Interac and your privacy

If credit cards are merely thin plastic behaviour trackers leaking your private information into a sea of marketers, cash seems the only way to maintain your privacy. What about debit? That is the question @dchymko had in response to my post on how I use cash pretty much exclusively these days. Daryl asks:

An interesting question. If you use the debit card of a small credit union, it is unlikely that they have the bandwidth to be selling on your consumer activity. But what about the debit network itself? That network sees all transactions and would be a treasure trove of data, ripe for monetization. Time for an investigation.

I was surprised to find that Canada has a pretty interesting system. In the US, credit card companies typically provide debit card services (which probably means they are a privacy sieve just like regular credit cards), but in Canada we have Interac running the inter-bank system, which turns out to be a non-profit! That sounds positive. Even more positive, when Interac tried to become a for-profit company in 2010, it was rejected by the Competition Bureau, which may have indirectly protected the private information of millions of Canadian debit users. But that is just speculation.

Magic 8 ball: sounds pretty great

All in all, this sounds pretty great, but I wanted to be sure. Looking at the Interac website, I could see that they do release some consumer purchase information, but it seemed pretty high level. I wanted to find out more, so I sent an email to privacy@interac.ca. Unfortunately, I got no reply. After a few weeks I asked on Twitter and was able to get ahold of a communications manager. My email to Interac asked:

Credit card companies often partner with marketing intelligence agencies like Experian and Axiom, with whom they share consumer information like purchasing habits etc.

Does Interac or Axcsys collect and share or re-sell consumer data to third parties?

Interac’s reply:

Thanks for reaching out. To answer your question, no, we do not share or re-sell personal consumer data to third parties. The only data we share is limited aggregated data. For example, the number of debit transactions in 2015, how many e-Transfers are conducted annually, etc.

None of this data used in aggregate could ever be linked back to individual consumers. Hopefully this helps, let me know if you have any additional questions.

Magic 8 ball - Hrmmmm

Seems pretty positive, but that term “limited aggregated data” stuck out to me, so I followed up:

As someone who has worked in big data, “aggregated” is a relative term. I would like to get as specific as possible.

Do you categorize consumer spending patterns? Can you share a small sample of the data?

Who do you share this aggregated data to? Can you give me examples? How much does it cost? Is there a public pricelist?

That email was sent on October 13th 2016 and has yet to receive a reply.

I asked those questions thinking about Bell’s RAP program, which used “aggregated user data” to target ads, a program they had to give up. I wanted to determine if Interac had some sort of categorization scheme like Bell which they could use for either purchases or individuals. But the comms guy at Interac has gone dark, and my investigation seems to be over.

If we could get the proper assurances from Interac, I would love to use debit more. As @chrisfosterelli points out:

C.R.E.A.M.

The War on Cash is an informative piece about the battle against the cashless society. I have been cash-only for a few years, mainly for two reasons: protecting my personal information and financial discipline.

In the old days, a transaction would involve two parties: a merchant and a customer. Nowadays, barely a transaction is processed without a third, invisible party benefiting, and by more than simply providing a convenient transaction process. I became more sensitive to protecting my information leading up to and in the wake of the Snowden revelations. Having worked in the online ads industry for the last three years (today is my final day, in fact), I have become even more aware of all the tracking, repackaging and reselling of personal data that goes on. Therefore, I choose to opt out of the personal information industrial complex that powers so much of our world today.

In 2010 I quit Facebook. In my browser I use prophylactic extensions like Privacy Badger. I use services that protect me and opt out of information-sharing and activity tracking wherever possible. I delete cookies.

In the real world, your credit card is your cookies.

I stopped using credit cards and refuse networked loyalty points cards. I even switched cellphone providers, once I learned how my old one was tracking me.

It is nearly impossible to live completely cash-only in this world. A few years ago reporter Janet Vertesi tried to hide her pregnancy from the “big data dragnet” and found out how difficult opting out really is.

Mine is not a perfect system, but I do what I can.

“Cash-centric” is probably a better descriptor, since I use non-cash options sometimes. Large payments (e.g. rent) I pay through online debit. Online shopping can be done with anonymous, rechargeable credit cards. And sometimes I want the card companies to become aware of the services I buy or subscribe to. I want them to be aware of a specific customer segment, and I use my credit card to pay for those items. For example, every month I let Visa and all its data-sharing marketing and consumer intelligence partners know about Ogo Carshare Co-op. If they market other co-ops to me or people like me… victory?

Productivity hack: Use notes to keep track of things

The second reason I went cash-only is related to our downsizing journey, and our attempt at financial freedom by ridding ourselves of debt. Not using credit cards is the first step, and you will find no budgeting tool works as well as a limited supply of cash in your wallet. Each payday I take out a specific budgeted amount of cash from the bank, turn most of it over to my wife to run the household with, and am left with a very limited amount which must last me to the next payday. The scarcity is corporeal. Every time I open my wallet, I know how I am doing in regards to my budget.

