The 600+ Companies PayPal Shares Your Data With (schneier.com)

AmiMoJo shares a report from Schneier on Security: One of the effects of GDPR -- the new EU General Data Protection Regulation -- is that we're all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, that just released a list of over 600 companies they share customer data with. Here's a good visualization of that data. Is 600 companies unusual? Is it more than average? Less? We'll soon know.
  • by Anonymous Coward

    This looks alarmist, but really the only surprising thing is that the number of companies they partner with under marketing is almost the same as the number they partner with for anti-fraud.

    Despite that, one legal link.

  • Not that shocking (Score:5, Informative)

    by JaredOfEuropa ( 526365 ) on Friday March 16, 2018 @04:56AM (#56268313) Journal
    A good many of these seem legit: companies to which PayPal has outsourced work, or partners such as banks, which all form an integral part of PayPal's actual operation. The shady ones are the companies listed under "marketing and communications". But all in all there aren't many shocking revelations in there. The sheer number seems high until you look at the list, and realise that this is what comes with running a global service.

    What we see there in some cases is that "shared data" also includes data collected by embedded crap from 3rd parties such as Facebook (which pretty much every site has these days). "Advertising ID and device ID to segment user groups based on app behaviour, encrypted e-mail address associated with PayPal users (without indicating account relationship), IP Address, Anonymous ID generated by cookies, pixel tags or similar technologies embedded in webpages, ads and emails delivered to users. Mobile advertiser ID, IP Address and other metadata via Facebook SDK in mobile apps." Yeah, just about what we expected, and it's good that they actually include this sort of stuff on the list.

    Here's an odd entry: Carrenza Limited (UK) | To hose a marketing database | Name, address, email address, business name, domain name, account status, account preferences, type and nature of the PayPal services offered or used, and relevant transaction information. I just wish that wasn't a typo...
    • by Anonymous Coward on Friday March 16, 2018 @05:23AM (#56268381)

      e.g. pull one from the list at random: Global Data Consortium.

      "To verify identity and carry out checks for the prevention and detection of crime including fraud and/or money laundering; research and testing as to appropriateness of new products"

      There's the cover (fraud prevention) and the catchall "research and testing" which covers any reason at all.

      GDC sell data, they buy it from "Data Partners" and resell it. They phrase it real nice here:

      "We invest in our data partners, establishing deep relationships with them and providing them with technology to make their information available on our platform. We give them access to a broader market through our MARKETING AND DISTRIBUTION programs, PAYING FAIR ROYALTIES that reflect the value of their services."

      i.e. they are a data broker that pays Paypal royalties for selling your data to others. A conduit rather than an endpoint. And Paypal use the catchall phrase to cover bulk sales of all data.

      • It's something of an oversight for the GDPR not to require that you list all endpoints. I can imagine PayPal 'fixing' this problem by sharing data only with PayPal US Incorporated, a company based in the USA that has no dealings with any EU company other than PayPal, and then sells on all of the data that PayPal sells to them.
        • Under the GDPR as well as the DPA (in the USA), the data controller (the entity collecting the data) remains responsible for what happens to the data. Data processors (3rd parties, in your example PayPal US) are very limited in what they can do with personal data they received from data controllers. Under the DPA for instance, they can only pass that data on to others (4th parties?) 1) with the data subject's explicit permission (not just given in ToS), or 2) under specific provisions set down in the law.
    • Re:Not that shocking (Score:5, Interesting)

      by houghi ( 78078 ) on Friday March 16, 2018 @06:49AM (#56268519)

      I work in the financial industry in Brussels, Belgium and we do not share customer information with banks or anybody else.

      e.g. you go into a store and open a credit to buy a TV. The person working for Seller will put in the data on our platform. No sharing of personal data is going on.

      With another partner, we had to make a secondary company where we BOTH were partners, just so we could share the data.

      The third parties we work together with will get very limited data. Basically just a name, address and phone number and they better not do anything else with it, or else. Yes, that is marketing.

      Sharing it with 600 companies? Seems extremely high to me. Especially for a financial company. What they need to share is very well regulated up to the wazoo. Stricter regulations are coming (I believe in May) and they will overturn the current Belgian law and turn it into a European law.

      Seriously, 600 is a shitload. We deal with plenty more companies and we have about 4 we share data with and that is strictly regulated.

      • by Anonymous Coward on Friday March 16, 2018 @08:05AM (#56268669)

        "Sharing" is a friendly gesture and a positive thing. This is neither friendly nor positive -- it's an act of pure greed. What these companies are doing is selling your personal data, not "sharing" it.

      • Not at all the same business or scale, by the sound of it. Even so, aren't you sharing data with a lot more companies? For instance, if you collect monthly fees from customers by direct debit, you are sharing personal data with their banks.
      • by gaspyy ( 514539 )

        The third parties we work together with will get very limited data. Basically just a name, address and phone number

        This is considered personal information, and under GDPR PayPal has to disclose it.

    • by AmiMoJo ( 196126 )

      It's interesting because we can potentially build up a map of these business relationships and see how they abuse our data to profile us, and because it will make tracking down the source of leaks easier. When one of these companies gets hit with a leak we can see all the upstream victims who shared data with them.

      It's also a handy map of easy pickings for hackers looking to nab some PayPal data. Most of these companies that work is outsourced to have crap security.

      • by adosch ( 1397357 )

        Absolutely. I think this is going to be the classic phrase with a twist of you _now_ know what you _didn't_ know vs you _don't_ know what you _don't_ know and I think it's going to hit that home run a lot of people need to think about: are these free services where we-are-the-customer worth it?

        We loosely throw around the idea that we, as consumers, all know our 'data' is 'shared', but to what level and to whom? There's going to be a small movement of douche-bags who are going to manufacture being 'offended

      • There are 600 companies, each of whom can have a tasty snack of your data. Each of these companies has only the strictest security. I'm sure NO one could do proxy queries, because all 600 have the best security ever!

        No, there can't be a nearly exponential number of hack possibilities with 600 partners. No factorial representation of port open across so many different jurisdictions.

        I'm just positive it's as tight as a drum. Has to be, eh?
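As an added illustration of the mapping idea in AmiMoJo's comment above (and of the marketing-versus-anti-fraud tally in the first comment), here is a small data-flow inventory in Python. It is not code from this thread, from Slashdot or from PayPal; the organisations, purposes and data categories in it are constructed sample values. Each row records who sent what to whom and why; the graph then answers the questions a third-party-risk reviewer asks: which upstream parties must be notified when a given recipient is breached, which onward endpoints a list of direct partners hides, which recipients act as conduits that pass data on again, and how transfers split by purpose.

```python
"""Personal-data transfer inventory for third-party risk review.

Added example with constructed data: the companies, purposes and
categories below are hypothetical and are not taken from PayPal's list.
"""
from collections import Counter, defaultdict, deque

# (controller, recipient, purpose, data categories) -- all constructed
SAMPLE_FLOWS = [
    ("ExamplePay", "FraudCheck Ltd", "fraud prevention", {"name", "address", "ip"}),
    ("ExamplePay", "AdNet Inc", "marketing", {"email_hash", "device_id"}),
    ("ExamplePay", "Hosting Co", "operations", {"name", "email"}),
    ("ExampleBank", "FraudCheck Ltd", "fraud prevention", {"name", "account_no"}),
    ("FraudCheck Ltd", "DataBroker Corp", "research and testing", {"name", "address"}),
    ("DataBroker Corp", "PeopleSearch LLC", "resale", {"name", "address"}),
]


class DataFlowGraph:
    """Directed graph of personal-data transfers between organisations."""

    def __init__(self, flows):
        self.out = defaultdict(list)  # controller -> [(recipient, purpose, categories)]
        self.inc = defaultdict(list)  # recipient  -> [(controller, purpose, categories)]
        for src, dst, purpose, cats in flows:
            self.out[src].append((dst, purpose, frozenset(cats)))
            self.inc[dst].append((src, purpose, frozenset(cats)))

    @staticmethod
    def _walk(start, edges):
        # Breadth-first transitive closure over one edge direction.
        seen, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            for nxt, _, _ in edges.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def upstream(self, recipient):
        """Every organisation whose subjects' data may sit at `recipient`:
        the parties to notify when `recipient` suffers a breach."""
        return self._walk(recipient, self.inc)

    def downstream(self, controller):
        """Every organisation a subject's data can reach from `controller`,
        following onward transfers that a list of direct recipients hides."""
        return self._walk(controller, self.out)

    def conduits(self):
        """Recipients that pass received data on again (brokers, resellers)."""
        return {n for n, edges in self.inc.items() if edges and self.out.get(n)}

    def held_at(self, recipient):
        """Union of categories sent to `recipient`: worst-case exposure of a breach there."""
        return set().union(*(cats for _, _, cats in self.inc.get(recipient, ())))

    def purpose_counts(self):
        """Number of transfers per stated purpose (marketing vs fraud prevention, etc.)."""
        return Counter(p for edges in self.out.values() for _, p, _ in edges)


if __name__ == "__main__":
    g = DataFlowGraph(SAMPLE_FLOWS)
    breached = "PeopleSearch LLC"
    print("upstream of", breached, "->", sorted(g.upstream(breached)))
    print("downstream of ExamplePay ->", sorted(g.downstream("ExamplePay")))
    print("conduits ->", sorted(g.conduits()))
    print("held at FraudCheck Ltd ->", sorted(g.held_at("FraudCheck Ltd")))
    print("transfers by purpose ->", dict(g.purpose_counts()))
```

The inventory only needs the fields a GDPR-style disclosure list already provides (recipient, purpose, categories), so the same structure can be loaded from a published list once the onward transfers that the commenters complain about are recorded as edges of their own.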

  • by Anonymous Coward

    They give literally everything to everyone for every reason. Mostly the reason seems to be money, there are a lot of data brokers on that list.

    This "To verify identity and carry out checks for the prevention and detection of crime including fraud and/or money laundering. RESEARCH AND TESTING as to appropriateness of new products"
    Research and testing is literally any cover reason for getting the data.

    The list of companies are largely data brokers, some for marketing some for intelligence gathering, some gove

  • Now we know where these online data aggregators get their information from. They have startling amounts of information about people. It makes stalking a breeze. Before, you'd have to go to the local court and attempt to social engineer a clerk. Now it's just a Google query.

  • back when they first started. They were such assholes that I've only used them once or twice since. And even then, it was only their credit card processing service that I used, and only because I really, really wanted to donate money and that was the only way to do it. In the meantime there have been lots of musical artists, software authors, etc. that I wanted to give some money to - but not badly enough to suck it up and support a company that I'd like to see die. As for making purchases, if PayPal is the

  • by Anonymous Coward

    LinkedIn recently started sharing their "private" data with public records databases such as Intelius. (https://en.wikipedia.org/wiki/Intelius)

  • I don't have much respect for people who sell their dignity for a few seconds of convenience. If you use PayPal, or Amazon or Google or Facebook or Apple, you're a sucker, plain and simple.
    • I don't have much respect for people who sell their dignity for a few seconds of convenience. If you use PayPal, or Amazon or Google or Facebook or Apple, you're a sucker, plain and simple.

      Or visa... or mastercard... or discovery... or American express... or shop at any store online... or visit any website... or have an ISP... or have a mobile phone provider... or have a bank account... or...

      The problem is, it's not just one or two stores. It's not just one or two institutions. They're ALL collecting data on you. They're ALL sharing information about you. You don't use Google or Facebook... do you think that means they don't have copious data about you? They do.

      You could limit who you do

      • by DogDude ( 805747 )
        No, not all. You can shop locally and use cash. It works fine. I think that you may mean to say that it's *convenient* for you to do business with all of these soul-sucking shit companies, and less convenient to do business with respectable companies. They're not "ALL" doing this. Just the ones that you see as most convenient.
