Hacker News new | past | comments | ask | show | jobs | submit login
Chase did a bad thing, so we did a good thing (chaseoptout.com)
610 points by zbruhnke on June 11, 2019 | hide | past | favorite | 231 comments

For me the red flag is them willing to send this letter to Chase, via snail mail at no charge to you. Nobody gives something for nothing. So I thought, why would they do this? after reading through the form, at the bottom, it looks like one of the companies, who sponsors this site, "Radvocate" seems like they are in the "class action" lawsuit business. https://myradvocate.com/

This site is about having enough potential clients are able to sue Chase at some point in the future, whenever a class action lawsuit comes up - and heck, they even will have a customer list and a relationship with you from sending this "free" letter for you in the past.

Usually in those kinds of cases, the end recipient gets very little - perhaps some subscription to a ID protection service or a few bucks but the firm who runs the class action makes a lot.

On the one hand, maybe it helps keep them honest (they cite Wells Fargo) so its good to be able to. But clearly there is some vested interest here on the part of Radvocate.

Radvocate here: We do have a vested interest. Over time, we want to be the place you come when you have a dispute against a big company because we'll fight hard for you.

We're excited to partner on this project partly because it is very "on brand" for us from that perspective — we can help people, get our name out there, and shine light on an issue that matters to us. We're a business, but we're also all in this business (instead of some other business) because we want to make the system fairer for consumers.

ETA: Also, to correct one misapprehension: we are not in the class action business. We actually help consumers pursue individual arbitrations. We think more people should know that even if their contract doesn't let them sue, they actually do have a way to assert their power through arbitration. If anything, we'll have more customers for our current business if no one opts out of their Chase clause.

Bravo. In my view, this connection and upside was made appropriately-clear in the "Who are you and why did you build this?" section, and the context from the logo attached to the site.

Very clever marketing, good on you for managing this, and I hope you see a great return for your efforts.

Thanks – I'm glad you have a long-standing comment history so this doesn't look like I made you up ;-)

Lol. That was good reframing. The first comment had me leaning in the direction of not siding with Radvocate.

Good points and I appreciate what you write here.

And an interesting business concept - to help consumers pursue individual arbitrations. That could be really cool especially against large corporations when they are abusive. What do you charge as people go through their individual arbitration process/ how does the profit model work?

I really have mixed feelings about the legal system - on

Also, Radvocate, wondering if you can address the PII concerns other's have raised, as that is a very big deal.

Hi, thanks for the response.

On the business model – we charge a commission currently set at 15% of whatever compensation you recover. Hopefully that's from a negotiated settlement with the company before a full arbitration process is necessary. (More details at bottom). We currently process against 20+ cable / ISP / wireless companies.

Re: PII, first I want to make clear that I can't speak with legal standing about the terms & conditions as written. That said, if someone checks the (optional) box giving us permission to do so, all we plan to store is an e-mail address (plus an anonymized token?). We at Radvocate don't have current plans to use that e-mail address, but it is true that it likely would be most useful for the purpose of putting together a future class action against Chase. We'd only partner on that with firms we trust and who will make respectful use of the information.

We think this could be of interest and beneficial to someone opting out of arbitration. To repeat a point on this thread, it's another way to take action against Chase. Additionally, while we all have experience with a class action of being mailed a gift card three years later, if someone does make direct contact with a lawyer on the lawsuit, that may put them in a different position (though I'm not a lawyer).

More on our process: The way arbitration works is you usually have to send the company a notice letter (which we automate) 30-60 days before filing. When you do that a lot of companies suddenly want to negotiate, instead of ignoring your dispute, and we provide data and process guidance to help you negotiate most effectively. If negotiation fails then we automate escalating your claim to arbitration by filing with the American Arbitration Association, and we continue to provide guidance as the case moves through their system, including preparation for the hearing (which will typically happen by phone).

I don't think you've come close to adequately addressing the PII issue here. The information you're collecting, if it ends up in the wrong hands, could lead to some nightmarish identity theft.

Surely you're aware of massive and prevalent data breaches[1]. You're collecting sensitive information to help people, but not providing any convincing bonafides on information security, let alone an actual plan for how sensitive information goes in your web form, then (many technical/logistical steps later) ends up in Chase's P.O. box, without leaking out to some unintended party. I don't think anyone should feel comfortable with "all we plan to store is an e-mail address"

1 - https://haveibeenpwned.com/

How would you do any of this without collecting that data? They're lawyers, how else would you deal in a client's name in the legal system?

That seems awesome that you're going after big cable/ISP/wireless companies. Do you think consumers that are harmed by Comcast/Xfinity's abusive practices of bundling and zero-rating their own video services, but charging you for data overages if you use Netflix or other 3rd party video services have a strong position?

Would you help us go after them? I'd sign up in a heartbeat for that. When I moved from Connecticut where we have a relatively benign ISP (Cablevision) who doesn't have data caps, to California where we only have Comcast/Xfinity, my monthly price for Internet doubled and I have less than half the bandwidth available to me.

I am not sure why I want to sue Chase. I bank with them and they have provided the agreed services. What exactly has Chase done to harm someone like me? If I don’t like something they do, I simply bank elsewhere.

Good point, a bank will never, ever screw you over.

oh wait


> Also, Radvocate, wondering if you can address the PII concerns other's have raised, as that is a very big deal.

For credit cards at least, you aren't giving any more information to them than you would any random website where you make a purchase.

Less, even, as there's no expiration date or CVV.

Hope your site is secure. And I don't mean TLS. Collecting that data paints a giant bullseye on it for hackers.

Good transparency here, an appreciated and professional online reaction to criticism.

I hold PoA for my father- what's the best way, using this form, to say they're his accounts, but I'm the one filing the letter on his behalf?

Great Comment.

From a "consumer who wouldn't individually sue chase" perspective I see nothing wrong here.

I know many here consider this to be ideological heresy but it's possible to have a transaction where both parties come out ahead and this seems like one of those win-wins to me. They do a little work for you in exchange for putting your name on a list of people they can use in a class action, you might even get $5 or something out of it if they win.

Putting your PII into a random website should be what raises red flags here. I hope they're not storing the account numbers, or at least not storing them with the associated personal details.

It's a standard HN (and wider society) complaint that makes very little sense: the best case for corporate behavior is having incentives that are aligned with the consumer or whatever your definition of societal good is.


> Usually in those kinds of cases, the end recipient gets very little - perhaps some subscription to a ID protection service or a few bucks but the firm who runs the class action makes a lot.

This suggests to me you feel that class action judgments do not adequately compensate claimants. This shouldn't dissuade us from fighting back against businesses who treat their customers unfairly.

The problem isn't the class action lawsuit or Radvocate. It goes much deeper. It's goes to the core of businesses (e.g, banks) who provide critical access to the financial system forcing you, the consumer, to resolve disputes through their shadow justice system in which they pay the arbiters, which have a history of siding more frequently with the corporation.