It is actually a very Japanese thing to do. I remember being in Japan in the late nineties and early oughts, and agreeing with all the neoliberal ridicule of Japan’s cash-centric society as being backwards and inefficient. Now I understand the value in such a system, and have adopted it here in Canada. Just like not having a Facebook account, always using cash confuses people, but it sparks some meaningful conversations.

These are the main reasons for my choice to be cash-centric. I have not touched at all upon the impact of a cashless society on minority communities and the poor, and all the other reasons to continue carrying cash until the morally right solution comes along. To learn more about these issues, there is no better place to start than the article: The War on Cash.

Undermining C-51

OpenMedia.ca organized an open letter about how C-51 will undermine Canada’s business climate:

The challenge of being Canadian today is to uphold our values of openness, tolerance, and trust of others, while maintaining a very real understanding of the dangers of terrorism and the government’s need to protect us. But sometimes this balance is not struck correctly and we, as business people and entrepreneurs, are convinced that Bill C-51 is not balanced the way we as Canadians would want.

Why rush this legislation when there are so many reasons to rethink the approach? Why not establish effective Parliamentary oversight on par with our global counterparts? Why not establish a Royal Commission into the general state of digital privacy protection in Canada and get this right? Our values are too important to rush such an important decision.

The letter was signed by 59 technology and business leaders… and me.

Learn more and sign the petition at StopC51.ca

Bell rejiggers RAP, but will delete user data

The victories just keep piling up (see previous victory here). The Office of the Privacy Commissioner of Canada ruled against Bell and its collection of personal data for targeted advertising under the Relevant Ads Program (RAP). The question then became: what is Bell’s next move? Well, there was a little back and forth here, so I shall recap:

Apparently Bell withdrew the RAP at the urging of the Privacy Commissioner. They then said they would re-introduce it as “opt-in” only, as advised by the PrivCom. However, there remained the outstanding question of what to do with the existing data. During the last victory I had questions about what exactly was being deleted (I am still waiting on my request for clarification from Bell’s privacy officer). PrivCom wants Bell to delete everything. Time passed, but today, PrivCom says that Bell promised to delete the data.

Great! That is excellent news. Does this mean the whole saga is over? No! PrivCom may close their case, but the CRTC case is still ongoing, as far as I know, and there is a laundry list of other issues that need to be addressed. Stay tuned.

Thanks to PIAC and all the others who have done such great work in moving the ball forward. We still have a way to go, but the positive momentum is building up.

If you are a Bell customer, and still in doubt, opt out of the RAP here.

A victory against Bell’s use of customer information

Michael Geist, law professor at the University of Ottawa, has criticized Bell Mobility’s Relevant Ads Program (RAP), saying it “falls short on privacy.” His main concern is that it is opt-out, but he also points out some of the other problems of a telecom provider mining and selling user data. Much is coming to light about the extent of Bell’s user data collection since the Public Interest Advocacy Centre (PIAC) and the Consumers’ Association of Canada (CAC) filed a complaint at the Canadian Radio-television and Telecommunications Commission (CRTC).

PIAC’s Executive Director argued that “Bell has overstepped its role as a neutral provider of telecommunications services.” The President of the CAC pointed out that “Bell is trying to ‘double-dip’ by taking your subscription fees and then selling information based on your use of the services you just paid for.”

The application to the CRTC has produced some wins. Before, opting out of the program simply meant that targeted ads wouldn’t be shown to you. You weren’t opting out of your information being used. Now things are different. In Bell’s response to the PIAC’s filing, they promise (paragraph 41):

Bell has changed its opt-out process so that an opt-out will terminate all use of personal information for the RAP and the deletion of any browsing, interest and category information from existing profiles. This change was made retroactive to cover anyone who chose to opt-out since the initiation of the RAP.

To parse this a bit: this says just the CATEGORIES are what is being deleted, not the actual browsing history. In other words, Bell is still collecting information on browsing habits, it is just not categorizing those habits for use in ad targeting. I have emailed Bell’s Privacy Ombudsman for clarification. It remains an opt-out system, as criticized by Michael Geist above, but this is still a positive development: the flawed opt-out system has become somewhat more robust.

