · 4 years ago

Just to add another data point, our startup uses Gusto and my salary isn't in the data. My old salary from Google (which I think used ADP) is though.

arwhatever · 4 years ago

"Do you agree to allow your data to be shared with 3rd parties as necessary to provide you with the best service possible?"

[races off to something much worse than you imagined with your data]

dboreham · 4 years ago

Three-person company here. We do our own payroll, using Quickbooks (not their payroll processing service, just Quickbooks the desktop application). We have employees in two states.

lumost · 4 years ago

you know, I spoke with a company not too long ago and they gave me an offer that was 30% lower than what I currently make. The gap was entirely due to not accounting for public company RSU grants (that I had already mentioned)

In hindsight I wouldn't be surprised if their department used this tool to check my current cash income and automatically generated an offer. I wouldn't trust this data for much, and I can almost guarantee that someone in HR/Finance thinks their clever for using it.

BeefySwain · 4 years ago

The report tells you in the last 24 months who has looked at this info, so you could check that.

anyfactor · 4 years ago

Equifax is the Dow Jones Chemical of the data world. They have a tendency to mess up catastrophically yet they keep surviving by some miracle!

Cerium · 4 years ago

Ask HR how you should verify your employment and salary for a mortgage application. I know my company intentionally shares since they ask you to use the work number to send a verification to the lender.

dboreham · 4 years ago

The whole "verify your salary with employer" process is BS. Lenders can verify income by requesting your tax returns, and N recent pay stubs (source: I own my employer and have verified income this way, since obviously they are not going to call myself up and ask me to verify my own income). This is only about reducing their verification costs. If there needs to be a giant database of everyone's income, the government should run it, and they already have the data.

cortesoft · 4 years ago

Yeah, I used the work number thing to verify my salary for my mortgage.

BeefySwain · 4 years ago

Great idea!

ecf · 4 years ago

We had some schmuck HR consultant come in to a startup I was previously working for and their primary job duty was implementing ADP.

Glad to know they chose a product that involuntarily sold out my HR information.

mgraczyk · 4 years ago

Very interesting, I didn't expect the accuracy and detail in this data.

All of my pay from Intel, Google, Facebook is in here. Qualcomm apparently did not report.

Also, Google (my latest employer) pulled the data just before I started working, after giving me an offer. My credit card company pulls the data every month, sometimes 2-3 times per month. Several mortgage originators have also pulled the data even though I have not gotten a mortgage (I probably filled out a form on their website).

I guess I'm okay with credit card companies monitoring this, but I'm not sure I am okay with potential employers having access to this. Is it even legal in California for them to read this information? Maybe it was legal at the time but not any more?

int_19h · 4 years ago

> I'm okay with credit card companies monitoring this

I'm not. If they want to know, they can ask me for a paystub.

kube-system · 4 years ago

Credit card companies do ask for permission to pull financial information from brokers when you sign up.

hypothesis · 4 years ago

If they pulled salary info after making an offer, then this is likely qualified as verification of data that prospective employee submitted. They can probably revoke that offer if one provided misleading info during application.

That's some shady behavior though. The whole point of the law is to prevent companies from penalizing employees based on prior salaries. Wouldn't be surprising if Google was finding excuses to retract offers based on seeing that they "overbid" on someone's comp. If anyone has had suspicious stuff like this happen, it sounds like it'd make a great lawsuit.

Would be nice if some journalist(s) made a big stink out of Google finding a loophole in this employee protection law.

what_ever · 4 years ago

Does the system not ask for SSN to pull this data? If yes, how did Google get your SSN?

Disc: Googler.

qbasic_forever · 4 years ago

At the very least you need to provide proof of your SSN before you start employment in the US (as a US citizen at least). This is required for your social security benefits and some tax info. I believe in most states you actually have to physically show your social security card on the first day of employment now too.

bradlys · 4 years ago

Pretty sure Google needs your SSN to be employed at the company. Whole I-9 form, withholding taxes, giving you a W2 and all that jazz...

hansvm · 4 years ago

Google asks for SSN for background checks and whatnot.

IIRC Google requests SSN data for all applicants ahead of interview.

throwawayboise · 4 years ago

LOL. Google knows your SSN. They know everybody's SSN.

wheelinsupial · 4 years ago

Does the data contain start and end dates for each employer?

juancb · 4 years ago

Yes it does.

Can confirm it is 100% correct. Employed in Washington and California. All numbers were correct for the ones I cared about - more or less. They missed three jobs and the dates were fucked up for a few - but is pretty upsetting. Definitely should be illegal.

They even had pay period dates and everything for my current job. Including dates I was doing 401k. Like - what the fuck - why is my employer selling that information? It's a big tech company, of course. You could even see when my RSUs were vesting. The hell!

Funny enough - the only ones who have been looking at my data are Credit Karma. Maybe I should delete my account with them - lol. I use them for taxes because they are free.

sincerely · 4 years ago

"It's 100% correct, except for the errors"

Yeah - true. I could’ve corrected it to say - “100% correct about the shit I care about” but I figured someone would get a laugh out of someone replying with this kind of comment. Enjoy your upvotes.

spiznnx · 4 years ago

I now better understand how Credit Karma can offer a free product.

astura · 4 years ago

Credit Karma's business model isn't somehow secret, they are very much upfront about it - https://support.creditkarma.com/s/article/Is-Credit-Karma-re...

