Thursday, March 15, 2018

Our lack of online privacy is mind-blowing


When we click on the "Accept" button(s) for online service providers' terms and conditions, we typically don't bother to read all the fine print.  We simply take it on faith that the provider will protect our privacy to at least some extent.  Sadly, that's seldom the case - as demonstrated by PayPal, which offers a list of several hundred "third parties" with whom it shares information.  The extent and use of that information may surprise you.

A few examples of reasons why PayPal shares it:
  • "To allow payment processing settlement services, and fraud checking"
  • "To allow telephone and email customer support and marketing services"
  • "To calibrate and optimise speech recognition performance..." *
  • "To support investigation of suspicious activities related to money laundering, terrorist financing, and/or violation of Global Sanctions and corresponding reporting to regulatory agencies"
  • "To execute and measure retargeting campaigns in order to identify visitors and redirect them though personalised advertising campaigns"
  • "To investigate (including, without limitation, to carry out asset and/or site inspections and/or business evaluations) and/or collect (and/or assist with the collection of) debt from potentially and actually insolvent customers"
*  (This is what happens when a pre-recorded message on the customer support line tells you that "This call may be monitored or recorded for quality assurance purposes".  The recording is provided to other companies to improve their speech recognition algorithms.  It may also be used to develop a speaker recognition system that will allow your voice to be identified by an artificial intelligence system, even if you don't provide your name.)

PayPal will doubtless argue that such use is explicitly permitted in its terms of service, which we accept when signing up for the service;  but many of us aren't aware of how far-reaching that has become.  The quantity and quality of information shared is mind-boggling, when one considers that it represents an almost total invasion of our online privacy.  A few examples:
  • "Name, address, details of payment instruments, and details of payment transactions"
  • "All information supplied when applying for a product or account functionality (including information obtained from social media accounts or online reputation data)" *
  • "Recordings of a sample of customer support telephone calls, which may include any or all account information transmitted during the call"
  • "Name, aliases, address, e-mail address, telephone numbers, time zone location, passport ID, nationality, date of birth, place of birth, gender, marital status, driver’s license ID, social security number or other government ID, transactional and account activity data, funding instrument (bank account, credit card number)"
  • "Photo of customer and document images supplied by customer including all information they contain.  Information from document’s embedded RF chip (when applicable)"
  • "Anonymous ID generated by cookies, pixel tags or similar technologies embedded in webpages, ads and emails delivered to users"
*  The underlined text indicates that PayPal is using third party data and/or programs to link users' accounts with their social media activity, in order to build up a more informative profile of them - and is then sharing that profile with others.  If it contains errors or erroneous linkages, or things we'd rather not have linked to our business personas (for example, those photographs of us, drunken and topless, taken on our summer break at college, and posted online by a "friend" who identified us in the pictures), that's too bad.  It still gets shared.  That can have direct and immediate consequences when we, say, apply for a job.  Do we really want our prospective employer to find out about them?  If they look up our personal data, including running a credit check for which PayPal has supplied information, they might.

Many will argue that all of those uses of our data have a legitimate corporate purpose, and therefore are justified.  My problem is, their sharing is routine - i.e. we never know how many times our data has been shared, or with whom, or for what reason.  After a while, our information might reside on literally hundreds, perhaps thousands of computer systems in companies and organizations with whom we've never had any direct business relationship.  PayPal might be exemplary in its data security, but what about those other organizations?  Are they as scrupulous?  I doubt it - and, if that's the case, is it any wonder how easy hackers find it to steal our personal data, and use it to defraud us?

This makes me angry.  There's nothing I can do about it, because PayPal is only one example.  Almost every organization with whom we do business online will use our data for similar purposes.  However, I long for an earlier age when we had more rights to privacy.  I resent my data being scattered around like so much grass-seed.  Who knows in what unwanted places it might take root?

Peter

6 comments:

Aesop said...

Consider, for all possible values, the definition of "off grid".

I have a voice-changing telephone.

If they're going to use speech-recognition, I'll use speech alteration.

As Calvin said to Hobbes: "They lie. I lie."
https://imgur.com/tlMI63S.jpg

Anonymous said...

"This makes me angry."

And you are exercised about privacy while authoring your own online blog, writing books, speaking publicly about personal activities including where you travel, where you shoot, where you eat?

There is some cognitive dissonance with your concern. You cannot be a "public person" and maintain a significant element of privacy. It is mostly one or the other.

Craig said...

I've been surprised recently at how many times names and information have been "shared". My father died in 1993, he has never lived at my current home nor has his mail ever been fwd'd to my address, yet I am getting mail addressed to him from numerous sources now.
Really strange.

Eric Wilner said...

Worse yet: some government agencies insist on crazy amounts of marketable information in order for one to use their web sites, and of course they claim the right to share it.
Don't like it? You can always take your business to some other government... oh, wait.
"Thank you for using the Google® brand Regional Planning Commission."

Steve Sky said...

To go with the theme, by way of the Instapundit, we have this link to the information facebook collects on you. Please note, you don't have to be logged into facebook, or even have a facebook account (I don't). Facebook still tracks you by its' "thumbs up" gifs, as in, when your web page requests a facebook thumbs up and facebook doesn't have your browser request registered, it creates a unique .gif name for the thumbs up, and then supplies it to every web page your browser requests from then on. By doing so, it can track your URLs no matter where you go. Think about how many pages you visit that want you to give a "thumbs up", and realize that facebook has tracked you visiting those pages.

Will said...

The biggest complaint about PP is their history of cleaning out people's bank accounts. If they autocratically decide that you erred in delivering an acceptable product to your customer, they will take whatever they want, and you have NO RECOURSE. They have access like a bank, but are not rated as one, so they have very little .gov oversight to rein them in.

This has kept me from using them, but if I want to utilize EB, I'm going to be forced to play with them. Then again, I'm local...