Companies need to start thinking of this less in the lens of "evil" and more principle of least astonishment. Would users be surprised and angry to learn you do this? Then don't.
Is there a collection of the sort of unusual / unexpected things that companies do / can do?
Not Google does X, but there is a market that sells X, and X can be linked to you personally by Y, Z
So
* A market exists for reselling credit card transaction data. Your card provider (i.e. Barclaycard) sells to companies such as $FOO who will aggregate the same data from different providers and sell it for marketing purposes. The size of the market is $Billions
* Google can link the purchase history to you personally by multiple means including - reading your Gmail, and looking for purchase confirmations using last 4 digits
* There is a market for reselling your mobile location and call history. Your cell provider ...
I would love to see this - I honestly need reminding of this and it seems like a great press expose.
> Google buys your credit card data for advertising purposes
How do they connect my credit card data to my Google activity? My Google account isn't connected to my personally identifiable information in any way. I.e. they don't have my phone number, nor do I use Google Pay.
>"We don't sell your data, we share it." -all the companies involved
Am I the only one thinking there might be some Clapper-level double-speak going on here? Why would these companies share admittedly valuable data without being compensated?
A question for contract lawyers: can I sell something (say an API or quarterly report) that "incidentally" includes customer data and get away with saying I'm not "selling customer data"?
Your transaction data is never exposed to anyone outside of $corp.
$corp provides its marketing partners with insights gleaned from aggregated transaction data. And allows select partners to query an api for derived information about $corp's cardholders using a marketing identifier that tracks across multiple agencies including credit reporting, social media monitoring and customer intelligence analytics.
Additionally $corp uses its transaction stream to feed information about aggregated spending per retailer to both their internal trading desk and to select financial markets partner firms.
Your personal transaction information is never exposed to anyone outside of $corp.
Definitely not a lawyer, but "sell" to me implies you lose ownership afterward, so as long as they're not doing that, they're not selling. Easy to see how they can give someone your data without doing that.
Not really but third party processors get a lot of info too. And it's not anonymous. They might share actually anonymous data but it can be picked up for a dime or just easily hacked before dealing with high level Visa or MasterCard level
Plaid is the most terrifying company in SV. The fact so many people are comfortable sharing their online banking creds with a third party, and in turn authorizing Plaid to share years of transaction data, your balances, emails, phone numbers, addresses etc scraped from your bank account is insane.
The worst part is that certain banks won't let you link an account that Plaid claims is supported based upon the routing number/account number.
So for example when I attempted to link based upon routing/account number at Simple, it told me I can't continue because I should hand over my account information for the other bank to Plaid instead.
I've done it, and then immediately changed my account info. So yes, technically Plaid has my historical data, but at least they won't get it going forward. It really sucks though, because it locks my money into a singular bank otherwise.
While I do love me some privacy.com, unfortunately they only allow you to tie payments to bank accounts, not credit cards.
So, it's a virtual debit card, not a virtual credit card.
Now, they do let you set transaction limits, and daily/weekly/monthly limits, as well as either locking the card to the first merchant to use it or to make it a "burner" one-time only card.
So, there's lots of additional controls there.
They don't give you a good way to export any of that financial information, so if you want to use a budgeting program to try to help you track what is going where, then privacy.com doesn't help you there.
Overall, I like privacy.com very much. I do want to be able to tie in multiple back-end payment sources, including credit cards, and I'd be fine taking the 2% or whatever fee on my end. And I do want more transparency in terms of being able to easily export my data where I want to use it. But those are both relatively minor problems, compared to the ones they do help you solve.
privacy.com comes up on HN a lot, and every time they do I try to take the time to point out they require a binding arbitration agreement with no opt-out.
Arbitration agreements are bad in general, but not necessarily uncommon. What makes privacy.com different is that they have access to your bank account. They're in a position where they have direct access to your funds, and you can't bring them to court if they wrong you.
I've had people suggest that I link privacy.com to a limited bank account and manually transfer money. That's a good suggestion, I'd probably do that no matter how they were set up. But that's not going to help if privacy.com takes you to arbitration over a bogus overdraft charge, or if they leak your credit card numbers, or if they start selling data behind your back. My bank doesn't have an arbitration agreement tied to my checking or savings account. I don't think it's justifiable for privacy.com to claim that they have more customer risk than my bank does.
If a business includes an arbitration agreement in your terms of service, I immediately assume that they don't respect their customers. There are some businesses where I tolerate that, but I need a heck of a good reason -- especially if that business is going to be managing my bank account.