In any case, this change is an example of consumer power. Last year Shaw changed its process for storing service calls in response to my PIPEDA request. Now, the PIPEDA request I made revealing Bell’s 56 categories for ad targeting has contributed to reform at Bell. Luckily, thanks to a concerned citizen who found my post from last year, the results of my PIPEDA request were submitted as part of the PIAC filing. The process has been long and very involved, and I would like to publicly thank that concerned citizen for their hard work. I have not had any direct contact with PIAC or the CAC. Everything was mediated by this private citizen, who says:

As to why I got involved? The previous Privacy Commissioner of Canada stated something along the lines of, if you don’t put up a fight for your privacy, privacy lost will not be regained. Once it’s gone you are not getting it back … I’m not about to let corporate interests and shareholder-value tell me what privacy rights I have, so it was time to fight and speak up. PIAC was the force that started it, and I jumped in as the regular Joe that I am.

The fight isn’t over. More and more information is coming to light about how our telecoms treat their customers. Consumer organizations like PIAC know how to take action, but they need data. Thus, I encourage everyone to take five minutes and send off the form letters Chris Parsons prepared in his post to shed light on what our telecoms are doing, and give them the ammunition they need to effect change.

Also, if you are a Bell Mobility customer, opt out of the RAP program here.

“The means of information”

Information Doesn't Want to Be Free by Cory Doctorow

Cory Doctorow’s new book Information Doesn’t Want to Be Free is ostensibly a guide for creators on how to approach the Internet, and does so in an extremely informative, yet conversational manner. Furthermore it is concise, making it very accessible. When people ask me why I care so much about copyright and DRM, I will point them to this short and entertaining book.

Funnily enough, this book reminded me a lot of Astra Taylor’s The People’s Platform: Taking Back Power and Culture in the Digital Age (which I was critical of in my Literary Review of Canada review). One thing I didn’t like about her book was the tone. I had even suggested that she be more academic in her approach. I think that opinion was wrong. She should have taken an approach more like Doctorow: conversational and entertaining.

Doctorow lays out a lot of the challenges that today’s creators face. He is familiar with the means of production and the regulations concerned (he did spend a number of years at the EFF fighting this stuff) and communicates it easily. Furthermore, he offers realistic solutions. This is the kind of book I wish Taylor had produced.

Although I didn’t think People’s Platform was all that great, I still recommend it to people because it encapsulates a lot of the Internet criticism of the past five years or so. Doctorow essentially does the same thing for copyright, piracy and digital locks, and then shows how it affects the wider society through censorship, privacy and surveillance. I prefer his execution. There is some overlap (and sometimes conflict), but otherwise I think these books complement one another, and will probably recommend them as a pair. I would love to see Taylor’s review of Doctorow and vice-versa.

Bell’s 56 categories for ad targeting

BACKGROUND: On May 5th I sent Shaw Communications and Bell Mobility each a request for the personal information they have on me as per the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). I used Citizen Lab researcher Chris Parsons’ form letter, which made it easy. You can read about the weird results from Shaw at the links below:

It was easy, and I learned a lot. You should do it too!

Reply from Bell

On July 10th I received my privacy report from Bell Mobility. The report was expected within 30 days but I received an email extending the deadline, and then adjusting that extension. I am unsure if a claim can be made here.

Bell replies on May 8th, May 27th and Jun 12th.

I have been a subscriber for just 2 years, and only subscribe to their mobile services — no television or internet. The package was about 40 pages with a 2 page intro letter and a 2 page glossary of technical terms. The glossary is pretty necessary since the rest of the package was all screen caps of Bell’s customer management application. That’s right, they showed me exactly what their reps see, going through every menu and tab, redacting only the names and other identifiers of the agents I have dealt with. It was all pretty routine and as expected. The only interesting thing about these screencaps is it looks like Bell is still using Win 95. 😉

There was one omission: there were no references to Bell’s controversial Relevant Ads program. So I emailed the Privacy Officer who promptly replied with the following:

My apologies, it was an oversight on my part, I inadvertently did not include the information related to the Relevant Ad Program in your information package. I have attached it for your information.

Excellent and timely response! Especially considering how long it took to get the first package. The only thing I have to complain about is she uses double spaces after her periods. 😉

On to the interesting bits: as soon as the Relevant Ads Program was announced, I opted out right away. I understood that what I was opting out of was being shown relevant ads, not being collected against. Thus the extent of the profile that Bell has on me is not surprising, even though I use just one of their services.

Below are all 56 categories they submitted to me and how they classified me. There are 3 main categories with a series of subcats each with various options. I have no idea how many potential options there are. I have reorganized them by topical category at the very bottom of this post. Since some of them repeat, it seems like they have 56 slots to put in an interest for an individual. We need more reports to reverse-engineer this!

The picture of me it paints is pretty accurate. I am interested in tech, movies and football (soccer). But, it also makes me think I should be using Tor on my phone more.

Anyways, take a gander at my preferences, and by all means, submit your own request and find out what they are recording about you!


