Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy

Square Sells Access To Your Inbox. No One Seems To Know If the Law Cares. (protocol.com) 46

An anonymous reader shares a report: I wanted to know how all these merchants had gotten my professional contact info. What I discovered was both unsurprising in today's world of relentless online marketing and aggressive consumer data sharing, and also a bit disquieting. It also had less to do with these small shops than I might have expected: Square's parent company, Block, was selling access to customers' inboxes, even if all we do is elect to receive a receipt from a single transaction (more on that below). Privacy experts said selling marketing information in this way clearly falls short of best privacy practices. And while it doesn't appear to violate data protection laws, the practice is walking a fine line.

"They're trying to solve for a lot of different nuances whilst trying to serve their objective and their merchant objective, which is keeping as many people opted in as possible," said Sucharita Kodali, a vice president and retail analyst at Forrester. Experts also told Protocol the situation seems to highlight how Block, as well as other payment processors and fintech platforms, operate in a bit of a privacy gray zone. Sometimes that gray zone leaves no one in charge of consumers' data rights, and sometimes it means the companies, deep within their terms of service, have legal loopholes that give them room to use our information in ways we might not expect.

This discussion has been archived. No new comments can be posted.

Square Sells Access To Your Inbox. No One Seems To Know If the Law Cares.

Comments Filter:
  • by Fly Swatter ( 30498 ) on Wednesday October 26, 2022 @09:10AM (#62999301) Homepage
    Generally does not mean what you think it means. Only I can access my inbox, as far as I know.
    • Re: (Score:2, Informative)

      by udittmer ( 89588 )

      The way I read it is that Square maintains an inbox for its users (possibly simply for email forwarding) where it receives confirmation emails from all the businesses where you pay with it. So it would have quite a good idea of where you shop, what for, and for how much money.

    • by tsqr ( 808554 ) on Wednesday October 26, 2022 @10:03AM (#62999443)

      Only I can access my inbox, as far as I know.

      Anyone who has your email address has write access to your email inbox. This is why, when I need a receipt, I ask for a printed one.

      • by dbialac ( 320955 )
        Yep. I used to work for an email marketing firm. I know what happens behind the scene, so I don't hand out my email address. It frustrates merchants, doctors, etc. but they were the ones who signed up for these 3rd party record managers, not me.
        • I don't even care about spam anymore, now that gmail handles it so well. I just unsubscribe from any legit mailings I don't want, and let the report spam button take care of the rest. I'm rarely if ever interrupted by unwanted email junk anymore.

    • Generally does not mean what you think it means. Only I can access my inbox, as far as I know.

      I dunno if they do it any more, but when I was invited to join LinkdIn, they asked me for my email password. They mined people's address books and spammed the bejabbers out of everyone in it.

      I respectfully declined.

      • I respectfully declined.

        Why "respectfully?" Anybody who thinks it's OK to harvest their member's email passwords like that doesn't deserve respect. At the very least, my response would be, "Not only no, HELL NO! "
        • I respectfully declined. Why "respectfully?" Anybody who thinks it's OK to harvest their member's email passwords like that doesn't deserve respect. At the very least, my response would be, "Not only no, HELL NO! "

          Well, I did tell them their practice was completely against my employer's TOS, and I could be fired. But I didn't tell them to go screw themselves.

  • I've seen a spike this last week or two in people harvesting my info from Linkedin and calling and e-mailing me at work, followed by them sending me contact requests on LinkedIn. I say spike because I hadn't seen but 2 or 3 in the last year, now I'm getting 2 to 3 a week.
    • by ahodgson ( 74077 )

      They don't even need to harvest LinkedIn. There are third-party aggregators who do it, compile a nice company directory, and then sell it to marketers and other scum (including phishers).

  • by TheNameOfNick ( 7286618 ) on Wednesday October 26, 2022 @09:41AM (#62999389)

    Be obnoxious to them, every single time you receive spam through them. Call them. Ask inane questions through their web page contact form. Ask them to make small changes to your contact information. Mention that they spammed you, but only after you've taken a couple of minutes of their time. Do it every single time.

