Slashdot Mirror


The 600+ Companies PayPal Shares Your Data With (schneier.com)

AmiMoJo shares a report from Schneier on Security: One of the effects of GDPR -- the new EU General Data Protection Regulation -- is that we're all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, that just released a list of over 600 companies they share customer data with. Here's a good visualization of that data. Is 600 companies unusual? Is it more than average? Less? We'll soon know.

48 comments

  1. Looks alarmist by Anonymous Coward · · Score: 1

    This looks alarmist, but really the only surprising thing is how many companies they partner with under marketing is almost the same number as they partner with for anti-fraud.

    Despite that, one legal link.

  2. Not that shocking by JaredOfEuropa · · Score: 5, Informative

    A good many of these seem legit: companies to which PayPal has outsourced work, or partners such as banks, which all form an integral part of PayPal's actual operation. The shady ones are the companies listed under "marketing and communications". But all in all there aren't many shocking revelations in there. The sheer number seems high until you look at the list, and realise that this is what comes with running a global service.

    What we see there in some cases is that "shared data" also includes data collected by embedded crap from 3rd parties such as FaceBook (which pretty much every site has these days). "Advertising ID and device ID to segment user groups based on app behaviour, encrypted e-mail address associated with PayPal users (without indicating account relationship), IP Address, Anonymous ID generated by cookies, pixel tags or similar technologies embedded in webpages, ads and emails delivered to users. Mobile advertiser ID, IP Address and other metadata via Facebook SDK in mobile apps." Yeah, just about what we expected, and it's good that they actually include this sort of stuff on the list.

    Here's an odd entry: Carrenza Limited (UK) | To hose a marketing database | Name, address, email address, business name, domain name, account status, account preferences, type and nature of the PayPal services offered or used, and relevant transaction information. I just wish that wasn't a typo...

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:Not that shocking by Anonymous Coward · · Score: 0

      Shut it PP shill. We don’t want to hear fellating your master.

      It takes sharing data with only a single marketing company operated as a shell company by PP who then spews it forth in unlimited amounts to everyone that pays them a buck.

      If PP was serious about privacy, they would have stated that they only share data on individual transactions as needed or for legal compliance and that they don’t sell data in any way, shape or form. Once they don’t do that, everyone knows it’s not in their financial interest to serve you but to serve you to others.

    2. Re:Not that shocking by houghi · · Score: 5, Interesting

      I work in the financial industry in Brussels, Belgium and we do not share customer information with banks or anybody else.

      e.g. you go into a store and open a credit to buy a TV. The person working for Seller will put in the data on our platform. No sharing of personal data is going on.

      With another partner, we had to make a secondary company where we BOTH were partners, just so we could share the data.

      The third parties we work together with will get very limited data. Basically just a name, address and phone number and they better not do anything else with it, or else. Yes, that is marketing.

      Sharing it with 600 companies? Seems extremely high to me. Especially for a financial company. What they need to share is very well regulated up to the wazoo. Stricter regulations are coming (I believe in May) and they will overturn the current Belgian law and turn it into a European law.

      Seriously, 600 is a shitload. We deal with plenty more companies and we have about 4 we share data with and that is strictly regulated.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Not that shocking by AmiMoJo · · Score: 1

      It's interesting because we can potentially build up a map of these business relationships and see how they abuse our data to profile us, and because it will make tracking down the source of leaks easier. When one of these companies gets hit with a leak we can see all the upstream victims who shared data with them.

      It's also a handy map of easy pickings for hackers looking to nab some PayPal data. Most of these companies that work is outsourced to have crap security.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Not that shocking by JaredOfEuropa · · Score: 2

      Not at all the same business or scale, by the sound of it. Even so, aren't you sharing data with a lot more companies? For instance, if you collect monthly fees from customers by direct debit, you are sharing personal data with their banks.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re:Not that shocking by Anonymous Coward · · Score: 0

      Only one of those 600 companies needs to be a hostile foreign intelligence service and then the whole country is fucked.

      It's not just the data collection that people have to worry about. Paypal has been banning people for their politics. Oppose ISIS? You're out. Are they under pressure from these "partners"?

    6. Re:Not that shocking by Maritz · · Score: 1

      HAHAHA Yeah all he does is 'oppose ISIS'. Meanwhile, vile 'leftists' are letting ISIS cells operate from their spare bedrooms. Pretty funny how you felt you had to characterize it like that.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    7. Re:Not that shocking by gaspyy · · Score: 1

      The third parties we work together with will get very limited data. Basically just a name, address and phone number

      This is considered personal information, and under GDPR PayPal has to disclose it.

    8. Re:Not that shocking by adosch · · Score: 1

      Absolutely. I think this is going to be the classic phrase with a twist of you _now_ know what you _didn't_ know vs you _don't_ know what you _don't_ know and I think it's going to hit that home run a lot of people need to think about: are these free services where we-are-the-customer worth it?

