Online Payment Programs — Easy, Solid, Mundane — Carry Big Privacy Risks

By Peter A. McKay

Of all the things tech companies know about you, your spending habits are perhaps among the most sensitive — and the most overlooked by users.

Chalk the latter up to the Cambridge Analytica scandal in 2018, which has since thrown a bright spotlight on potential abuses of social-networking data in particular, with Facebook arguably taking the brunt of criticism for the entire technology industry.

By comparison, relatively little public discussion has taken place regarding the more mundane topic of payment data, especially on mobile devices, where two other tech giants dominate: Google and Apple Inc.

Industry experts say these companies’ built-in wireless payment systems on mobile, dubbed Apple Pay and Google Pay, unquestionably do a solid job of securing the strictly financial aspect of each transaction — the actual exchange of money.

But it’s much less clear what metadata they retain about where, when and what you buy — and what exactly they do with that information.

“Considering how much of our lives we spend on these devices, users should really educate themselves and ask a lot of questions about these new services and technologies,” Zavosh Zaboliyan, chief executive of Ekko Space, a Toronto consultancy, told Digital Privacy News. “We don’t want to repeat the same thing with payments that we saw in social media.”

To the extent that U.S. regulators have focused on big tech companies’ privacy practices in recent years, they have mostly focused on social data, including a landmark $5 billion fine of Facebook by the Federal Trade Commission last year because of Cambridge Analytica.

In some cases, more traditional financial institutions have also come under scrutiny, as when the FTC fined the Equifax Inc. credit bureau up to $700 million for a 2017 breach that involved 147 million Americans’ personal information.

FTC’s Warning

By comparison, issues related to payment data that’s held by Big Tech companies, not Wall Street firms, have gotten less attention of late.

However, the FTC did document some concerns about mobile payments in the relatively early days of that technology’s evolution.

In 2013, the agency issued a staff report on such payments’ rising popularity, including potential privacy pitfalls.

In its report, the FTC noted:

“In addition to the banks, merchants, and payment card networks present in traditional payment systems, mobile payments often involve new actors such as operating system manufacturers, hardware manufacturers, mobile phone carriers, application developers, and coupon and loyalty program administrators.

“When a consumer makes a mobile payment, any or all of these parties may have access to more detailed data about a consumer and the consumer’s purchasing habits as compared to data collected when making a traditional payment.”

While the commission’s language was even-handed, it’s notable that Apple and Google combine the various roles within the mobile ecosystem that the FTC described in a way that is unparalleled and growing.

Each company makes a mobile operating system, hardware and applications — in addition to being a merchant itself. And Google is sometimes a telecom carrier as well through its Google Fi and Google Fiber programs. 

The Bitcoin Dilemma

For now, some industry insiders believe the most promising threat to tech giants’ hoarding of mobile payment data may be the open blockchain networks on which cryptocurrencies trade.

The global market cap of cryptoassets now stands at almost $260 billion, about two-thirds of which is represented by the popular bitcoin token alone, according to the market data site CoinMarketCap.

However, wider use of blockchain may carry privacy pros and cons of its own, depending upon how exactly the technology is implemented and delivered to new users.

For instance, even some blockchain fans are wary of several national governments’ recent plans to implement “official” crypto tokens, with China notably in the lead. 

Alex Gladstein, chief strategy officer for the Human Rights Foundation, often advocates bitcoin as a useful tool to support democracy and privacy.

But he’s concerned that the particular implementation of a new “digital yuan” that China is planning may produce the opposite, creating a new venue for the Chinese Communist Party to surveil citizens.

Writing for Bitcoin Magazine in November, Gladstein said: “They want to ride the hype of a new technology, and use it as lipstick for a panoptical pig.”

— Peter A. McKay

Working With Algorithms

It remains unclear whether or how the companies co-mingle payment metadata with other information they collect through those multiple channels to create fuller profiles of users along the lines of practices that have come to light in social media.

In part, that stems from the lack of transparency about not just the raw data stored by companies, but also the algorithms they use to dynamically parse relationships and draw inferences among specific datapoints on each user.

Such algorithms are tightly guarded as “secret sauce” by tech companies and add programmatic power to their data-collection that is unparalleled by companies outside the industry.

The algorithms, when applied to deep troves of data across multiple services, are why online ads sometimes seem to “creepily” anticipate needs a user hasn’t explicitly mentioned, for instance.

But experts say it’s not entirely clear how payments information, in particular, fits into that literal and figurative equation.

“We don’t know, for instance, if Facebook cross references your dating information with your shopping information,” Zaboliyan told Digital Privacy News. “They treat that as their proprietary information.

“Same with Google on the data it collects,” he added. “Same with Apple and Microsoft.

“Same with all the companies.”

Peter A. McKay is a technology writer and consultant in Florida.
