Privacy.com concerning privacy policy

The Mozilla extension page for privacy.com states:

To use this extension, we will need your consent to collect the following information:

We also collect information about your device for anti-fraud purposes, including IP address, operating system, and browser type.

Isn’t this a bit antithetical to Privacy Guides’ purpose?

Source: Privacy | Protect Your Payments – Get this Extension for 🦊 Firefox (en-US)


Initial thoughts

PG generally does not recommend browser extensions, let alone this specific extension. You should therefore instead link the actual privacy policy, not the extension page.

Since you are in the Site Development category, this post most resembles a removal suggestion. If you would prefer a general discussion about it, you should switch it accordingly, maybe to General. If this is still intended to be a removal suggestion, you should propose a change in the criteria for the financial services section. That is where the problem seems to lie. There are no criteria against device data collection, so the next step would be to change that rather than directly look at each individual recommendation.

I am not thrilled with them collecting such data. I am certainly not glad for it, and I would rather they not collect it. But it seems to be overall fine, since the result of using such a service trumps its data collection for my threat model. I use Privacy.com as a countermeasure for data breaches on other websites that I use my virtual cards on. The major issue I do have with it, however, is that they can sell this Device Data during a bankruptcy and potentially share it in other circumstances (which I talk about below), not that they merely collect it.

Analyzing the privacy policy

Their privacy policy was last updated on December 15, 2023. ToS;DR’s analysis of it is therefore out-of-date, having analyzed it on July 11, 2023.

“Information” and “data” seem to be used synonymously in this policy a lot. There is no strict definition being employed here. Therefore, you can generally take them to be synonymous unless stated otherwise.

Fingerprinting

The privacy policy states that Device Data is collected for anti-fraud and payment protection purposes. I am familiar with how this information might be necessary for “anti-fraud”, but not for “payment protection”. I implore others in the know to explain what “payment protection purposes” means, and if such collection of information is usually necessary.

Something odd to note, however:

  • For anti-fraud and payment protection purposes:
    Transaction Data: when, where and how a transaction takes place including, but not limited to, the devices and payment methods used
    Device Data: hardware model, operating system, unique device identifiers, mobile network data, browser type, and Internet Protocol (”IP”) address
  • Transaction Data: when, where and how a transaction takes place including, but not limited to, the devices and payment methods used
  • Device Data: hardware model, operating system, unique device identifiers, mobile network data, browser type, and Internet Protocol (”IP”) address

They repeat “Device Data” twice. This structure can imply that Device Data is used not just for anti-fraud and payment protection purposes, but also for other purposes. This will be relevant later.

Potential issue of self-referential definition of “Improvement” of experiences/Services

They say they do not sell information for advertising or marketing purposes, but it can still be potentially shared in scenarios outside of that scope, such as “to ensure best possible experience with [their] Services”, or to “improve [the] Services”:

Our Commitment to User Privacy

We collect and use the minimum amount of your data necessary in order to stay in compliance with bank and payment card industry requirements, and to ensure the best possible experience with our Services [bold added]. We do not sell user information for advertising or marketing purposes.

We Limit Use of Your Personal Data to:

  • Verifying your identity
  • Protecting the legal rights, property and safety of our Services and users
  • Providing, maintaining and improving our Services [bold added]
  • Sharing personal data with a merchant with whom you open a Payment Dispute for a transaction

However, “improvement” and “experiences” are only ever used in the context of cookies, not Device Data:

  • To improve your experience with our Services:
    • Cookies: small data files we may store on your computer or mobile device memory to help us manage your engagement with our Services (discussed below)

Cookies

We and our partners use cookies or similar technologies to offer an enhanced experience and Services to users who wish to allow them. These technologies help us analyze trends, administer the website, track traffic, and gather information about users. For information on how to block cookies, see below.

We use cookies to track preferences and settings (e.g., so we can remember your preferences, like whether you’ve selected a “do not display banners” option), for sign in and authentication (e.g., so you don’t have to sign in each time you return to the site, or sign in again whenever you move to a new webpage), and for analytics purposes (e.g., to count page visitors or obtain statistics about our Services’ operations that help us improve our website and Services). We may use cookies from third-party providers.

Cookies are used (1) to track preferences and settings, (2) for sign in and authentication, and (3) for analytics purposes. The obvious issue here is number 3. Number 3 allows cookies to be used “e.g., to count page visitors or obtain statistics about our Services’ operations that help us improve our website and Services [bold added].” Notice how the term “improve” is used here as well. This policy uses a self-referential definition of improve, meaning that “improving the Services” is not explicitly defined at all. Take that as you will.

