The 600+ Companies PayPal Shares Your Data With

One of the effects of GDPR -- the new EU General Data Protection Regulation -- is that we're all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, which just released a list of over 600 companies it shares customer data with. Here's a good visualization of that data.

Is 600 companies unusual? Is it more than average? Less? We'll soon know.

Posted on March 14, 2018 at 6:24 AM • 39 Comments

Comments

Barnaby • March 14, 2018 6:47 AM

Do we have more information on what "shares your data with" means? I assume that all six hundred institutions are not notified about every transaction by every customer, but some subset of relevant partners are given the described information. But I wouldn't bet the farm on it.

JG4 • March 14, 2018 6:53 AM

https://www.nakedcapitalism.com/2018/03/best-buys-bait-switch-returns-policy-reveals-yet-creepy-consumer-monitoring.html

https://www.nakedcapitalism.com/2018/03/links-3-14-18.html
...
Big Brother is Watching You Watch

AMD allegedly has its own Spectre-like security flaws CNET. Richard Smith:

Seems quite a bit worse than Spectre & Meltdown actually:

Assessment by my favourite gung-ho short seller.

AMD – The Obituary

Me, I think AMD’s TBTF, but I’m willing to learn.
...

Drone • March 14, 2018 6:58 AM

I HATE PayPal sooooo much. They treat me like a criminal even though I've never done anything wrong. After almost 15 years of using PayPal wherever I go, a year or so ago suddenly PayPal made it impossible for me to use or log in to my PayPal account if I am traveling outside the USA. A VPN worked, but not reliably and often not at all. Plus being forced to use a VPN is a risk as well, one forced on me by PayPal. PayPal will not budge on this, they insist on Geo-Jailing me because I travel globally.

We need a viable COMPETITOR to PayPal. Why isn't that happening?

de la Boetie • March 14, 2018 7:33 AM

Paypal has been dreadful - even by the standards of the industry - in providing anything decent in the way of strong two-factor authentication - despite being founder members of Fido. Their offerings are either SMS or the obsolete VIP proprietary key.

Symptomatic, I guess, of account holders being the product, not the customer.

T H • March 14, 2018 8:35 AM

@JG4

AMD is fine. All those flaws are over-hyped and need already game-over prerequisites:

1) MASTERKEY: "Exploiting MASTERKEY requires an attacker to be able to re-flash the BIOS with a specially crafted BIOS update."

2) RYZENFALL: "Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed."

3) FALLOUT: "Exploitation requires that an attacker be able to run a program with local-machine elevated administrator privileges. Accessing the Secure Processor is done through a vendor supplied driver that is digitally signed."

4) CHIMERA: "A program running with local-machine elevated administrator privileges. Access to the device is provided by a driver that is digitally signed by the vendor."

They didn't provide any actual evidence of any built-in backdoor, technical details or POCs. Considering this AMDFLAWS(dot)COM is their first and only project, their word isn't worth a spit.

The main actor in the whole story is the well known fraud Viceroy Research company, which is being investigated for stock price manipulation (about 3 billion dollars worth of stock loss due to slander in less than a week). Viceroy Research was tipping off AMD stockholders for over a week before AMDFLAWS was released.

Don't forget this very fishy and targeted disclaimer (especially the second sentence): "...This White Paper does not offer the reader any recommendations or professional advice. The opinions expressed in this report are not investment advice nor should they be construed as investment advice or any recommendation of any kind."

It smells like a fraud, looks like a fraud, talks like a fraud and probably IS a fraud.

parabarbarian • March 14, 2018 8:57 AM

I wonder what the reports for Google and Facebook will look like. Be closer to 600 *pages*. Each.

sellIDs • March 14, 2018 9:46 AM

Wow... this is why sites like pipl.com, whitepages.com and other look-alikes have so much information on everybody ...

Rhys • March 14, 2018 10:20 AM

Were any part of this disclosure verifiable, you might learn something.

Tell us what you think you hope to learn vis-a-vis what you actually learned?

I don't know why this disclosure should be assumed to be either "complete" or "truthful" (including "the whole truth").

Particularly for these early disclosures- the grudging compliance will more resemble a negotiation than an unveiling (or removal of the shroud).

Do keep in mind that their construct of added value is built not just on the collection but, the retention and sorting (data mining, analytics, correlations, derivations). The analytic products will be considered a 'trade secret' by them.

Of the 600 companies, 'legal', & 'agencies' listed- will any of these subsequently disclose what they have collected? Or just that they "shared" in the engorgement of PII, PCI, PHI without any license from the individual? (I am attempting to address the laundering of the information or 'intelligence' through proxies.)

As far as 'legal' and/or 'agencies' are concerned- will they openly disclose or will they now accept subpoenas to disclose? Will they even permit the disclosure of their 'take'?

This is a battle of attrition. As corporate defendants 'comply' with disclosure to plaintiffs, they'll pass the raw data in a heap, hoping that the resources and time available will be exceeded, facilitating their evasion of accountability.

All I think we will learn is how much dogged perseverance we must be prepared to bear.

TheInformedOne • March 14, 2018 10:25 AM

The world's leaders need to start treating privacy as a human rights issue. I predict the "Golden Age" of data mining will be over soon as the sheeple slowly awake to how they've been exploited for decades without their consent. Don't really know what Facebook, Google, Twitter, YouTube, and all the other social media companies will do for money after that.....

Bob • March 14, 2018 11:21 AM

@TheInformedOne

I disagree. I think people will continue caring less and less about privacy as they are placated and gratified with increasingly insecure, capable shiny shit.

Douglas Coulter • March 14, 2018 11:28 AM

@TheInformedOne
"Don't really know what Facebook, Google, Twitter, YouTube, and all the other social media companies will do for money after that....."

To further inform:
Long BEFORE that, these companies and others have lobbied for and bought law, and will continue to do so, to prevent any such outcome. They also feed governments data which would be illegal for said government to collect - not that legality stops them, but it'd be more efficient to outsource raw collection and initial winnowing.

There will always also be some semi-valid (note qualifier) excuse for things we can't even opt out of, like Experian, or for that matter, OPM who have already had pants-down leaks showing us what they - and now everyone who wants to - know about us.

I believe the term that describes your thinking is "wishful". I see no such trend in any government worldwide, and plenty of the opposite.

mark johnson • March 14, 2018 11:50 AM

One reason I use PayPal is they don't share CC info with the vendor. Anytime I purchase something that involves recurring charges, they automatically bill you and it is very difficult to get them to stop. In fact, that's why some won't accept PayPal - they need to hit your CC anytime they want. Sure, you can contact the bank and get them to reverse the unauthorized charge. But it's easier if you can pay with PayPal. They can't hit PayPal again and they don't have your CC info either.

echo • March 14, 2018 11:51 AM

Good Lord. 600!!!?? This kind of thing screams out for a capability bits style anonymised data protocol thingamy to stop world and dog taking liberties. I would be surprised if this doesn't fall foul of the EU goods and services directive and UK data protection act.

Ed • March 14, 2018 1:42 PM

@Bob - I totally agree with you. There's more to it though; there is 'conditioning' over generations to consider. We finally broke down and got my 13 year old daughter a smartphone. On multiple occasions, when ads for businesses that we are near pop up on her phone, I've asked "doesn't it bother you that Google or whoever always knows where you are". She replied - "not really". Cue up the music - "freedom is just another word for nothin' left to lose...".

albert • March 14, 2018 1:56 PM

I count 169 entities labeled (USA). I didn't see the need to go into more detail, but these include:

(1) *Auditor (in Luxembourg)
(10) *Payment Processors (including Coinbase!)
(10) *Customer Service Outsourcing (not required if not used)
(40) *Credit Reference and Fraud Agencies
(4) Financial Products
(3) Commercial Partnerships (incl Apple)
(52) Marketing and Public Relations
(25) *Operational services
(2) Group companies (both PayPal)
(20) Commercial partners
(3) Legal
(-) Agencies (all non-US)

I would guess that one would only need to use a few individual companies(marked *) to process even overseas transactions, but what do I know?

There are lots of pigs feeding in the trough.
. .. . .. --- ....

Mark Johnson • March 14, 2018 2:31 PM

@Hmm

A prepaid CC? How does that prevent the vendor from hitting it again, from placing additional charges on it?

Hmm • March 14, 2018 2:41 PM

@Mark

I said credit, it's actually debit. You can't be charged for money that isn't there.

It's the commerce equivalent of a burner phone.

Jesse Thompson • March 14, 2018 2:43 PM

@Drone

We need a viable COMPETITOR to PayPal. Why isn't that happening?

Well, you can try out Venmo, Circle, Coinbase, Zelle, Flattr, Coinapult, and that's just off the top of my head.

But do you know what all of these services critically lack that Paypal appears to have mastered?

Nothing more nor less than a large network of people already signed up to use their payment network.

So ultimately dislodging Paypal is an identical feat to dislodging Facebook.

There's no special technology or IP or talent that keeps them in place, just first-mover luck and networking effects.

Hmm • March 14, 2018 2:45 PM

@Mark

Obviously you have to manage that and it's not super-convenient. I'm not saying it's a panacea.
But if you don't want Peter Thiel selling your trends, that's one way to do it.

Everything is a trade-off.

Nick • March 14, 2018 3:21 PM

That a truly horrible company like Paypal (link) can acquire a quasi-monopoly speaks volumes about what the average consumer is willing to give up for a little extra convenience.

I think it's a waste of time trying to educate the average Joe. He/she is too stupid to understand that one day, an identity theft won't just be something he reads about. Sorry if I sound elitist, but I honestly believe that that's just reality.

Douglas Coulter • March 14, 2018 4:03 PM

I don't know what my bank shares with the world, to say that up front.
However, what I've had them do for me, and which a few bank employees have also adopted, is just to create another checking account with no overdraft "protection", and use the debit card from that online - no issues ever, other than whenever management changes at the bank that overdraft protection tends to get turned back on, and I had to tell them again. Maybe no more now that they themselves are doing this.

This was in response to a couple of hacks on another debit card that had been attached to my outfit's payroll account. The bank nicely took care of the fraud on that - but I'm a decent size fish in that small pond, and it's a worry.

To use this - I only keep

Funny that now that there's a debit card for me that doubtless a lot of entities know the specifics of - it's never been hacked. Maybe anecdotal, but it's as if the hackers had some way to know if there was enough money to be worth it?

Today I found out that to get an account with the US gov "MySSA" social security administration, you must be on file at the credit bureaus. I was told this after calling their help desk to find out why I couldn't successfully sign up online.

Too inept to call NSA (oh, they'd never answer)? WTF, I didn't know that our government depended on this for their own verifications....I haven't borrowed money or other credit event for decades, and evidently, you drop off the lists.

Douglas Coulter • March 14, 2018 4:05 PM

Oops. Half my comment went away?

I only keep $20 in the burner acct, and only xfer money into it online just before clicking "place order" at whatever other site. Very low hassle.

dan • March 15, 2018 2:48 AM

that visualisation is very hard to read. you have to zoom in to read the text but then zoom out to go to another node. something like dynalist or workflowy would be much better

Drone • March 15, 2018 4:14 AM

@Jesse Thompson,

You said: "Well, you can try out Venmo, Circle, Coinbase, Zelle, Flattr, Coinapult, and that's just off the top of my head."

C'mon Jesse, when was the last time a seller you want to patronize accepted payment via Venmo, Circle, Coinbase, Zelle, Flattr, or Coinapult? Never - that's when.

Google Pay (or Google Wallet or whatever they're calling it this week) has the potential to seriously compete with PayPal. But unfortunately Google is like a four year old child with attention deficit disorder when it comes to developing businesses, so don't hold your breath.

Anon • March 15, 2018 8:29 AM

Interesting would be with whom the following companies share information:

PayPal Inc. (USA)

PayPal Europe Services Limited (Ireland),
PayPal Malaysia Services Sdn Bhd (Kuala Lumpur),
PayPal Israel Ltd (Israel),
PayPal India Private Limited (India),
PayPal (UK) Ltd (UK),
PayPal France S.A.S. (France),
PayPal Deutschland GmbH (Germany),
PayPal Spain SL (Spain),
PayPal Italia Srl (Italy),
PayPal Nederland BV (Netherlands),
PayPal European Marketing SA (Switzerland),
PayPal Polska Sp Zoo (Poland),
PayPal Bilisim Hizmetleri Limited Sirketi (Turkey),
PayPal International S.à r.l.(Luxembourg),
PayPal International Treasury Centre S.à r.l.
PayPal SE (UK), Bill Me Later Inc. (Germany),
PayPal Information Technologies (shanghai) Co., (China),
PayPal Australia Pty Limited (Australia),
PayPal Charitable Giving Fund (USA),
PayPal Giving Fund UK (UK), Tradera AB (Sweden)

PayPal Pte. Ltd. (Singapore)

or all of those whose "Data Disclosed" column includes "All Account information"

:-P

65535 • March 15, 2018 8:33 AM

@ Nick and others

“…truly horrible company like Paypal (link) can acquire a quasi-monopoly speaks volumes about what the average consumer is willing to give up for a little extra convenience. I think it's a waste of time trying to educate the average Joe. He/she is too stupid to understand that one day, an identity theft won't just be something he reads about.”- Nick

Once you step into the financial arena your OPSEC is blown up. Everything from your age, gender, name, race, address, political and spiritual beliefs, your address, family, job, telephone number, driving license records, social security number, loan record and so on are revealed to hundreds of people/corporations. The main way around this is cash and carry.

If you are a "high risk" political reporter you are exposed to your many enemies via multiple companies. The same for other people in sensitive positions. This leads us as to how a high risk person gets a security clearance. The first thing a security clearance requires is a credit check. If you fail a credit check you are probably not getting a security clearance.

How do police, politicians, agents of the Federal government do it? I would guess less than legal front men and front companies. The same goes for millionaire executives and movie stars.

It is not a secret that foreign born persons tend to get security clearances easier than some Americans – to a degree. How to remedy this is a difficult question. How to keep from getting your OPSEC blown is just as difficult. The answer is to use "Snowden" security practices. That is difficult for the average Jane/Joe. They need a job and a so called credit history. Financial records tell everything.

OPSEC is very difficult. Does anybody have a good solution? Please speak up.

D-503 • March 15, 2018 11:12 AM

There's a huge unmet need for a secure, cheap method of making small payments. Flattr is a great concept, but very limited in its application.
Paypal stores excessive financial information on customers, apparently forever, creating an uncomfortably large attack surface for identity fraud. But it's been able to carve out a large enough market share that some vendors only accept Paypal, which is annoying for people like me who refuse to use Paypal.
For a few years, Bitcoin's main strength was that transaction costs were low – after the initial investment of time and equipment to get set up – compared with the exorbitant retail transaction fees charged by financial institutions.
Last fall, Bitcoin's transaction costs skyrocketed into the same overall range as fees charged by banks, and will stay high due to Bitcoin's inability to be scaled up. This has ruined Bitcoin's usefulness as a currency – though apparently people in Venezuela are still using it as a hedge against inflation. It remains to be seen whether any decentralized electronic currency can work in the long term at the sorts of scales needed. Even if a currency uses a computationally expensive method that consumes massive amounts of electricity, people still find many ways to cheat. And given the financial incentive involved, it’s hard to predict future methods of cheating.
@Jesse:
“But do you know what all of these services critically lack that Paypal appears to have mastered?
Nothing more nor less than a large network of people already signed up to use their payment network.”
Yes, that’s a huge hurdle for any new payment method. And the network effect is the reason why anyone who controls a widely-accepted payment method can rake in dangerously massive amounts of economic rent.

VinnyG • March 15, 2018 2:55 PM

eBay recently announced (I have a link *somewhere* but of course cannot find it at need) that it will be winding down its relationship with Paypal over the next 2 years. Much too late and too slow, but that should at least serve as a small check on PP ubiquity, going forward. Something to keep in mind re debit & credit cards (at least in US, otherwise YMMV) is that the maximum customer liability on a credit card in the event of fraud is capped by law at 50 USD, while the limitation on a debit card is the amount in the account (i.e., no equivalent legal consumer protection exists.) For most of my online purchases I use a credit card. I do monitor the account regularly for unauthorized purchases. That, of course, does nothing to mitigate the sharing of any PI that can be gleaned from my purchases, it's only loss control. For those purchases (relatively few) that I truly want to be confidential, I'll go to Walmart and purchase a debit card for cash in an amount equal to or a few pennies more than the shipped cost of goods I wish to purchase. I make the purchase, then shred the card.

Jim • March 15, 2018 8:09 PM

I quit using PayPal/eBay well over 10 years ago as I detested them having direct access to my bank account. They could withdraw funds even if I disagreed.
They initially sided with me in a contested sale but then charged me the entire sale price after the customer contested to her credit card company. I was powerless. The customer kept the $900 product.

Even more disturbing is the position of the USA HealthCare.gov site allowing virtually every intrusive Big-Data corporation to eavesdrop as consumers apply for healthcare coverage. They get your sensitive extensive medical and financial data for free.

To limit your personal health data collection the government insists consumers visit EACH data-collector, create an account, then agree to their massively invasive term-of-service just to be able to disable your data collection at HealthCare.gov.
No one can practically do this insanity and they know it.

The reality is the Obama Federal Government was unable to set-up an on-line system and had to bring in G**gle. Now years later we see the price paid: our essential human privacy

https://www.healthcare.gov/third-party-privacy-policies/

JustAGuy • March 16, 2018 12:25 PM

This isn't really about PayPal, it's about the GDPR requirement to disclose business partners you share data with. What we're going to see that it's useless, the cyber equivalent of "This product is known to the state of California to contain a chemical that causes cancer". Great, thanks California, everything causes cancer. This requirement will simply show you that every website you use shares data with hundreds of third parties, most of whom you have never heard of before. There's no practical way to vet or take precautions based on this info especially given the size of the partner lists you will see, so (much like the Prop 65 warning) it will largely be ignored. The only possible benefit today is that if vendor X announces a breach, you can search these disclosure lists and find the clients who may be affected, even if they won't tell you themselves.

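Editor's note: the one practical use JustAGuy names for these lists, searching them for a breached vendor to find the disclosing companies whose customers may be affected, is the kind of thing worth scripting, since the lists are long and the same vendor appears under slightly different legal names across them (and across albert's per-category tally). The following is an added example, not code from this post or from PayPal. The sample rows are constructed: the disclosers, recipients, countries, categories and "data disclosed" values are illustrative and are not taken from PayPal's actual list.

```python
"""Cross-reference third-party disclosure lists against a named vendor.

Added example; the CSV rows below are constructed for illustration and are
not PayPal's published list. Columns mirror the shape of such a list:
who discloses, to whom, where the recipient sits, why, and what is shared.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample data (not real disclosure entries).
SAMPLE_LISTS = """\
discloser,third_party,country,category,data_disclosed
PayPal Inc.,Coinbase Inc.,USA,Payment Processors,"Name, email, transaction amount"
PayPal Inc.,Acme Fraud Screening Ltd,USA,Credit Reference and Fraud Agencies,"All Account information"
PayPal Inc.,Globex Marketing GmbH,Germany,Marketing and Public Relations,"Name, email"
PayPal (UK) Ltd,Acme Fraud Screening Ltd,UK,Credit Reference and Fraud Agencies,"All Account information"
PayPal (UK) Ltd,Initech Support Services,India,Customer Service Outsourcing,"Name, email, ticket history"
Example Shop Ltd,ACME Fraud Screening,UK,Fraud Agencies,"Name, address, card last four"
"""

# Legal-form suffixes that vary between lists for the same company.
_LEGAL_SUFFIXES = re.compile(
    r"\b(inc|ltd|limited|llc|gmbh|s\.?a\.?s|plc|corp|co|bv|ab|srl|sl|pte)\.?\b",
    re.IGNORECASE,
)


def normalize_name(name):
    """Canonical matching key: drop legal suffixes and punctuation, casefold."""
    name = _LEGAL_SUFFIXES.sub(" ", name)
    name = re.sub(r"[^a-z0-9]+", " ", name.casefold())
    return " ".join(name.split())


def parse_disclosures(text):
    """Parse one or more concatenated disclosure lists in the CSV shape above."""
    return list(csv.DictReader(io.StringIO(text)))


def count_by(records, field, country=None):
    """Tally recipients per `field` (e.g. category), optionally for one country."""
    return Counter(
        r[field] for r in records if country is None or r["country"] == country
    )


def disclosers_sharing_with(records, vendor):
    """Disclosers that name `vendor` as a recipient, matched on normalized name.

    This is the breach case: given a breached vendor, which companies'
    customers are exposed through it, even if those companies stay silent.
    """
    key = normalize_name(vendor)
    return sorted(
        {r["discloser"] for r in records if normalize_name(r["third_party"]) == key}
    )


def recipients_of(records, phrase):
    """Recipients whose 'data disclosed' field contains `phrase` (case-insensitive)."""
    return sorted(
        {
            r["third_party"]
            for r in records
            if phrase.casefold() in r["data_disclosed"].casefold()
        }
    )


if __name__ == "__main__":
    recs = parse_disclosures(SAMPLE_LISTS)
    print(count_by(recs, "category", country="USA"))
    # Three different spellings of the same vendor collapse to one match.
    print(disclosers_sharing_with(recs, "Acme Fraud Screening, Inc."))
    print(recipients_of(recs, "All Account information"))
```

The name normalization is the part that matters in practice: a vendor announcing a breach as "Acme Fraud Screening, Inc." will appear as "Acme Fraud Screening Ltd" in one list and "ACME Fraud Screening" in another, and an exact string search misses both. The suffix list is a starting point, not exhaustive, and it will over-match short tokens such as "co" or "sl" if those occur as standalone words in a real name, so review the matches by hand before acting on them.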
Eric • March 22, 2018 5:57 AM

@JustAGuy
There's no practical way to vet or take precautions based on this info especially given the size of the partner lists you will see, so (much like the Prop 65 warning) it will largely be ignored.

In the case of companies like PayPal, a person can simply choose not to use them for anything.

Although there is of course the risk that some alternative, such as a pre-paid credit card company, does something similar.

On another note the data sharing networks between these companies will probably work out to become an interesting data science project.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.