The 600+ Companies PayPal Shares Your Data With(schneier.com)
schneier.com
The 600+ Companies PayPal Shares Your Data With
https://www.schneier.com/blog/archives/2018/03/the_600_compani.html
28 comments
We need to change the language, it's too soft. Paypal isn't "sharing" your data. They're "selling" your data.
Sharing is Caring. If you want people to take these threats seriously you need to speak to them with language they can understand.
Sharing is Caring. If you want people to take these threats seriously you need to speak to them with language they can understand.
If Paypal pays service provider Y to validate a credit card hasn't recently been used in fraud, they would be sharing the data, but they certainly wouldn't be selling the data.
I doubt they're "selling" your data to payment processors, though. If you follow the links, it is refreshingly candid.
Direct Link: https://www.paypal.com/ie/webapps/mpp/ua/third-parties-list
Kind of interesting to see the network of companies paypal uses for various functions. Surprise Surprise the largest sections are fraud prevention and marketing.
Kind of interesting to see the network of companies paypal uses for various functions. Surprise Surprise the largest sections are fraud prevention and marketing.
PayPal fraud prevention makes it impossible to use, you are guilty until proven innocent. In a way Coinbase is in a collision course also. Not saying that it's entirely their fault but there should be an innovative way to offer a good user experience while following regulations.
Beyond this, GDPR is educating us. I wonder how US regulations/regulators were so flexible with this kind of companies but are so strict with their users.
Beyond this, GDPR is educating us. I wonder how US regulations/regulators were so flexible with this kind of companies but are so strict with their users.
> guilty until proven innocent
I can’t see reversible payments between strangers over the internet working without that.
Let alone the tax/money-laundering reporting requirements.
I can’t see reversible payments between strangers over the internet working without that.
Let alone the tax/money-laundering reporting requirements.
Many times I can't even send the payment.
A lot of it is common sense, banks for example: If you use your bank (you have to via checking or CC) they have to know your PayPal information.
Also they have to care about fraud.
Also they have to care about fraud.
Wait, what? Why does my bank need to talk to (share information with) PayPal?
Interestingly, under GDPR EU citizens need to opt in to each of these, explicitly, and be able to toggle them off on an ad hoc basis. Additionally, PayPal is required to list each of these vendor's vendors (which could increase the number of vendors by 1 or 2 orders of magnitude). If companies actually follow the GDPR controls this is going to turtle all the way down.
Interestingly, under GDPR EU citizens need to opt in to each of these, explicitly, and be able to toggle them off on an ad hoc basis.
This sounds terrible. How is your regular EU citizen supposed to know which of these companies would be required to get your payment to reach its destination?
This sounds terrible. How is your regular EU citizen supposed to know which of these companies would be required to get your payment to reach its destination?
Maybe PayPal should disclose this?
Not
- Your data MAY be shared with these 600 companies
but
- For this transaction to complete, your data WILL be shared with those 10 companies
Not
- Your data MAY be shared with these 600 companies
but
- For this transaction to complete, your data WILL be shared with those 10 companies
Which section of the GDRP says that?
As far as I know you don't need your customers opt in if you have a contract based on a standard contract
This absurd level of data sharing is one of the reasons I use Apple Pay 100% of the time it's offered, at least they don't go sending half the world your info and product purchase history.
The merchant may still do so of course...but the footprint is reduced.
The merchant may still do so of course...but the footprint is reduced.
How do you know that Apple isn't doing that?
I'm curious as well. I mean, it might not be '600' (although as commented by others, that doesn't mean your particluar account data hits all 600 of them), but at least something should get shared somehow to complete any type of payment? If not just for the receiving party? And what information exactly do they get?
The merchant doesn't get your credit card number, though; it gets a one-time code.
The title on the PayPal list itself reads "List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared."
If that's true, this is just the "worst case" scenario - you are very unlikely to hit any significant fraction of these companies for any single given transaction.
Or so I hope.
If that's true, this is just the "worst case" scenario - you are very unlikely to hit any significant fraction of these companies for any single given transaction.
Or so I hope.
The overwhelming majority likely never get anybodies info. These lists have to be extensive, and for the "marketing" category the data is almost assuredly anonymous. But to avoid hefty lawsuits, companies choose to list any company that might accidentally get a CC they aren't supposed to.
Dear customer, we may betray you in some of these 600 ways. This is just the "worst case" scenario. You are very unlikely to hit any significant fraction of these posibilities for any single given Transaction.
At least we hope so.
Hopefully none of these 600+ companies ever get hacked.
https://thehackernews.com/2017/12/paypal-tio-data-breach.htm...
you were saying? :)
you were saying? :)
Kind of irony? ;-)
This should be fairly alarming because it makes a whole new attack surface very publicly visible.
> To allow payment processing settlement services, and fraud checking.
So, do they only share my info with them when I make a payment with that specific institution, or do they share my info even if they’re uninvolved but sell fraud prevention services?
So, do they only share my info with them when I make a payment with that specific institution, or do they share my info even if they’re uninvolved but sell fraud prevention services?
The visualization he links to is pretty nice: https://rebecca-ricks.com/paypal-data/
"Credit reference and fraud" companies are pretty much tied with "marketing and public relations"; the latter seems to be about half "tracking pixel providers". Fuck ubiquitous advertising. The Space Merchants was supposed to be a satire, not a manual.
"Credit reference and fraud" companies are pretty much tied with "marketing and public relations"; the latter seems to be about half "tracking pixel providers". Fuck ubiquitous advertising. The Space Merchants was supposed to be a satire, not a manual.
The assumption is, the more data the less likely it is fraud and therefor the less likely there will be chargebacks.
Most of these are banks, customer service, and fraud prevention companies.
It's also worth noting that this list is of all the companies Paypal MAY share your data with. If you never opened a credit card in Germany and used it on Paypal it is unlikely to hit the German processor, for instance.