
Credit cards have a privacy problem - mlb_hn
https://www.washingtonpost.com/technology/2019/08/26/spy-your-wallet-credit-cards-have-privacy-problem/
======
dehrmann
Yup, do-no-evil Google buys your credit card data for advertising purposes:
[https://www.bloomberg.com/news/articles/2018-08-30/google-
an...](https://www.bloomberg.com/news/articles/2018-08-30/google-and-
mastercard-cut-a-secret-ad-deal-to-track-retail-sales)

Companies need to start thinking of this less in the lens of "evil" and more
principle of least astonishment. Would users be surprised and angry to learn
you do this? Then don't.

~~~
avocado4
> Google buys your credit card data for advertising purposes

How do they connect my credit card data to my Google activity? My Google
account isn't connected to my personally identifiable information in any way.
I.e. they don't have my phone number, nor do I use Google Pay.

~~~
nordsieck
> How do they connect my credit card data to my Google activity?

Most people have a phone number with google for gmail (you didn't need one in
the beginning, but do now). There's also their wallet, app store, voice,
broadband, phone plan, etc.

Some people will dodge all of that, but most won't.

~~~
avocado4
> Most people have a phone number with google for gmail (you didn't need one
> in the beginning, but do now)

I just created a new Google account without a phone number 10 seconds ago.
Phone number was optional and of course I didn't provide it.

~~~
jstanley
It's only optional if they are already pretty sure they know who you are.

If you try to sign up using Tor, for example, it's not optional.

------
arfrank
Will leave these here, just one small step to help you regain your privacy:

* [https://marketingreportoptout.visa.com/OPTOUT/request.do](https://marketingreportoptout.visa.com/OPTOUT/request.do)

* [https://www.mastercard.us/en-us/about-mastercard/what-we-do/...](https://www.mastercard.us/en-us/about-mastercard/what-we-do/privacy/data-analytics-opt-out.html)

~~~
adtac
Did anyone else notice Mastercard's easily breakable captcha? It's just
unmodified text with the _same_ noise filter added to all codes.

Perhaps there's opportunity here for someone to be Robinhood here and improve
the privacy of a lot of people...

~~~
kbenson
I'm pretty sure that's a good way to get the endpoint flagged as a target of
abuse, and the page pulled until they can figure out what's going on,
resulting in anyone who wants to opt-out after that point either running into
a temporary or permanent problem, depending if they ever bother to put it back
online.

How about instead of fraudulently providing someone else's credit card because
"we know best", we just make sure to spread the pages as much as possible
where appropriate, and let people make their own educated choices (and
hopefully it opens their eyes to other places in their lives they can do so as
well).

I understand the impetus to help, but it's important to consider that what one
person views as helping another might view as terribly invasive in itself.

~~~
mindslight
> _I understand the impetus to help, but it 's important to consider that what
> one person views as helping another might view as terribly invasive in
> itself._

This is a sense of decency that the surveillance companies didn't share.
People didn't make any sort of educated choice to _be surveilled_ \- the
surveillance companies arrogantly "opted" them in. Opting them out is much
lesser transgression onto their will.

I do agree from the practical perspective - surveillance companies will parry
any legible bulk activity into an excuse to continue surveilling. Fine point
white text at the bottom of the homepage: "Due to an attack from scary
hackers, all opt out requests from 2019 have had to be discarded. If you had
submitted a request during that time, please resubmit your request. To protect
yourself in the future, buy our nonsensical "identity insurance" for only
$10/mo."

~~~
kbenson
> Opting them out is much lesser transgression onto their will.

So, that makes it okay? They've been abused before, so what what's the big
deal if we do it too? That's a troubling perspective to me. Two wrongs don't
necessarily make a right.

I think this is very straightforward. You, as a third party, have no place
making decisions for me without my consent in this case. If I have a
relationship with Visa or MasterCard, please stay out of it. The appropriate
way for this to change is for a) me or someone I've authorized to request it,
b) the company in question deciding not to do it anymore, or c) a legislative
body with jurisdiction mandating a change through law or regulation.

