Users beware: The banks are spying on you! It recently emerged that deep inside a TD Canada Trust Visa cardholder agreement are a couple of troubling lines giving the bank the legal right to collect data on everything a person does online.
The scope of these provisions, revealed last week by the CBC, is expansive. They basically give the bank the right to view the content of Google searches, the sort of online videos a cardholder watches, their social media activity and much, much more.
The bank can learn a lot from this information. Are you searching for legal advice on defaulting on a loan? Are you thinking of moving or getting married? Are you straight or gay? Do you prefer cats or dogs?
TD might have overreached in wanting to gain access to all this information, because maybe the bank doesn’t really need to know that much about its customers.
At the margin, more information is probably going to give the bank a business edge – for example, knowing which people are having financial troubles could be useful. But these advantages probably aren’t enough to justify violating customers’ privacy.
At the end of the day, though, TD is not the problem. It’s just one cog in a much larger data-driven market.
And even the bank’s own legal language paints the wrong picture.
Despite wording to the effect that the bank is “collecting” information on our online activity, it’s probably not “collecting” anything in the strictest sense of the term. It’s most likely buying information from data brokers and private companies that aggregate information gleaned from mobile applications, Google Inc., Facebook Inc., Twitter Inc., Instagram and other online platforms.
This practice is hugely common and hugely problematic. As Frank Pasquale notes in his book The Black Box Society, insurers in the United States routinely try to buy records of people’s pharmaceutical visits in order to gain an edge.
Target, the retail giant, famously sent individually tailored advertising to a teenaged girl near Minneapolis because its data aggregation and analytics had correctly predicted that she was pregnant – a fact she hadn’t yet told her family.
Other cases include a data broker selling information on 500,000 gamblers to criminals and the sale of information on people with severe diseases such as cancer or Alzheimer’s to those who sought to profit from those with poor health.
The real problem with the cases mentioned above, including the one involving TD, is the lack of clear rules in an era of Big Data.
We don’t yet really know who can collect what, and even fewer restrictions exist on how data that have already been collected can actually be used.
But the onus here is not on the private sector alone. We, the individual users of Twitter, Facebook and Gmail, share a lot of the responsibility. We have all struck a Faustian bargain that encourages us to use free online applications and services.
But, as the old saying goes, nothing in life is actually free. It’s the digital age, but the dusty old rule from the analog era still applies. Facebook, Gmail, Twitter and all the rest are not providing you with a free service. They are selling data on your voluntarily turned-over habits and behaviours to marketers and data-aggregation services. As the new saying goes, if you’re not paying for it, you are the product.
In short, we should be worried about what TD was reportedly doing, but we shouldn’t view it as an isolated event. It’s part and parcel of the new normal.
What we need now is a new approach that clarifies both who can collect specific types of information and how user-generated data can be utilized once it does exist. All this can only start if people realize that nothing is free. We pay for our free e-mail somehow.
If we really care about privacy, we need to start from the source and work our way out – rather than merely trying to roll back the edges of the Big Data tide.
Bank denies collecting general information about what customers do online
Colin Laughlan is one of thousands of Canadians who had his Visa cards switched from CIBC to TD in 2014 after the Aeroplan rewards program changed banks.
"When I saw this — I really had to read it two or three times to make myself believe I was reading what I was reading," he said.
He points to two lines in the 66-page Visa cardholder agreement that allow TD to collect details about anything — and everything — customers do online.
Under the privacy section of the cardholder agreement:
"COLLECTING AND USING YOUR INFORMATION — At the time you request to begin a relationship with us and during the course of our relationship, we may collect information including:
- Details about your browsing activity on your browser or mobile device.
- Your preferences and activities."
Laughlan, from Vancouver, has a background in privacy issues as a former journalist and communications specialist. He said his radar was up when his new TD Visa card and cardholder agreement arrived in the mail.
"I couldn't see any reason they had to do that sort of surveillance on Canadians and they weren't being particularly forthright about it. This was slipped into the fine print of the policy and I'm well aware that the vast majority of people don't read these things," he said.
Laughlan said it took almost a year before his complaint finally reached TD's privacy office.
The bank eventually apologized, according to Laughlan, and said it was in the process of removing the "browsing activity" line from the agreement. In the meantime, it sent him what it called a "personalized policy" with the browsing activity line crossed out by hand and initialled by a senior officer in the bank's privacy office.
Questionable clause remains
Six months later, Laughlan received another user agreement for a different TD Visa and realized nothing had changed. He complained again and said he was told the agreement was sent by mistake and again assured the problem would be fixed.
Then it happened a third time. That's when he contacted Go Public.
"This is now going on to 18 months. They hadn't changed it as they had promised ... I'm really upset … I thought this is something Canadians should know about," he said.
Go Public put the issue to TD Bank Group, which responded with an email saying the intention was to allow the bank to collect information only when customers use TD websites and TD mobile apps.
"TD has never, at any time, collected general information regarding details about customers' browsing activity, their browser or mobile device," the statement said.
The bank did remove the browsing clause from its online cardholder agreement, but it remains part of the printed version mailed out to customers. The bank tells Go Public that will change when the paper agreements need to be reprinted.
It will keep, however, the line that allows it to monitor customers' "preferences and activities." The bank said it uses that information for banking purposes, including managing products and services and assessing risk.
It has a 'creepy factor,' says tech expert
Sharon Polsky, the president of the Privacy and Access Council of Canada, believes that kind of general wording in user agreements opens Canadians up to sharing far more than they intended, and not just with banks.
"The waters are very murky. People do not realize very often that their information is being disclosed," Polsky said.
Under Canadian law, consent is needed in order to allow anyone to access your online activity. But Polsky said the problem is most people don't realize that by signing up for a credit card or downloading an app they are granting that permission.
'I've heard it said that Google and Facebook know more about you and me than we do.' - Sharon Polsky, privacy expert
"It has a creepy factor.... They can create a very, very detailed profile of each of us … what we do, where we go, what we think," she said.
What businesses do with the information they collect is concerning to Polsky, because it is unclear how it will be used.
"A lot of people don't realize just how invasive organizations are already with our personal information," said Polsky. "So, when you see a clause that says the organization will gather whatever it wishes about you and use it however it wishes — that's when you start wondering why? For whose benefit? Certainly not the consumer," she said.
Are banks going too far?
Polsky said all banks need to collect some information about their customers' online habits in order to meet legal and governmental obligations, but she believes often the amount of information being collected goes too far.
She points to several online articles that say some banks and other businesses are beginning to look at using information taken from monitoring online activity to assess risk and sometimes gauge a customer's credit worthiness.
"They figure out what are the likely behaviours. If you shop at a certain store where other people who shop have declared bankruptcy you become a higher risk. If you go to certain neighbourhoods, if you live in a certain postal code," she said.
"If you say certain keywords on your social media page — innocent words that you wouldn't think twice about using. The word 'wasted' for example. If that's used on your social media profile, that's a trigger, because it apparently indicates certain risky behaviors."
83% of certain apps can mine online info
Polsky said it's not just banking apps that collect information. She points to a recent study that found 83% of Android apps available in the Google Play store can include "full network-access" permission which allows an app to access whatever network a user's device is connected to.
The amount of information that can be collected differs based on how the app is designed.
"Apps can gather basically anything that's on your phone or any device your phone is attached to. They can tie into your contact list, the content of your tweets, your email, your texts, your camera, the microphone," Polsky said.