I try not to cover data privacy much any more, despite being an advocate, because we have already crossed the point of no return. We have allowed just about every piece of our personal data to be available on the Internet, making privacy effectively a dead issue, but in most cases the user makes the choice. But many very large public firms have been promising consumers that carefully protect customer information, and fully anonymize any data before it’s sold. This is bull$&!#.
As an example, Visa and Mastercard have been in the news lately, because of the sale of ‘anonymized’ data to marketing firms. True to form, “MasterCard told the Journal that customers have nothing to worry about.” But most firms that collect customer data – Mastercard included – know full well that their marketing partners can and do link purchase histories to specific individuals. Especially when you leave bread crumbs to follow: something like customer ID, or last name and age – either of which serves as a surefire way of pinpointing user identity. And the third party firms can do this because Visa leaves enough information to accommodate linking. We know Mastercard is speaking from both sides of its mouth on this – their own corporate sales presentations to marketing organizations tout this as an advantage.
“We have extensive experience partnering with third parties to link anonymized purchased attributes to consumer names and addresses (owned by third party)”
This sort of thing may bother you; it may not. But let’s be clear that Mastercard is lying about the practice because they know the majority of the public feels selling their personal data is a betrayal of trust. These slides clearly demonstrate that this isn’t just a simple lie or mistake – it’s a bold-face lie. They have been marketing their concern for user data privacy on one side, and marketing de-anonymization to third party marketers for years. And third party marketing firms pay a lot of money for the data because they know it can be linked to specific card holders. I am especially aggravated by this compromising of user data because Mastercard & Visa don’t just facilitate electronic fund transfers, but they also actively market the trustworthiness of their brands to consumers. Turning around and selling this data, obviously intending for it to be reverse engineered, betrays that trust. As I mentioned recently in a post on Payment Trends and Security Ramifications, the card brands are eager to increase revenue through these third party relationships for targeted ads and affinity marketing. I fully expect to see coupons available via smart cards in the next two years, in an attempt to disintermediate companies like Groupon. And in their rush to profit from profiling, they seem have forgotten that users are tired of these shenanigans.
Of course their legal teams say customer privacy comes first, then get defensive when people like me say otherwise, touting their ‘opt-out’ options. But customers can’t really opt out. Not just because the options are hidden on their various sites where no one can find them all. And not just because you’re automatically opted in when you get each card. The deeper problem is this data is always collected, no matter what. It’s hard coded into the systems that process the transactions. Always. It’s simply a question of whether Mastercard chooses to sell customer data – and in light of the above quote it is difficult to trust them.
If they want to earn our trust, they should show us sample data and of how it is anonymized. I am willing to bet it cannot stand up to scrutiny.