If you have access to my credit card number and I haven't given it to you, the
only appropriate things you should do with it are to notify me, the company
providing it, or the authorities that it's been exposed and should probably be
changed. If I have given it to you to authorize a payment, you are authorized
to use it for that payment (and possibly later payments that I agree to), not
to keep it to use as you see fit later on without my consent.

If you have my card because I've given it to you and you show me a dialog
letting me know you can opt me out and give me the choice, that's acceptable.
But I view any action taken on my behalf without my consent with regard to
this as a violation of my trust, privacy, and personal information. We are in
a very scary place if we as random third partied think we're allowed to make
decisions for people just because we think it's better for them.

~~~
mindslight
My main assertion was merely "This is a sense of decency that the surveillance
companies didn't share".

It's okay to acknowledge this as a vulnerability of your personal paradigm but
still hold yourself to it. Just don't act like it's the only permissible way
to interpret the situation, when the present state of affairs has been created
by the surveillance companies not following the same moral requirement -
_already_ "[making] decisions for [everyone] without [our] consent".

More generally, a sense of _right_ and _wrong_ cannot mean simply following
low level axiomatic rules, but rather requires judging constructive behavior.
I'd say an action that mainly undoes a wrong is a lot closer to being right
than another wrong.

~~~
kbenson
The person in question has a relationship with the credit card company, in
that they have requested and use the credit card (and if they aren't using it,
nothing is being collected). I agree that opting into collection automatically
is less than ideal, and I don't want it to happen, but this isn't some third
party getting between some other nefarious third party and myself, it's them
injecting themselves into an ongoing business relationship between two
parties.

You can label them surveillance companies all you want, and in some contexts
it might be the most fitting description. In this context, I would say it's
more fitting to say they are contractual partners abusing the looseness of the
contract for their own benefit.

Just in case you missed where this particular thread started, the top level
comment is about the opt out forms for data collection at Visa and MasterCard,
and the reply's (possibly somewhat in jest) suggestion that since the CAPTCHA
is so simple, someone just use whatever card numbers they have access to to
opt people out automatically. All my comments are specifically in that
context, which is one of random third parties using card numbers they
shouldn't have direct access to anyway to alter the business relationship of
others without authorization.

~~~
mindslight
Due to the constraints on understanding, I believe "fine print" in contracts
carries zero moral weight. In order for Visa and Mastercard to credibly claim
people have opted in, there needs to be an overt choice (no default already-
checked option) as part of the direct card relationship, as well as specific
consideration for that specific aspect of the relationship to remove any
incentive to downplay the choice.

Furthermore, I do not view a person's associating with Visa/MC in today's
society to be in any way voluntary - opting out is only possible at
significant personal expense. So the mere existence of a business relationship
also cannot be a basis for general consent. (As an aside: people generally do
not contract with Visa/MC directly)

Taken together, these put "abuse" of a "business relationship" is in the exact
same category as interjected actions by "third" parties - unwanted
transgressions. They only feel different because we've become fatigued to
accepting these transgressions when they pad someone else's bottom line.

And yes I am aware of the context of the discussion. I wouldn't personally do
such a thing, but that doesn't mean I wouldn't applaud someone who did.

~~~
kbenson
> Furthermore, I do not view a person's associating with Visa/MC in today's
> society to be in any way voluntary - opting out is only possible at
> significant personal expense.

Hardly. There are other creditors, and if you aren't worried about credit at
all (and there are other ways to build credit), then you can use cash, buy
gift card variants of their products which don't link to you, use some other
provider (paypal), or some other form of payment entirely in some cases (e.g.
cryptocurrency). There are more choices now than ever before.

> Taken together, these put "abuse" of a "business relationship" is in the
> exact same category as interjected actions by "third" parties - unwanted
> transgressions. > I wouldn't personally do such a thing, but that doesn't
> mean I wouldn't applaud someone who did.

The only way I can read this is as you condoning _additional_ violations of
someone's privacy just because _you_ think it's for the best this time. As
I've noted, I don't think your value judgements have any place in my life, nor
my interactions with other parties.

This has nothing to do with whether the whether the credit card company was
justified in doing what they did, it has to do with people minding their own
business and not violating other people's privacy. If you think the credit
card companies are going too far, then calk to the authorities for legal
action or legislative remedy. I applaud that action, but I don't want your
vigilante activism, and I don't condone breaking the law by people that think
they're more special than other people because they're doing it for "a good
reason" or because "it's really just helping people".