They display ads for credit cards and other financial products on their site. They use your personal information to target specific financial products to you. Your credit karma ads are personalized.

I just wish I got better credit card offers from them; I haven't found any product they've advertised to be particularly enticing.

beembeem · 4 years ago

Employers are outsourcing what should be an internal HR function of employment verification. Except in specific cases regarding government contractors, there is no legal requirement for employers to provide this data to a third party like TWN.

mcculley · 4 years ago

A few years ago there was a startup called Paysa. You searched by employer and it showed you the salaries of each job title. My company was small enough that it made it easy to see the salary of many of my employees. We did not initially understand where that data came from. I did not leak it. We put together that each leaked salary was of someone who had recently applied for a mortgage or auto loan.

Read the fine print next time you attach a paystub to a loan application. They are likely selling your data to aggregators.

spdcbr · 4 years ago

What are my options though? I can't opt out of them selling my data, can I?

You might be able to pick a lender who does not sell your data. I have no idea.

TimJRobinson · 4 years ago

I hope Zero Knowledge proofs become widespread over the next decade to prevent having to give companies your data. With them you'll be able to prove you earn over X amount without actually letting them know what you earn.

atty · 4 years ago

While I share the hope for such technologies (and hopefully some form of complete digital personal ID system in the same vein), that would require government mandates, which I think will be unlikely considering we can’t even get major investments for climate change, because the companies collecting this data benefit from it, and almost certainly won’t give it up willingly.

xwdv · 4 years ago

What is the impact of this to me personally?

It depends on how you feel about others knowing your income. Many people are very unhappy to have such information leaked.

buro9 · 4 years ago

Salaries are not a secret.

Ergo, as employees... Share your salaries.

Knowledge is power and if the only entities that have power from knowing salaries are your employers then you have no power.

And for people hiring, make hiring decisions that are defensible, equal, and would survive full transparency. Act as if every employee is already sharing salary info, for if they aren't today they will be soon.

franga2000 · 4 years ago

Fully agree, but selling information to a for-profit company behind people's backs is not the way to ensure transparency.

mywittyname · 4 years ago

Agreed. This information is more dangerous to companies than it is to employees.

If people figured out a way to get this same information for their colleagues to use for salary negotiation, companies would likely stop contributing the data.

lolinder · 4 years ago

Note that QuickBooks will now contribute to this data unless an employer explicitly opts out. I had to bring it to my employer's attention when they first rolled it out. Most small businesses that use QuickBooks won't have heard of it and will be contributing salary data by default.

https://quickbooks.intuit.com/learn-support/en-us/help-artic...

mpmpmpmp · 4 years ago

Straight from your link.

"No data is shared unless your employees specifically request it to be shared, usually as part of an application process for loans, credit, or public aid, or in response to a permissible purpose under the Fair Credit Reporting Act (“FCRA”), such as a court order."

I read that the first time as "no data is shared with verifiers", rather than "no data is shared with Equifax", but on a closer reading I believe you're correct: the data stays with QuickBooks until Equifax receives a request and they forward that request to QuickBooks. So they're not shipping data to Equifax en masse.

That somewhat mitigates the concerns of data being lost in another Equifax data breach assuming that Equifax only fulfills requests from verifiers that have received my express consent, and assuming that consent doesn't become mandatory for employment (which is the subject of the larger discussion on this thread).

basseq · 4 years ago

I've used this before as an employee. While it may also be a bulk dataset of employment information (which any HRS or payroll provider would have), the ostensible use of this solution is, to quote their homepage, "credentialed verifiers with permissible purpose access to income and employment data".

Key words there are credentialed and permissible purpose.

In other words, it's an automated way for me as an employee to have my employer verify my employment and/or salary information—not necessarily both—without having to hunt down someone in HR. This is particularly useful for previous companies where I no longer have access to internal systems.

I have used it most commonly for mortgage applications.

I can log in and generate a one-time or limited-use code to provide access, and select which data I want to provide access to. I then provide that key to the third party, who verifies with Equifax.

shmatt · 4 years ago

I think the issue is - do companies who give them information also get access to it for people outside their org

Others have wrote this in the thread, but anecdotally I once tried to push up what I considered a low ball offer, and lied about my current comp. HR quickly said - no, thats not your current comp

I'm pretty sure they didn't reach out to my current company to ask, so the only other option was abusing a system like this

I very much doubt it. The "Salary data is for sale" title is misleading; There's no way for me to go pay Equifax for access to u/shmatt's data. They might have some aggregate datasets for sale, removing PII.

The same goes for credit data; you (largely) can't run a credit check on me without my permission.

This is an HR service to ease the burden of legitimate requests for employment or salary data that you, as an employee, request.

More logically, employers wouldn't want other companies to be able to access their payroll information for competitive reasons.

I can't explain your previous experience; perhaps you were at a company with firm pay bands, and they knew you were already at the top of your current one?

exhilaration · 4 years ago

without having to hunt down someone in HR

When I worked for UPS they specifically told me there was absolutely no way that HR would verify salary/employment over the phone for mortgage applications and the only way to do it was via theworknumber.com. UPS has ~500,000 employees so you can understand why they'd want to offload this work to a third party. I was working with a smaller mortgage company so they grumbled about having to do it this non-traditional way but it all worked out in the end.