Binding arbitration agreements are underhanded. The only reason to have one is because you want to make sure right from the start that you're not accountable to your customers.
In regards to privacy.com in my opinion, it would be very, very unwise to trust any venture capital funded startup to protect your privacy. What happens when their investors decide they aren't monetizing fast enough? They are sitting on a lot of private data that other companies would love to get their hands on. What is the downside to them of selling your information, and making a big exit, that left the founders wealthy?
I would trust Apple a lot more since they already make money, and their reputation is something that they would be more likely to value more than a startup would be.
The privacy.com business promise is privacy, but their privacy policy (as of several years ago) did not actually promise much. I emailed them about it and they said they were surprised by the oversight. I wonder if they changed it
I know, I know, the editorial staff is separate from the advertising/sales staff etc, but I still find it funny that when I try to access the article in incognito mode, as I habitually do (for privacy), I get
> We noticed you’re browsing in private mode. Private browsing is permitted exclusively for our subscribers. Turn off private browsing to keep reading this story, or subscribe to use this feature, plus get unlimited digital access.
I've always wondered: is the data the reason why credit card companies are willing to give cash back as high as 5% even to customers who carefully operate them at a clear loss for them?
The reason credit card companies are willing to give customers rewards/cashback is that they’re competing, primarily for interchange revenue. Most cards are guaranteed to be profitable for the issuer (ex-credit risk); some models (5% rolling category up to $75 back, etc) are not strictly guaranteed to be profitable, but they’re running a portfolio strategy.
You don’t need to make money on every account. You need to make money on every pool of, say, 100,000 accounts. One could conceive of rebate schemes poorly designed enough to not do that, but the industry broadly doesn’t ship them.
There are people who make hobbies off of attempting to get the financial industry’s sweet sweet marketing dollars. The financial industry can afford an infinite number of business analysts and geeks. The marketing dollars are still on offer. What does this suggest to you as to the portfolio-wide impact of hobbyists who exploit the offers?
Credit card issuers don't pay for the cash back, it's the merchant. The merchants are charged a credit card transaction fee that includes a fixed/percent fee determined by the negotiated contract with their bank (the acquirer), a small fixed/percent interchange fee that goes to the credit card payment networks (Visa, MasterCard, etc.), and finally a fee to the credit card issuer that provided the credit card to the consumer.
The credit card issuer fees can be the worst because of these high reward credit cards.
I'm very aware of this when shopping at a local small business. I'll pay either in cash or with my debit card, because the credit card fees are seriously squeezing small merchants.
> When merchants accept payment via credit card, they are required to pay a percentage of the transaction amount as a fee to the credit card company. If the cardholder has a participating cash back rewards program, the credit card issuer simply shares some of the merchant fees with the consumer
And some is paid by interest being paid by other customers
> Because credit card spending and rewards are positively correlated with household income, the payment instrument transfer also induces a regressive transfer from low-income to high-income households in general. On average, and after accounting for rewards paid to households by banks, the lowest-income household ($20,000 or less annually) pays $21 and the highest-income household ($150,000 or more annually) receives $750 every year
I'm sure this is a great article that highlights a real issue but without executing JS the page doesn't show anything besides the logo and upon inspection of the HTML delivered by the server you can see that it's almost exclusively tracking scripts (at least in the EU).
I've discovered this problem by finding out that you can sign up for additional cash back on apps like Yelp and Dosh. When you make a purchase these companies will automatically determine whether this purchase is eligible for cash back. I'm guessing they must be buying the data for all my transactions for the purpose of figuring out whether they would give me cash back. It immediately made me suspicious since I'm getting cash back from a third party instead of from a bank.
+1. I’ve often wondered how these cashback services like the ones you mentioned, or, for example, the restaurant ones like aadvantage dining work. Do the affiliates get all your transactions? (I really hope not). Or, do the affiliates have agreements with the cc processors to flag transactions on their side?
I wish Mondex would try again. Mondex was a MasterCard idea tried in the UK that was basically 'digitized cash in a wallet which has the form of a smart card'.
Approach ATM, insert Mondex card. Feed ATM bills and coins, Mondex card gets loaded. Spend card, swipe as normal. Works offline, no connection to a bank account necessary, the money is deducted from your local card's 'account' to the 'account' on the POS/business. Your card records a transaction date/time/merchant for debits, theirs records the same for credits.
You can transfer funds from one card to another, cash out the card offline at supporting ATMs, be used for building access/RFID cards, hold up to 5 digital wallets on one card, and more.