      We loosely throw around the idea that we, as consumers, all know our 'data' is 'shared', but to what level and to whom? There's going to be a small movement of douche-bags who are going to manufacture being 'offended' by screaming about on the same platform(s) they are now trying to fact-shame into oblivion about "this isn't what I signed up for when I wanted to use your whatever AND it was free".

      I'm with you, I'm waiting for more of this disclosure to happen and see all the heat-maps and correlations as well. It's going to get really interesting over the summer as the compliance to this EU GDPR makes its rounds.

    9. Re:Not that shocking by postbigbang · · Score: 1

      There are 600 companies, each of whom can have a tasty snack of your data. Each of these companies has only the strictest security. I'm sure NO one could do proxy queries, because all 600 have the best security ever!

      No, there can't be a nearly exponential number of hack possibilities with 600 partners. No factorial representation of port open across so many different jurisdictions.

      I'm just positive it's as tight as a drum. Has to be, eh?

      --
      ---- Teach Peace. It's Cheaper Than War.
  3. So everybody by Anonymous Coward · · Score: 1

    They give literally everything to everyone for every reason. Mostly the reason seems to be money, there are a lot of data brokers on that list.

    This "To verify identity and carry out checks for the prevention and detection of crime including fraud and/or money laundering. RESEARCH AND TESTING as to appropriateness of new products"
    Research and testing is literally any cover reason for getting the data.

    The list of companies are largely data brokers, some for marketing some for intelligence gathering, some governmental. Giving a known data broker everything including a copy of the photo ID, presumably as the result of a monetary transaction is clearly illegal in Europe at least. It likely violates the banking privacy act in the US too.

    Put it this way, Putin's front data broker is on the list. Paypal have given access to every US Congress/Senate critter's documents and transactions to Putin's nerve gassing friends. Time to implement a privacy law in the US? Or is this like the NRA, too much lobby money to do it?

  4. PayPal not such a concern by Anonymous Coward · · Score: 0

    I got the heads up about PayPal privacy revisions months ago. Yes, they do seem to share with a lot of others. But clearly PayPal is a large company itself doing business with many areas of the economy. My interest is more in protecting my information through this exchange, not how many receive it as long as it's legitimate. At least PayPal tells you up front and you can choose not to accept it and move on. Nobody forces you to use PayPal.

    1. Re:PayPal not such a concern by stooo · · Score: 1

      >> Nobody forces you to use PayPal.
      You've never used Ebay, it seems
      (Others also similar)

      Also, often, when you pay per credit card, you automatically are using paypal without even noticing, and boom, your purchase, address, and private data is gone.

      --
      aaaaaaa
    2. Re:PayPal not such a concern by Anonymous Coward · · Score: 1

      You've never used Ebay, it seems

      Argument still stands. Nobody forces you to buy (or sell) on Ebay. Paypal isn't unavoidable. Even credit cards aren't (a whole lot more difficult to avoid but still)

    3. Re:PayPal not such a concern by TheRaven64 · · Score: 3, Insightful

      eBay no longer forces you to use PayPal. They did back when they owned PayPal, but that doesn't really count because any data that PayPal had, eBay also had.

      --
      I am TheRaven on Soylent News
    4. Re:PayPal not such a concern by Megol · · Score: 2

      That's not an argument - it's fantasy.

      Nobody forces you to buy food.
      Nobody forces you to seek medical treatments.

      So you aren't forced to use money. You will not live but then nobody forces you to stay alive.

      Nobody forces you not to kill or do other illegal actions, it will have consequences but the choice isn't forced upon you.

      (Skipped some steps in the reductio ad absurdum (sp?) argument, the rest is left as homework for the reader)

    5. Re:PayPal not such a concern by itwerx · · Score: 1

      eBay no longer forces you to use PayPal.

      Yes, they do.
      Try any other payment method and see where it takes you...

    6. Re:PayPal not such a concern by Anonymous Coward · · Score: 0

      Hmm, paying with credit card seems to work just fine for me for most sellers. It's up to individual eBay sellers as to whether they require PayPal, credit/debit cards or either for purchases.

      Also, https://www.ebay.com/help/buyi... ...

      Paying with PayPal
      PayPal is how most eBay users pay for their purchases. It's easy to link your eBay account to your PayPal account for a streamlined checkout experience.

      Paying for items with a credit or debit card
      You can also pay for your eBay items with a card. Find out how you can add, update and pay with credit or debit cards.

      Vouchers and discounts
      You can pay for all or part of a purchase using an eBay voucher. To pay with eBay vouchers, you need to be a registered eBay member, and use PayPal.

  5. Nothing to do with outsourcing by Anonymous Coward · · Score: 5, Informative

    e.g. pull one from the list at random: Global Data Consortium.