So the "downside" is that they might ask for your help causing more problems for Chase in the future? I didn't click the link but now I'm going to go sign up!

An additional point on the logistics:

I don't have direct access to the fulfillment of this particular initiative, but in general we can take advantage of the efficiency of sending multiple legal notices in the same packet. So the cost per individual letter can be much less than one would assume.

> This site is about having enough potential clients are able to sue Chase at some point in the future

...that sounds good to me! I certainly don't have the resources to take Chase to court myself, and who knows, maybe the existence of this class-action-in-waiting will keep Chase from being as shady.

If they're going to sue Chase someday, more power to them.

That seems like a fair trade off.

Nonsense, their FAQ says:

"We’re a group of like-minded companies who like building things that help people. "

They're just doing this out of the goodness of their hearts!!!

Assuming that you're completely legit and utterly competent, there's still a big security problem here: it's encouraging people to put their PII and CC info into arbitrary Web sites.

On top of that, it's further identifying them as both Chase CC holders and receptive to scams, qualifying them as leads for further phishing/scamming.

Unfortunately this is the problem that Chase created ... we give users a way to download a form letter instead, but were just trying to make it as easy as possible for customers to opt out if they would like to do so

>we give users a way to download a form letter instead

But you don't just let them download it. You make them give you their email address first.

Edit: Haha! No wait, you have to click through two levels of "Don't want to give us your info? Click here to get the letter". The first one asks for you email, only after the second do you actually get the letter. Why? They already said "dont want to...". Just give it to them!

Edit2: Also the form letter, prepopulated with the Chase customer service P.O. box address, is another scam pitfall. Anyone using this kind of form letter should always check the address with the financial institution before sending any forms, especially that include PII/financial information.

> Haha! No wait, you have to click through two levels of "Don't want to give us your info? Click here to get the letter". The first one asks for you email, only after the second do you actually get the letter. Why? They already said "dont want to...". Just give it to them!

Yeah. That got me a bit irritated. Here's the form without having to give any info : https://www.chaseoptout.com/ChaseOptOut.pdf

> The first one asks for you email, only after the second do you actually get the letter.

They're pretty clearly trying to collect email addresses through this campaign. I'm okay with that. My email address isn't exactly private, and this site is going to pay to mail physical letters for me.

> Also the form letter, prepopulated with the Chase customer service P.O. box address, is another scam pitfall. Anyone using this kind of form letter should always check the address with the financial institution before sending any forms, especially that include PII/financial information.

Is the address fradulent? If so, please tell us. If not, I don’t see the concern.

>I don’t see the concern.

really? No concern downloading a form letter from some web site and mailing PII/account information to the address they provided? Call me paranoid, but that kind of behavior is just waiting to run into a scam.

My point was not about the address, it was about general wariness of scams. No different than always calling your financial institution using a valid/known number, rather than a number provided to you by a voicemail/email/letter.

You need to consider the two possible evils.

If I don't use this website, there is a 100% chance I will "agree" to binding arbitration. I know myself. There is absolutely no way I am going to print, fill out, and mail in a paper form.

Is this website a perfect solution? No, but I don't see a better option under the circumstances, and from what I can tell, the people running it are doing the right things within the confines of what is necessary for their solution to work.

If that's not the case, criticize away, and certainly let us know if you have a clear reason to believe this specific project is a scam. But keep the goal in mind. It certainly set off some alarm bells for me, but when I read through the site it all made sense.

I presume chaseoptout.com is not a scam.

Tomorrow, an enterprising scammer might clone the site to chaseoptoutservice.com, and do all the nefarious things mentioned above, and they'll be neck-and-neck in SEO.

I agree that's a big potential problem, but I don't know what to do about it.

If the response is to attack the legit version, then Chase wins! That's not an acceptable outcome either.

They could have raised awareness to the problem and provided detailed instructions on how anyone can go about resolving it, in a manner that's consistent with best practices of protecting yourself.

It's a false dichotomy to say its either this web site or Chase wins.

Promoting risky and insecure behavior is just wrong. period. That's independent of whatever Chase or any other company is putting in their agreements.

I think you'd be helping people far more by pointing out all the problems with this kind of website, so they can be aware of the risks and hopefully avoid scams, rather than getting them out of binding arbitration clauses.

> It's a false dichotomy to say its either this web site or Chase wins.

But it's not! No one is going to mail in a form. Chase specifically chose that go that route because they know nobody nobody is going to mail in a form. The only way to get around this is to make the process easier. How else do you do that?

It strikes me as a very shortsighted to say "this behavior is wrong in all circumstances, period," while ignoring the benefits. Everything in life is some kind of risk trade-off.

Edit: I suppose your larger point is, the potential harm of this project greatly outweighs any potential good. I can respect that, but I'd really encourage you to research how messed up binding arbitration agreements are, particularly with regards to institutions like a bank.

fair enough. You're putting more weight on the harm of arbitration agreements, whereas I'm putting more weight on the harm of identity theft and phishing/online scams.

I would say that more broadly speaking the harm of arbitration agreements is solvable in other ways, such as government or advocacy actions. I'm guessing that's what led to this letter/form in the first place: some regulator, or litigation resulted in Chase having to provide an "opt out", and they fulfilled their requirement by making it a mail-in form to discourage opt-out. If the harm persists then consumer advocates, elected representatives, and regulators can take another crack at it.

Educating people to be wary and careful with personal information is trickier. It's hard enough to spot a very well crafted spear-phishing attack, even when you know better and are generally vigilante. I don't know how else to deal with that except hyper-vigilance, and yes "this behavior is wrong in all circumstances, period," But again, I guess I'm weighing that risk higher than you are.

Perhaps a good way to deal with this would be to provide the address for convenience, but also include instructions for how someone could verify it for themselves. IE describe how to go to chase.com and look up the address. (Don't just provide a link to the address at chase.com, as that has the same problem as just providing the address.)

You're teaching users it's OK to give out their account information "sometimes". Which is much less secure than "never".

I give out my credit card number hundreds of times per year. Credit cards wouldn't be very useful if you never gave them out.

An ecommerce site has a merchant agreement with a payment processor to comply with PCI DSS. This does not. It is in no way similar.

FYI we are complying with PCI DSS when you use this site - you can read details in the FAQ

Do we have proof of that? I think the fact that we're taking your word for everything so far is the source of the discomfort here.

Sort of humorous comment, as PCI DSS is self assessment and attestation of compliance. If OP states they’ve met their burden, that’s all that’s required at their scale.

Really? I evidently know nothing of the matter, but you're saying that the auditors only get involved when they become a larger operation?

Yep. Card networks can also unilaterally decide your level.


Disclaimer: I work in governance/risk/compliance, but have not performed PCI compliance work in the last several years.

