
The 600+ Companies PayPal Shares Your Data With - pmlnr
https://www.schneier.com/blog/archives/2018/03/the_600_compani.html
======
throwaway2016a
Having worked in the financial industry I am not surprised. You have to share
a huge amount of PII just to process a transaction. The more you share the
lower your fees per transaction which for a company like PayPal can mean
mi(bi)llions.

The assumption is, the more data the less likely it is fraud and therefore the
less likely there will be chargebacks.

Most of these are banks, customer service, and fraud prevention companies.

It's also worth noting that this list is of all the companies PayPal MAY share
your data with. If you never opened a credit card in Germany and used it on
PayPal it is unlikely to hit the German processor, for instance.

------
originalsimba
We need to change the language, it's too soft. PayPal isn't "sharing" your
data. They're "selling" your data.

Sharing is Caring. If you want people to take these threats seriously you need
to speak to them with language they can understand.

~~~
JimmyAustin
If PayPal pays service provider Y to validate a credit card hasn't recently
been used in fraud, they would be sharing the data, but they certainly
wouldn't be selling the data.

------
lykr0n
Direct Link: [https://www.paypal.com/ie/webapps/mpp/ua/third-parties-list](https://www.paypal.com/ie/webapps/mpp/ua/third-parties-list)

Kind of interesting to see the network of companies PayPal uses for various
functions. Surprise, surprise, the largest sections are fraud prevention and
marketing.

~~~
wslh
PayPal fraud prevention makes it impossible to use, you are guilty until
proven innocent. In a way Coinbase is on a collision course also. Not saying
that it's entirely their fault but there should be an innovative way to offer
a good user experience while following regulations.

Beyond this, GDPR is educating us. I wonder how US regulations/regulators were
so flexible with these kinds of companies but are so strict with their users.

~~~
Scoundreller
> guilty until proven innocent

I can’t see reversible payments between strangers over the internet working
without that.

Let alone the tax/money-laundering reporting requirements.

~~~
wslh
Many times I can't even send the payment.

------
onetimemanytime
A lot of it is common sense, banks for example: If you use your bank (you have
to via checking or CC) they have to know your PayPal information.

Also they have to care about fraud.

~~~
dorgo
Wait, what? Why does my bank need to talk to (share information with) PayPal?

------
grantlmiller
Interestingly, under GDPR EU citizens need to opt in to each of these,
explicitly, and be able to toggle them off on an ad hoc basis. Additionally,
PayPal is required to list each of these vendors' vendors (which could
increase the number of vendors by 1 or 2 orders of magnitude). If companies
actually follow the GDPR controls this is going to turtle all the way down.

~~~
dfxm12
_Interestingly, under GDPR EU citizens need to opt in to each of these,
explicitly, and be able to toggle them off on an ad hoc basis._

This sounds terrible. How is your regular EU citizen supposed to know which of
these companies would be required to get your payment to reach its
destination?

~~~
chopin
Maybe PayPal should disclose this?

Not

- Your data MAY be shared with these 600 companies

but

- For this transaction to complete, your data WILL be shared with those 10
companies

------
dahdum
This absurd level of data sharing is one of the reasons I use Apple Pay 100%
of the time it's offered, at least they don't go sending half the world your
info and product purchase history.

The merchant may still do so of course...but the footprint is reduced.

~~~
CaptSpify
How do you know that Apple isn't doing that?

~~~
stinos
I'm curious as well. I mean, it might not be '600' (although as commented by
others, that doesn't mean your particular account data hits all 600 of them),
but at least something should get shared somehow to complete any type of
payment? If not just for the receiving party? And what information exactly do
they get?

------
ivanstojic
The title on the PayPal list itself reads "List of Third Parties (other than
PayPal Customers) with Whom Personal Information _May be_ Shared."

If that's true, this is just the "worst case" scenario - you are very unlikely
to hit any significant fraction of these companies for any single given
transaction.

Or so I hope.

~~~
jhall1468
The overwhelming majority likely _never_ get _anybody's_ info. These lists
have to be extensive, and for the "marketing" category the data is almost
assuredly anonymous. But to avoid hefty lawsuits, companies choose to list any
company that might accidentally get a CC they aren't supposed to.

------
Talyen42
Hopefully none of these 600+ companies ever get hacked.

~~~
thinkMOAR
[https://thehackernews.com/2017/12/paypal-tio-data-breach.htm...](https://thehackernews.com/2017/12/paypal-tio-data-breach.html)

you were saying? :)

~~~
dovik
Kind of irony? ;-)

------
Scoundreller
> To allow payment processing settlement services, and fraud checking.

So, do they only share my info with them when I make a payment with that
specific institution, or do they share my info even if they’re uninvolved but
sell fraud prevention services?

------
egypturnash
The visualization he links to is pretty nice: [https://rebecca-ricks.com/paypal-data/](https://rebecca-ricks.com/paypal-data/)

"Credit reference and fraud" companies are pretty much tied with "marketing
and public relations"; the latter seems to be about half "tracking pixel
providers". _Fuck_ ubiquitous advertising. _The Space Merchants_ was supposed
to be a _satire_, not a manual.

