The privacy nightmare in our wallets


Google’s been keeping track of your online purchases, hotel bookings, and newsletter subscriptions for years, but a new privacy concern takes this several steps further.

An experiment by The Washington Post uncovered that data on two seemingly innocuous credit card purchases, each a single banana costing $0.29, were shared with countless organizations including Target, Amazon, Google, and marketing firms.


The reporter in question used the newly launched Apple credit card (which touts privacy as one of its defining benefits) as well as a Chase Amazon Visa. After the transactions were completed, he called up the banks in question to unravel where his data had gone and who the offending parties were.

Predictably, the banks were extremely guarded with their responses, preferring to bury the issue with references to “de-anonymized data” and “high-level” information sharing.

Whatever that means is up for interpretation. Eventually, however, there were some troubling discoveries.

While Apple stuck to its promise of not sharing your transaction data with any third parties, Chase wasn’t as forgiving.


Its privacy statement listed seven reasons for which the company could share personal information with “non-affiliates”, or any company that wasn’t Chase itself.

And it did just that, with the reporter receiving unsolicited junk mail at his address in the days after the transaction.

Your information is pooled into giant data vats

While individual companies can prevent details of specific purchases from being leaked to nosy entities, they can’t exert as much control over the payment processors.

Visa and Mastercard process millions of transactions per second, and reports have suggested that patterns in this data are sold back to companies hungry for retail insights.

Plus, when you use your card at large stores like Target and Walmart, they can build individual profiles based on your visit and transaction history in their internal systems. There’s nothing individual card issuers can do about this – point-of-sale data is also available to the store where the transaction took place.

It’s a similar story when you use mobile wallets such as Google Pay or fintech apps like Venmo. They’re aggregating purchases and storing them in internal databases. What they do with that data is unclear.

The Washington Post’s investigative report tried to get to the bottom of this to figure out where the data went and which companies profited from it. But a combination of stonewalling from bank representatives and jargon-heavy legalese meant that it was a futile endeavor in the end.

What’s confirmed, though, is that your data is distributed liberally and with little regard for consumer privacy.

Credit card privacy has been a problem for years

A 2015 study by researchers at the Massachusetts Institute of Technology revealed that it’s possible to identify individuals with a 90% accuracy level by just examining four “anonymized” purchases. And if pricing information was included, all the researchers needed were three transactions.

In one of the examples cited in the study, the researchers looked at data from two consecutive days. From this, they were able to draw patterns that determined specific individuals, the stores they visited, and what they bought.
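A data holder can measure this kind of re-identification risk before sharing a "de-identified" data set. The example below is added here and is not code from the article or the study: the records, field layout and the `unicity` function are constructed for illustration, and it enumerates every k-point sample instead of drawing random ones. It reports how often k known purchases match exactly one pseudonymous trace, with and without the price field.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import combinations

# Constructed sample: (pseudonym, day, shop, price). No names or card numbers.
RECORDS = [
    ("u1", "mon", "bakery", 3), ("u1", "tue", "grocer", 12), ("u1", "wed", "cafe", 4),
    ("u2", "mon", "bakery", 5), ("u2", "tue", "grocer", 12), ("u2", "wed", "gym", 30),
    ("u3", "mon", "bakery", 3), ("u3", "tue", "cinema", 9), ("u3", "wed", "cafe", 4),
    ("u4", "mon", "kiosk", 2), ("u4", "tue", "grocer", 20), ("u4", "wed", "gym", 30),
]


def unicity(records, k, with_price=False):
    """Share of k-point samples that match exactly one pseudonym's trace."""
    # Group the "anonymized" rows into one set of points per pseudonym.
    traces = defaultdict(set)
    for pseudonym, day, shop, price in records:
        point = (day, shop, price) if with_price else (day, shop)
        traces[pseudonym].add(point)

    unique = total = 0
    for trace in traces.values():
        # Every way an outside observer could know k of this person's purchases.
        for sample in combinations(sorted(trace), k):
            known = set(sample)
            matches = sum(1 for other in traces.values() if known <= other)
            unique += matches == 1  # only one trace fits: re-identified
            total += 1
    return Fraction(unique, total) if total else Fraction(0)


if __name__ == "__main__":
    print("k  day+shop  day+shop+price")
    for k in (1, 2, 3):
        print(k, unicity(RECORDS, k), unicity(RECORDS, k, with_price=True))
```

A result close to 1 for small k means that removing names and card numbers has not made the data set safe to release; coarsening or suppressing fields and re-running the measurement shows whether the risk actually drops.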

Credit card companies and financial institutions routinely point to their use of metadata as a saving grace of sorts, saying that personally identifiable information is excluded from these mass tactics and that individuals aren’t at risk.

But a failure to disclose data gathering and information sharing practices is against federal law. Safeguarding sensitive data is enshrined in the Constitution of the United States, but active adherence is far from guaranteed.

And the fact is that anonymized data can still be used to track and identify you.

“With just a few data points, it is often possible to ascertain the identity of an individual, even though the data has been scrubbed of identifying information,” explained Paul Stephens, the director of Policy and Advocacy for the Privacy Rights Clearinghouse in San Diego.

“Privacy experts have been aware of this problem for years.”

What can you do to prevent this?

While it’s not possible to hide your mailing address, gender, or name from your bank or credit card issuer, there are other details you can opt to exclude.

For example, your marital status, dependents, and other personal information don’t need to be disclosed. Plus, it’s okay to refuse to give other companies your real name, phone number, or address if it isn’t absolutely necessary.