PCI DSS assessments are signed by natural persons, not arbitrary HTML content.

Natural persons who are rarely, if ever, pursued when breaches occur.

Anyone can make a FAQ on the web. Not everyone can prove compliance with PCI DSS.

The same could be said about any other online merchant...

It could but they should be able to provide an Attestation of Compliance. If they can't, then you can trust that they're PCI compliant.

I give out my credit card number hundreds of times per year to websites that I have not verified have a merchant agreement with a payment processor to comply with PCI DSS.

In terms of what users are taught (which is plainly the context of the comment you are replying to), this website is identical to ecommerce sites.

What about buying things? This is the same info that would go in an order form.

Chase didn’t set up a website asking for account numbers. So how did Chase create this problem? What exactly have they done wrong? If someone disagrees with the policy, they can opt-out, so what’s the problem that causes someone to need to give a bank account number to a random website? Why not just disclose in big letters what the site is all about: lead generation for a law firm? This isn’t some kind of “we like to help people,” project any more than ambulance chasers seek “justice.” There is a place for lawsuits certainly, but let’s not pretend this is about “helping,” it’s about lead generation.

Is the form letter generated on the client-side?

Collecting/storing credit card numbers, names, and addresses is creating a whole new problem for users.

Note that there is a PDF for those who don't want to enter their information: https://www.chaseoptout.com/ChaseOptOut.pdf

I don't see how that's relevant to what I said. The problem I was citing was the encouragement to put this info into a Web form on an arbitrary site. You should always be discouraging that.

Well you just print the form and mail it yourself. What's the issue? Seems relevant to me.

These people are doing A. A is bad and they should stop.

But they also do B!

Doesn’t matter. A is bad.

This is not constructive feedback; explain your solution and why you feel the trade-offs you prefer are better.

"And who even has stamps lying around anymore?"

People who order stamps online?

If the problem is writing the letter or stamps, then why not just send the user a postage-paid envelope, pre-addressed to Chase, with a generic letter that she can fill in with her personal information and deposit into the mail?

You should now be wondering how this "service" can be "free". As someone else has figured out, this is a company that wants lists of Chase customers to which they can market their consumer arbitration-related services.

This is interesting since the whole point of opting out here is that consumers want to avoid arbitration and reserve their rights to sue.

Other websites are offering a more sensible solution for those who cannot be bothered to write a letter: templates for a simple letter a customer can just print out, fill in her information, sign and mail.

Do you have a link? This is exactly what I want.

Same here.

If you expect customers to print out a template, obtain postage, and mail it, your expectations are too high.


For sure. If you don’t care, you don’t care. If you do care, you might use an online form but not print it out and mail it.

Everyone here fearmongering this site is the enemy of good enough. Your credit card information is no more at risk than at a gas pump that possibly has a skimmer (and you’re not liable). Your PII has already been leaked by Equifax. Why give up even more rights by not opting out through a service that has taken reasonable precautionary measures for data protection?

They offer a template as well

IANAL, so can someone help me understand how bullet proof their privacy policy is (https://www.chaseoptout.com/PrivacyPolicy.pdf)?

It seems to me that it's pretty flimsy? In particular:

> To conduct research and to improve and promote our services . We use the information wecollect to conduct research and to improve or enhance and promote our Services.

Both promotion and research are pretty damn broad terms, right?

Oh dang. So this whole thing is just a big data grab. Even if they aren't going to make fraudulent charges, that's a clear ulterior motive.

not at all! We explicity ask if you want to opt in to future communications on our form - we are NOT using them to communicate with users if they do not opt in.

It's entirely possible you have pure intentions, but I know nothing about (and therefore have no implicit trust in) your organization, so it would be a huge leap of faith for me to even consider putting this amount and degree of personal information into a random website.

The fact that your privacy policy's fine print allows you to use the information for something other than the express purpose at hand seriously undermines that, even if you have no actual intentions of doing anything shady.

Probably want to make the privacy policy more explicit and restrictive then.

Then give the user the letter up front instead of hiding it in small text. This site has NO written all over it!

sorry you feel that way? We did put a fair amount of effort (and are spending our own dollars to mail the letters) so I don't think we are doing anything too unreasonable

So if I was to opt-out of communications does that mean you'll never upload my email address to Facebook or Google for advertising in the future?

I think it's pretty clear that HMBradly/RADvocate is trying to get email addresses through this campaign.

Personally, I'm very much okay with the exchange in this case, particularly given the cost of mailing physical letters.

It's even worse than that. If they try to authenticate you on the phone. They'll suggest calling you back, and they don't know what phone number they'll be calling you from.

They literally ask for their customers to pick up the phone from unknown numbers and give your bank details.

How does this shit get thought up? Their security team was cool with this? Mind boggling

Yes but it’s your Chase account number. If it gets leaked through this service, Chase precipitated that leak through their unethical use of arbitration.

Idk but I only have Chase through Amazon. Chase might get effed, but my Amazon account will probably always be fine.

Under the "What is the actual language in the agreement sent by Chase?" FAQ item, it says --

"Can I (the customer) reject this agreement to arbitrate?

Yes. You have the right to reject this agreement to arbitrate if you notify us no later than 8/9/2019. You must do so in writing by stating that you reject this agreement to arbitrate and include your name, account number, address and personal signature. Your notice must be mailed to us at P.O. Box 15298, Wilmington, DE 19850-5298. Rejection notices sent to any other address, or sent by electronic mail or communicated orally, will not be accepted or effective." (emphasis mine)

How does this service handle the "personal signature" requirement?

We are relying on legal opinions that the site fully complies with the ESIGN Act. That act makes electronic signatures on par with physical signatures. (Disclosure = I'm not a lawyer) https://en.wikipedia.org/wiki/Electronic_Signatures_in_Globa...

Just a layman here but that seems like a misinterpretation of the statute? The idea of the statute seems to be that the government will not void, nullify, or refuse to enforce the terms of an electronic contract. It does not state that in any given contract, private parties must accept the terms signed in any form whatsoever -- that's still left as something for those people to agree on, and Chase very clearly spelled out that that's not valid for the contract. So the "reason" for the invalidity of a contract wouldn't be that it has an electronic signature, but that one of the parties simply didn't follow the terms it set for validity (whatever they were -- in this case, that they be personally signed, and mailed by the actual account holder). So I'm very curious how legal opinions interpret the statute otherwise, since I don't see any hint that it was intended to be interpreted as allowing one of the parties to change the signing terms to include electronic signatures.

Non-layman here, no it's not an misinterpretation of the statute.

It makes electronic signatures as good as regular ones in interstate commerce. Period. Full stop. Caselaw supports this in spades.

The only meaningful case otherwise is where statutes explicitly require in-writing signatures (a good example is copyright transfers).

There is an intra-state version of this is UETA.

