
Leaked Document Shows How Big Companies Buy Credit Card Data On Millions of Americans (vice.com) 29

An anonymous reader quotes a report from Motherboard: Yodlee, the largest financial data broker in the U.S., sells data pulled from the bank and credit card transactions of tens of millions of Americans to investment and research firms, detailing where and when people shopped and how much they spent. The company claims that the data is anonymous, but a confidential Yodlee document obtained by Motherboard indicates individual users could be unmasked. The findings come as multiple Senators have urged the Federal Trade Commission (FTC) to investigate Envestnet, which owns Yodlee, for selling Americans' transaction information without their knowledge or consent, potentially violating the law.

The Yodlee document describes in detail what type of data its clients gain access to, how the company manages that data across its infrastructure, and the specific measures Yodlee takes to try and anonymize its dataset. The transaction data itself comes from banks, credit card companies, and apps that Yodlee works with, including Bank of America, Citigroup, and HSBC, according to previous reporting from The Wall Street Journal. According to the 2019 document Motherboard obtained, the data includes a unique identifier given to the bank or credit card holder who made the purchase; the amount spent for the transaction; the date of the sale; the city, state, and zip code of the business the person bought from, and other pieces of metadata. Once logged into Yodlee's server, clients download the data as a large text file, rather than interacting with the data in a dashboard or interface that stays solely within Yodlee's control, according to the document.
Yodlee does remove personal identifiable information (PII), such as names, email addresses, account numbers, SSNs, and phone numbers, but it "does not remove spatio-temporal traces of people that can be used to connect back the data to them," says Vivek Singh, assistant professor at Rutgers University. As Motherboard notes, "spatio-temporal traces are the various pieces of metadata that the document shows are included with the transaction -- the date, the merchant, the physical location of the sale, and more."

"If an attacker can get hold of the spatio-temporal coordinates for just three to four randomly picked transactions in the dataset, then the attacker can unmask the person with a very high probability. With this unmasking, the attacker would have access to all the other transactions made by that individual," Singh said.
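
The re-identification risk described in the summary can be measured on a de-identified export before it is released, by computing its unicity: the share of k-point samples that match exactly one person's trace. This is an added example, not code from the Motherboard report or the Yodlee document; the row layout, the `exact` and `coarse` point functions and the sample rows are constructed assumptions.

```python
import random
from collections import defaultdict

# Constructed sample export: (pseudonymous_id, sale_date, merchant_zip, amount).
ROWS = [
    ("u1", "2019-03-01", "07102", 12.50), ("u1", "2019-03-02", "07103", 40.00),
    ("u2", "2019-03-02", "07103", 8.75),  ("u2", "2019-03-05", "07105", 19.99),
    ("u3", "2019-03-05", "07105", 61.20), ("u3", "2019-03-01", "07102", 5.00),
]

def exact(row):
    """Spatio-temporal point as released: full date plus merchant zip."""
    return (row[1], row[2])

def coarse(row):
    """Generalized point: month plus 3-digit zip prefix."""
    return (row[1][:7], row[2][:3])

def build_traces(rows, point):
    """Map each pseudonymous id to the set of points in its transactions."""
    traces = defaultdict(set)
    for row in rows:
        traces[row[0]].add(point(row))
    return traces

def unicity(rows, k, point=exact, trials=20, seed=0):
    """Fraction of sampled k-point subsets that match exactly one trace."""
    rng = random.Random(seed)
    traces = build_traces(rows, point)
    unique = total = 0
    for trace in traces.values():
        pts = sorted(trace)
        for _ in range(trials):
            # Draw k points from this trace (fewer if the trace is shorter).
            sample = set(rng.sample(pts, min(k, len(pts))))
            matches = sum(1 for other in traces.values() if sample <= other)
            unique += matches == 1
            total += 1
    return unique / total if total else 0.0

if __name__ == "__main__":
    for k in (1, 2):
        print(k, unicity(ROWS, k), unicity(ROWS, k, point=coarse))
```

A unicity near 1.0 at small k means removing names and account numbers has not anonymized the export; generalizing dates and locations lowers it at the cost of data utility.
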
This discussion has been archived. No new comments can be posted.

  • I keep trying to tell people you are not as isolated as you think and you cannot avoid giving companies you hate money by directly avoiding them. We are so connected and information driven all the big companies sell and buy information about you whether you have graced their establishment or not.

    It's hilarious that I got down voted into oblivion telling people this in the past and there is at least 1 article a month proving me right in some form or fashion.

    • Due to some brick-and-mortar stores I used to do business with having gone the way of the dinosaurs I'm forced to buy things online, which I really really hate because of the issues you mention, but for years now I have paid cash for everything I buy in person that I possibly can (which is just about everything), so I at least have some of my privacy preserved. It may not be much but it's something.

      Inevitably now will come the FUD jackasses claiming that the cameras that are everywhere are tracking my mo
      • Well cameras may not be tracking you, but your mobile phone is.

        • (here we go with THIS shit again)
          The GPS is physically disabled on my $40 plastic clamshell phone and IDGAF about cell tower tracking.
        • Well cameras may not be tracking you, but your mobile phone is.

          Nope. I only turn it on when I need to make a call, which is not very often. It is not a smart phone either, and it's ancient.

    • 100% correct. I have been saying that as well and the naive people here also downmod. You are being tracked everywhere. Every transaction you make. How much you make. A profile is built. This has been going on for decades. There are many companies who do this. I really don't understand how people DON'T understand this. What do you think companies like Acxiom do?

      • I have been saying that as well and the naive people here also downmod.

        We downmod it, probably as redundant, because we have heard it a thousand times before and we understand it full well. You are preaching to the converted here - why not preach it instead on Facebook or somewhere like that where people are ignorant. Stop insulting us by telling us what we already know in a tone as if it is breaking news.

        To hear about new, or newly uncovered, particular instances of it is interesting though.

    • I keep trying to tell people .... you cannot avoid giving companies you hate money by directly avoiding them. .... whether you have graced their establishment or not. It's hilarious that I got down voted into oblivion telling people this in the past and there is at least 1 article a month proving me right in some form or fashion.

      I expect you got voted down because people know it already a thousand times over, but you are acting as if you have only just found this out yourself. You see only one article about this per month!? Are you in a cave or something?

  • I don't even bother reading about it anymore.

    I has a sad :(
  • Another /. user mentioned this the other day and it is something I have been saying for a while myself. We as individuals need total control of our data, as it affects us personally in a daily lives -knowingly or not. The data obtained can stop you from doing all manner of things from buying goods or services up to mortgages. Taking control as an individual with copyright of personal data means one can fight the dogs at their own game. We all need to rally up support in designing ICF on a global scale and t
    • in *our daily
    • by hey! ( 33014 ) on Wednesday February 19, 2020 @09:16PM (#59745378) Homepage Journal

      And here's the problem with that: copyright is alienable. You can give permission to use it in ways you don't understand (you do read the fine print on all TOSs you sign, right?). You can even sell it so it doesn't belong to you any longer.

      The loss of privacy and personal autonomy isn't like theft, where you can compensate people and make them whole. It's more like chopping off someone's leg. You can never get things back the way they were.

    • It isn't your data. The company is collecting it, not you. It is theirs. You would have a hard time asking for copyright on data you don't even collect. But go on kids, mod me down because you don't like to hear it.

      • By that logic you'd own the copyright to the movies you shot through the hole in the women's locker room because "you collected the images"

      • Although I agree in the sense that data is intangible and in no way should impact me personally, but the real truth of the matter is that it is a copy/sub-set of me and in today's world can hurt me personally, and therefore IS my data. In many cases data is obtained without any consent/permission or knowledge. It is a dangerous field and will get much worse before you realize and cry with the wagon, by then it will be too little too late. Data thieves have long since crossed the stalking threshold with
  • Moneyspire.... (Score:5, Informative)

    by FrankSchwab ( 675585 ) on Wednesday February 19, 2020 @09:25PM (#59745402) Journal

    Looking for a new money management package, I stumbled across Moneyspire who touts the privacy and security of your data - stays on your computer, they don't have access to it, yadda yadda. Unless you look in their privacy policy, where they note that "Moneyspire uses Yodlee as a provider for downloading transactions from financial institutions". Sent a query to customer support, and got back a comment to the effect of "Show us where Yodlee sells your information". When I posted the relevant sections of the Yodlee privacy policy, and that their website touts selling user information collected from bank and credit card records, support stopped responding to me.

    No real point here; I just wish that I had some control over my own information. Sure, I didn't sign up with Moneyspire, but I figure that Visa and Mastercard or my bank are selling all this information anyway. I guess Cash it is - except every store now has cameras to "protect them from robbery" that can be used with facial recognition to identify me. Double sigh.

    • by DogDude ( 805747 )
      Nobody is using facial recognition in retail stores. It doesn't work well, it's expensive, and what's the point?
    • Looking for a new money management package, I stumbled across Moneyspire who touts the privacy and security of your data - stays on your computer, they don't have access to it, yadda yadda. Unless you look in their privacy policy, where they note that "Moneyspire uses Yodlee as a provider for downloading transactions from financial institutions".

      You should check out Moneydance. It's cross-platform (Linux, Mac, Windows -- though potentially others since it's pure Java) and downloads from your banks directly instead of going through Yodlee. It also has an API for writing extensions and a pretty good suite of extensions, nearly all of which are open source. You can set a password which it uses to derive an encryption key to encrypt your files (the approach is inherently brute-forceable, but that's okay if you use a passphrase with sufficient entrop

  • by thesjaakspoiler ( 4782965 ) on Wednesday February 19, 2020 @09:25PM (#59745406)

    oh nohs! Which malicious investment firm is now coming after me trying to monetize on that information!

  • Every retailer has access to this info through their merchant provider. And now that it's card + phones, you can literally track anybody anywhere, anytime, for only a few bucks a month.
  • Omg Tesla blew through a stop sign that kids had removed!

  • This is nonsense. Only the Borg can track you by using spatio-temporal coordinates.