    "To verify identity and carry out checks for the prevention and detection of crime including fraud and/or money laundering; research and testing as to appropriateness of new products"

    There's the cover (fraud prevention) and the catchall "research and testing" which covers any reason at all.

    GDC sell data, they buy it from "Data Partners" and resell it. They phrase it real nice here:

    "We invest in our data partners, establishing deep relationships with them and providing them with technology to make their information available on our platform. We give them access to a broader market through our MARKETING AND DISTRIBUTION programs, PAYING FAIR ROYALTIES that reflect the value of their services."

    i.e. they are a data broker that pays Paypal royalties for selling your data to others. A conduit rather than an endpoint. And Paypal use the catchall phrase to cover bulk sales of all data.

    1. Re:Nothing to do with outsourcing by TheRaven64 · · Score: 1

      It's something of an oversight for the GDPR not to require that you list all endpoints. I can imagine PayPal 'fixing' this problem by sharing data only with PayPal US Incorporated, a company based in the USA that has no dealings with any EU company other than PayPal, and then sells on all of the data that PayPal sells to them.

      --
      I am TheRaven on Soylent News
    2. Re:Nothing to do with outsourcing by JaredOfEuropa · · Score: 1

      Under the GDPR as well as the DPA (in the USA), the data controller (the entity collecting the data) remains responsible for what happens to the data. Data processors (3rd parties, in your example PayPal US) are very limited in what they can do with personal data they received from data controllers. Under the DPA for instance, they can only pass that data on to others (4th parties?) 1) with the data subject's explicit permission (not just given in ToS), or 2) under specific provisions set down in the law. For example: aggregated and de-anonymized data can sometimes be shared (with the caveat that de-anonymized data can often trivially be linked to a specific person, which is a separate issue)

      How does the GDPR account for data shared with an entity in a country that has insufficient data protection laws? Keep in mind that the data controller is always responsible for what happens with the data, so if something gets shared along such a route, they get the fine.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:Nothing to do with outsourcing by DogDude · · Score: 1

      That's neat, but how is that law remotely enforceable?

      --
      I don't respond to AC's.
  6. My Paypal Name is Sausage McMuffin by Anonymous Coward · · Score: 0

    Share away, Elon! I signed up for Paypal with the name "Sausage McMuffin". I can't change it easily, because they instituted all these name change rules later. I make maybe one or two purchases with Paypal a year (and I would never be so foolish as to share my bank info with Paypal). Share as you wish, guys!

      - Sausage McMuffin

    1. Re:My Paypal Name is Sausage McMuffin by Anonymous Coward · · Score: 0

      Elon hasn't been part of Paypal since the early 2000s....

  7. CCC Leipzig? by Anonymous Coward · · Score: 0

    Is that the Chaos Communication Club?

  8. Terrible infographics by Anonymous Coward · · Score: 0

    I hope she's not into infographics, or computer graphics, or user interface, because she did a poor job. Rebecca Ricks

  9. Now we know by Beeftopia · · Score: 1

    Now we know where these online data aggregators get their information from. They have startling amounts of information about people. It makes stalking a breeze. Before, you'd have to go to the local court and attempt to social engineer a clerk. Now it's just a Google query.

  10. Let's stop calling it "sharing" by Anonymous Coward · · Score: 4, Insightful

    "Sharing" is a friendly gesture and a positive thing. This is neither friendly nor positive -- it's an act of pure greed. What these companies are doing is selling your personal data, not "sharing" it.

    1. Re:Let's stop calling it "sharing" by Maritz · · Score: 3, Interesting

      Your ISPs are allowed to sell your browsing data, lol. I guess corrupt representation leads to that kind of situation.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    2. Re:Let's stop calling it "sharing" by Anonymous Coward · · Score: 1

      My point was that using the term "sharing" instead of "selling" is a deliberate attempt to disguise their actual behavior and intent. I find that despicable. Don't you?

    3. Re:Let's stop calling it "sharing" by Anonymous Coward · · Score: 0

      ISP's don't really have that data. There are IP's on packets, but even the local burger joint has TLS now, so all they get is burgerjoint's IP. And DNS is not done with the ISP. So there is a shitton of headers to correlate just to see that I went to burger joint website. And even then there is no way to know if I ordered, or what I ordered, etc. ISP's selling browsing data is a FUD thing, like the fabled "slow lanes" in the debate about network ownership rights.

    4. Re: Let's stop calling it "sharing" by Anonymous Coward · · Score: 0

      It's not just misleading... sharing does not involve exchange of money. Selling and renting do. So if PayPal got paid for the sharing, whether up front or later via royalties, it wasn't sharing.

      When a sleazy executive enters a donut shop are they sharing their product with him or selling? Selling. When he enters the brothel are they sharing or selling? Selling. When he enters the country club are they sharing their facilities with him or renting? Renting. When he goes to jail for insider trading and his cell mates take turns with him are they sharing or selling? Sharing, because that's what friends do.