Could I ask which part of this "case law supports in spades"? I imagine you're not claiming they have to accept emails (?) and otherwise I don't even see how you could e-sign this to begin with; you have to write the letter that ends up in their P.O. Box somehow, so you have to make the statement yourself and put your personal signature on paper (via ink or toner or otherwise is not the point) and mail it to them. But here you don't even write the letter or sign the letter yourself in any sense of the word. Like if a judge asked you "you need to have written and personally signed this letter for it to be valid; did you do that?" would you just give a straight unqualified "yes" and believe that would fly?

"Yes. I personally filled out an electronic signature for my intent to opt out, Your Honor."

"You did not answer my question" is what I would expect after that.

The answer to your question would be yes. Your electronic signature, printed out and transformed to a different medium, is still a valid signature.

The whole point of the act is to say that clicking a button on a computer to make a signature that is valid. That it later gets transmitted in some other form is irrelevant.

If i create and print out a docusigned document and mail it, it is still a personally written and signed document.

It is no different if I fill out a form that makes a document for me and click a button to sign it.

If this is confusing, answer my reply above and I'll try to start seeing where the confusion is

I'm trying to understand your argument and I guess I don't. So lets start simple so I can understand it better: Do you think a signature made by a human clicking a button on a computer and then printed out is an electronic signature or a physical non-electronic one?

In this case, "a physical non-electronic signature". I could also see it as "a physical copy of an electronic signature" depending on if it's used in circumstances where you're presenting it as merely a copy of the original (e.g. for documentation/records of your contract with that website), but that's not the case here. Either way I don't see it as "an electronic signature" as far as the agreement goes. If it's on paper it's very clearly not "in electronic form".

Actually it's just like how if you send someone a letter via USPS that you typed and printed from Gmail then you've sent them mail, or perhaps a physical copy of an email, but not "an email".

Okay, so you are confusing concepts like "what is a signature", "what is an original", and "what would a court accept as valid evidence".

We are going to mostly put aside the third for now.

First: A signature does not change form once created. A physically signed document is a physically signed document, regardless of whether i scan it in. An electronically signed document is electronically signed regardless of whether i print it. Period. The form does not change once created. Only it's originalness and acceptability as evidence.

So then what is electronic.

Second: Your definition of electronic is ... not encompassing enough. Let's go to the E-SIGN act:

"ELECTRONIC– The term 'electronic' means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities."

That's a lot.

"ELECTRONIC SIGNATURE– The term 'electronic signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

Note that because of the definition of electronic in the first part, the second is a lot broader than it looks despite it also being fairly expansive.

It only has to be associated with and then executed/adopted by a person with intent to sign a record. Note that it does not say electronic record (which the act defines) or electronic contract. Other parts of the act are restricted to electronic records/contracts, but given the duality, no court i'm aware of has read the limitation into this part of the act (the opposite is in fact true).

So what i gave you what a clear electronic signature. It was electronic process associated with a contract or record, executed by a person with intent to sign it.

It doesn't matter if it was later printed. The act itself will even support this.

Now we move on to what does the act say about such signatures or contract or ... ;


(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form;

(2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.


(g) Notarization and Acknowledgment.--If a statute, regulation, or other rule of law requires a signature or record relating to a transaction in or affecting interstate or foreign commerce to be notarized, acknowledged, verified, or made under oath, that requirement is satisfied if the electronic signature of the person authorized to perform those acts, together with all other information required to be included by other applicable statute, regulation, or rule of law, is attached to or logically associated with the signature or record.


(h) Electronic Agents.--A contract or other record relating to a transaction in or affecting interstate or foreign commerce may not be denied legal effect, validity, or enforceability solely because its formation, creation, or delivery involved the action of one or more electronic agents so long as the action of any such electronic agent is legally attributable to the person to be bound. "

Remember again our definition of electronic is very broad here.

The first says the signatures and contracts are valid even when they were in electronic form. That is again true even if i print it out and later mail it. You may run into the issue about what is acceptable evidence to a court for the document itself, but you will not run into the issue of "is the signature on this document, which was originally electronic, valid as a signature".

The second says that a contract (again, very broad definition, definitely includes letter like this one!) can't be denied validity just because you used an electronic record or signature in forming it.

The printing it out doesn't make it less of an electronic signature. The section on notarization makes this even more clear.

It doesn't even require an electronic record (as other parts of the statute explicitly do), it says you can electronically notarize a regular record, as long as you attach or associate it somehow.

Even further, e-sign destroys the argument that you didn't make the contract. It even allows me to use an electronic agent to make, form, and deliver contracts if i like, as long as it's attributable to me.

UETA is even more straightforward (though inapplicable in this particular case):

" (c) If a law requires a record to be in writing, an electronic record satisfies the law. (d) If a law requires a signature, an electronic signature satisfies the law. "

It even says email does not change form:

"“Electronic mail message” means an electronic message or computer file that is transmitted between two or more telecommunications devices; computers; computer networks, regardless of whether the network is a local, regional, or global network; or electronic devices capable of receiving electronic messages, regardless of whether the message is converted to hard copy format after receipt, viewed upon transmission, or stored for later retrieval."

Note the last sentence. There are lots of state court and federal court opinions on this.

Outside of other laws, etc, clicking a button on this form will be considered mailing a physical copy of an electronically generated signature.

I have some questions about this model. Big ask I know but I am wondering if you'd reach out to me to discuss your interpretation of it (contact info in profile). I think there are some missing pieces here, and I'd really like to discuss this issue in depth with someone who understands the tech and the law as I think there may be a startup in some other places this law is applicable.

Thank you a ton for taking the time to patiently explain all this. So here's where I'm currently stuck. Or actually, I'm stuck in a few places right now:

(1) This is less relevant to this particular debate, but it's highly relevant to the actual opt-out page. On the webpage, I don't see the word "sign" at all. I imagine merely filling in your name into that box and clicking "Submit" doesn't turn your name into your signature. In fact the page explicitly says "the information for the Chase account holder"... which need not be you, so it definitely can't account as the account holder's signature... right? So regardless of the electronic vs. paper issue we still seem to have a pretty fundamental problem that even this page hasn't been signed by the account owner in any shape or form.

(2) This is more specific to our discussion. So if there were a signature box on that form and you put your name in as your electronic signature, what exactly would you have electronically signed? I never (I think) said that you wouldn't have electronically signed anything at all, but rather, that what you signed electronically would not have been the agreement of interest, i.e. the one to be sent to Chase. Rather, as I see it, you would have signed something separate from that -- more like a contract (if it even counts as a contract... not sure how considerations play into this, given it's free) with whoever's running that website, to write your intended letter, put a copy of your signature on it, and basically impersonate you in sending this to Chase. Leaving aside the question of whether this is fraud (which is also something I've been pondering, since Chase would seem to think it came from you), that would mean you never signed that agreement at all. At best, I feel you could only try to argue you gave this site a power of attorney to represent you... not sure how valid a court would find that with the form currently as-is. So I'm still struggling to see how you could claim to have signed the agreement sent to Chase.

