The spy in your wallet: Credit cards have a privacy problem
I recently used my credit card to buy a banana. Then I tried to figure out how my credit card let companies buy me.
You might think my 29-cent swipe at Target would be just between me and my bank. Heavens, no. My banana generated data that's likely worth more than it is. It ended up with marketers, Target, Amazon, Google and hedge funds, to name a few.
Oh, the places a banana will go in the sprawling card-data economy. Despite a federal privacy law covering cards, I found six types of businesses could mine and share elements of my purchase, multiplied untold times by other companies they might have passed it to. Credit cards are a spy in your wallet -- and it's time we add privacy, alongside rewards and rates, to how we evaluate them.
Apple, branching out from gadgets, just began offering a needed alternative. The new Apple Card's best attribute is privacy (though the fashion faux pas of its white titanium has gotten more attention). Apple limits bank partner Goldman Sachs from selling or sharing your data with marketers. But the Apple Card, which runs on the MasterCard network, doesn't introduce much new technology to protect you from a lot of other hands grabbing at the till.
With my banana test -- two bananas, one purchased with the popular Chase Amazon Prime Rewards Visa and the other with Apple's MasterCard -- I hoped to uncover the secret life of my credit card data. But in this murky industry, I was only partly successful. Unlike my other recent technology experiments, such as watching what my iPhone does while I sleep, I couldn't hack into cards to follow the data.
Instead, I asked insiders and privacy advocates to help identify the types of companies that had given themselves access to my swipe for purposes unrelated to payment and preventing fraud. "Where does it end? Nobody really knows," says Ted Rossman, an analyst at comparison site CreditCards.com.
I pored over these companies' privacy policies. Then I asked more than two dozen to get specific about what they actually do with our transactions. What data are they sharing, and with whom?
Some didn't answer. Others sent me to a Bermuda Triangle of legalese where few straight answers escaped alive. In 2019, it's hard to trust companies that don't think they owe us clarity about data.
What I learned: The card data business is booming for advertisers, for aiding investors and for helping retailers and banks encourage more spending. And there are many ways a card swipe can be exploited that don't always require a transaction being "sold" or "shared" in a way that fully identifies you. Data can be aggregated, anonymized, hashed or pseudonymized (given a new name), or used to target you without ever technically changing hands.
What's the harm? We're legally protected from fraudulent charges and unfair lending practices. But spending patterns can reveal lots -- possibly enough to blackmail you. Any time data passes to new hands, there's another chance it could get stolen. (Witness: Equifax.)
And card data surely helps businesses, but can put consumers at a relative disadvantage. "The more they know they know about you, the more opportunities there are for manipulation," says Chris Hoofnagle, a law and information professor at the University of California, Berkeley. Data can be used to model behaviors, like figuring out exactly how many price hikes or awful experiences customers will put up with before bolting.
People can have different views on whether it's worth exchanging data for airline miles or cash back. But how are we supposed to make informed decisions when we don't know where our data is going?
So who all can track, mine or share your transactions? Where does the Apple Card help? Let's unravel the six kinds of companies that sold me out. It's bananas.
1. The bank
When I swiped my cards, of course my banks received data. What's surprising is who they can share it with. My data helped identify me to Chase's marketing partners, who send me junk mail. Some even got fed to retail giant Amazon, because it co-branded my card.
Banks have long been required to report suspicious transactions to the government. But the 1999 Gramm-Leach-Bliley Act also allows banks to share personally identifiable data with companies. They just have to send a privacy notice, and give you the right to opt out. (More on opting out below.)
When I used my Visa, Chase's privacy statement reserves the right to share my data for seven different kinds of reasons. The most appalling category is: "For nonaffiliated to market to you." Who are "nonaffiliated?" Whoever the bank darn well wants. The term just means a company not owned by Chase.
Chase would not tell me the specific data it shared from my card or the companies it shared it with. Instead, spokeswoman Patricia Wexler listed kinds of data Chase doesn't share -- including "personalized transaction level data." But that leaves room for lots of uses. Chase, for example, opts us in to receiving offers from partner companies based on our spending habits.
This is where the Apple Card is different. In the Goldman Sachs privacy statement, its answers to most kinds of sharing is "no." Goldman still shares information to credit agencies about whether you pay your bills. But it says it doesn't feed transactions to marketers or a sister company that mines card data.
Co-branded card partners get a piece of the action, too. Of course Amazon receives data when you buy things on Amazon with its card. What about other purchases? Chase says it shares information with co-brand partners "at a high level only -- not specific details around which merchant, and not specific items purchased," but Wexler declined to be specific. Amazon also wouldn't say exactly what it receives. (Amazon CEO Jeff Bezos owns The Washington Post.)
As a co-branded partner, Apple says it can't access data about your transactions outside of Apple. The details of your purchases, visible in the Wallet app, are encrypted so Apple can't see them.
2. The card network
This is where Apple's advantage starts to fade. Once my banana purchase passed to card networks run by Visa and MasterCard, either might have shared them -- in an anonymized form -- with businesses ranging from tourism bureaus to Google.