Raw data

immedCat

  1. Technology=Cell Phones
  2. Technology=Network Security
  3. Arts & Entertainment=Movies
  4. Hobbies & Interests=Video & Computer Games
  5. Technology=Antivirus Software
  6. Technology=Web Design/HTML

shortCat

  1. Arts & Entertainment=Television
  2. Technology=Cell Phones
  3. Sports=General
  4. Shopping=Online
  5. Arts & Entertainment=Movies
  6. Technology=Network Security
  7. Science=Weather
  8. Technology=Antivirus Software
  9. Arts & Entertainment=Books & Literature
  10. News=Local News
  11. Arts & Entertainment=Music
  12. Style & Fashion=Beauty
  13. Hobbies & Interests=Video & Computer Games
  14. Hobbies & Interests=Photography
  15. Travel=Budget Travel
  16. Automotive=Road-Side Assistance
  17. Business=Government
  18. Technology=Web Design/HTML
  19. Technology=Shareware/Freeware
  20. Technology=Computer Peripherals
  21. Hobbies & Interests=Freelance Writing
  22. Business=Business Software
  23. Education=College Life
  24. Home & Garden=Entertaining
  25. Home & Garden=Entertaining

longCat

  1. Arts & Entertainment=Television
  2. News=Local News
  3. Technology=Computer Peripherals
  4. Hobbies & Interests=Photography
  5. Technology=Cell Phones
  6. Science=Weather
  7. Sports=General
  8. Technology=Network Security
  9. Arts & Entertainment=Movies
  10. Arts & Entertainment=Music
  11. Shopping=Online
  12. Technology=Shareware/Freeware
  13. Technology=Antivirus Software
  14. Technology=Web Design/HTML
  15. Hobbies & Interests=Video & Computer Games
  16. Arts & Entertainment=Books & Literature
  17. Technology=Data Centers
  18. Style & Fashion=Beauty
  19. Automotive=Road-Side Assistance
  20. Personal Finance=Investing
  21. Technology=Email
  22. Hobbies & Interests=Freelance Writing
  23. Home & Garden=Entertaining
  24. Hobbies & Interests=Radio
  25. Sports=Soccer

Options by Category

Technology

  • Cell Phones
  • Network Security
  • Antivirus Software
  • Web Design/HTML
  • Shareware/Freeware
  • Computer Peripherals
  • Data Centers
  • Email

Arts & Entertainment

  • Movies
  • Television
  • Music
  • Books & Literature

Hobbies & Interests

  • Video & Computer Games
  • Photography
  • Freelance Writing
  • Radio

Sports

  • General
  • Soccer

Shopping

  • Online

Science

  • Weather

News

  • Local News

Style & Fashion

  • Beauty

Travel

  • Budget Travel

Automotive

  • Road-Side Assistance

Business

  • Government
  • Business Software

Education

  • College Life

Home & Garden

  • Entertaining

Personal Finance

  • Investing

Orwellian?

The US PCAST report puts forward the following scenario to illustrate how privacy mores change over time, and what the future could be like if digital natives fully trust in the cloud. They admit that “Taylor’s world seems creepy to us”, but they want to demonstrate that “In such a world, major improvements in the convenience and security of everyday life become possible.”

Taylor Rodriguez prepares for a short business trip. She packed a bag the night before and put it outside the front door of her home for pickup. No worries that it will be stolen: The camera on the streetlight was watching it; and, in any case, almost every item in it has a tiny RFID tag. Any would‐be thief would be tracked and arrested within minutes. Nor is there any need to give explicit instructions to the delivery company, because the cloud knows Taylor’s itinerary and plans; the bag is picked up overnight and will be in Taylor’s destination hotel room by the time of her arrival.

Taylor finishes breakfast and steps out the front door. Knowing the schedule, the cloud has provided a self‐driving car, waiting at the curb. At the airport, Taylor walks directly to the gate – no need to go through any security. Nor are there any formalities at the gate: A twenty‐minute “open door” interval is provided for passengers to stroll onto the plane and take their seats (which each sees individually highlighted in his or her wearable optical device). There are no boarding passes and no organized lines. Why bother, when Taylor’s identity (as for everyone else who enters the airport) has been tracked and is known absolutely? When her known information emanations (phone, RFID tags in clothes, facial recognition, gait, emotional state) are known to the cloud, vetted, and essentially unforgeable? When, in the unlikely event that Taylor has become deranged and dangerous, many detectable signs would already have been tracked, detected, and acted on?

Indeed, everything that Taylor carries has been screened far more effectively than any rushed airport search today. Friendly cameras in every LED lighting fixture in Taylor’s house have watched her dress and pack, as they do every day. Normally these data would be used only by Taylor’s personal digital assistants, perhaps to offer reminders or fashion advice. As a condition of using the airport transit system, however, Taylor has authorized the use of the data for ensuring airport security and public safety.

Alluring.