(3) The "electronic agent" thing seems like a red herring (I'm not sure why you brought it up) since it seems to refer the software, not the human on the other side.

(4) Is this really a question of whether the agreement is valid "solely because it is in electronic form"? In my view it's a question of whether it's valid "because its terms for it taking effect are followed". One of the terms was signing it in electronic form, but that's just (if you will) an implementation detail the way I see it. This may be my CS-y brain but the law sounds like it's intended to address governmental "discrimination" against electronic signatures (if you will), not private decisions on how to form valid agreements. It seems kind of like how, even though the law requires that a $100 bill be valid as legal tender for all private debts, no store owner is obligated to accept a $100 bill as a payment of $100 for goods you haven't officially bought yet.

You assumed that the process is done when you click that first Submit button, but it is not. There is an e-signing step that makes it clear what you are doing and what you are signing. [0]


I also did not realize this and it probably would have prevented me from posing the question in the first place. Seems like it would be clearer for the first button say "Click to sign" or something (other than "Submit").

Damn, yeah I had no clue. This makes a ton of difference. Thanks for letting me know!

I spent an afternoon looking into this a few weeks ago (I ran a mass opt-out campaign for Equifax a few years ago[1] and wanted to do it again for Chase) and I came to the exact same conclusion you did. I want to appreciate what’s going on here but at the same time it seems irresponsible to give people the impression that they have opted out when they haven’t.

[1] https://news.ycombinator.com/item?id=15207151

> the idea of the statute seems to be that the government will not void, nullify, or refuse to enforce the terms of an electronic contract

Unless Chase explicitly said wet signature, then a government court would find the electronic signature valid.

While I disagree on that point, what about the fact that the terms require you to mail it yourself.

Edit: Also, I'm not sure what "wet signature" means. The claim was not quite that the signature has to be in ink. The debate is over whether you (not someone else) are performing the signing, and whether you (not someone else) are mailing (not emailing etc.) it on paper (not e.g. a flash drive) or not. Which, to me, means you could sign on your computer/tablet/etc., then print that as your signature with a printer and then mail the form, with no ink involved anywhere in the process. That seems like a pretty reasonable interpretation of "personally signing" the letter and "mailing" it, so Chase would have a hard time arguing you didn't do that. But to type your name on a random website for someone else to print and mail the contract on your behalf? You neither personally signed that letter (whether on the computer or on the paper) nor did you mail it... all you did was casually tell some random guy on the internet to impersonate you to your financial institution.

Reading the above comment, where does it say it has to be personally mailed?

> Your notice must be mailed to us at P.O. Box 15298, Wilmington, DE 19850-5298.

That sounds like it has to be mailed, but who does the mailing doesn't matter. Similarly, wouldn't matter if you used the post or a courier.

I didn't mean "mail" as in "literally drop off the envelope in the post box", I just meant "mail" as in "write the letter to be mailed". And no, when I say "write" I don't mean it necessarily precludes voice recognition or whatever new counterexample you might be trying to think of now either.

Fair enough.

I'm not sure what that means though. If I printed off the form from the website would that count as me writing the letter to be mailed?

In any case, in the stuff quoted up top, I don't read this concept that it must be done personally. For example, it seems like it would be fine for my accountant to do it for me (though they may need me to sign it? maybe they can affix a seal or something)

There must be a way for a business to opt out of this clause, right?

Well I imagine the business case (if they even send the same kind of notification to businesses, which I don't know to be true or false) is easy since presumably the business's name is on the account and said business has someone authorized to take care of such paperwork, and I doubt the letter would (or should, for that matter) be accepted if it comes from someone else in the business. Presumably Chase could call back the business's legal department and ask if they weren't sure if it's valid? Dunno, but I don't see it as a very realistic question.

In terms of you as a consumer using the template they gave you, I mean, in principle I would assume it would count (you put your signature on it and mailed it; it clearly signals your own volition and intent to opt out), but I could see a judge saying no if Chase gave a convincing counterarguments why (e.g. hypothetically if Chase had a habit of getting a lot of legitimately fake opt-outs that they couldn't distinguish from yours, and if it would be obviously bad public policy to accept them, then yours probably shouldn't be valid either). Ultimately I'm not claiming gray areas are nonexistent...

I agree with you on the mailing part. Was just pointing out that a personal signature and electronic signature are identical unless specifically stated otherwise due to the E-Sign Act.

Re: that part: but you don't even have any way to sign this electronically to begin with. They did not provide you with an electronic form/page/whatever to sign, nor an electronic address to send your signature to. The contract required you to personally sign and mail a letter into that P.O. Box, and unless you plan on downloading your signature into that P.O. Box, you don't really have any other option besides paper (unless you get clever with papyrus or something I guess). No matter how I slice and dice it I don't see how the E-Sign act has any kind of relevance here... except perhaps for the part that if you keep a scanned copy of your letter for your records, that'd be considered just as valid of a record as a photocopy?

Edit: dumb question from me. I didn't follow the flow because I don't have a chase account, so I wasn't aware it was a multi-part form.

Original comment below:


I'm likewise not an attorney, but how hard would it be to do a simple "Type your name here to represent your signature" type of deal? This is the most common lay practice I've seen, with the more common CYA practice for electronic records being e.g. what Docusign or Adobe offer, or the use of cryptographic signatures.

If you fill in your info on the page and click the buttom, this happens as the final part of the flow before it submits.

"By checking this box, I certify that my account information is accurate and I want to e-sign and mail this document to chase to opt out of binding arbitration."

The document is not actually present.

Not a lawyer. I'll make sure we have a legal opinion addressing this if we don't already.

I wrote to Chase on their 'secure message portal', which feels like it is straight out of 1995. I told them I'm out of the country and cannot send mail.

I told them that I am rejecting the agreement to arbitrate. I also said that since their message portal feels official, this would be what I would use as proof of my opt out in court, if the need arises. I saved some screenshots as well.

They have updated me once already to say that they are still working on a response.

Can someone knowledgeable explain how a company can pick and chose was does and what doesn't constitute a binding agreement?

AFAIK in the Netherlands oral statements, when overheard by a witness, have the same legal standing as a signed contract.

It's called the "golden rule", they who have the gold make the rules.

OK, seriously, they don't technically get to decide what makes a binding agreement, a judge does that. But US law and US judges are very business-friendly. I mean there's the whole invented crime of "identity theft", whereby a bank who is defrauded by an individual gets to pass off their victimhood to a completely uninvolved third party.

I'm a US attorney but not in contracts. Contracts is a fairly complicated area of law, and the fundamental common law of Ks that you study in law school tends to be very different from how Ks work "on the ground." Most notably, statutes currently exist that change the way this common law operates in sometimes non-obvious ways. Standard disclaimer here that this is in no way to be construed as legal advice, this is not my area of expertise; take this as high-level background.

