

PayPal is now an identity provider - robin_reala
https://www.x.com/identity

======
brador
"PROSPECT SCORE This API enables you to know the purchasing potential of a
user visiting your site. Users are classified into Gold, Silver, or Bronze
based on their average spending value, frequency, and online transactions.
Product details..."

This doesn't feel right. Aren't there privacy issues here? Have I unwittingly
signed some T&C on this?

~~~
jeffclark
Lots of companies sell your demographic information, including your bank,
credit cards and magazine subscriptions.

Ansira* has an amazing product that ties into all of this. It's really creepy,
but packed full of pretty accurate demographic information compiled from all
kinds of sources.

* not affiliated with them. probably others. only one I know of right this second.

~~~
noduerme
Yeah but most of the companies that sell your info aren't payment processors /
pseudo-banks that have direct access to your checking accounts, who you paid
last month, how much, and for what. The implied value in Paypal rating your
users is that Paypal can and will tell you their income level.

There are a few things wrong with Paypal doing this. Firstly, they're
notorious for freezing any user account with more than $2-3k in it, without
warning or reason, until you have a lawyer send them a letter. Hasn't happened
to me, but it's happened to enough friends that I wouldn't trust them with
more than a couple hundred bucks at a time. Sometimes for no reason other than
that they logged on from an IP address Paypal had flagged previously for
someone else's transgressions. We can leave Wikileaks out of this, but suffice
to say that if Paypal has any reason whatsoever for seizing your funds,
they'll be happy to do so and ask questions later. The fact that they don't
adhere to any open standards and never reveal their reasons for freezing
accounts should raise the question of who they are to be an independent
arbiter of identity.

Secondly, consider the ramifications of walking into a store with your tax
bracket printed on your t-shirt. This one's obvious to anyone that's spent
time as an American in a third-world country...the price of Phở goes up by
300% right off the bat. There's no doubt the market wants to rid itself of
inefficiencies by selling to every single consumer at the highest price she's
willing to pay and not a dime less, but the ethical consequences are
staggering.

I would never enter my paypal info for any reason, on any site, other than to
submit a payment -- just like I wouldn't give them my bank account number or
answer questions about my salary. I think many consumers would feel the same
way.

~~~
jeffclark
I think you missed the part where your bank and credit card companies are
selling your personal information.

Ansira knows your income level (and, at least for me, it's accurate).

------
goodweeds
This is sort of frightening. Paypal has a recent history of locking people out
of their own accounts as they layer upon layer of draconian "security"
measures. These "security" measures seem designed to gather as much personal
information as possible, and to restrict access to your funds as frequently as
possible. I log into Paypal about four times per year, and each time its a
frustrating tangle of new user agreements, forced requirements to add new
security questions, and ridiculous restrictions. For example, when I decided I
was going to move to a mobile phone-free life, Paypal decided they would force
me to verify my account via SMS, but they cannot send SMS to google voice, so
I spent 10 hours over four days to get access to my account.

Paypal is less trustworthy than Facebook or the federal government.

~~~
zerostar07
I don't think there's a more trustworthy contender nowadays (definitely not
facebook). Many of their requirements for new terms and compliance are due to
state regulations, especially here in the EU. For me, the fact that they
require verification through official documents makes me trust them more, not
less.

~~~
goodweeds
That's sort of the problem. Paypal is acting more and more like a bank, yet
they're investing millions in lobbyists to make sure they don't become a bank,
legally. If they were a bank they would be accountable and would fall under
all of the rules and regulations that banks must follow, and they wouldn't be
abe to withhold funds from their customers so readily.

~~~
bluelu
They are a bank here in Luxembourg.

Part of this that they have to know their customers. They can't allow someone
without proper ID verification to collect a few hundred thousands of dollars
through simply providing an email account and a name.

~~~
zerostar07
I was just gonna say that. Paypal Europe is a registered bank based in
Luxembourg, and subject to all kinds of bank regulations.

------
MatthewB
I believe this is a smart move by paypal. For the most part, they are a
trusted brand on the Internet.

The few aspects I don't like are the domain name x.com and the actual website
occupying that domain. x.com to me is too close to xxx.com and doesn't have
any meaning besides being the shortest domain name. The website design is poor
and the "win a bose" and "win an ipad" banners are atrocious. They should have
used a subdomain of paypal.

~~~
robin_reala
x.com is effectively “PayPal labs”

~~~
eddieplan9
Unrelated, but that would qualify them to apply for the x.xxx domain. Pretty
cool.