I guess it's nice that you wouldn't do it yourself, but why would you applaud
someone doing something that you wouldn't do yourself? It's real simple, if
you can't or don't want to ask for permission to do something for someone
else, then you shouldn't be doing that thing.

~~~
mindslight
The issue isn't credit, but payment processors. Add Paypal and ACH to Visa/MC
and you rule out basically every web retailer. If Monero/Zcash get to the
point where they are well-adopted practical choices this judgement can change,
but we are nowhere near that state of affairs.

> _additional violations of someone 's privacy_

I've agreed that flipping that surveillance preference flag is a type of
violation, just of territory that has already been trodden on. It's like if
someone breaks into your house while you're away, then a neighbor comes along
to put a tarp over your window before it rains, and you're complaining that
the neighbor has trespassed. In a sense you'd be technically correct, but most
people would consider that action to have been reasonable.

There is also the aspect where someone leaving this preference flag
_unmaintained_ is contributing to a larger attractive nuisance.

> _why would you applaud someone doing something that you wouldn 't do
> yourself?_

Because I simply wouldn't want to take on the legal risk.

------
mLuby
>"We don't _sell_ your data, we _share_ it." -all the companies involved

Am I the only one thinking there might be some Clapper-level double-speak
going on here? Why would these company share admittedly valuable data without
being compensated?

A question for contract lawyers: can I sell something (say an API or quarterly
report) that "incidentally" includes customer data and get away with saying
I'm not "selling customer data"?

~~~
mehrdadn
Definitely not a lawyer, but "sell" to me implies you lose ownership
afterward, so as long as they're not doing that, they're not selling. Easy to
see how they can give someone your data without doing that.

~~~
dkersten
Are you saying that every single SaaS startup is selling anything because they
don’t lose ownership when they provide a service in return for money? I think
typically the exchange of money for a good or service is what we refer to as
“selling” even if the seller doesn’t lose said service after selling it.

~~~
mehrdadn
No, I was merely referring to "selling" as it pertains to products, not
services. Your data would be a product, not a service. They may build services
around your data that use it in some way, but it'd be the service they'd be
selling, not your data. Just like how Uber would be selling a ridesharing
service, not your car.

~~~
sokoloff
If I sell to you the knowledge that the derivative of ln(x) is 1/x, I still
have that knowledge.

No different than if I sell to you knowledge of the fact that cardholder XYZ
lives at 123 Main St, has phone number 555-867-5309, and shopped at Giant
Dildos, LLC 3 times in the summer of 2019.

~~~
mehrdadn
It is very different. It's literally impossible for you to dispossess yourself
of that derivative. So clearly you will still have it. It's not impossible for
you to dispossess yourself of users' data. They're not the same thing.

------
tempsy
Plaid is the most terrifying company in SV. The fact so many people are
comfortable sharing their online banking creds with a third party, and in turn
authorizing Plaid to share years of transaction data, your balances, emails,
phone numbers, addresses etc scraped from your bank account is insane.

~~~
X-Istence
The worst part is that certain banks won't let you link an account that Plaid
claims is supported based upon the routing number/account number.

So for example when I attempted to link based upon routing/account number at
Simple, it told me I can't continue because I should hand over my account
information for the other bank to Plaid instead.

I've done it, and then immediately changed my account info. So yes,
technically Plaid has my historical data, but at least they won't get it going
forward. It really sucks though, because it locks my money into a singular
bank otherwise.

~~~
mindslight
I'm not arguing against the general idiocy of this, but the net effect should
be to keep money away from such banks.

My understanding of the ACH system is that it's best used in a "pull" manner,
as if you're writing a check. Link your Simple account from another bank and
initiate the pull from there. (Then work on transitioning your activity to the
better bank while you're at it).

~~~
X-Istence
Yup... that's what I have been doing.

------
bradknowles
While I do love me some privacy.com, unfortunately they only allow you to tie
payments to bank accounts, not credit cards.

So, it's a virtual debit card, not a virtual credit card.

Now, they do let you set transaction limits, and daily/weekly/monthly limits,
as well as either locking the card to the first merchant to use it or to make
it a "burner" one-time only card.

So, there's lots of additional controls there.

They don't give you a good way to export any of that financial information, so
if you want to use a budgeting program to try to help you track what is going
where, then privacy.com doesn't help you there.

Overall, I like privacy.com very much. I do want to be able to tie in multiple
back-end payment sources, including credit cards, and I'd be fine taking the
2% or whatever fee on my end. And I do want more transparency in terms of
being able to easily export my data where I want to use it. But those are both
relatively minor problems, compared to the ones they do help you solve.