Essentially, under the common law here, all that a contract needs in order to be valid is three things: a valid offer, a valid acceptance, and valid "consideration," where consideration is a legal term of art referring to 'something of value' gained through the agreement.

The idea is that, there is no servitude. Companies can offer whatever terms they want (subject to a very few number of restrictions, dependent on the industry/regulatory domain). You are under no pressure to accept. You can easily reject the terms by simply not using the product. Courts have generally been reluctant to prevent parties from agreeing to whatever lawful thing they want to agree to. The main exception is that you cannot have contracts which serve 'an illegal end.'

In the US, there's no need for a contract to be written or overheard at all. There need be no written document, no witnesses, no record whatsoever. So long as there is a valid offer (obvious jokes are not held to be valid offers, for instance), valid acceptance (you generally need to affirmatively signal acceptance, but this need not be oral or even explicit), and valid consideration (really nothing more than a formality nowadays, this is why many deeds say "exchanged for consideration of $1"), the contract is valid, even if it only exists in the minds of the two parties.

Obviously, proving such a contract can be difficult, but it can be done, particularly if the parties were acting in accordance with the terms of the claimed contract. If we orally agree that you will start working on building a shed for me, you buy supplies and deliver them to the site, but then stop work, you can't claim the contract never existed, because you've acted in accordance with that oral contract.

In this area specifically, there's been some progress made in getting the courts to understand the enormous power differential at play here. You nearly can't survive in this country without at least one credit card, and if all the major companies' cards have terms like this, then you don't really actually have a choice in the matter. It's been a slow process however.

I just want to point out that, as a user, opting out of this portion of Chase's agreement could result in Chase deciding to close your account. Not advocating what course of action to take, but merely pointing out that there is risk associated with this action.

That being said, I have read through the email from Chase, and there is nothing that explicitly states that they will close it as a result of the user opting out of arbitration.

Does anyone have experience with similar situations with Chase or other banks and agreement opt-outs that they could share?

This is a reasonable consideration in my (non-legal) opinion. Chase has apparently come out and said they will not be closing accounts however: https://milestomemories.boardingarea.com/chase-says-they-wil...

I did contact chase on twitter about this and was told they would not close my account

If people didn't have enough reasons to close their Chase account already, this is a pretty good one.

I would actually like to see that service. A website that closes your bank account for you. They can be very tricky when you try to do that.

Maybe you should close your account if you feel threatened by behavior that could lead them to do so. Better cut ties immediately.

This is disgraceful behavior from a bank and they also made clear that they tend to close accounts for arbitrary reasons.

Yes, just to emphasize this post -- I have read elsewhere that your declining these terms could lead to your account(s) being closed immediately. What makes anyone think they wouldn't do that?

Disagreeing with the terms could close your account, but this section is severable (can be disagreed with separately).

Generally, opt-out is added to reduce the risk that courts will throw out the arbitration clause as unconscionable (unfair). Companies know that most people won't opt out, and any class action brought by somebody who opts out will only apply to other customers who opted out- cutting damages by 99%+.


I was surprised when I received the letter explaining this from Chase. I made a mental note to write them a letter and opt-out, which I had immediately forgotten about until now. Thanks to the creators of the site.

Thanks! We're hoping it helps a few people spur their memory and get this done! :)

Here from myradvocate.com, which is partnering on this project with Zach / HM Bradley. We're psyched for this to go live.

We track news about arbitration pretty closely, and I've been surprised and impressed by how much this Chase issue has "broken through." I no joke overheard a random convo about it on BART on Sunday.

Aside from the issue of trust, the site does a terrible job of explaining how bad arbitration is.

The arbiter is permitted the following: * To make an arbitrary judgement outside the scope of the agreement. * The arbiter is not required to follow any law but the arbitration act. They are permitted a manifest disregard for the law. * The arbiter is not required to be fair or impartial. They aren't a judge. * The arbiter may be blacklisted by companies if they rule against the corporation. The companies know who rules against them. * The arbitrations are secret. You may research how the arbiter acted in the past. The company knows, though. You just don't.

To engage in a corporate controlled mandatory binding arbitration is to leave the rule of law and enter into a dystopia where even the courts of law are privatized. Consumer protection laws? Gone. State consumer laws? Gone.

How secure is this website? What prevents a phishing site from pretending to be an opt-out site?

Hey there,

Maker of the site here! Our servers don't touch any of this data, it goes straight to Very Good Security and lives in a PCI compliant vault ... We ourselves are building a new kind of bank so we take security very seriously and are not phishing.

Happy to talk through in more details but the FAQs do a pretty good job of that too!

With a better understanding of how VGS works I really just fall back to my weakest link in the chain questions:

Does Lob hold any PCI level certifications? It appears they hold HIPAA but I see no mention of PCI?

Does Lob provide any interface that shows sent mail and the content (it appears they do)? If so and they don't hold any PCI certifications what benefit do we really have with ever getting a VGS token?

What stops you from scraping this data from Lob's API?


Original comment below.

I'm confused on how this data lands at Lob with an account number if you never get it.

Correct me if I'm wrong but the letter you send includes the account number and not the VGS token?

All of my following questions assumes an affirmative answer.

How is the account number landed in Lob? It appears something must be calling the Lob API with an unencrypted account number? What is making that call?

Does Lob hold any PCI level certifications? It appears they hold HIPAA but I see no mention of PCI?

Does Lob provide any interface that shows sent mail and the content? If so and they don't hold any PCI certifications what benefit do we really have with ever getting a VGS token?

So how do you send the mail if you never get the data?

As they mentioned checkout the FAQ where it outlines that process under the aptly named, "How does this site work?" and they also offer a template for you to mail yourself if your prefer.

We cannot send it if we do not get the data - the user would have to fill out the template and mail it themselves in that case

FYI - there is some duplicated content under the "How does this site work?" heading.

Thanks for catching that! fix should be pushed now!

Do you really want to give a site run by someone you don't know vital info and a account number. Probably legit but ...

totally fine if you don't! we also allow you to just download the form so you can fill it out and mail it yourself

You shouldn't even be collecting this info.

Perhaps they should discuss that in an FAQ, but let's face it, they are literally saying "We know you're out of the loop probably, and we know you are too lazy to write the letter yourself, so we'll do it for you".

Other than "user training", if it's legitimate, it is not unethical.

What did your legal counsel say about liability here? For example, what happens if a cardholder who used your opt-out service has a dispute with Chase, and Chase claims they did not receive the opt-out?

What has counsel advised about any risk of federal authorities investigating you as possible CC phishing operation (perhaps initiated by monitoring for bank-phishing-like domain name)? (Obviously you have some defense, but the best case might cost you money and misery.)

Also, do you expect to keep the domain name past an ICANN dispute?

