Leaked Document Shows How Big Companies Buy Credit Card Data On Millions of Americans (vice.com) 29
An anonymous reader quotes a report from Motherboard: Yodlee, the largest financial data broker in the U.S., sells data pulled from the bank and credit card transactions of tens of millions of Americans to investment and research firms, detailing where and when people shopped and how much they spent. The company claims that the data is anonymous, but a confidential Yodlee document obtained by Motherboard indicates individual users could be unmasked. The findings come as multiple Senators have urged the Federal Trade Commission (FTC) to investigate Envestnet, which owns Yodlee, for selling Americans' transaction information without their knowledge or consent, potentially violating the law.
The Yodlee document describes in detail what type of data its clients gain access to, how the company manages that data across its infrastructure, and the specific measures Yodlee takes to try and anonymize its dataset. The transaction data itself comes from banks, credit card companies, and apps that Yodlee works with, including Bank of America, Citigroup, and HSBC, according to previous reporting from The Wall Street Journal. According to the 2019 document Motherboard obtained, the data includes a unique identifier given to the bank or credit card holder who made the purchase; the amount spent for the transaction; the date of the sale; the city, state, and zip code of the business the person bought from, and other pieces of metadata. Once logged into Yodlee's server, clients download the data as a large text file, rather than interacting with the data in a dashboard or interface that stays solely within Yodlee's control, according to the document. Yodlee does remove personal identifiable information (PII), such as names, email addresses, account numbers, SSNs, and phone numbers, but it "does not remove spatio-temporal traces of people that can be used to connect back the data to them," says Vivek Singh, assistant professor at Rutgers University. As Motherboard notes, "spatio-temporal traces are the various pieces of metadata that the document shows are included with the transaction -- the date, the merchant, the physical location of the sale, and more."
"If an attacker can get hold of the spatio-temporal coordinates for just three to four randomly picked transactions in the dataset, then the attacker can unmask the person with a very high probability. With this unmasking, the attacker would have access to all the other transactions made by that individual," Singh said.
Same as Google (Score:2)
I keep trying to tell people you are not as isolated as you think and you cannot avoid giving companies you hate money by directly avoiding them. We are so connected and information driven all the big companies sell and buy information about you whether you have graced their establishment or not.
It's hilarious that I got down voted into oblivion telling people this in the past and there is at least 1 article a month proving me right in some form or fashion.
Re: (Score:2)
Inevitably now will come the FUD jackasses claiming that the cameras that are everywhere are tracking my mo
Re: (Score:1)
Well cameras may not be tracking you, but your mobile phone is.
Re: (Score:2)
The GPS is physically disabled on my $40 plastic clamshell phone and IDGAF about cell tower tracking.
Re: (Score:2)
Well cameras may not be tracking you, but your mobile phone is.
Nope. I only turn it on when I need to make a call, which is not very often. It is not a smart phone either, and it's ancient.
Re: (Score:1)
100% correct. I have been saying that as well and the naive people here also downmod. You are being tracked everywhere. Every transaction you make. How much you make. A profile is built. This has been going on for decades. There are many companies who do this. I really don't understand how people DON'T understand this. What do you think companies like Acxiom do?
Re: (Score:2)
I have been saying that as well and the naive people here also downmod.
We downmod it, probably as redundant, because we have heard it a thousand times before and we understand it full well. You are preaching to the converted here - why not preach it instead on Facebook or somewhere like that where people are ignorant. Stop insulting us by telling us what we already know in a tone as if it is breaking news.
To hear about new, or newly uncovered, particular instances of it is interesting though.
Re: (Score:2)
I keep trying to tell people .... you cannot avoid giving companies you hate money by directly avoiding them. .... whether you have graced their establishment or not. It's hilarious that I got down voted into oblivion telling people this in the past and there is at least 1 article a month proving me right in some form or fashion.
I expect you got voted down because people know it already a thousand times over, but you are acting as if you have only just found this out yourself. You see only one article about this per month!? Are you in a cave or something?
This is so much the norm (Score:2)
I has a sad
Individual Copyright Freedom (Score:2)
Re: (Score:1)
Re:Individual Copyright Freedom (Score:4, Interesting)
And here's the problem with that: copyright is alienable. You can give permission to use it in ways you don't understand (you do read the fine print on all TOSs you sign, right?). You can even sell it so it doesn't belong to you any longer.
The loss of privacy and personal autonomy isn't like theft, where you can compensate people and make them whole. It's more like chopping off someone's leg. You can never get things back the way they were.
Re: (Score:2)
It isn't your data. The company is collecting it, not you. It is theirs. You would have a hard time asking for copyright on data you don't even collect. But go on kids, mod me down because you don't like to hear it.
Re: (Score:2)
By that logic you'd own the copyright to the movies you shot through the hole in the women's locker room because "you collected the images"
Re: (Score:1)
Moneyspire.... (Score:5, Informative)
Looking for a new money management package, I stumbled across Moneyspire who touts the privacy and security of your data - stays on your computer, they don't have access to it, yadda yadda. Unless you look in their privacy policy, where they note that "Moneyspire uses Yodlee as a provider for downloading transactions from financial institutions". Sent a query to customer support, and got back a comment to the effect of "Show us where Yodlee sells your information". When I posted the relevant sections of the Yodlee privacy policy, and that their website touts selling user information collected from bank and credit card records, support stopped responding to me.
No real point here; I just wish that I had some control over my own information. Sure, I didn't sign up with Moneyspire, but I figure that Visa and Mastercard or my bank are selling all this information anyway. I guess Cash it is - except every store now has cameras to "protect them from robbery" that can be used with facial recognition to identify me. Double sigh.
Re: (Score:2)
Facial recognition in retail stores (Score:2)
A pilot program is already underway in a shopping mall in Stockholm, Sweden (link to Swedish Broadcasting's home page, Swedish only: https://sverigesradio.se/avsni... [sverigesradio.se]).
Re: (Score:2)
My local convenience store is, or at least claims to be.
I hit them with a GDPR request. Deadline is next month, will be interesting to see what they have.
Re: (Score:2)
Looking for a new money management package, I stumbled across Moneyspire who touts the privacy and security of your data - stays on your computer, they don't have access to it, yadda yadda. Unless you look in their privacy policy, where they note that "Moneyspire uses Yodlee as a provider for downloading transactions from financial institutions".
You should check out Moneydance. It's cross-platform (Linux, Mac, Windows -- though potentially others since it's pure Java) and downloads from your banks directly instead of going through Yodlee. It also has an API for writing extensions and a pretty good suite of extensions, nearly all of which are open source. You can set a password which it uses to derive an encryption key to encrypt your files (the approach is inherently brute-forceable, but that's okay if you use a passphrase with sufficient entrop
My Purnhub payments ..... (Score:3)
oh nohs! Which malicious investment firm is now coming after me trying to monetize on that information!
Every retailer has access (Score:2)
Please (Score:2)
Omg Tesla blew through a stop sign that kids had removed!
Re: (Score:2)
Omg Tesla blew through a stop sign that kids had removed!
Those tricky researchers can also trick you into posting into the wrong thread. LMFTFY
Omg kids that remove stop signs can also figure out I own a Tesla by my card transactions!
There we go, back on topic. Quick fix: Pay for your Tesla with a bag o' cash from the bank.
Just make sure you're not stopped by the cops on the way there [wikipedia.org].
Sorry... (Score:1)