As long as Device Data is not related to cookies (which it seems not to be, as defined in the policy, but someone let me know otherwise), this potential issue of self-referential definitions about improvement of Services is not relevant to it. Any exploitation that is possible with the self-referential definition is therefore only relevant to cookies, not the fingerprinting done via collection of Device Data.

Look at this portion of the section in which they “explicitly” explain when they share data:

We may share aggregated and anonymized information that does not specifically identify you or any individual user of our Services.

“Analytics purposes” from the previous section about cookies can fall under “Aggregated and anonymized information” in this section here. This is where exploiting the legalese can happen. This means that they were able to say they could share data related to cookies without explicitly stating it in the cookies section by appealing to the “improvement of Services” or whatever. To me, this is not as big of an issue since the information is anonymized. But it’s still confusing for lay people, and I think any privacy-respecting privacy policy should aim to be as clear as possible to lay people as best they can.

Circumstances under which they share data

They “explicitly” explain the circumstances under which they share data here:

We Share Personal Information Under Controlled Circumstances Only:

  • With third parties who may access data about you to provide you with the Services
  • With third parties who may access data about you to perform functions on our behalf
  • With financial institutions, processors, payment card associations and other entities that are involved in the payment process
  • With government and law enforcement where reasonably necessary to protect user or public safety or comply with applicable law, regulation, legal process, governmental request
  • With others where reasonably necessary to protect the security or integrity of our Services or user safety
  • In connection with, or during the negotiation of, any merger, sale of company stock or assets, financing, acquisition, divestiture or dissolution of all or a portion of our business, or
  • With your consent

We may share aggregated and anonymized information that does not specifically identify you or any individual user of our Services.

Recall the first paragraph above on fingerprinting: They stated that they collected Device Data (i.e., they fingerprinted you) for anti-fraud and payment protection purposes. But the structuring of the policy implies that they can also collect such data outside that scope.

The potential scope of sharing such Device Data is therefore listed out in the above quote: they are able to share Device Data (your digital fingerprints) under those circumstances laid out. The issue is that it is not explicitly laid out when Device Data is actually shared, so you can most likely consider all of those circumstances as potential avenues for your fingerprint to be shared.

The first three circumstances laid out are explicitly third parties and “financial institutions, processors, payment card associations and other entities that are involved in the payment process”, which are usually considered first parties. But those non-Privacy.com first parties may have irresponsible, privacy-invasive privacy policies, meaning that if Device Data is shared with them, it’s always possible that they can share or sell your Device Data.

The fourth and fifth circumstances are these:

  • With government and law enforcement where reasonably necessary to protect user or public safety or comply with applicable law, regulation, legal process, governmental request
  • With others where reasonably necessary to protect the security or integrity of our Services or user safety

This is presumably what was referred to when talking about anti-fraud and payment protection purposes in the earlier sections. But it can also mean that law enforcement can potentially request Device Data from them. If you are involved in activities that attract law enforcement in any way, you don’t want to use Privacy.com, which is an obvious point. Privacy.com is not for high threat models.

A worrisome circumstance is the sixth…

  • In connection with, or during the negotiation of, any merger, sale of company stock or assets, financing, acquisition, divestiture or dissolution of all or a portion of our business, or

… which says that our data, including Device Data, can be sold as part of a bankruptcy, among other things… Kind of worrisome.

How long do they keep this data?

We Retain Personal Data as Required by Law

When you close your account, financial regulations require us to retain certain information for at least a minimum time period that varies based on the information involved:

  • Identity verification data: 5 years from the date of account closure
  • Payment card data: 5 years from the date of account closure
  • Funding bank account information: 6 years from the date of account closure
  • Audit logs: 3 years from date of creation
  • ACH transactions: 6 years from the date of an ACH entry

Device Data might fall under “Audit logs” if it is collected for anti-fraud and payment protection purposes. If this is so, such data is deleted 3 years after it is collected (or “created”, using their words). This is better than the other forms of data listed.

However, since we’ve established that they can collect Device Data outside that scope, it’s possible that it can also fall under those other forms of data as well. This is probably not likely, since the other forms of data (identity verification data, payment card data, funding bank account information, and ACH transactions) do not seem related to Device Data as it is described in the policy.

One thing to note: The first three are only deleted after a set time following account closure. So if Device Data does fall under this, it is also retained for a set time after your account closure. But again, it’s not likely the case. The last one (ACH transactions) is deleted 6 years from the “ACH entry”. If Device Data falls under this, it is automatically deleted, thankfully. But the set time is a bit long in my opinion. I doubt that Device Data falls under this form as well, so it’s irrelevant nonetheless.