I caught these assholes at Chase doing this and demanded a refund of fees, which of course they provided. They're just testing your resolve, every day:

"JPMorgan agreed to pay $110 million to settle a class-action lawsuit over its procedures for charging customers overdraft fees. It was among more than a dozen big banks sued by their customers for reordering debits from their accounts to maximize the possibility that the accounts would become overdrawn, which would generate more fees."

I think I'll just close my Chase credit card account.

Wait, you want me to put my credit card number and my personal info?

We also give you the ability to just download the form and mail it yourself!

Unfortunately Chase forces customers to mail a letter with this information on it so there's not much we can do

I wrote to Chase on their 'secure message portal', which feels like it is straight out of 1995. I told them I'm out of the country and cannot send mail.

I told them that I am rejecting the agreement to arbitrate. I also said that since their message portal feels official, this would be what I would use as proof of my opt out in court, if the need arises. I saved some screenshots as well.

They have updated me once already to say that they are still working on a response.

Awesome, seems like a great service. I myself don't think it'll be a good idea to give someone my credit card number.

In another comment you talked about starting another kind of bank? details?

We do link to our site on the top and I can talk about this ad nauseam but suffice it to say we have a plan to build an (actual) bank from the ground up and we're trying align our incentives with the customers by doing things like paying customers higher interest rates for saving more instead of spending more etc.

tbh I'm not trying to use this as a platform for advertising but I'm happy to chat if you want to email me. zach [at] hmbradley.com

> there's not much we can do

Open-source a script I can run locally to generate PDFs with the information your form uses.

Geez, or just send a letter.

I’d still have to mail the result. Might as well just use the paper form.

Is Chase's practice itself legal? Forcing mailing a physical letter that must contain a lot of personal identifying information...?

That's a really shady move and I'll take note to avoid any business with Chase in the future.

I know everyones talking about how sketchy the online forms are. But my question is what sketchy practices is Chase involved in that they need this to be part of their agreement. Secondly and its been noted here before why are such clauses even legal? I really hope we can take the concept to court and murder it completely.

> Secondly and its been noted here before why are such clauses even legal?

It's legal because of a staggeringly overbroad reading of the Federal Arbitration Act that the Supreme Court has said is fine and Congress has refused to reign in.

> I really hope we can take the concept to court and murder it completely.

Many will enter, zero will win. Virtually every attempt at limiting the Federal Arbitration Act's scope in legal proceedings has been turned down by the Supreme Court.

* https://en.wikipedia.org/wiki/AT%26T_Mobility_LLC_v._Concepc...

* https://www.scotusblog.com/case-files/cases/american-express...

* https://en.wikipedia.org/wiki/Epic_Systems_Corp._v._Lewis

* https://en.wikipedia.org/wiki/Preston_v._Ferrer

Link to the "full privacy policy" 404s, which is not a good thing, given you are asking people to enter their full names, addresses, CC numbers.

Hi, site creator here - link is here and is not 404'ing for me

https://www.chaseoptout.com/PrivacyPolicy.pdf - let me know if you mean something else?

Question: how do we prove in the court in the future that we've sent them the rejection letter?

We're getting tracking on all of the letters and will send that information with the emails as well! Sorry we did not make that more clear

Tracked mail would do, although it also means extra $$$

Certified mail with a return receipt

Sending certified mail only can prove that something was sent. Doesn't necessarily mean that the mail you sent contained an opt-out notice.

Isn't the likely outcome of opting out that Chase just closes your account?

So few will opt out, Chase will get what it wants: No customers can make a dispute with chase in a court of law. They cannot band together for gross abuse. They will have achieved removing courts of law from the equation and replacing them with secret privatized courts that do not have to have any regard for the rule of law.

They have said they will not: https://twitter.com/ChaseSupport/status/1135961244760977409

I've been party to some interesting convos about whether it would be legal for them to do so.

If so, that would be convenient. It would save having to arrange for it yourself.

Not if there is a critical mass of people opting out.

This is great!

What would be really cool is to see this extended to many types of opt-out-by-email things — I know it's a pretty widely-used dark pattern by e.g. newspapers and spam mail companies.

Wow, Chase is acting like they are a gym or something by requiring a snail-mail letter to opt-out.

One red flag for me is that for Chase, your Credit Card number is your account number. So we're going to give third parties our credit card number... That's safe.

I give third parties my credit card number a half-dozen times per day. It’s not secret.

Does this only apply to Chase credit cards? Or also to other Chase services?

It's mostly cards they changed TOS on but I'd have to advise you to check your emails to see if it applies to you

Can Chase take adverse actions against customers that opt out? For example, denying future account applications, closing existing accounts, exclusion from future promotions, etc.

It mentioned that the opt-out requires a specimen signature (from the FAQ as well What do I need to do to opt-out?). How would you be able to ensure that the opt-out process for the customer will be valid / accepted by Chase if there's no actual human signature?

From Chase's perspective, wouldn't they be asking for more details especially if their business hinges on retaining people into their business as much as they can?

Update: Additional wording

There are laws around what counts as a signature. A company doesn't really get to set that unilaterally: https://en.wikipedia.org/wiki/Electronic_Signatures_in_Globa...

Are you collecting email addresses of your future customers for marketing purposes ? Whats the guarantee that you don't mine the customer address information you collect for your new bank venture http://pdf.secdatabase.com/92/0001772417-19-000001.pdf

For those of you who do have stamps, the PDF version of the letter is here : https://www.chaseoptout.com/ChaseOptOut.pdf

Mailing address: Chase Customer Service P.O. Box 15298 Wilmington, DE 19850-5298

P.S. The website gave the info. Don't sue me :-)

Thanks, I'd been meaning to do this but couldn't be arsed.

This seems to be, at least in part, advertising for your bank. I clicked on it, but could get no real information about it. Would be curious for more info about it, as I'm generally tired of dealing with bad online presence.

Want to make the same thing for SoFi? They require the same within 60 days after opening and account: https://www.sofi.com/b/policy/arbitration

Any advantages or downsides to opting out of Chase’s arbitration if Chase sues you for credit non-payment? I read the sites FAQs (only mentioned class action and if one or more people sue Chase) and appears that situation is likely not relevant for this opt-out?

Cool service. A concern is that scammers can use variations of the domain (chaseoptout.co optoutchase.com etc) and use adwords to get on top of search results to trick people and steal personal identifying information if this thing gets popular enough.

Well, its the same concern with any eCommerce website that takes your CC, or really, just about any website that has a form input field. Few people in my office click on pretty much any link random people email them. I've even told friends/co-workers to reset their PW because they've been breached based on HIBP, but people never seem to care unless they personally get affected. I've given up..

I read somewhere that Chase will close out your account if you opt out. Is this true?

Yup, I just happened to notice this by chance when the email came. I was really surprised to see this. Fortunately, I do have stamps lying around, so I've already mailed out a letter rejecting the agreement to arbitrate.