~~~
danShumway
privacy.com comes up on HN a lot, and every time they do I try to take the
time to point out they require a binding arbitration agreement with no opt-
out.

Arbitration agreements are bad in general, but not necessarily uncommon. What
makes privacy.com different is that they have access to your bank account.
They're in a position where they have direct access to your funds, and you
can't bring them to court if they wrong you.

I've had people suggest that I link privacy.com to a limited bank account and
manually transfer money. That's a good suggestion, I'd probably do that no
matter how they were set up. But that's not going to help if privacy.com takes
you to arbitration over a bogus overdraft charge, or if they leak your credit
card numbers, or if they start selling data behind your back. My _bank_
doesn't have an arbitration agreement tied to my checking or savings account.
I don't think it's justifiable for privacy.com to claim that they have more
customer risk than my bank does.

If a business includes an arbitration agreement in your terms of service, I
immediately assume that they don't respect their customers. There are some
businesses where I tolerate that, but I need a heck of a good reason --
especially if that business is going to be managing my bank account.

Binding arbitration agreements are underhanded. The only reason to have one is
because you want to make sure right from the start that you're not accountable
to your customers.

~~~
drdaeman
> What makes privacy.com different is that they have access to your bank
> account.

In my understanding, they have the account numbers and can do ACH withdrawals
- just like someone who has your debit card number (but against a checking
account, not a card). So I believe it's like every other transaction (or
check) - there's an intentional (as I get it) processing period for a day or
two, and you can always call your bank and request to not honor it. I could be
wrong though.

And actually, they can be associated with a debit card instead of a bank
account - they've failed to associate with my bank, so I have had to go this
route (and there's no way to switch it afterwards).

Oh, and I totally agree that arbitration clauses without a way to opt out are
disrespectful to say the least.

~~~
mindslight
One can't use the technical situation to escape the legal situation. If you
dispute the ACH transaction, privacy.com could still claim you owe them that
debt.

They likely _won 't_, being still subject to the court of public opinion. But
it doesn't bode well that they're trying to escape the more direct avenue of
accountability.

(IMO the FAA is blatantly illogical and should be judicially nullified. But
until that happens, we're stuck being on guard for these offensive customer-
hostile terms)

------
FabHK
I know, I know, the editorial staff is separate from the advertising/sales
staff etc, but still find it funny that when I try to access the article in
incognito mode, as I habitually do (for privacy), I get

> We noticed you’re browsing in private mode. Private browsing is permitted
> exclusively for our subscribers. Turn off private browsing to keep reading
> this story, or subscribe to use this feature, plus get unlimited digital
> access.

~~~
johnisgood
Disgusting. I avoid those kind of places like plague.

~~~
hyperbovine
Yes, isn't it revolting that they try and get people to pay for the content
they spend money to produce? How dare they.

~~~
FabHK
Oh, I wouldn't even mind if they served me ads.

But what they're saying is: We won't let you read our stuff unless we can
track you (and see exactly what you read how long from where using which
device, etc.)

~~~
Infinitesimus
"... unless you are willing to pay us for reading this content. In which case
you've already paid for it so browse however you like"

~~~
Nextgrid
Would you really trust them to not track you even if you pay? Do they even
have the technical ability to not serve the tracking shit based on whether
you're a paying subscriber or not?

I don't want to volunteer personal & payment details (which is more info than
their tracking can get, considering I block it all) to find out.

------
mehrdadn
I've always wondered: is the data the reason why credit card companies are
willing to give cash back as high as 5% even to customers who carefully
operate them at a clear loss for them?

