[HN Gopher] Plaid settled $58M lawsuit over alleged consumer dat...
___________________________________________________________________
Plaid settled $58M lawsuit over alleged consumer data sharing
Author : exotree
Score : 194 points
Date : 2021-08-16 16:45 UTC (6 hours ago)
(HTM) web link (finledger.com)
(TXT) w3m dump (finledger.com)
| prepend wrote:
| Plaid's terms are really concerning to me as a user and I'm not
| willing to give them my bank credentials. My main fear is that
| they get hacked and my credentials are used to drain my accounts.
| Plaid waives any liability and my bank doesn't do much if my
| credentials are used to do stuff like initiate wire transfers.
|
| Venmo is doing this weird thing where for some transactions they
| are saying they require plaid to get my bank credentials to log
| in and "verify." Of course that breaks my first issue. But it
| also allows them to suck up and use all of my bank transactions
| forever.
|
| Seems like a shitty tradeoff just to Venmo money to people.
| toomuchtodo wrote:
| I would recommend considering a bank that supports Zelle
| payments. Cut out the middleman (PayPal/Venmo). Fed Instant
| Payments are around the corner (2023), at which point instant
| payments should be available ubiquitously.
|
| https://www.zellepay.com/get-started
| eshyong wrote:
| This recently happened to me as well - Venmo tried to
| invalidate my payment method and pushed me to go through their
| "instant verification" process. Note that "manual verification"
| (i.e. the deposit method) is still an option on their app,
| though you may have to remove your current bank credentials and
| re-add it.
| tommoor wrote:
| Top tip: If you don't want to give Plaid your banking credentials
| and all of your purchase history (you really shouldn't,
| irregardless of this lawsuit), just search for gibberish in the
| "search for bank" option in any app that implements Plaid to get
| the option to "link manually"...
| fasteddie wrote:
| I'm a bit confused reading this. Is the lawsuit that users
| signing up for e.g. Venmo didn't know that they were also giving
| their transaction history/whatever to Venmo, or that Plaid was
| then taking the data passed to Venmo and reselling to, I don't
| know, a hedge fund?
|
| If it's the former -- I certainly think services need to clearly
| state what/why/how they are using the data, but it's on the
| services (like Venmo) and not Plaid.
| meowtimemania wrote:
| I've used Plaid to login to my bank account. How do I delete all
| my data from Plaid??
| jeandenis wrote:
| (Plaid CTO here)
|
| You can use the Plaid Portal (https://my.plaid.com) to view
| what types of data are being shared, to revoke access (to both
| the apps and Plaid) and delete data stored in Plaid's systems.
| You can also put a data deletion request through support.
|
| Note as per my comment above that we don't, and have not, sold
| data. https://plaid.com/legal/#consumer-support
| dreyfan wrote:
| Why did you settle for $58M in fines when Yodlee does the
| same thing but they very blatantly sell customer data, and as
| of yet, remain untouchable?
| briffle wrote:
| I have tried to login to this site, registered my phone
| number, and it says it can't find any accounts of mine. yet I
| know YNAB uses plaid as its backend, and has links to my
| banks, credit card companies, and even my mortgage.
|
| Is this a bug, or are those of us that use certain 3rd
| parties not able to see our data?
| jeandenis wrote:
| Would love to help with this. YNAB hasn't always been a
| Plaid customer, so it might have been a historical
| connection -- either way, please contact our support team
| to help you figure this out ASAP https://my.plaid.com/help
| SevenSigs wrote:
| You have customers that use consumer data and they don't
| have to pay for it? Where can I get this free data?
| lutorm wrote:
| If you change your bank credentials, at least your current data
| is safe. You mean how to delete the data they scraped?
| buu700 wrote:
| I did this recently (well not all my data, but one bank
| account). I had to go through customer support, and they had
| some trouble with it but eventually figured it out.
|
| I'm not a fan of Plaid. The core concept is great, but training
| users to enter credentials (much less _banking_ credentials)
| into third-party sites is nuts. Nowadays, it would be easy for
| someone to pivot from a compromise of a random company's web
| server to impersonating Plaid and pwning most of their
| customers' bank accounts.
|
| This would be trivial to fix by deprecating their current UI
| and switching to a small popup or redirecting to a different
| URL.
| paws wrote:
| I recently received a helpful reply about liability from an HN
| user who says they're a Plaid employee. Thanks @phoenixy!
|
| https://news.ycombinator.com/item?id=27982516
|
| While I'm still trying to understand the bigger picture
| implications, maybe you will find this helpful too.
| [deleted]
| cmer wrote:
| It is absolutely crazy that in 2021, banks still don't have
| proper secure APIs for other software to interface with. Plaid is
| a major disaster waiting to happen.
|
| Are there any banks moving in that direction? I know of exactly
| zero in Canada.
| sprawl_ wrote:
| Regarding Canada, there has been some (slow, small) progress in
| this area. https://www.canada.ca/en/financial-consumer-
| agency/services/...
| g_p wrote:
| The UK and EU have both adopted effectively what you describe
| under PSD2 - the UK banks in particular were forced by their
| competition and markets regulator (CMA) to adopt open
| interoperable APIs.
|
| The end result, now it's available, is that you have 2 levels
| of API access. One is for access to account information (I tend
| to think of this as read-only access), and the other is to
| allow for "payment initiation" (think of it as write access,
| although not a perfect analogy).
|
| An account information service provider (AISP) can do things
| like aggregate bank accounts into one view, across different
| banks. A payment service initiation provider (PISP) can create
| payment gateways and initiate payments against a bank account
| using an authenticated session (enabling direct bank payment
| online, without needing a debit or credit card and the
| associated infrastructure around that).
|
| You can't just rock up and access the APIs though - I believe
| you need to get your application approved and engage with the
| regulator, which is probably for the better, to avoid the "app
| store problem" of loads of apps springing up in the API
| ecosystem, asking for permission, then just leeching data to
| third parties after you apparently consent on page 46 of their
| terms.
| toomuchtodo wrote:
| This is the template for US financial regulators and
| legislators to implement. Plaid is filling a regulatory
| vacuum.
| imglorp wrote:
| It's a vacuum that encourages banks to continue sabotaging,
| foot dragging, and target moving.
|
| The result is middle apps that are forced to use sketchy
| anti-patterns like screen scraping and asking for user/pass
| instead of each bank issuing a per-app token. The banks are
| just fine with this because anything that explodes will be
| the middle app's fault and they want to preserve their
| otherwise moatless situation. Consumers can't really tell
| banks apart so they have to force retention.
| Graffur wrote:
| From my view, PSD2 has been slowly and terribly introduced.
| Would love to hear from some people who are AISPs or PISPs
| though.
| sergiomattei wrote:
| The problem isn't banks not having APIs, the problem is not
| having standard APIs for accessing them. The situation wouldn't
| be any better if every bank had its own proprietary API, hence
| why Plaid exists.
| ydant wrote:
| The situation _would_ be better than it is now, even with
| every bank implementing their own proprietary API. As it is
| now, the APIs may or may not exist - and a lot of times the
| fall-back for these services is web-scraping, using the same
| _full access_ credentials the user has to use to log in
| otherwise. It's a security nightmare and it's fragile.
|
| At least if the bank implements some sort of API that means
| some thought was probably given toward using tokens instead of
| username/password, and some thought was given toward scoping
| the APIs - at least into read-only and read-write capable
| access.
|
| Although if you read between the lines in some of the service
| descriptions and backend documentation, a lot of what Plaid
| (and Yodlee, and others) do is now a mix of scraping and
| private APIs the banks provide, but those APIs are only
| available to commercial entities they've signed a
| relationship with.
|
| Obviously the ideal is public standardized APIs all banks
| provide with established security-focused practices and read-
| only limited data access as an option. But proprietary per-
| bank APIs available to the general public would be a good
| step forward.
| judge2020 wrote:
| > The situation would be better than it is now, even with
| every bank implementing their own proprietary API.
|
| Well, I think that would barely change everything on the
| consumer side. Nobody is going to go through and integrate
| with the hundreds of credit unions and local banks just for
| their app - if anything it only encourages a few extra
| companies to enter the battle with Plaid.
|
| Hopefully FedNow fills this void, at least for the U.S.
| market. https://www.frbservices.org/financial-
| services/fednow/about....
| shostack wrote:
| What is the bank's incentive to offer this? Answer that and
| you'll have the answer to your question.
| mjcl wrote:
| Wells Fargo worked with Plaid to implement a direct API
| (incl. oauth) because it meant Plaid would no longer hold
| onto the credentials of millions of WF customers.
| foxcurve wrote:
| I see it as a differentiator and unique competitive
| advantage. New banks aren't solely competing on interest
| rates and fees, but also on social and personal interests.
|
| I'll post a snippet we recently added to our pitch deck:
|
| > _Accounts like those catering specifically to the LGBTQ+
| community (https://joindaylight.com), the Black community
| (https://firstboulevard.com), individuals interested in
| supporting renewable energies (https://www.tomorrow.one/en-
| EU/), and social media creators (https://www.trykarat.com/)
| have proliferated. Retail accounts catering to the unique
| wants and needs of software developers is a natural next
| step._
| Gh0stRAT wrote:
| Chase is the only big US bank I'm aware of which lets you give
| Oauth tokens with limited permissions to third parties.
| ceejayoz wrote:
| Capital One and Citi both have OAuth APIs that permit
| different levels of permissions.
| xtracto wrote:
| And the Capital One flow was utter crap the last time I had
| to program against it. A past company I was in used a Plaid
| competitor that suddenly had to implement Capital One flow,
| which was utter shit, including their (Capital One) Sandbox
| environments that basically didn't work.
|
| Banks are so held in last century technology...
| elliekelly wrote:
| The only way this will happen in the US is if Congress requires
| it. The vast majority of the infrastructure to make it happen
| already exists. Especially with the large custodial banks
| offering "white label" services.
| JohnWhigham wrote:
| The Federal Reserve could go ahead and do exactly this
| without Congress's help. You know, actually serve the people
| and come up with a solution to the changing times like they
| did with ACH back in the 1970s. That's probably asking too
| much of our leaders though.
| vmception wrote:
| The worst thing about Plaid is the alternatives to Plaid that
| I've never heard of
|
| There is no secure way to "connect your bank account" in an app.
| No matter how fancy it looks, or what logo they put up, you are
| really just giving your username and password to a random person.
| A random person who may or may not be malicious, but is
| absolutely a giant target for malicious people.
|
| As for the rebuttals, be nice if there was a way for users to
| verify.
| a-priori wrote:
| I just read the settlement document, and it looks like this is
| being reported incorrectly or at least ambiguously.
|
| The allegation is NOT that they shared/sold data to any third
| parties but that their Plaid Link user interface, where people
| enter their banking information to add it to Plaid, looks like
| the customer's financial institution (i.e, uses the bank's
| branding colours and logo).
|
| Because of this branding, people can reasonably assume that they
| are sending that data directly to their bank without knowledge,
| and therefore consent, to share their information with Plaid
| itself.
|
| If that understanding is correct then this isn't a business
| practice or security issue, but a user consent issue. That's a
| problem that definitely needs to be fixed, and the injunctive
| relief requires them to change the branding and disclosure to
| make it clearer that people are interacting with Plaid rather
| than their bank.
|
| But to me it's definitely not a reason to cancel your account or
| boycott Plaid or whatever.
|
| https://newmedialaw.proskauer.com/wp-content/uploads/sites/2...
| ahzhou wrote:
| +1. Bad reporting here. This seems to be mostly about consumer
| disclosure, not that what's happening under-the-hood is
| different than what your average security-conscious developer
| might expect after reading that Plaid doesn't sell your data.
|
| That said I think the suit makes a compelling argument that the
| disclosures should be better.
| ac29 wrote:
| Looks like there is some other deceptive stuff going on as well
| - for example, they apparently collected and stored transaction
| data even when developers didn't request it (at least, they are
| agreeing to delete this data now, so it must have been
| collected in some cases).
| a-priori wrote:
| Again, I don't see anything shady there. There's two things I
| see in the settlement about that:
|
| 1. They proactively retrieved transaction data when you
| connect an account. This sounds like an assumption that
| almost always people are going to want transaction data, so
| they just do it by default, presumably to improve the first-
| time user experience so the data's already there when you
| later request it. This is going to be changed to only
| retrieve transaction data on demand.
|
| 2. If Plaid's connection is broken (e.g. the user changes
| their password) then Plaid deactivates the connection but
| keeps the data. They've agreed to delete the data in this
| case. The drawback of this change is that since many
| connectivity issues are going to be temporary, this means
| that in those cases they'll need to delete the data, then
| retrieve it again when the user reconnects.
|
| Basically it sounds like they optimized a little too hard on
| user experience, especially when connecting a new account,
| and in the process they overstepped user consent. I don't see
| any bad intent there personally, it sounds like they were
| just a bit overzealous trying to make the experience super
| slick.
| ac29 wrote:
| Optimizing away user consent for collection and storage of
| highly sensitive banking transaction data certainly meets
| my bar for "shady".
| echopom wrote:
| > If all 98 million people were to file a claim, each would
| receive just 60 cents.
|
| Thank you, court of California, for incentivizing startups and GAFA to
| use our data knowing they risk nothing.
|
| Just to be clear, Plaid has raised 600+ million in its
| lifetime; this is nothing for them.
| bananapub wrote:
| it's so frustrating that this sort of shit keeps happening.
|
| 1. banks create gap in market by not providing useful access to
| their customer's data by...their customers
|
| 2. regulators don't step in to fix this market failure
|
| 3. some company steps in! yay!
|
| 4. company decides that charging customers for providing a good
| and/or service is insufficient, they need to do something creepy
| with selling off the customers data
|
| 5. lawsuit after the fact to maybe stop them being dickheads and
| definitely enriching a lot of lawyers
|
| why hasn't the FTC or something stepped in to make banks provide
| some secure read-only access?
| mistrial9 wrote:
| my colleague - you are missing the willing, enthusiastic,
| extensive and competing-to-out-do each other, aspect of
| tracking and selling profiles on "customers." I was told a
| story about a man in Florida making seven figures in the 90s by
| compiling and selling profiles, that were absolutely not legal
| and everyone knew it! so now it's legal right?
| zaptheimpaler wrote:
| 98M customer accounts for $58M so 60c a piece. Sounds like they
| got a great bargain! Justice is served!
| walrus01 wrote:
| The "Current" online-only bank insists on using Plaid if you want
| to transfer money from an existing account to Current. No thanks.
|
| https://www.google.com/search?client=firefox-b-1-d&q=current...
|
| Also apparently if you want to use Plaid with many different
| online banking portals, you need to permanently disable 2FA, also
| no thanks.
| nexuist wrote:
| FWIW my bank uses 2FA and it works with Plaid. Plaid has a
| working 2FA authorization process, they might just not have
| implemented with every portal yet.
| ve55 wrote:
| It is particularly sad how common scenarios like this are for users,
| especially in the US. I have known how terrible applications like
| Plaid (and alternatives) were, but at various points have been
| required to use them to do something like pay my rent (this is
| also a very common theme in my life: I strongly dislike a certain
| company or app, but find myself required to use them regardless,
| even knowing that my usage and information will be abused).
|
| Giving my full credentials _and my security question answer_ in
| plaintext to a third party in order to 'link my bank accounts',
| and then having them scrape every bit of information they can
| from my personal banking statements and sell it is... nothing
| short of a nightmare scenario, from many standpoints (user
| security, user privacy, user education, anti-phishing, and so
| on).
|
| I guess it's nice to see this class-action lawsuit, but that it
| amounts to an average of $0.60 per affected user is, well, not
| particularly inspiring with respect to my hope that things will
| ever get better here.
|
| Plaid is used by many industry leaders including Venmo,
| Robinhood, and Coinbase. When it's not used, usually a similar
| alternative is. Perhaps the most frustrating part of this is that
| placing blame on these companies is difficult, as there's no
| interoperability or open banking APIs that can be used as an
| alternative.
| pbreit wrote:
| On the flip side, if banks are not going to make my data
| available on a better basis, what choice is there?
| WaxProlix wrote:
| Something that doesn't fleece and abuse its customers and
| then expose their data irresponsibly?
| shostack wrote:
| Part of the challenge is there is no great way to easily get my
| data out of banks and accessible in one place.
|
| Business model aside, they do solve a real problem in a space
| where there are no real incentives for banks to provide their
| own solution.
|
| I'd love to see a subscription-based, privacy-focused option
| with API access targeting the consumer personal finance crowd.
| I think Tiller may get some of the way there, but I'm not sure
| how secure they are.
| foxcurve wrote:
| If that's something you're interested in, I'd encourage you
| to send me an email (check profile). This is exactly what
| we've been working on for the better part of the year.
| trianglesphere wrote:
| One problem I have with plaid is that the most common use for
| them that I see is a company using them in order to setup
| direct deposit. It's also really hard to figure out how to
| manually set it up (I usually have to click deny on plaid and
| then I can input it myself)
|
| I'm not interested in handing over all my info when I can
| copy and paste two numbers instead
| hulitu wrote:
| So in US if you have enough money you can do anything and then
| settle in court if problems arise.
| arthur_sav wrote:
| The cost of doing business.
| zeroxfe wrote:
| Most of the world works this way.
| user-the-name wrote:
| No, the US is actually much worse.
| munk-a wrote:
| I disagree somewhat to this - it's certainly true to an
| extent but when it comes to gross negligence or malicious
| intent most of the world will seriously come down on you.
| Only in the US is intentional malice generally written off
| with fatalist cries of "It was inevitable that some market
| participant would abuse this system."
| drewmol wrote:
| > Giving my full credentials and my security question answer in
| plaintext
|
| FWIW: I've resorted to using a formula to derive my security
| question answers from the real answer (kept secret) and the
| text of the question itself. This seems to help mitigate the
| damage of the q's and a's getting exposed.
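
One way such a formula could work, as an added example that is not part of the original comment (the commenter does not say which formula they use): the real answer is stretched with PBKDF2 and used as an HMAC-SHA256 key over the question text. The `site` parameter, the fixed salt, the round count and the output format are assumptions of this example; `site` goes beyond the comment so that the same question at two institutions yields unrelated answers.

```python
import base64
import hashlib
import hmac
import re
import unicodedata

# Assumptions of this example, not taken from the thread.
PBKDF2_ROUNDS = 200_000
DOMAIN_SALT = b"security-answer-derivation-v1"


def normalize(text: str) -> str:
    """Canonicalise text so retyping it later gives the same bytes.

    Case, punctuation and spacing differences are removed, because the
    question may be re-worded slightly by a form or read over the phone.
    """
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"[\W_]+", " ", text).strip()


def derive_answer(real_answer: str, question: str, site: str) -> str:
    """Derive the answer to give a site from the secret real answer.

    Real answers (pet names, streets) are low entropy, so the key is
    stretched first: if a derived answer leaks, guessing the real answer
    from it costs PBKDF2_ROUNDS hash operations per guess.
    """
    key = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(real_answer).encode("utf-8"),
        DOMAIN_SALT,
        PBKDF2_ROUNDS,
    )
    # normalize() removes every non-alphanumeric character, so a NUL byte
    # cannot occur in either field and the separator is unambiguous.
    message = normalize(site) + "\x00" + normalize(question)
    tag = hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()

    # 80 bits, base32 so it can be read aloud to a support agent,
    # grouped in fours: 16 characters plus three hyphens.
    token = base64.b32encode(tag[:10]).decode("ascii").lower()
    return "-".join(token[i:i + 4] for i in range(0, len(token), 4))


if __name__ == "__main__":
    # Constructed sample inputs.
    question = "What was the name of your first pet?"
    for site in ("bank.example", "broker.example"):
        print(site, derive_answer("Rex", question, site))
```

A leaked derived answer is useless at any other site or for any other question, but it still depends on the real answer staying secret and on the question text being reproducible.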
| edoceo wrote:
| Could we all open an Arbitration Case which may be in their TOS
| (I'll have to look). Edit: California JAMS
|
| Remember that one company that got "crushed" with bills cause a
| bunch of consumers use the Arb-Clause as intended? Supposed to
| block law-suits
| newfonewhodis wrote:
| > Remember that one company
|
| Amazon? https://www.wsj.com/articles/amazon-
| faced-75-000-arbitration...
| lutorm wrote:
| Isn't giving your credentials to a third party also a violation
| of the terms of service with your bank? It seems, at the very
| least, the bank will just tell you "too bad" if there's a
| breach and someone drains your bank account using the
| credentials you gave Plaid. You'd be left suing Plaid.
|
| In fact, this seems like a _terrible_ liability for them. I
| guess they're hoping it won't happen and if it does then
| they'll just go bankrupt anyway?
| akarma wrote:
| I actually mentioned in a thread about Plaid in 2018 that they
| sold transaction history to third parties, and the cofounder came
| onto HN to explicitly deny that [1]. I actually felt convinced
| they didn't afterwards, as I couldn't imagine such a direct and
| clear refutation if it were true.
|
| [1] https://news.ycombinator.com/item?id=18655417
| tartoran wrote:
| So the cofounder was not telling the truth then?
| edoceo wrote:
| Correct.
| collectedparts wrote:
| The cofounder was telling the truth (or, at least, nothing in
| the lawsuit implies that he was not).
|
| The plaintiffs in this case are claiming that when they
| linked their bank accounts to PayPal/Venmo/etc using Plaid
| they didn't realize what they were doing, or that it's
| somehow unfair that Paypal/Venmo/etc got their banking data
| (despite knowingly inputting their credentials into
| Paypal/Venmo/etc).
|
| Paypal/Venmo/etc is not a third party in that case. They're
| the party that the customer was knowingly interacting with.
|
| A third party would be an unknown / unrelated data broker.
| Ie, the cofounder is claiming that they don't turn around and
| resell data to anyone other than the app that the customer
| was deliberately using.
| majormajor wrote:
| The "using Plaid" part of what you're saying confuses me.
| My reading is that the plaintiffs are claiming that they
| signed up for Paypal or Venmo directly, linked their bank
| account, and were unaware that behind the scenes this meant
| their data went to Plaid, and that then Plaid both gathered
| data from this and sold the data.
|
| If that's accurate - if the plaintiffs were just trying to
| use Paypal + their bank account, and only coincidentally
| using Plaid because Paypal used Plaid - then any data being
| captured and stored by Plaid does sound extremely fishy.
| I'd want them to just be a bridge to let info flow between
| the bank and Paypal, not store any of that themselves too.
| That part seems sketchy even if they never sold it - I
| still don't think they should keep it in the first place.
| nemothekid wrote:
| > _then any data being captured and stored by Plaid does
| sound extremely fishy_
|
| I've integrated with Plaid's API (a long time ago), and
| this doesn't sound fishy. Plaid's API is pretty
| comprehensive and it would have been PayPal's job to unlink
| the connection after the verification took place. Plaid
| gives you a "token" representing the user that can be
| used to further look up information in their account -
| such as new transactions. If PayPal had naively enabled
| the usage of those APIs, then it's not surprising Plaid
| stored that data.
|
| For example, if you (the API client) didn't want to store
| _any_ information except for a user token (similar how
| you might store tokens with Stripe's API), then every
| time you needed to lookup the client's account number you
| would call Plaid's API to retrieve that data (which, by
| definition, they would be storing).
| majormajor wrote:
| As a customer, though, that still sounds very dismaying
| to me.
|
| If I'm linking my bank to paypal to send money back and
| forth, I don't want: (a) paypal getting transaction
| history, (b) a third party company hanging on to those
| credentials, (c) that third party company getting any
| view of transactions either. I just want Paypal to
| send/retrieve money.
|
| I thought Plaid just translated "different bank account
| APIs" to a dev-friendly one. If they're using that to
| collect a lot of data THEMSELVES from customers who just
| wanted bank interop... that's bad. Nobody "using" Plaid
| is intended to give this intermediary company all that
| info.
|
| I'm linking my account to Paypal because I (thought that)
| I trusted Paypal. I never knew I was actually giving all
| this shit to this other company too.
|
| (In my case, I've used routing number/checking number
| because they seemed to require handing over less
| privileges than my full password, and this certainly
| seems to reinforce my skepticism about using the "sign in
| to your bank" password auth for linkage.)
| nemothekid wrote:
| > _If I'm linking my bank to paypal to send money back
| and forth, I don't want: (a) paypal getting transaction
| history, (b) a third party company hanging on to those
| credentials, (c) that third party company getting any
| view of transactions either. I just want Paypal to
| send/retrieve money._
|
| 100%, which is why I think this lawsuit is valid. That
| said, even though I don't believe Plaid sold any data, a
| lot of people brought this up as a concern to using
| Plaid. I don't consider it shady behavior, because I
| don't think Plaid ever misrepresented their capabilities
| to their clients. In other words, PayPal _knew_ Plaid
| would be storing this data, and used their reputation to
| provide legitimacy to Plaid. In my opinion, it was PayPal
| who was irresponsible with your data.
| ahzhou wrote:
| Check the source material. Here's the suit:
| https://www.classaction.org/media/cottle-et-al-v-plaid-
| inc.p....
|
| The relevant section is on pg 16, under the heading
| "Plaid Sells and Otherwise Exploits the Unlawfully-
| Obtained Private Data".
|
| The suit alleges that "Plaid has admitted that it
| routinely sells the consumer banking data it collects. At
| a minimum, Plaid sells the data it obtains from
| consumers' accounts back to the very app providers,
| including the Participating Apps, who use its services.
| [40] Plaid calibrates its prices based on the type of
| information being sold. [41]".
|
| Footnotes 40 and 41 are, respectively:
|
| [40] See Feb. 21, 2017 Response by Plaid to CFPB's RFI,
| https://plaid.com/documents/PlaidConsumer-Data-Access-
| RFI-Te... (Plaid acknowledges to CFPB that it sells data
| to party "permissioned" by consumer).
|
| [41] See Feb. 2019 interview with Zach Perret,
| https://www.saastr.com/build-a-platformecosystem/.
|
| -----
|
| IANAL. The suit alleges that Plaid sells the data, with
| the specific proof that Plaid sells data to the
| authorized app (Paypal or Venmo in your example above).
| The plaintiffs do provide proof in the suit that Plaid
| sells the data to third parties, but suggest that Plaid
| might, since they already sell the data to the app that
| users authorized.
|
| At risk of misrepresenting their argument, the suit seems
| to claim that Plaid doesn't do enough to give consumers
| (think average non-tech savvy person) enough of a heads
| up on what's happening behind the scenes. According to
| the suit, a consumer using Plaid doesn't understand that
| they give banking credentials to a third party (Plaid),
| which uses the credentials and "sells" data to the app
| that is being connected to the bank.
|
| The above seems consistent to what the Plaid CTO wrote. I
| haven't seen anything that indicates Plaid sells your
| data to unrelated third parties. That said, I agree with
| the suit - Plaid should do a better job of making it
| clear exactly how your banking information is going to be
| used.
| owenversteeg wrote:
| So, in other words, they're selling my data, just not to
| third parties. So when I go to click "connect to Plaid",
| now whoever I'm connecting to suddenly has every single
| transaction from my bank/credit card/whatever I just
| connected.
|
| So still a privacy nightmare, just a slightly different
| one.
|
| What's so hard about not selling my data at all, and not
| collecting any data except for what's absolutely
| necessary to connect A to B?
| [deleted]
| akarma wrote:
| The link mentions third party firms:
|
| > Plaid has settled a $58 million class action lawsuit over
| claims that the fintech firm passed on personal banking
| data to third party firms without user consent.
|
| and selling transaction histories:
|
| > the plaintiffs alleged that Plaid has "exploited its
| position as middleman" to obtain app users' banking login
| credentials and use that information to gain access to and
| sell their transaction histories.
|
| For what it's worth I haven't read the actual lawsuit yet,
| but would love a link if it refutes the article.
| ahzhou wrote:
| Here's the actual suit.
| https://www.classaction.org/media/cottle-et-al-v-plaid-
| inc.p....
|
| I wrote a post above on my take but TL;DR - I think that
| the suit is mostly alleging that Plaid doesn't do enough
| disclosure of what's happening behind the scenes. It
| suggests that Plaid might sell the data to unrelated
| third parties, but doesn't support it with any proof. It
| does support itself with proof that Plaid "sells" data to
| the app that is being connected to the bank.
| 908087 wrote:
| Archived:
|
| https://archive.fo/kWPJk
|
| https://web.archive.org/web/20210816190158/https://news.ycom...
| Justin_K wrote:
| Unreal... straight up lies and fraud if you ask me.
| NicoJuicy wrote:
| Let's see if @whockey has the balls to come explain him.
|
| But, we're not in Japan. So I doubt he will.
| jeandenis wrote:
| Hey, CTO from Plaid here. We don't, and have not, sold data.
|
| https://plaid.com/legal/#consumer-support
|
| As someone who has overseen our consumer privacy team over the
| past few years building out products like Plaid Link and Plaid
| Portal, I can attest this is a foremost priority for the
| company. FWIW, I don't agree with the allegations, and you can
| read our POV on this blog post.
|
| https://plaid.com/blog/plaids-commitment-to-consumer-privacy...
| RileyJames wrote:
| Based on this, and the blog post, they clearly take issue
| with the term 'sold'. Making the users data accessible via
| api to customers who've paid for access to said data does not
| constitute 'being sold', as far as their lawyers are
| concerned. The fact that 98 million users disagree is
| unfortunate...
|
| The product was sold as infrastructure, and used as data
| collection, and 98 million users were not aware of that.
|
| If you're unable to reconcile why users of square cash would
| be confused when they hear their data is accessible through
| some service called 'plaid' for which they've never signed
| up, or given their data, then maybe you could start with
| defining terms as they would, rather than how you'd prefer
| they sound.
|
| Having data in a database doesn't make it yours, it's the
| users'. It was when it was in their bank, it is when you move
| it to your service and it remains when you provide it to
| someone else.
| wheaties wrote:
| I don't have the time to read and research exactly what
| happened. I see you settled for a large sum. Thus, I don't
| believe you. We've all been burned by companies that claim
| one thing and do the exact opposite. It doesn't matter if
| legally they are stating things accurately. What matters is
| how we, a mere human, would believe the plain English phrases
| used to be construed.
|
| Hope you have success and I have no ill will towards you.
| briffle wrote:
| Yep, it's right up there on the 'corporate-speak' next to
| "we're taking these allegations very seriously"
| themacguffinman wrote:
| A legal settlement over a lawsuit is the epitome of "if
| legally they are stating things accurately", how can you
| possibly conclude that their settlement relates to how you,
| a mere human, believe the English phrases to be
| constructed. One explanation is dismissed because it
| touches on supposedly irrelevant legal details yet your
| belief is based entirely on another legal detail. It sounds
| like you've made up your mind already regardless of what
| the "plain English" circumstances could be.
| jeandenis wrote:
| I understand your point (and yes we are all mere humans who
| like plain language).
|
| Your data goes from your bank to the app that you
| authorized, via Plaid. It is not sold to anybody.
| sroussey wrote:
| Derived data? All that aggregated stuff? Nothing?
| oh_sigh wrote:
| Not to be nit-picky, but is that data (or derivatives of
| the data) gifted, given, bartered for, or otherwise sent
| to parties that are not (plaid, user bank, connected
| app)?
|
| Neither here nor there, but I just used Plaid for the
| first time yesterday to pay for the downpayment on my
| Tesla. It was a really nice, seamless experience.
| infogulch wrote:
| I would also like to see the (notably, very carefully
| followed) 'data is not sold' line strengthened to include
| all other forms of transmission.
|
| Also a happy user of a service enabled by plaid tech.
| jeandenis wrote:
| I replied in some other thread. Copy-pasta:
|
| No, your personal data is not sold or rented or given
| away or bartered to parties that are not Plaid, your
| bank, or the connected app. We talk about all of this in
| our privacy policy, including ways that data could be
| used -- for example, with data processors/service
| providers (like AWS which hosts our services) for the
| purposes of running Plaid's services or for a user's
| connected app to provide their services.
| infogulch wrote:
| I saw that. Thank you for your patience and persistence
| in responding to so many pointed questions.
|
| For any interested, here is a link to relevant section of
| the referenced privacy policy:
| https://plaid.com/legal/#consumers
|
| I am also impressed by the Legal Changelog on the same
| page that clearly lays out a log of changes made to
| privacy & other published legal documents.
| geoduck14 wrote:
| Just because you settle, doesn't mean you are guilty.
| hellbannedguy wrote:
| I get it. It's just 58 million. I would fight.
| newfonewhodis wrote:
| No company would settle for such a large sum unless they
| were guilty or afraid of going through discovery.
| kodah wrote:
| As an engineer that's had to advise corporate legal on
| how to look at various things I can assure you that most
| of it is just risk mitigation and reward. From lawsuits
| to contracts, it's all the same stuff. That's just how
| legal people think. I don't think it goes any deeper than
| that.
| jsonne wrote:
| That's just not at all true. If you've ever worked in /
| around law you'd understand how it's less about right and
| wrong and more about risk management. Non guilty parties
| settle all the time. (I have no idea if that is true in
| this case or not) but simply the idea that they settled
| for $$$ amount means they're guilty is just false.
| HeyLaughingBoy wrote:
| How much did they settle for? I don't see that in the
| article. Just because they were sued for $58M doesn't
| mean that the settlement amount was anywhere near that!
| OnlineGladiator wrote:
| This really sounds like you're just doubling down without
| really responding to anything directly. You say you disagree
| with the allegations - why do you disagree with them? I
| understand you probably can't speak to this for legal
| reasons, but this vague rebuttal is worse than saying nothing
| at all. It just sounds like typical corporate PR, which makes
| me automatically assume you're lying.
|
| I don't know the details of this case so I have no strong
| opinions, but this response makes me trust you less, not
| more.
| jeandenis wrote:
| I wrote a comment above on the main allegation which
| hopefully answers your question. It's not about selling
| data.
| squeaky-clean wrote:
| So... does anyone here actually believe this comment?
| akarma wrote:
| Thank you for the response -- I know you're likely very
| restricted in what you can say here, but:
|
| You just settled a claim that you sold customer transaction
| histories, and from the article linked, the plaintiffs'
| lawyers claim that you have agreed to implement meaningful
| business practice changes to remediate these issues.
|
| (1) If you've never sold transaction histories, why settle a
| lawsuit alleging that you sold transaction histories?
|
| (2) What meaningful business practice changes could you be
| making if there's no issue to begin with?
|
| (I'm relying on the article here as a source of truth).
| jeandenis wrote:
| You're right that I can't write much (legal, PR team say
| hello).
|
| The bottom line point is, we don't sell data and that's not
| the main allegation. The main allegation is that people
| didn't understand that we were part of the flow of
| connecting banks to apps. We disagree.
|
| Before 2017, there was a whitelabel experience of Plaid
| that didn't say "Plaid", didn't have the Plaid logo, etc.
| We still stand by our belief that our disclosures at the
| time were more than adequate. But it's not something we
| want to have protracted litigation around.
|
| The reality is that our experience today is vastly
| different (and has been for a while). As for "what
| meaningful business practice changes could you be making if
| there's no issue to begin with." Like most companies, we're
| always making improvements to our experience -- today we
| have a consent pane that makes our role clear, a portal for
| people to manage their data, etc.
| akarma wrote:
| > Plaid would retain access to their credentials and use
| them to mine, aggregate and then sell users' financial
| transaction data to third parties (including to the
| fintech apps that use its services) for purposes
| unrelated to the plaintiffs' use of the fintech payment
| apps. [1]
|
| This is allegedly from the lawsuit. I can see your
| perspective -- that it made sense to settle because of
| the privacy accusation, but you still deny the other
| accusations. I understand that perspective, though as I'm
| sure you can understand, it's hard to know for sure based
| on the allegations and the settlement.
|
| [1] https://newmedialaw.proskauer.com/2021/05/11/plaid-federal-e...
| adrr wrote:
| Risk scores for this product.
|
| https://plaid.com/signal/
| archenary wrote:
| IANAL and have no affiliations to Plaid. My takeaway from
| the article and [0] is that Plaid violated privacy laws
| because they provided insufficient disclosure with respect
| to the collected data, not that they are selling data to
| third parties.
|
| Edit: Update [0] to source
|
| [0] https://newmedialaw.proskauer.com/2021/05/11/plaid-federal-e...
| [deleted]
| akarma wrote:
| (IANAL either) I understand and agree that part of the
| issue is that they, allegedly, underhandedly collected
| this data. My question is focused around the potential
| selling of that data, which took place according to the
| lawsuit and was likely the reason to collect the data.
|
| From the article you linked:
|
| > Plaid would retain access to their credentials and use
| them to mine, aggregate and then sell users' financial
| transaction data to third parties (including to the
| fintech apps that use its services) for purposes
| unrelated to the plaintiffs' use of the fintech payment
| apps.
| geoduck14 wrote:
| I haven't used Plaid and I haven't read the litigation,
| but it seems the following scenario may have happened:
|
| 1) Users use Plaid to buy/sell with a variety of vendors
| and banks
| 2) Vendors and banks were aware that specific users were
| buying/selling because they were buying/selling their products
| 3) Users consented to #2 because they were buying/selling
| their products
|
| 4) Plaid provided aggregated reports that said "5% of
| your customers also shopped on Amazon"
|
| People sued over #4
| sorry_outta_gas wrote:
| You should be ashamed of yourselves, period
| [deleted]
| mikeiz404 wrote:
| I'm guessing this is the relevant section stating that
| summarized anonymized data is shared.
|
| _We may collect, use, and share End User Information in an
| aggregated, de-identified, or anonymized manner (that does
| not identify you personally) for any purpose permitted under
| applicable law. This includes creating or using aggregated,
| de-identified, or anonymized data based on the collected
| information to develop new services and to facilitate
| research._
|
| _We do not sell or rent personal information that we
| collect._
| geoduck14 wrote:
| I'm betting you are right. It may be that they sold
| aggregated data, and that they aggregated based on factors
| that might have been _too_ granular in some situations.
|
| Perhaps something like "all users who are in the UK and
| logged in last Sunday morning". Something like that could
| have been a pain to suss out for each instance of data
| sharing, in addition, if you "settle in court", you can
| also set court-approved definitions of what "anonymously
| aggregated" means.
| jjulius wrote:
| >We do not... rent personal information that we collect.
|
| Forgive my ignorance here, but how exactly would one "rent"
| personal information?
| lancesells wrote:
| Access through something like an API and then losing
| access once you stop paying your monthly fee?
| sodality2 wrote:
| Sell a subscription to access current transactional data.
| Like if Verizon charged $x/mo to have access to call
| logs, and was sold to advertisers
| mdoms wrote:
| Hmmmm could have saved yourself a cool $58 million if what
| you're saying is true.
| [deleted]
| stefan_ wrote:
| The old overly specific denial. Never did sell the data, but
| collected and stored it just in case you ever changed your
| mind about that.
| phyzome wrote:
| Facebook claimed repeatedly that they had never sold user
| data, and it turns out this was true: Instead, they had
| _bartered_ user data for increased access or other privileges
| elsewhere.
|
| I'd like to hear a broader statement on the specific phrasing
| in this article: << the fintech firm passed on personal
| banking data to third party firms without user consent >>.
| jeandenis wrote:
| No, your personal data is not sold or rented or given away
| or bartered to parties that are not Plaid, your bank, or
| the connected app. We talk about all of this in our privacy
| policy, including ways that data could be used -- for
| example, with data processors/service providers (like AWS
| which hosts our services) for the purposes of running
| Plaid's services or for a user's connected app to provide
| their services.
| newfonewhodis wrote:
| Wow what a jerk. Very, very explicit lie:
|
| > Plaid used consumers' banking login credentials to gather and
| distribute detailed financial data without prior consent
|
| > Allegedly, these actions occurred without users knowing about
| Plaid's role is a variance of "deceptive tactics."
|
| And for all this:
|
| > If all 98 million people were to file a claim, each would
| receive just 60 cents.
|
| > The San-Francisco based platform raised a $425 million
| funding round in April
|
| The current capitalistic system is broken beyond repair. We
| need stricter corporate regulation (especially in fintech but
| more broadly) very urgently.
| cowpig wrote:
| dude you can't just drop a hard R like that on HN
| tehwebguy wrote:
| I say this basically every time it comes up but I cannot imagine
| handing my bank login + password over to Plaid or pretty much any
| third party ever for pretty much any reason.
| RHSeeger wrote:
| You're not the only one. I find it staggering that people do
| this.
| w4llstr33t wrote:
| I think companies should still provide a way to link accounts via
| small deposits. It takes a few days, but at least you don't have
| to share your credentials. (This applies to US accounts, maybe
| there are better solutions elsewhere.)
|
| If you use Plaid, I think it should only be if there's no other
| option and you change your credentials after. I've always thought
| giving away your credentials to a screen scraping company like
| Plaid was crazy.
|
| In terms of the class action lawsuit, the only one who will see a
| meaningful payout from this are the lawyers.
| TedDoesntTalk wrote:
| I've always refused to use plaid thankfully and go with the
| micro transactions route (2 small deposits and withdrawals from
| your account).
| theptip wrote:
| Plaid does support this:
|
| https://plaid.com/docs/auth/coverage/same-day/
|
| Their UI makes it really hard to find this option though,
| because Plaid makes their money from scraping your transaction
| history, which doesn't work if you do the micro-transaction
| approach.
|
| As a consumer, I'm not a big fan of Plaid's business model. But
| to be fair to them, a lot of the security issues come from the
| fact that until very recently, no US banks had any form of API
| to allow delegation of access. Based in large part on the
| success of Plaid, this is starting to change; some institutions
| are banning Plaid from using the password-based flow, and are
| replacing this with a more secure OAuth flow:
|
| https://plaid.com/docs/link/oauth/
|
| This is the correct solution to the technical problem at hand.
| It'll benefit other systems too; for example it should be
| possible for open-source accounting software to use this flow
| to export your transaction history in a maintainable way, which
| previously relied on scraping that's unfeasible for an OSS
| project to keep up with (but which Mint could afford to
| implement).
|
| Hopefully the banks let you selectively grant permissions "can
| view my account list" and "can view my transaction list", or at
| least surface those permissions, so that consumers can be aware
| of what they are giving away -- I'd wager that most end users
| have no idea that Plaid is slurping their transaction history,
| and would be even more shocked that it's maintaining ongoing
| access to continue doing the same.
___________________________________________________________________
(page generated 2021-08-16 23:00 UTC)