It was tried in the UK back in the 90s and NYC right in 2000 and worked about as well as you'd imagine in that world. But today, it would probably work much better. HK has the Octopus card which is conceptually similar and works well.
I'd certainly give either a shot so I don't have to carry physical cash but also aren't worried about having my money in someone else's hands who can lose it all due to bank fraud or have IT issues preventing payment processing.
I would guess that the money laundering potential is why it isn't around now - most stores don't let you buy a gift card with another gift card for the same reason (I've implemented this restriction in an e-comm site before). I might be wrong, but that's a potentially big legal hurdle.
Purchase data has been around for years. Marketers want to know if their ad dollars worked. “How did you hear about us?” provides scant and mostly unusable data. By matching purchase data with ad campaign data there can be more quantitative evaluation of an ad campaign’s performance.
Additionally I imagine this data is available for marketers to target buyers of Product X with Accessory Y.
Finally, marketers may use purchase data to build suppression lists; i.e. stop retargeting people that already purchased Product X. I don’t know if this happens very often in practice. It’s very hard to do well in general, and generally cheaper to spam people than buy data to shrink your list.
None of this is well-disclosed to consumers, not one bit of it is right. It just is, and it has been going on for 8+ years.
Headline not proven. He claimed to do an experiment and didn't find any security hole or any real results, but then blathered on about what might have happened. I can read privacy policies and make up scenarios and so can you, but so what?
And more generally, credit cards have been around a long time. Shouldn't there be more evidence by now if anyone is being harmed by sharing data about consumer purchases?
Credit cards work a little differently in Denmark because we have a national debit card called the Dankort which allows for cheap credit and can be combined with other cards like Visa or MasterCard.
Anyway, some years ago banks opened for the possibility to get your receipts electronically. I opted into that, not thinking about privacy at the time, and they certainly have the data to track us in ways that make Facebook look harmless, because Facebook doesn’t know your pharmacy purchase history.
I’ve never seen an impact of this that I was aware of, so maybe banks don’t actually use the data. It’s certainly not their business model to sell advertising, but who knows.
Every single purchase line by line is recorded by many companies. And the security is absolutely terrible overall. If you don't care if your spending habits are shared that is fine. I don't want my data hacked further.
This article is severely deficient and written to draw clicks.
It doesn't go far enough (or at all, really) to explain that the credit card issuer doesn't see the data. They see a transaction amount. There's no banana.
The current top comment about Google linking online to B&M purchases isn't a leak of privacy: it's strictly private both to Google and the merchant. You are being tracked, but not in a privacy-revealing way, just in an uber-annoying I'm-still-being-targeted so-it's-creepy-and-annoying way.
That retail merchants are tracking you is a huge, huge problem. The CC facilitates this by linking all your purchases into a single history, but it isn't the CC per se that is the problem. E.g. the store's own rewards card specifically does this. They don't even care if you give your actual PII up to sign up for the rewards card, all they care about is that they can [even anonymously] identify the purchase stream tied to an individual.
They should go to lengths to better distinguish this problem because then they can get to the fact that every Apple Pay transaction is tokenized and not linkable to prior or future Apple Pay transactions.
dehrmann|6 years ago
Companies need to start thinking of this less in the lens of "evil" and more principle of least astonishment. Would users be surprised and angry to learn you do this? Then don't.
lifeisstillgood|6 years ago
Not Google does X, but there is a market that sells X, and X can be linked to you personally by Y, Z
So
* A market exists for reselling credit card transaction data. Your card provider (i.e. Barclaycard) sells to companies such as $FOO who will aggregate the same data from different providers and sell it for marketing purposes. The size of the market is $Billions
* Google can link the purchase history to you personally by multiple means including - reading your Gmail, and looking for purchase confirmations using last 4 digits
* There is a market for reselling your mobile location and call history. Your cell provider ...
I would love to see this - I honestly need reminding of this and it seems like a great press expose.
avocado4|6 years ago
How do they connect my credit card data to my Google activity? My Google account isn't connected to my personally identifiable information in any way. I.e. they don't have my phone number, nor do I use Google Pay.
decoyworker|6 years ago
Doesn't this already exist since nobody wants to piss off shareholders?
arfrank|6 years ago
* https://marketingreportoptout.visa.com/OPTOUT/request.do
* https://www.mastercard.us/en-us/about-mastercard/what-we-do/...
krick|6 years ago
> To opt-out from our anonymization of your personal information...
Uh, I'm no lawyer, but the wording really gets my attention here.
adtac|6 years ago
Perhaps there's opportunity here for someone to be Robinhood here and improve the privacy of a lot of people...