~~~
andrewferk
Credit card issuers don't pay for the cash back, it's the merchant. The
merchant's are charged a credit card transaction fee that includes a
fixed/percent fee determined by the negotiated contract with their bank (the
acquirer), a small fixed/percent interchange fee that goes to the credit card
payment networks (Visa, MasterCard, etc.), and finally a fee to the credit
card issuer that provided the credit card to the consumer.

The credit card issuer fees can be the worst because of these high reward
credit cards.

I'm very aware of this when shopping at a local small business. I'll pay
either in cash or with my debit card, because the credit card fees are
seriously squeezing small merchants.

~~~
mehrdadn
Citation? It seems pretty crazy to me that every merchant would have to pay
the difference when a customer decides to use a 5% cash back card. They can't
even know the full list of cards out in circulation, and I doubt their
contract says "the fee is whatever portion of the card's cash back we can't
pay for" or something like that. It could work for a closed subset of cards
they know about and might want to negotate separately, but I don't see how it
can work for every card out there.

~~~
kalenx
They do not pay the whole cash back, but they do pay more for "premium" cards
(that they cannot refuse, also). See for instance this [https://www.cfib-
fcei.ca/sites/default/files/pdf/5513.pdf](https://www.cfib-
fcei.ca/sites/default/files/pdf/5513.pdf) (in Canada, but the same thing
applies to the US)

~~~
mehrdadn
Right, these are just Visa/MC/etc. card classes, which don't determine the
cash back on them. And so if that doesn't make up the difference, then the
card companies paying the rest, right? My point is that for high-cash-back
cards there are easily customers who consistently make more in cash back than
whatever fees these folks get and who don't rack up interest, meaning they're
costing money, so why should they still be kept as customers?

~~~
ceejayoz
Enough of them wind up over-extending and paying interest to make it
lucrative.

I'm also not aware of any across-the-board 5% rewards cards, and most have an
"up to $x,000 annual spend" on the categories that are that high.

~~~
tzs
A neat little hack with some cards can make it effectively almost across-the-
board.

Some rewards cards let you select "online shopping" as your high rewards
category. You can extend that to in-store shopping at Walmart by enrolling
that card in Walmart Pay and then paying in-store via that.

For a lot of people, "online shopping" and Walmart together will cover 95+% of
their credit card use.

~~~
kube-system
Are there any of those that are 5%? If so I’m very interested.

~~~
tzs
BofA has a card that is 3% in your selected category, which can be boosted to
5.25% if you have a large enough total in your accounts at BofA and Merrill
Lynch.

The base card is 3% in your selected category (online shopping; gas; dinning;
travel; drug stores; or home improvement and furnishing), 2% in grocery and
wholesale clubs, 1% everything else. The 3% and 2% are limited to $2500 per
quarter.

The base rate is multiplied by 1.25, 1.5, or 1.75 if your total at BofA and
Merrill Lynch is at least $20k, $50k, or $100k, respectively.

------
t0astbread
I'm sure this is a great article that highlights an real issue but without
executing JS the page doesn't show anything besides the logo and upon
inspection of the HTML delivered by the server you can see that it's almost
exclusively tracking scripts (at least in the EU).

------
smcleod
I wonder how this applies in Australia and New Zealand, our privacy laws
prevent the use of credit card “Address Verification” for example.

------
kccqzy
I've discovered this problem by finding out that you can sign up for
additional cash back on apps like Yelp and Dosh. When you make a purchase
these companies will automatically determine whether this purchase is eligible
for cash back. I'm guessing they must be buying the data for all my
transactions for the purpose of figuring out whether they would give me cash
back. It immediately made me suspicious since I'm getting cash back from a
third party instead of from a bank.

~~~
larrybud
+1. I’ve often wondered how these cashback services like the ones you
mentioned, or, for example, the restaurant ones like aadvantage dining work.
Do the affiliates get all your transactions? (I really hope not). Or, do the
affiliates have agreements with the cc processors to flag transactions on
their side?

~~~
zaroth
There seems to be no non-terrifying answer to this question.

~~~
astura
Depends on your definition of "terrifying."

I dont personally care that some marketer knowns I purchased toilet paper then
went to the tacorita on Tuesday; I'll gladly give that information away for
$4.

------
Multicomp
I wish Mondex would try again. Mondex was a MasterCard idea tried in the UK
that was basically 'digitized cash in a wallet which has the form of a smart
card'.