      PayPal... Ugh... we locked you out of your account due to inactivity ... so how the f*** am I supposed to use it now??

  11. Just assume ALL companies are Windows 10 by Anonymous Coward · · Score: 0

    Forced Telemetry / spying, installing programs you do want, taking away your choices.

    Sitting down and your computer to feel like your nice computer is an enemy.

  12. Re:Equivalent to 3 billions by Anonymous Coward · · Score: 0

    the real question is, why haven't you just topped yourself yet?

  13. I had a PayPal account briefly, by jenningsthecat · · Score: 2, Insightful

    back when they first started. They were such assholes that I've only used them once or twice since. And even then, it was only their credit card processing service that I used, and only because I really, really wanted to donate money and that was the only way to do it. In the meantime there have been lots of musical artists, software authors, etc. that I wanted to give some money to - but not badly enough to suck it up and support a company that I'd like to see die. As for making purchases, if PayPal is the only way to pay, then I simply don't buy. I've made special arrangements to do Interac transfers, both to make a point with a vendor, and as a 'fuck you' to PP. As for an actual PayPal account with my money in it? I wouldn't be caught dead with one of those. PayPal is utterly evil, and I'm glad that the choice to never support them in any way is a viable one. Now if only I found it viable to make the same choice with Google...

    I'd like to hope that this latest report about PayPal will hurt their business. Sadly, I don't think it will.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:I had a PayPal account briefly, by Anonymous Coward · · Score: 0

      Fucking PayPal sucks monkey balls. They will freeze your account without the slightest provocation, and not unlock it until whatever hoop they are attempting to make you jump through is met...unless they add more hoops after that one, ad infinitum. And you have zero recourse.
      They seriously need to go the way of the fucking dodo...post-haste.

    2. Re:I had a PayPal account briefly, by Anonymous Coward · · Score: 0

      Even with all that I'd rather trust PayPal with my credit card details than Hewlett Packard's retail site.

  14. LinkedIn Data Sharing by Anonymous Coward · · Score: 1

    LinkedIn recently started sharing their "private" data with public records databases such as Intelius. (https://en.wikipedia.org/wiki/Intelius)

  15. Selling your dignity by DogDude · · Score: 0

    I don't have much respect for people who sell their dignity for a few seconds of convenience. If you use PayPal, or Amazon or Google or Facebook or Apple, you're a sucker, plain and simple.

    --
    I don't respond to AC's.
    1. Re:Selling your dignity by Oswald+McWeany · · Score: 1

      I don't have much respect for people who sell their dignity for a few seconds of convenience. If you use PayPal, or Amazon or Google or Facebook or Apple, you're a sucker, plain and simple.

      Or visa... or mastercard... or discovery... or American express... or shop at any store online... or visit any website... or have an ISP... or have a mobile phone provider... or have a bank account... or...

      The problem is, it's not just one or two stores. It's not just one or two institutions. They're ALL collecting data on you. They're ALL sharing information about you. You don't use Google or Facebook... do you think that means they don't have copious data about you? They do.

      You could limit who you do business with- but that means you have to do business with who's left- and they get more concentrated information about you (and share it with Google, and Facebook and...). The concern here should be that even if you're not a customer of "XYZ" - they're still buying your data from elsewhere, maybe your bank, maybe your ISP, maybe both... The world is one interconnected web of privacy violation.

      --
      "That's the way to do it" - Punch
    2. Re:Selling your dignity by DogDude · · Score: 0

      No, not all. You can shop locally and use cash. It works fine. I think that you may mean to say that it's *convenient* for you to do business with all of these soul-sucking shit companies, and less convenient to do business with respectable companies. They're not "ALL" doing this. Just the ones that you see as most convenient.

      --
      I don't respond to AC's.
  16. It's not ok! by Anonymous Coward · · Score: 0

    A good many of these seem legit: companies to which PayPal has outsourced work, or partners such as banks, which all form an integral part of PayPal's actual operation. The shady ones are the companies listed under "marketing and communications". But all in all there aren't many shocking revelations in there. The sheer number seems high until you look at the list, and realise that this is what comes with running a global service.

    I disagree! Under 'operational' it lists Microsoft US to obtain the images of the profiles. I don't find that OK and this has nothing to do with the purpose of being a payment processor.

    I hope the EU will take appropriate action!

  17. Stop using PayPal for plain transactions by Anonymous Coward · · Score: 0

    Only use PayPal when it's absolutely necessary. Remember that you can sell to people in your own country much easier than via PayPal, in particular in the EU where Internet banking is growing faster than anywhere else.

    There is often no need to use PayPal, and cutting out this middle-hand will 1. lower all the fees for you/customers and 2. keep both your and your customer's data private.