Naac|6 years ago
craftyguy|6 years ago
mLuby|6 years ago
Am I the only one thinking there might be some Clapper-level double-speak going on here? Why would these companies share admittedly valuable data without being compensated?
A question for contract lawyers: can I sell something (say an API or quarterly report) that "incidentally" includes customer data and get away with saying I'm not "selling customer data"?
olefoo|6 years ago
$corp provides its marketing partners with insights gleaned from aggregated transaction data. And allows select partners to query an api for derived information about $corp's cardholders using a marketing identifier that tracks across multiple agencies including credit reporting, social media monitoring and customer intelligence analytics.
Additionally $corp uses its transaction stream to feed information about aggregated spending per retailer to both their internal trading desk and to select financial markets partner firms.
Your personal transaction information is never exposed to anyone outside of $corp.
mehrdadn|6 years ago
paulie_a|6 years ago
kevin_thibedeau|6 years ago
tempsy|6 years ago
X-Istence|6 years ago
So for example when I attempted to link based upon routing/account number at Simple, it told me I can't continue because I should hand over my account information for the other bank to Plaid instead.
I've done it, and then immediately changed my account info. So yes, technically Plaid has my historical data, but at least they won't get it going forward. It really sucks though, because it locks my money into a singular bank otherwise.
root_axis|6 years ago
bradknowles|6 years ago
So, it's a virtual debit card, not a virtual credit card.
Now, they do let you set transaction limits, and daily/weekly/monthly limits, as well as either locking the card to the first merchant to use it or to make it a "burner" one-time only card.
So, there's lots of additional controls there.
They don't give you a good way to export any of that financial information, so if you want to use a budgeting program to try to help you track what is going where, then privacy.com doesn't help you there.
Overall, I like privacy.com very much. I do want to be able to tie in multiple back-end payment sources, including credit cards, and I'd be fine taking the 2% or whatever fee on my end. And I do want more transparency in terms of being able to easily export my data where I want to use it. But those are both relatively minor problems, compared to the ones they do help you solve.
danShumway|6 years ago
Arbitration agreements are bad in general, but not necessarily uncommon. What makes privacy.com different is that they have access to your bank account. They're in a position where they have direct access to your funds, and you can't bring them to court if they wrong you.
I've had people suggest that I link privacy.com to a limited bank account and manually transfer money. That's a good suggestion, I'd probably do that no matter how they were set up. But that's not going to help if privacy.com takes you to arbitration over a bogus overdraft charge, or if they leak your credit card numbers, or if they start selling data behind your back. My bank doesn't have an arbitration agreement tied to my checking or savings account. I don't think it's justifiable for privacy.com to claim that they have more customer risk than my bank does.
If a business includes an arbitration agreement in your terms of service, I immediately assume that they don't respect their customers. There are some businesses where I tolerate that, but I need a heck of a good reason -- especially if that business is going to be managing my bank account.
Binding arbitration agreements are underhanded. The only reason to have one is because you want to make sure right from the start that you're not accountable to your customers.
RcouF1uZ4gsC|6 years ago
I would trust Apple a lot more since they already make money, and their reputation is something that they would be more likely to value more than a startup would be.
jammygit|6 years ago
FabHK|6 years ago
> We noticed you’re browsing in private mode. Private browsing is permitted exclusively for our subscribers. Turn off private browsing to keep reading this story, or subscribe to use this feature, plus get unlimited digital access.
johnisgood|6 years ago
dredmorbius|6 years ago
Disabling JS bypasses for now.
mehrdadn|6 years ago
patio11|6 years ago
The reason credit card companies are willing to give customers rewards/cashback is that they’re competing, primarily for interchange revenue. Most cards are guaranteed to be profitable for the issuer (ex-credit risk); some models (5% rolling category up to $75 back, etc) are not strictly guaranteed to be profitable, but they’re running a portfolio strategy.
You don’t need to make money on every account. You need to make money on every pool of, say, 100,000 accounts. One could conceive of rebate schemes poorly designed enough to not do that, but the industry broadly doesn’t ship them.
There are people who make hobbies off of attempting to get the financial industry’s sweet sweet marketing dollars. The financial industry can afford an infinite number of business analysts and geeks. The marketing dollars are still on offer. What does this suggest to you as to the portfolio-wide impact of hobbyists who exploit the offers?
andrewferk|6 years ago
The credit card issuer fees can be the worst because of these high reward credit cards.