    • by tsqr ( 808554 ) on Wednesday October 26, 2022 @10:08AM (#62999453)

      Be obnoxious to them, every single time you receive spam through them. Call them. Ask inane questions through their web page contact form. Ask them to make small changes to your contact information. Mention that they spammed you, but only after you've taken a couple of minutes of their time. Do it every single time.

      The only effect this strategy will have will be to waste your time. Well, maybe you'll get some gratification in the process, but you're kidding yourself if you think it will change their behavior.

      • Reporting spammers to their isp can occasionally get them shut down. It's rare, but feels damn good.
      • Spammers rely on your inactivity. Spam is profitable because the cost to the spammer is negligible. If people stop being passive about it, at least the otherwise legitimate businesses which can't play the whack-a-mole disappearing game every once in a while will have to stop spamming. This isn't a solution for all spam, but divide and conquer.

        • by tsqr ( 808554 )

          Spammers rely on your inactivity. Spam is profitable because the cost to the spammer is negligible. If people stop being passive about it, at least the otherwise legitimate businesses which can't play the whack-a-mole disappearing game every once in a while will have to stop spamming. This isn't a solution for all spam, but divide and conquer.

          The only thing spammers rely on is the probability that a tiny percentage of their recipients will be gullible enough to click on their links. Do you seriously believe that they read and respond to input on a web page, assuming that they even have one? The overwhelming majority of spammers are NOT legitimate businesses, unless you consider an outfit offering "Cheap V!agra and Ci@lis!!!" to be legitimate.

          I receive quite a bit of unsolicited marketing email messages at work, mostly from IT companies that assu

          • Profit is a two-variable entity. You can try to reduce spam-driven revenue, but that depends on the gullible people who respond to spam. If you're not one of those, you have scant influence on revenue. The other variable is cost, and you can influence that, by taking up some resources. You don't do it by responding to the spam email. You contact them through means that waste their time. You call them. You open a support ticket.

            • by tsqr ( 808554 )

              Hey, you do you. Personally, I value my own time more than the time of someone at a company hawking products I have no use for.

              Every minute I spend wasting someone else's time is a minute of my time that I'll never get back, and the best result I can hope for by doing that is that they might eventually drop my address from their mailing lists. I doubt it, though -- it's probably cheaper for them to deal with your attempts to annoy them than it is to pay their email marketing service purge addresses from the

    • Most likely Square is the one sending the message on their behalf.

      So if you don't like it, you could just unsubscribe (or if you never subscribed to Square, mark the message as spam) and be done with it.

      • Square sells the email addresses directly to their customers. I know this because The Organic Coup in San Francisco got my email address from Square years ago. They claimed I must have entered it on their kiosk, yet at the time Organic Coup had an employee working the kiosk, you couldn't interact with it at all - but I had used the same card with Square at another merchant and entered my email address to receive the receipt.

        Square at the time claimed they didn't give out customer email addresses, but Organi
    • Nah, stop spending money at places that use Square. Tell the vendor about your experience with Square and that you cannot support Square. Tell the vendor that you'd like to support them but you cannot because of Square. These privacy violations need to hit Square where it hurts, right in the income. If enough people skip vendors using Square then they'll go under or start acting right.

      No more Square for me.

    • I cannot tell you how many times the automated spam systems I've attempted to screw with forward my call to...exactly nothing. It's often a machine running without a head.
  • by RogueWarrior65 ( 678876 ) on Wednesday October 26, 2022 @09:42AM (#62999391)

    This is a company that decides on its own whether or not to allow certain businesses access to financial services. Such practices are evil in general and it speaks to the disturbing trend of elected government abdicating its authority and responsibility to govern while allowing unelected bureaucrats and individual businesses to do its dirty work.

  • If that's not criminal, it ought to be. In the EU, at least it would violate the GDPR.

    If you are paying at a merchant, you may think to check the T&C of the merchant. Literally no one is going to think to check on the payment service. They have zero business selling your data. Even in the US I would assume that financial data (which this is) would be subject to some protections.

