
Leaked doc shows how big companies buy credit card data on millions of Americans - jordanecks
https://www.vice.com/en_us/article/jged4x/envestnet-yodlee-credit-card-bank-data-not-anonymous
======
lemax
From my observations, for data vendors "anonymization" generally just involves
replacing a name or credit card number with some other identifier. That's the
reality and that's all they are required to do by regulators. People on both
sides of the market know and leverage this. There are legitimate use cases
that people are after that can only be achieved by having the ability to
correlate pseudonymous entities with some kind of history. Lots of data sets
would be significantly less valuable, and lots of industry standard analyses
unachievable with those identifiers out of the picture. As long as there is no
Personally Identifiable Information (which, no, metadata, location history,
medical claims, transaction details, don't count). I would imagine that this
is something regulators are aware of and that the privacy tradeoff has just
been shrugged off so that the market can carry on and do its thing.

~~~
pdkl95
> "anonymization" generally just involves replacing a name or credit card
> number with some other identifier.

DJB's description of "anonymization" while talking[1] about his job as the man
in the middle at Verizon:

>> Hashing is magic crypto pixie-dust, which takes personally identifiable
information and makes it incomprehensible to the marketing department. When a
marketing person looks at random letters and numbers they have no idea what it
means. They can't imagine that anybody could possibly understand the
information, reverse the hash, correlate the hashes, track them, save them,
record them.

> lots of industry standard analyses unachievable with those identifiers out
> of the picture.

Calling something "standard" doesn't mean it's ethical. If someone wants use
that type of identifier, they need to get explicit _informed_ consent from
everyone involved, and they need to be liable for any damages that derive from
their database of identified records.

[1]
[https://projectbullrun.org/surveillance/2015/video-2015.html...](https://projectbullrun.org/surveillance/2015/video-2015.html#bernstein)

------
allovernow
The only antidote to this kind of profiteering is a cultural shift. And if
starts with us, the developers who are building this tech.

Unfortunately most of us are quite powerless to stop it otherwise. As time
passes I'm only more convinced that this is an evil which will inevitably be
abused by governments in the near future to target dissidents. And possibly
other groups - you don't need much information from spending habits and
location history to trivially build a profile consisting of religious
affiliation, political affiliation, sexual orientation, and general interests.
This maliciousness is putting us all at risk in the name of greed.

~~~
rhizome
The US learned in 2016 that information is a tool of war. Defending oneself
against the encroachment of zero privacy operators is going to have to be
fought with information as well. Laws have no teeth, which will continue to be
the case indefinitely due to Citizen's United.

~~~
allovernow
>The US learned in 2016 that information is a tool of war

Uh, people have understood the usefulness of information and information
control for probably hundreds of years - at the very least since the cold war.

What do you think the CIA, KGB, CCP have been doing all this time?

I swear people just stopped thinking critically when Trump was elected. Things
were broken long before 2016.

~~~
rhizome
> _What do you think the CIA, KGB, CCP have been doing all this time?_

Sorry, information as the field of battle. To wit: the US lost an information
war in 2016 and appears now to be occupied.

------
dropoutcoder
Yesterday, a fellow customer of one of the big US wireless telecom carriers
received a spoofed call from my mobile number. He called me up thinking I had
called him, and we started talking, and turns out he’s a Data Broker from the
East Coast (I’m on the West Coast). He was very friendly and discussed
specifics for how the mobile phone anonymous token works and how it’s
supposedly a secure, anonymous arrangement.

I discussed with this gentleman the concerns from this article and he wasn’t
too happy, naturally, given my disagreement with the practice of sharing such
data due to such deanonymization concerns.

As I’m a bit of an activist regarding E2EE and voyeuristically supportive of
certain disliked politicians, and against the described data sharing, I have
to wonder if someone chose my number to play a prank. Of course, it could
simply be an odd coincidence, which is the most reasonable base assumption.
Still, I wonder why my number specifically was chosen to target this
individual, who said he was the victim of substantial identity theft and yet
has refused to change his phone number, likely due to the complexities in
doing so.

I have a habit of consistently following up on such matters, and so perhaps
someone was knowingly demonstrating to me that this wireless carrier can’t
even stop in-network spoofed calls, aware that I would investigate it. Of
course that’s a bit far fetched but who knows? If the offending party was able
to cover their tracks then that says something about the absurd age we are in.

At the least, and unrelated to the original article, it’s clear that this
major wireless carrier doesn’t even have the ability to prevent spoofed calls
from within their own nationwide network from numbers associated with their
own customers. I called their support and pointed out that, at least
conceptually, it should be trivial to build a security feature to prevent
this. And presumably shaken/stirred ss7 cert authentication for did’s should
already cover in-network did authentication and prevent in-network spoofing.
Is this a reasonable assumption? Have all the major carriers built these
protocol upgrades to prevent spoofed calls?

There’s the outside possibility this gentleman lied to me about his carrier,
dialed back the wrong number, or lied to me about the spoofed call but I
gained the sense that he was being truthful to me.