The networks, whose main business is connecting banks, have side gigs in aggregating purchases and selling them as "data insights." Visa said it allows clients to see data on populations as small as 50 people, often tied to groups in ZIP codes. MasterCard wouldn't disclose its minimum group size.
One MasterCard program particularly irks privacy advocates. Bloomberg has reported that data from millions of MasterCards -- now likely including Apple Cards -- ends up helping Google track retail sales. Data goes into a double-blind system that lets the Web giant link ads people have seen back to purchases they've made in the real world. A person familiar with the matter, who wasn't authorized to speak about it, confirmed the deal to me.
The firms wouldn't acknowledge the specific program, but emphasize MasterCard scrubs identifiable information. MasterCard spokesman Jim Issokson says, "MasterCard is not sharing any data or insights for ad measurement purposes to any of the tech giants." Google spokeswoman Anaik von der Weid says, "We have developed advanced, privacy protective technology in this area, precisely to avoid the sharing of personal information."
3. The store
To Target, my credit card acted as a kind of ID -- each swipe helps build a "guest profile" about me. That's useful for learning my habits, targeting me with ads on Facebook and sharing information about me with others. It made no difference whether I paid with the Chase Visa or Apple Card.
Who are these companies: Marketers? Data brokers? Other retailers? Target spokeswoman Jenna Reck wouldn't say.
What specifically does Target share? That "varies," Reck says, but adds "we provide aggregated, de-identified information whenever possible," she says.
4. Point-of-sale systems and retailer banks
The tech that helps stores track us often comes from card-swipe machines and the merchant banks that process transactions for them. Those firms gain access to your name, card number and other details, and often reserve rights to share data in some form. What are they doing with it?
This is where my data trail gets particularly murky. Target wouldn't say who its so-called acquiring bank is or what restrictions it places on it.
Target also wouldn't say what data restrictions it puts on the company that makes its swipe terminals, VeriFone. That company didn't answer my emails.
An experience you might have had at a coffee shop shows what's possible. Ever swipe your card and the terminal already knows the phone number or email to send a receipt? That's because the system has linked your card to a profile -- and you've volunteered those details before.
Square, one maker of those systems, says it does not "sell" that data. But it does pass emails or phone numbers we enter for receipts back to merchants. And it shares aggregated data about purchases with organizations including trade groups.
5. Mobile wallets
I paid for my bananas with physical cards, but smartphone-payment systems introduce even more hands on transactions. Apps can access and store not only what you buy, but also where you go.
Google Pay for Android stores transactions in your Google account. Google says it doesn't allow advertisers to target you based on that data. But Google Pay's default privacy settings, which you can adjust, grant it rights to use your personal information to allow Google companies to market to you.
The Samsung Pay app has details from your last 20 transactions, though the company says the information isn't stored on its servers. The app also delivers location-based promotions.
Apple says it doesn't retain transaction information "that can be tied back to you" when you use Apple Pay.
6. Financial apps
Many free financial services are actually after your data. Intuit's Mint, which lets you track all your accounts in one place, uses your data to market to you in its app. Financial software maker Yodlee sells de-identified data from customers to market research firms, retailers and investors.
Your email might also be a mole. Any time you receive a receipt in Gmail, Google adds to it to a purchases database. Google says it doesn't use the contents of Gmail to target ads, but that leaves open other uses.
7. Opting out
If you care about privacy, there are steps you can take to better protect your life as a consumer -- but it's patchwork.
Perhaps it goes without saying, but you could pay with cash. That won't help if you swipe a loyalty card ... or once businesses start using facial recognition.
I plan to continue using the Apple Card, even though its rewards aren't as good as other cards. Its contracts with Goldman protect you from some bank surveillance capitalism. Apple Card also doesn't work with nosy apps like Mint -- you have to access your account details through the app on your iPhone.
But I'm disappointed Apple didn't build new kinds of privacy technology to help counteract all the other categories of companies using each swipe. For example, the card offered by a startup called Privacy uses a different number for each (online only) transaction so you can't be as easily tracked.
By law, credit card companies give us ways to opt out of some of their data sharing, though sharing with other financial institutions and joint-marketing partners is usually exempt. Chase and American Express have online forms you can fill out. To opt out with Citibank you have to call 888-214-0017; for Discover call 800-225-5202.
Through online forms, you can also opt out of the data-sharing programs with Visa and MasterCard. (Anyone with an Apple Card will need to do this to bolster their privacy.)
Even some stores offer an out. Target says customers can call 800-440-0680 and ask to be removed from having personal information shared for marketing.
Many of these companies say giving us these "choices" is sufficient. That's nonsense. With data, the devil is in the defaults -- companies know a vanishingly small number of people will ever adjust settings. And how can we exercise a choice if we don't even know what's happening with our data?
The recent headlines about Facebook and Equifax opened a lot more eyes to how privacy impacts our lives in unforeseen ways. Other businesses should take that as a warning: Data is the new corporate social responsibility.
If a company wants our trust, it's no longer good enough to say "we care about your privacy," and point to some legalese. It's time to come clean.