Bank on privacy
-
Banks in the US and elsewhere have been selling anonymous information about customers’ spending habits for a long time. Now, Norway’s largest bank plans to do the same. Here’s what our security team has to say to that.
-
I take it Norway doesn't have GDPR then? Selling data shouldn't be allowed like this, but at least with GDPR you should need to give your explicit consent for sharing data with third parties. And as far as I'm aware there is no way to "grandfather" you into automatically agreeing.
The issue runs a bit deeper than your bank though. Visa, Mastercard, Google & Apple (if you uploaded your card to their payment systems) - these companies could be doing whatever they want with their data even if your bank is 100% secure.
Unrelated: I am a member of a Building Society, not a bank. In the grand scheme of things I'm not sure if there is much difference, but it feels a bit cleaner as it's run by members I can elect, not a permanent board of directors.
-
@LonM Norway does have legislation that implements the GDPR; the issue here is that, based on (long and difficult to read) contracts and/or accepted GDPR notices, they may have permission to do what they are proposing. The real question is whether they should, and if so, how they should implement it? IMO they shouldn't.
-
@yngve I'm not an expert on GDPR - my understanding was that if new contracts for sharing data were implemented, then you needed express consent for that. Bank lawyers probably know a lot more than me and will have covered their backs.
You're right though - in any case this is poor behaviour.
-
:knight:
Could the data collected at some point also be used to answer security questions on a site (some sites have bad security questions)?
-
@Chas4 said in Bank on privacy:
Could the data collected at some point also be used to answer security questions on a site (some sites have bad security questions)?
All security questions are bad.
The standard questions are usually easy to guess (or look up on Facebook, LinkedIn, or the profiles at any other of the data collector pages) and the method you suggest probably does not work either, because humans tend to forget what items they bought a week ago.
That's why "Password1" is still one of the most commonly used passwords
PS: Other data than purchase data can be considered to be not reliable because those data might already have been leaked
-
All too common (sadly) in Canada and the US and little oversight (in Canada anyway).
If you have a substantial account(s), not me, you can threaten the bank that you will be changing financial institutions...
or just go to the bank and withdraw cash to use.
-
@greybeard said in Bank on privacy:
(...) or just go to the bank and withdraw cash to use.
Yes, banknotes are untraceable ...
... but your online purchases still tell a story, but that data is out in the wild anyway, because with most of the payment processors you have to swallow the toad to allow further data processing and confirm that they are allowed to ~~share~~ sell "anonymised" data (we can't see if they really aggregate and anonymise the data correctly) to make an extra profit which they don't hand down to you - not even in parts.
-
I usually pay as little as possible with a card, knowing that in this way the bank even knows what I bought, which eventually translates into related spam in my mailbox. For normal daily purchases, payment is always in cash; this also prevents the store from having to pay commissions that affect prices if everyone pays by card. For this reason there are also small businesses that do not accept card payment for purchases under €10.
-
Brazil has something called "Sigilo Bancario" (Bank Secrecy Brazil Law 105/2001) which, in practice, "ppffssss ..." is of no use. However, just now, the GDPR is to be effective (we call it LGPD Law No. 13.709 / 2018). Although, in practice, among private entities, I don't know if it will advance too much. Because, here, you can buy from the government the confirmation of personal data of any Brazilian person for only $0.20 (https://servicos.serpro.gov.br/datavalid/). Very secretive is our country. >-<
-
@QuHno Some security questions I have seen assume you are married.
-
Actually, it is easy to use the card. I don't have to carry coins with me, maybe a few bills. As every purchase is documented, most times, you don't need to have paper confirmation, as in guarantees. This has helped me twice. Of course, the card issuer and the bank know what I buy, where I bought it etc., maybe even the government. But do I really have to worry about that? I mean, I'll buy those things anyway, and they are more or less the same things others buy too. In the EU, privacy laws are tough. I think as Norway is not in the EU, it has more or less the same problems as the US or Canada.
-
In Norway there's now a new (well, actually several years old now) app called "Vipps", which is kind of similar to Paypal in that you are registered by phone number (or email, not sure), so others can find you and send you money. It seems everyone uses it these days. Even the homeless magazine sellers and beggars now use Vipps, since very few people carry cash with them. It's kind of absurd.
I don't use it, but whenever I need to give some money, for instance after a shared meal and so on, people are like "don't you have Vipps?" And I'm like "nope, do you have an account number?" :smiling_face_with_open_mouth_closed_eyes:
Vipps is not even owned by my bank. So if I start using it, this separate company will be able to log a transaction history for me... in addition to what my bank knows.
But I do understand why people use it, it makes everything super duper easy whenever you need to transfer a small amount of money to another person.
Like Bruce Schneier said:
"The user's going to pick dancing pigs over security every time."
-
@Luluka In the past there was something called telephone books, made of dead trees, with numbers and names printed, and every household got one containing all phone numbers, associated names and street addresses of the region. For a small fee you could buy the telephone book of another region. That information was available to every person who wanted it.
I'd have nothing against publishing all of that in a database, provided that everyone has access to that information. But I would loathe it if this was combined with my daily shopping list or where I was when I had bought it. That would be like a person constantly following me and noting down everything I do and where I do it. If that's going to happen, I want my share of everything they earn, say 70% and an opt-out - or better: A revocable opt-in, and if I revoke it, all data sets must be erased, not only from the computers of the companies that follow me, but from the computers they sold this info to.
OK, I stop dreaming now, but the opt-in is still a must.
btw: Did you know that some fully computerized physical shops started to adapt the prices to the customers? Meaning, some customers have to pay more, some less for the goods - not that the customers who earn less pay less, nooo, heavens forbid, but those who spend a lot in the shop pay less or customers who are known to be wealthy because the algorithm rates them as more valuable and wants to keep them.
I think that's unethical.
-
@QuHno, in the past they had in a fat book, my name, my address and my phone number, today, if I pay by card, the bank knows my name, my address, my phone number, the number of my shoes, on what day my wife has the menstruation, how many times I use condoms, when I had digestion problems, what I have for food every day ... ... and with them every advertiser knows what they do business with.
-
That's why it's so nice that Bitcoin exists.
-
For those interested, here is a complete list of extensions and tools to keep privacy
https://github.com/humanetech-community/awesome-humane-tech#tracking
All alternative services and applications, to eliminate Google completely from your life
-