Overall it seems that the cyber world is really quite a mess, whether with
data sharing malfeasance per the article, insecure wireless networks, globally
enabled ransomware, and ever-increasing data in the hands of private global
entities that will exist beyond our lifetimes.

~~~
QUFB
SHAKEN/STIR is rolling out very, very, very slowly. Interoperability is poorly
defined and carriers seem to be sharing on an ad-hoc basis.

Anyone with a prepaid credit card can spoof numbers, make calls for <
$0.005/minute, just by running apt-get install asterisk with a minimal
configuration.

~~~
eitland
And for anyone who wonders, here's the Wikipedia entry:
[https://en.m.wikipedia.org/wiki/STIR/SHAKEN](https://en.m.wikipedia.org/wiki/STIR/SHAKEN)

------
dwild
I use Google Opinion Rewards and I feel like some of their questions are meant
to see if they can deanonymize identities from credit card data and a few
location data point.

~~~
alteria
They push hard to track in-store visit and purchase attribution

[1] [https://support.google.com/google-
ads/answer/6100636?hl=en](https://support.google.com/google-
ads/answer/6100636?hl=en) [2] [https://martechtoday.com/deep-dive-online-in-
store-attributi...](https://martechtoday.com/deep-dive-online-in-store-
attribution-199573)

~~~
dwild
Oh yeah that can definitely be from Google Ads too, but I remember some
question quite surprising. I forgot to install it on my new phone that I got
in December, so I don't remember much theses questions, but it's now
installed, so I'll see. I know that they asked me for receipts a few time.

------
dredmorbius
Incidentally, this story and practice are a partial refutation of the "if
you're not paying for the product, you're the customer" trope. In the sense
that very often when you _are_ paying, you're _still_ the product.

All the more so when payment data are detailed and reliable, as in the case of
credit- and debit-card spending.

Effectively: if there are no practical limits on data gathering, aggregation,
correlation, and sales, you are the product.

There are exceptions to this in both the free and non-free spaces. Much free
software, for example, does not turn users into products. And there are cases
of paid transactions (often using more anonymous mechanisms such as cash) in
which privacy is preserved.

Those are becoming the exceptions however. And barring regulatory and legal
changes, with both civil and criminal penalties having teeth, this will not
change.

------
fnord123
>millions of Americans

I always want to ask... does this mean people living in the US or US citizens?
because the meaning sounds like its limited to citizens but I'm almost
positive any stats that say 'Americans' means 'people in America'.

~~~
kube-system
'American' doesn't necessarily mean citizen. It can be used to describe people
simply living in the US.

[https://en.wikipedia.org/wiki/American_(word)](https://en.wikipedia.org/wiki/American_\(word\))

[https://www.merriam-webster.com/dictionary/American](https://www.merriam-
webster.com/dictionary/American)

------
frostyj
Guess why would Apple/Uber/even Starbucks release their own credit cards?

~~~
edoceo
Heck. I thought the SB one was a joke. It's not.

[https://www.starbucks.com/starbucks-rewards/rewards-
cards](https://www.starbucks.com/starbucks-rewards/rewards-cards)

TF is even going on here!? I face-palmed so hard everyone in MHT is staring.

~~~
servercobra
Starbucks has one of the most seamless payment and ordering systems I use on a
day-to-day basis. I'm not sure why it's surprising they would have their own
credit card to make that even easier. Heck, every big box store seems to have
their own card too. They cut down on the transaction fees if it's their own
card, plus extra data for them.

------
wmurmann
Who do they sell data to ? The phrase 'selling data' always seemed handwavy to
me. What products/services can you make from that data ? Forecasting ?
Customer tracking ? Wouldn't deanonymization make the service illegal or is
that a grey area ?

~~~
dredmorbius
Anyone willing to pay.

Or with the technical chops to exfiltrate.

Banks and marketing organisations are a major customer. So are skip-tracers,
collections agencies, and scammers (who can build impressive profiles of
gullible marks based on purchasing / spending habits).

------
thedance
You don’t need leaks, you just need to read the marketing materials of these
firms. They sell your data. They are ten times worse than what Google does in
the worst fever dreams of the most tiresome DDG/Brave user on HN.

~~~
gdulli
You don't think Google does a superset of this? You think they didn't start
their own payment system just to get the same data for the same reasons?

~~~
thedance
Where is the phone number I can call to order a binder full of transaction
data about you from Google?

~~~
dehrmann
Ironically, while Google buys credit card data (and likely other data), and
advertisers give them data, I'm pretty sure they don't leak personal data like
that.

------
homero
Of course there's unspoken ways to reverse it, how would Facebook use it for
targeting otherwise?

------
esotericimpl
I would assume plaid is doing worse.

------
macmichael01
And leaked documents will also show how VICE exploits users by exploiting
their privacy through ad trackers. Gosh I wonder what could be worst? LOL!!
Lets NOT quickly forget how Mr. Joe Biden's presidential campaign has been
financed through credit card companies.

~~~
ThePowerOfFuet
>Lets NOT quickly forget how Mr. Joe Biden's presidential campaign has been
financed through credit card companies.

[citation needed]