I have a feeling that Chase will send a letter to the operator of this website using some excuse like unauthorized use of the Chase trademark or something.

Interesting point. Here from Radvocate (partner on this product). We currently help consumers take action under their contracts with 20+ wireless / cable / ISP brands. We are up and running fine.

Corporations do have a stake in contractual and legal systems continuing to function, as well as in not calling down negative news coverage on themselves.

Side note, arbitration is cheaper than litigating in court. The only thing opting out affords consumers is easier access to class action suits. If you think you might bring an individual claim against Chase, arbitration is cheaper and a more level playing field (no countersuit strategy) than state or federal court.

TL; DR arbitration is not the corporate-controller enigma many seem to think it is. You trade off real benefits by opting out of Chase's mutual binding arbitration terms.

Most people should opt out, but not everyone. (Nobody should opt out unthinkingly.)

Very nice! I was actually in the process of building the exact same thing but charging users for the cost of mail and server/API expenses.

I have nothing better to say than clever marketing for the two sponsors and nice website design.

Give a random website my name, address, email and account number?? Yes please!

They have a direct link to the letter here:


JCrew credit card requires a post card mailed to opt out of arbitration

HN title is contentless and doesn't even match the linked site.

Does this use Lob under the hood for print & mailing?

ps can’t click last button on iphone se via iOS hn app

Nice initiative, but who pays the bill, like the stamps etc?

We're covering that for now because we thought it was the right thing to do

That was easy. Thank you for creating this!


Snail Mail As A Service

From one media manipulator to another: when you pay the premium price for a long-standing hacker news account, it's usually more convincing to let people find the comment history for themselves.

We detached this subthread from https://news.ycombinator.com/item?id=20160672 and marked it off-topic.

Looks suspicious enough anyway if users check their history, considering that user posted for the first time in a year just to make that comment.

True. But they've never posted very frequently. So maybe this is just an important issue for them.

Also, are baseless allegations OK here?

This. I just don't post here frequently or check HN. Rest assured I am a real person.

I have mentioned my Twitter in previous comments (https://twitter.com/peterkimfrank) and you'll see my submission history maps pretty well to my role at my company (https://dev.to/peter).

This was a weird comment thread to wake up to...

Well, personally my guess is that it's actually a legitimate user since the username is based on their real name, and they've linked to their Twitter account in the past. It'd be pretty silly to sell an account so closely linked to your identity. Unless it was hacked and sold without the user's knowledge I guess.

Plus it'd be really stupid for the buyer to mention it. How about stopping this thread derailment?

Is it really that much of a premium price? I’ve found a few HN accounts with downvote privileges for sale for reasonable prices compared to what people usually spend on marketing.

Touché. If I need Hacker News "influencer" services going forward, I will turn to you.

Wait, just how what are points worth in an account resale? It can't possibly be worth it for first world adults to sell.

This sort of activity and behavior is common on sites like reddit. It's used by media companies and brands, especially as the reach is much bigger than HN comments.

Astroturfing is big business and can be very profitable. An account itself isn't worth much, it's the overall execution that matters.

I'd love to see HN or Reddit or someone work with the feds on how to investigate and prosecute astroturfing/sockpuppets/shilling, perhaps as unauthorized computer access and/or fraud.

Except it's not really unauthorized access if the owner of the account allows you to publish in his/her name, is it?

I suspect lawyers could figure out the ToS so that it is.

That wouldn’t be “criminal” — a TOS violation isn’t “prosecuted” as its civil. And, the aggrieved party would have to prove actual damages.

Unauthorized access in connection with fraud, for example. I'll let the lawyers figure it out, and I hope they do.

Astroturfing and shilling isn’t illegal. Unless an account was hacked, no crime has been committed. Even lying generally isn’t a crime. In terms of fraud, there has to be a determination of unlawful gain or to deprive a victim of a legal right. Astroturfing isn’t fraud, nor is shilling.

Which is why I said they'd have to work with the feds on how.

ok, so this is being provided by a new/competing bank and a marketing agency. What could possibly go wrong?

A quick read of privacy policy should dissuade anyone form putting information into this system.

A+ for guerilla marketing

F- for anything related to privacy, etc...

This seems sketchy as fuck - your website, I mean

Might as well leave a box for the SSN while you're at it

They also provide a form for you to mail yourself and looks like they are only asking for info that Chase requests (chase does not require a social so that wouldn't be on this =).

Again, I wish we did not have to do this but this is what Chase is forcing customers to do.

We also give customers a way to just download the form without giving us the info but then of course we can't mail it for them ... we were just trying to make this easier for customers to opt out with the shitty options we were given

Can you make the link for the download more obvious and less dark-pattern-y? I found it only after scouring the page (somehow the text under the form didn't catch my eye easily), and then it popped up a modal that unnecessarily asks for my email address. I closed it, annoyed, just barely noticing the small-font link to download without entering my email address.

If you actually care about privacy and claim to not be using or selling our information for anything, why don't you make it easier to avoid giving information entirely?

Having said that, thank you for creating this. I had left Chase's email about the terms change in my inbox, starred, so I'd remember to take care of this, but not having to formulate my own letter makes things so much easier.

>If you actually care about privacy and claim to not be using or selling our information for anything, why don't you make it easier to avoid giving information entirely?

Hmm, I don't see it that way. It seems like people are learning about the chase issue for the first time through this website. Ideally you'd have another website/article informing you about the issue, and then a link to this website for sending the letter. And so it would be weird to go to a website designed to send a letter, and be told that you can also not send the letter through the website...

Maybe an option would be a client-side only version of this form that onsubmit simply renders a PDF...then users could choose to mail or upload said PDF? (Double-sided for the address bit in a clear envelope window)

Good on you guys for making the thing and showing some effort, wasn't aware of their opt-out policy.

I mean, I believe this is well-intended but Chase is not forcing anyone to to enter their banking info into some random site on the internet. That's something you're asking and, at first glance, it seems completely bonkers.

Chase is not forcing their customers to give you their info.

There's often a sinister motivation for such goodwill. Most often than not.

Are you just going to discard all the data afterwards or is it just a ploy to build a mailing list for your bank?

I'm betting the latter. If you click on the HM Bradley logo it takes you to their homepage where it says that they're building a bank for the "next hundred years". I'll hand it to them, this is a pretty good way of collecting lots of email addresses.

Very suspicious. Why should I opt out? Why did some companies/individuals think this was worth spending time building and promoting this service and spending potentially millions of dollars in print & postage to mail letters?

Fact: If millions of people were to take us up on this, we (Radvocate and our friends at HM Bradley) would get tangible value from the publicity around it.

I'd love for us to have that problem.

As for whether you should opt out, I honestly don't know and that is your decision to make.

Applications are open for YC Winter 2021

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact