Q&A with Herbert Lin, senior research scholar for Cyber Policy and Security at CISAC; Jerry Kaplan, lecturer at CDDRL; and Didi Kuo, academic research and program manager for CDDRL’s Program on American Democracy in Comparative Perspective. Written with Nicole Feldman.
On Monday, The Wall Street Journal published a story stating that Facebook has asked large U.S. banks to share financial information about their customers, including credit card transactions and checking account balances, so that it can offer new services to users. According to the article, these services could include chatting with banks on Facebook Messenger, checking account balances, and receiving fraud alerts.
In response, Facebook denied that the company is seeking financial transaction data.
“Like many online companies with commerce businesses, we partner with banks and credit card companies to offer services like customer chat or account management,” a Facebook spokesperson told Engadget.
The statement goes on to say that a partnership with banks could be used to chat with customer service personnel in Facebook Messenger and to receive real-time updates on account balances, receipts, and shipping. They added that the service would be “completely opt-in” and would not be used for advertising.
If Facebook partners with U.S. banks, what exactly will this mean for the average Facebook user and bank customer?
Lin: The way the first stories were written, it seemed as though Facebook was trying to get the financial information of every Facebook user. That’s not what’s happening. Essentially, Facebook is saying that they want to be able to connect users with their banks via Facebook Messenger and that the service will be opt-in. There are two questions to consider: how will consumers feel if they do everything properly, and do you trust them to not screw it up?
With that in mind, what will happen if they do this properly?
Lin: If they do it right, it seems perfectly innocuous. Could it be used for nasty purposes? Maybe. For instance, if you know that you can get into a chat with a bank on Facebook Messenger, maybe someone else can pretend to be the bank. They won’t have the official seal, but somebody might overlook that and unwittingly compromise their financial information.
And if they do it poorly?
Lin: They are getting information they would not otherwise have, and that means there is an additional non-zero probability that such information may leak to parties I don’t want to have it. I just opened up a new bank account. Their privacy notice says they can share your information with third parties for marketing purposes. If I had forgotten to read the fine print, I would have been automatically enrolled. An arrangement with Facebook could ask users to opt in, or it could enroll them automatically with an option to opt out. It all depends on the details. I would say that opt-out should be the default rule and so default opt-in is a screw-up, but my bank would probably not agree. I don’t know what Facebook will do, but I would hope the former (opt-out).
Can banks share customers’ financial information without their permission?
Kaplan: Banks regularly share customers’ information with third parties without explicit permission, for instance with credit bureaus. However, when, how, and with whom this information is shared is carefully guarded by the banks, because their customers’ trust in them is essential to their businesses. In effect we permit our banks to share our financial information at their discretion. That said, banks are unlikely to share such information with companies like Facebook, not the least because many of their customers are likely to object.
Facebook is already under fire for sharing its users’ personal information with companies like Cambridge Analytica. What do you think the public’s reaction will be if Facebook receives access to their banking information?
Kaplan: If Facebook decides not to proceed as planned, this would most likely be to avoid a PR backlash rather than any legitimate concern about the practice. It’s common throughout the industry, as long as it’s done with permission. If they were to abuse the information, that would be a different story. If you don’t trust Facebook to safeguard your financial information, then the obvious reaction is to withhold permission for them to access it.
Kuo: The Cambridge Analytica scandal illustrates the often-confusing choices presented to users when using both Facebook and third-party apps. Cambridge Analytica acquired data of some 50 million Facebook users when users authorized access to their Facebook accounts for a personality quiz app — but ended up sharing both their own personal information and that of their friends with Cambridge Analytica. The public outcry over Cambridge Analytica stemmed from a perception that Facebook had not adequately protected consumer data. When using Facebook or third-party apps, however, many users are unaware of the exact terms of service and what information of theirs can and cannot be shared. Facebook is ubiquitous on the internet, allowing people to access other sites or apps by using their Facebook logins, or asking users to grant permission for Facebook to access certain sites or for apps to access Facebook. The public outcry over Cambridge Analytica shows how uncomfortable people are with the platforms that they simultaneously rely on but do not understand.
After recent events like the Cambridge Analytica scandal and Russian interference in the 2016 election, along with ongoing cybersecurity issues like identity theft that affect people around the globe, many Americans want companies — particularly Facebook — to be more careful about sharing information. In this climate, what does it say about the state of democracy on the internet that companies like Facebook, Google, and Amazon have asked banks to share customer data?
Kaplan: It boils down to this: who do you trust to have access to your personal information? The information shared in the Cambridge Analytica scandal was generated as a result of your interactions with Facebook. In this case, you are being asked for permission for Facebook to gather information from other parties for the stated purpose of serving your interests. If you trust Facebook to live up to this commitment, then it makes sense to give them permission. If not, you can simply decline the offer.
Kuo: Our lives are increasingly lived not only online, but through the platforms. What we’re interested in, who we know, what we buy, where we live: all of this information is used not only for our own benefit (as users and consumers), but also to help advertisers and developers understand consumer preferences. This information can also be acquired and abused by others. The problem with cybersecurity and democracy is multi-fold. There are, of course, direct cybersecurity threats to the integrity of our elections. There are threats in the form of disinformation and conspiracy theories, which poison the information environment. There are threats in the form of echo chambers, whereby we seek like-minded communities online, which may further polarize and divide us.
Banking is somewhat new territory in the debate about privacy and democracy. Banks have incentives to safeguard both consumers’ assets as well as their information. But financial information itself is highly valuable: consumers’ credit levels determine their ability to participate in the economy by securing loans or buying homes, for example. Information about consumers’ banking practices and holdings could theoretically be used in a myriad of unsavory ways, and Facebook faces a crisis of public confidence because it did not adequately protect against some of these in the past. The platforms may be seeking consumer financial information for helpful and harmless purposes, but they also need to be vigilant in safeguarding against abuses.