~~~
Raphael
I'm sure it's taken.

------
axefrog
People are used to logging into PayPal in order to send money or pay for
purchases, so I would think that associating PayPal with a website login is
going to be hard for a lot of people to feel comfortable with, particularly
because people are so used to the PayPal logo being used with actual purchase
buttons. As developers we can try to explain the difference, but ultimately I
think that PayPal logo has a pre-existing connotation in most people's minds
and I think that will work against them as an OpenID provider.

~~~
garethsprice
Can't see this working for things like logging in to leave comments or play
games like Twitter and Facebook identities.

Where I can see it working (and working well) is SaaS subscription services -
it streamlines the signup process, provides additional data to the provider
and pushes signups towards Paypal (and away from merchant account or other
providers).

~~~
pbreit
And that's where it's intended to be used.

------
ck2
Yikes this is scary stuff. I really hope congress takes a very close look at
regulating paypal like a bank and giving consumers some rights against them,
very soon.

PayPal users better have the ability to opt out of their buying habits being
transmitted to unknown 3rd parties.

~~~
jeffreymcmanus
Why does it require regulation? If you don't want to use this, then don't use
it.

~~~
nowarninglabel
I think the parent comment is referring to: "PROSPECT SCORE This API enables
you to know the purchasing potential of a user visiting your site. Users are
classified into Gold, Silver, or Bronze based on their average spending value,
frequency, and online transactions. Product details..."

Which, if you had been a Paypal customer prior to this, it might prove
difficult to get your spending habits scrubbed if you no longer wanted to be a
customer/didn't want your data available in this way.

~~~
ryanhuff
How is this much different than a credit score? One is estimating your
purchasing potential, while the other is estimating your likelihood to pay.
Two sides of the same consumer purchasing coin.

In fact, I am surprised I haven't seen the credit reporting companies already
pushing this kind of product. Seems like a natural extension.

------
pdmccormick
How was PayPal able to get a single-letter dot com domain? I thought they were
all reserved. But then there is x.org on the other hand too, hmm...

~~~
Urgo
X.com used to be a bank back in the day, my first bank I got while in college
as it happens. They bought paypal (I think it was that way, not the other way
around but I may be mistaken) and killed the bank. X.com just resurfaced a few
years ago in its new form.

~~~
treyp
It looks like what you were thinking of was a merger:
<http://en.wikipedia.org/wiki/PayPal#Beginnings>

PayPal was the new result of a merger between Confinity (the company Max
Levchin founded, as discussed in Founders At Work) and X.com, an online bank.

------
icey
Are there any companies that do nothing but paid identity management?

One of the sticking points I've always had when using my TwitBookOogle account
as an OAuth provider is that if something happens to that account & it gets
locked out, I'm screwed everywhere that I've used that identity provider.

I'm also of the opinion that the only reason these companies provide identity
is for user lock-in. I would pay money to have a reliable service that only
cared about managing my identity securely online.

~~~
waffle_ss
I don't think this entirely addresses what you want, but if you use OpenID,
you can use a delegate. I use my own domain name for the purposes of an ID
(<http://abevoelker.com>), which then defers to myopenid.com when I need to
authenticate (you can see this in the HTML of the page). If something ever
happens to myopenid.com, I just find a new OpenID provider and change the HTML
of my homepage to point there (the site that is asking for my ID stores
abevoelker.com, not myopenid.com).

The problem, of course, is that most sites do not support OpenID. The only
ones that come to mind are StackOverflow and some blog commenting systems.

~~~
icebraining
And even if you don't need a website, you can just configure the domain (or a
subdomain) as a CNAME to MyOpenID. It's faster too, although probably not
enough to be noticeable.

------
BlazingFrog
If anybody else is curious to learn more about single-letter domain names.
They were grandfathered in from another era.

"As of August 2011 only three domains, i.net, x.com and x.org host a web site.
q.com is active but redirects to centurylink.com."
[http://en.wikipedia.org/wiki/Single-letter_second-
level_doma...](http://en.wikipedia.org/wiki/Single-letter_second-level_domain)

------
fooey
creepy

I'll certainly never use a paypal account to log in to some arbitrary website,
and I'll never offer it as an option for my own users.

ESPECIALLY after reading all the data they're bragging about sharing.

~~~
zengr
It's not meant for "any arbitrary website". But it will surely help where you
need a real identity. Places like when you shop for something, some where.
Definitely better than sharing your CC/Bank info!