    Jail a few CxOs and this crap will stop.

  • I need to remember to keep a few Hide my Emails handy for the next Square transaction. Get the receipt, shutoff the email, done.
  • Here we are... (Score:4, Informative)

    by jpellino ( 202698 ) on Wednesday October 26, 2022 @10:17AM (#62999497)

    Buy a stick of gum with a retail account, and the opt-out universe manifests... you will get an email detailing the purchase, then one offering a coupon on your next stick of gum, then one asking how your in-store experience is, another asking to rate the gum, another asking to subscribe and like to the gum company's facebook, instagram, twitter feed, tiktok, linkedin, indeed, yelp, foursquare, and tripadvisor pages, endless suggestions to join everything from the Gummo Marx fan club to the sustainable chicle growers collective, and then weeks later out of nowhere another series of emails offering curated tours of the great candy stores of the world... and I wish I were making *all* of this up. Know how you'll know if you did a good job? I'll buy more gum and you'll see that in your daily drawer. Also, get off my lawn.

  • Lets make a law. I shouldn't have to give away my email address every time I make a purchase.
    • But you don't. You can choose not use Square's service. Don't blame (lack of) regulation when the sheep are not showing any signs of giving a fuck.
      • I can't, I don't have a choice, if I want to purchase something with a credit card there is no way for me to opt out. I don't think you use cash for all your transactions, don't ask me to use cash. And over the internet transactions can't use cash. Square get's your email from merchants and there is no way to opt out.
        • You're not required to provide your email address for Square transactions. These are usually point-of-sale where you're interacting with a kiosk and swiping/tapping/dipping your card. Email and phone number ("for receipt"/really so they can sell it) are optional.
  • Are there for this. Fastmail calls them masked emails. If you use one per company, then you know which ass-hat sold your data if something unrequested drops in your inbox. I find this better than the '+' extension for example with Gmail, which many sites refuse, whether because they don't understand the address spec or because they know people are using the + to track down spam.
  • The states antispam law makes this explicitly illegal.

  • Last time I worked with electronic payments on non-retail systems (i.e. if you bought something from our website), I think they all provided you with some information about the customer's identity, and it always included an email address. I don't mean to imply it should be abused as a marketing contact, but I can see how some personalities might see it differently and get in trouble.

    It's hard to believe Square is unique here, other than the fact that they sell the info to the vendor, rather than the vendor

  • I wonder how this works with California law, which requires that merchants do not keep credit card info after purchases.

    I realized years ago that giving Square my email address after a purchase might result in Square selling data about me, so I just decline the receipt.

  • The free services make it easy to create a spam email address to pass out, complete with +potentialspammer extension so you know who gave out your email. I've signed up with plenty of things with bogus addresses, birthdates, etc.
    • Because providing my email address to the vendor (and Square in the process) means that I can get their in-store rewards, no email no in-store rewards. In the case I'm thinking of, those rewards can be worth $50/year or more to me and I would still shop there anyway.

      • Because providing my email address to the vendor (and Square in the process) means that I can get their in-store rewards, no email no in-store rewards. In the case I'm thinking of, those rewards can be worth $50/year or more to me and I would still shop there anyway.

        However, that does not require your real email. I use my burner email for that or the + modifier depending on the case.

        • I like the vendor and don't care if they have my real email. Completely not obvious that Block takes advantage there. I use burners or individual/specific email addresses for things but didn't in this case as I trust the vendor.

          • I like the vendor and don't care if they have my real email. Completely not obvious that Block takes advantage there. I use burners or individual/specific email addresses for things but didn't in this case as I trust the vendor.

            I agree with you there. I use my real address, often with the + modifier, for vendors I trust. The + makes it easier to sort my mail to submailboxes; in the burner email it tells me who sold my address.

  • but instead "sells your email address".

    Please try harder, slashdot editors.

    PS: Have you missed me? I haven't commented for long!

Ummm, well, OK. The network's the network, the computer's the computer. Sorry for the confusion. -- Sun Microsystems

Working...