I'm very aware of this when shopping at a local small business. I'll pay either in cash or with my debit card, because the credit card fees are seriously squeezing small merchants.
TylerE|6 years ago
ketralnis|6 years ago
https://www.investopedia.com/articles/personal-finance/04071...
> When merchants accept payment via credit card, they are required to pay a percentage of the transaction amount as a fee to the credit card company. If the cardholder has a participating cash back rewards program, the credit card issuer simply shares some of the merchant fees with the consumer
And some is paid by interest being paid by other customers
http://www.bos.frb.org/economic/ppdp/2010/ppdp1003.pdf
> Because credit card spending and rewards are positively correlated with household income, the payment instrument transfer also induces a regressive transfer from low-income to high-income households in general. On average, and after accounting for rewards paid to households by banks, the lowest-income household ($20,000 or less annually) pays $21 and the highest-income household ($150,000 or more annually) receives $750 every year
I also have a vague memory that some cards from the same issuer (mostly American Express) charge the merchants more for the higher-level cards, and prevent the merchant from treating those customers any differently. I can't find a source for that, but some starting points might be https://www.washingtonpost.com/business/economy/supreme-cour... and https://about.americanexpress.com/press-release/american-exp...
t0astbread|6 years ago
smcleod|6 years ago
kccqzy|6 years ago
larrybud|6 years ago
Multicomp|6 years ago
Approach ATM, insert Mondex card. Feed ATM bills and coins, Mondex card gets loaded. Spend card, swipe as normal. Works offline, no connection to a bank account necessary, the money is deducted from your local card's 'account' to the 'account' on the POS/business. Your card records a transaction date/time/merchant for debits, theirs records the same for credits.
You can transfer funds from one card to another, cash out the card offline at supporting ATMs, be used for building access/RFID cards, hold up to 5 digital wallets on one card, and more.
It was tried in the UK back in the 90s and NYC right in 2000 and worked about as well as you'd imagine in that world. But today, it would probably work much better. HK has the Octopus card which is conceptually similar and works well.
I'd certainly give either a shot so I don't have to carry physical cash but also aren't worried about having my money in someone else's hands who can lose it all due to bank fraud or have IT issues preventing payment processing.
https://en.wikipedia.org/wiki/Mondex
https://en.wikipedia.org/wiki/Octopus_card
JoshuaRedmond|6 years ago
reilly3000|6 years ago
Additionally I imagine this data is available for marketers to target buyers of Product X with Accessory Y.
Finally, marketers may use purchase data to build suppression lists; i.e. stop retargeting people that already purchased Product X. I don’t know if this happens very often in practice. It’s very hard to do well in general, and generally cheaper to spam people than buy data to shrink your list.
None of this is well-disclosed to consumers, not one bit of it is right. It just is, and it has been going on for 8+ years.
burner6565|6 years ago
singron|6 years ago
dredmorbius|6 years ago
unknown|6 years ago
[deleted]
ubermonkey|6 years ago
skybrian|6 years ago
And more generally, credit cards have been around a long time. Shouldn't there be more evidence by now if anyone is being harmed by sharing data about consumer purchases?
moksly|6 years ago
Anyway, some years ago banks opened for the possibility to get your receipts electronically. I opted into that, not thinking about privacy at the time, and they certainly have the data to track us in ways that make Facebook look harmless, because Facebook doesn’t know your pharmacy purchase history.
I’ve never seen an impact of this that I was aware of, so maybe banks don’t actually use the data. It’s certainly not their business model to sell advertising, but who knows.
paulie_a|6 years ago
Uhrheber|6 years ago
zipotm|6 years ago
ibps965|6 years ago
[deleted]
jiveturkey|6 years ago
It doesn't go far enough (or at all, really) to explain that the credit card issuer doesn't see the data. They see a transaction amount. There's no banana.
The current top comment about Google linking online to B&M purchases isn't a leak of privacy: it's strictly private both to Google and the merchant. You are being tracked, but not in a privacy-revealing way, just in an uber-annoying I'm-still-being-targeted so-it's-creepy-and-annoying way.
That retail merchants are tracking you is a huge, huge problem. The CC facilitates this by linking all your purchases into a single history, but it isn't the CC per se that is the problem. E.g. the store's own rewards card specifically does this. They don't even care if you give your actual PII up to sign up for the rewards card, all they care about is that they can [even anonymously] identify the purchase stream tied to an individual.
They should go to lengths to better distinguish this problem because then they can get to the fact that every Apple Pay transaction is tokenized and not linkable to prior or future Apple Pay transactions.