Approach ATM, insert Mondex card. Feed ATM bills and coins, Mondex card gets
loaded. Spend card, swipe as normal. Works offline, no connection to a bank
account necessary, the money is deducted from your local card's 'account' to
the 'account' on the POS/business. Your card records a transaction
date/time/merchant for debits, theirs records the same for a credits.

You can transfer funds from one card to another, cash out the card offline at
supporting ATMs, be used for building access/RFID cards, hold up to 5 digital
wallets on one card, and more.

It was tried in the UK back in the 90s and NYC right in 2000 and worked about
as well as you'd imagine in that world. But today, it would probably work much
better. HK has the Octopus card which is conceptually similar and works well.

I'd certainly give either a shot so I don't have to carry physical cash but
also aren't worried about having my money in someone else's hands who can lose
it all due to bank fraud or have IT issues preventing payment processing.

[https://en.wikipedia.org/wiki/Mondex](https://en.wikipedia.org/wiki/Mondex)

[https://en.wikipedia.org/wiki/Octopus_card](https://en.wikipedia.org/wiki/Octopus_card)

~~~
JoshuaRedmond
I would guess that the money laundering potential is why it isn't around now -
most stores don't let you buy a gift card with another gift card for the same
reason (I've implemented this restriction in an e-comm site before). I might
be wrong, but that's a potentially big legal hurdle.

------
reilly3000
Purchase data has been around for years. Marketers want to know if their ad
dollars worked. “How did you hear about us?” provides scant and mostly
unusable data. By matching purchase data with ad campaign data there can be
more quantitative evaluation of an ad campaign’s performance.

Additionally I imagine this data is available for marketers to target buyers
of Product X with Accessory Y.

Finally, marketers may use purchase data to build suppression lists; ie. Stop
retargeting people that already purchased Product X. I don’t know if this
happens very often in practice. It’s very hard to do well in general, and
generally cheaper to spam people than buy data to shrink your list.

None of this is well-disclosed to consumers, not one bit of it is right. It
just is, and it has been for going on for 8+ years.

------
burner6565
Summary? Wapo appears pay walled.

~~~
singron
[https://outline.com/fMCL96](https://outline.com/fMCL96)

~~~
rambojazz
This link doesn't work either on Firefox ESR.

> Something went wrong

> We're sorry. This page failed to Outline.

~~~
benplumley
And their 'report a problem' link goes to a 403 page on form submit...

------
ubermonkey
How do privacy-forward payment methods like ApplePay change the math?

------
skybrian
Headline not proven. He claimed to do an experiment and didn't find any
security hole or any real results, but then blathered on about what might have
happened. I can read privacy policies and make up scenarios and so can you,
but so what?

And more generally, credit cards have been around a long time. Shouldn't there
be more evidence by now if anyone is being harmed by sharing data about
consumer purchases?

~~~
paulie_a
Every single purchase line by line is recorded by many companies. And the
security is absolutely terrible over all. If you don't care if your spending
habits are shared that is fine. I don't want my data hacked further

~~~
astura
Then use cash?

~~~
vageli
> Then use cash?

This is typically infeasible for online transactions.

------
Uhrheber
Says the pot to the kettle.

------
zipotm
Good morning

------
jiveturkey
This article is severely deficient and written to draw clicks.

It doesn't go far enough (or at all, really) to explain that the credit card
issuer doesn't see the data. They see a transaction amount. There's no banana.

The current top comment about Google linking online to B&M purchases isn't a
leak of privacy: it's strictly private both to Google and the merchant. You
are being tracked, but not in a privacy-revealing way, just in an uber-
annoying I'm-still-being-targetted so-it's-creepy-and-annoying way.

That retail merchants are tracking you is a huge, huge problem. The CC
facilitates this by linking all your purchases into a single history, but it
isn't the CC per se that is the problem. eg the store's own rewards card
specifically does this. They don't even care if you give your actual PII up to
signup for the rewards card, all they care about is that they can [even
anonymously] identify the purchase stream tied to an individual.

They should go to length to better distinguish this problem because then they
can get to the fact that every Apple Pay transaction is tokenized and not
linkable to prior or future Apple Pay transactions.

