Sunday, when people had other things to do and weren’t supposed to pay attention, PayPal sent its account holders an innocuous-sounding email with the artfully bland title, “Notice of Policy Updates.” PayPal didn’t want people to read it – lest they come away thinking that the NSA, which runs the most expansive spying dragnet in history, is by comparison a group of choirboys.
The email started with corporate blah-blah-blah on privacy, that PayPal was “constantly” changing things “to give you more of what you want and improve your experience using us.”
Got it. This is going to be for your own good.
The email further discourages you from diving into it: So “this might not be your favorite stuff to read… but if you are interested take a look.” And this having gone out on a Sunday: “if you have other pressing things to do we’ll understand.” The click-through ratio of that link to these policy changes must have been near absolute zero. So I clicked on it.
Once on that page, you have to dig through some dry verbiage before you get to what they cynically call their “Privacy Policy.” Turns out, PayPal is a giant data hog.
It already has the information you hand over when you sign up, including your name, “detailed personal information such as date of birth,” address, phone number, banking and/or credit card information. It further collects information about all “your transactions and your activities.”
When you get on a PayPal site or use its services, it collects “information sent to us by your computer, mobile phone or other access device.” This “includes but is not limited to” (so these are just examples): “data about the pages you access, computer IP address, device ID or unique identifier, device type, geo-location information, computer and connection information, mobile network information, statistics on page views, traffic to and from the sites, referral URL, ad data, and standard web log data and other information.”
You read correctly: “and other information” – anything it can get.
PayPal also collects personal data by putting cookies, web beacons (“to identify our users and user behavior”), and “similar technologies” on your device so that you can be tracked 24/7 even if you’re not using PayPal’s services, and even if you’re not on any of its sites.
Wait, “similar technologies?” By clicking on another link, you find out that they include pernicious “flash cookies,” newfangled “HTML 5 cookies,” and undefined “other web application software methods.” Unlike cookies, they “can operate across all of your browsers.” And you can’t get rid of these spy technologies or block them through your browser the way you get rid of or block cookies. You have to jump through hoops to deal with them, if they can be dealt with at all.
In addition, PayPal sweeps up any information “from or about you in other ways,” such as when you contact customer support and tell them stuff, or when you respond to a survey (Just Say No), or when you interact “with members of the eBay Inc. corporate family or other companies.” Yup, it sweeps up information even when you interact with other companies!
It may also “obtain information about you from third parties such as credit bureaus and identity verification services.” And it may “evaluate your computer, mobile phone or other access device to identify any malicious software or activity.” So they’re snooping around your devices.
And when you download or use PayPal’s apps to your smartphone, or access its “mobile optimized sites,” it collects location data along with a host of other data on your mobile device, including the unique identifier that ties it to you personally in order to manipulate search results and swamp you with location-based advertising “and other personalized content,” or whatever.
After vacuuming up all this information “from or about you,” PayPal will then “combine your information with information we collect from other companies” and create a voluminous, constantly growing dossier on you that you will never be able to check into.
Who all gets your personal information that PayPal collects? You guessed it.
First, it defines “personal information.” Turns out, much of your personal information is not “personal information”: any information that PayPal has “made anonymous” – we already know how anonymous that really is – is not “personal information,” and thus can be freely shared with or sold to whomever. And it shares the remaining “personal information” with:
- eBay and its affiliates
- Contractors that “help with,” among other things, “marketing and technology services”
- Financial outfits (such as GE Capital) that help decide, for example, if you should receive pre-approved credit-card offers
- Credit bureaus and collection agencies, which get your account information
- Companies PayPal might merge with or be acquired by. There goes your entire dossier. You can’t stop it from being sold to the new entity, which might be a Chinese company.
- A basket of our favorite law enforcement and government agencies and “other third parties pursuant to a subpoena, court order, or other legal process….”
You can’t opt out of PayPal’s spy apparatus.
You can only opt out of receiving their ads and pitches. And activating that “do not track” function in your browser to keep PayPal off your back? No way José. “We do not currently respond to DNT signals,” it says laconically.
So, if you don’t like being surveilled like that, you’re still free to close your PayPal account. But that’s not going to wipe out the information PayPal has collected “from or about you,” and its automatic systems continues to collect data through cookies, beacons, and “similar technologies,” and through the sophisticated spy capabilities that are part of any smartphone worth its salt [hilarious video…. iPhone 5nSa].
PayPal will simply mark your account as “closed” and you can’t get into it anymore, but it will “retain personal information from your account for a certain period of time” – probably forever – to do all sorts things, including “take other actions as required or permitted by law.” Yup, as permitted by law. It won’t do anything illegal with it. That’s the only promise. Alas, there aren’t exactly a lot of legal restrictions in the US on what companies can do with personal data.
PayPal is not unique. They’re all doing it. They’re part of the enormously hyped bubble of Big Data whose business model is to collect and monetize your personal information, which has become part of a new asset class. And seeing this, the NSA is dying of data envy.
Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:
Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.