Wolf Richter: I Just Got PayPal’s New Absolutely-No-Privacy-Ever Policy

By Wolf Richter, a San Francisco based executive, entrepreneur, start up specialist, and author, with extensive international work experience. Originally published at Testosterone Pit.

Sunday, when people had other things to do and weren’t supposed to pay attention, PayPal sent its account holders an innocuous-sounding email with the artfully bland title, “Notice of Policy Updates.” PayPal didn’t want people to read it – lest they come away thinking that the NSA, which runs the most expansive spying dragnet in history, is by comparison a group of choirboys.

The email started with corporate blah-blah-blah on privacy, that PayPal was “constantly” changing things “to give you more of what you want and improve your experience using us.”

Got it. This is going to be for your own good.

The email further discourages you from diving into it: So “this might not be your favorite stuff to read… but if you are interested take a look.” And this having gone out on a Sunday: “if you have other pressing things to do we’ll understand.” The click-through ratio of that link to these policy changes must have been near absolute zero. So I clicked on it.

Once on that page, you have to dig through some dry verbiage before you get to what they cynically call their “Privacy Policy.” Turns out, PayPal is a giant data hog.

It already has the information you hand over when you sign up, including your name, “detailed personal information such as date of birth,” address, phone number, banking and/or credit card information. It further collects information about all “your transactions and your activities.”

When you get on a PayPal site or use its services, it collects “information sent to us by your computer, mobile phone or other access device.” This “includes but is not limited to” (so these are just examples): “data about the pages you access, computer IP address, device ID or unique identifier, device type, geo-location information, computer and connection information, mobile network information, statistics on page views, traffic to and from the sites, referral URL, ad data, and standard web log data and other information.”

You read correctly: “and other information” – anything it can get.

PayPal also collects personal data by putting cookies, web beacons (“to identify our users and user behavior”), and “similar technologies” on your device so that you can be tracked 24/7 even if you’re not using PayPal’s services, and even if you’re not on any of its sites.

Wait, “similar technologies?” By clicking on another link, you find out that they include pernicious “flash cookies,” newfangled “HTML 5 cookies,” and undefined “other web application software methods.” Unlike cookies, they “can operate across all of your browsers.” And you can’t get rid of these spy technologies or block them through your browser the way you get rid of or block cookies. You have to jump through hoops to deal with them, if they can be dealt with at all.

In addition, PayPal sweeps up any information “from or about you in other ways,” such as when you contact customer support and tell them stuff, or when you respond to a survey (Just Say No), or when you interact “with members of the eBay Inc. corporate family or other companies.” Yup, it sweeps up information even when you interact with other companies!

It may also “obtain information about you from third parties such as credit bureaus and identity verification services.” And it may “evaluate your computer, mobile phone or other access device to identify any malicious software or activity.” So they’re snooping around your devices.

And when you download or use PayPal’s apps to your smartphone, or access its “mobile optimized sites,” it collects location data along with a host of other data on your mobile device, including the unique identifier that ties it to you personally in order to manipulate search results and swamp you with location-based advertising “and other personalized content,” or whatever.

After vacuuming up all this information “from or about you,” PayPal will then “combine your information with information we collect from other companies” and create a voluminous, constantly growing dossier on you that you will never be able to check into.

Who all gets your personal information that PayPal collects? You guessed it.

First, it defines “personal information.” Turns out, much of your personal information is not “personal information”: any information that PayPal has “made anonymous” – we already know how anonymous that really is – is not “personal information,” and thus can be freely shared with or sold to whomever. And it shares the remaining “personal information” with:

  • eBay and its affiliates
  • Contractors that “help with,” among other things, “marketing and technology services”
  • Financial outfits (such as GE Capital) that help decide, for example, if you should receive pre-approved credit-card offers
  • Credit bureaus and collection agencies, which get your account information
  • Companies PayPal might merge with or be acquired by. There goes your entire dossier. You can’t stop it from being sold to the new entity, which might be a Chinese company.
  • A basket of our favorite law enforcement and government agencies and “other third parties pursuant to a subpoena, court order, or other legal process….”

You can’t opt out of PayPal’s spy apparatus.

You can only opt out of receiving their ads and pitches. And activating that “do not track” function in your browser to keep PayPal off your back? No way José. “We do not currently respond to DNT signals,” it says laconically.

So, if you don’t like being surveilled like that, you’re still free to close your PayPal account. But that’s not going to wipe out the information PayPal has collected “from or about you,” and its automatic systems continue to collect data through cookies, beacons, and “similar technologies,” and through the sophisticated spy capabilities that are part of any smartphone worth its salt [hilarious video…. iPhone 5nSa].

PayPal will simply mark your account as “closed” and you can’t get into it anymore, but it will “retain personal information from your account for a certain period of time” – probably forever – to do all sorts of things, including “take other actions as required or permitted by law.” Yup, as permitted by law. It won’t do anything illegal with it. That’s the only promise. Alas, there aren’t exactly a lot of legal restrictions in the US on what companies can do with personal data.

PayPal is not unique. They’re all doing it. They’re part of the enormously hyped bubble of Big Data whose business model is to collect and monetize your personal information, which has become part of a new asset class. And seeing this, the NSA is dying of data envy.

But government agencies are already on a roll with off-the-shelf surveillance technologies, and they justify them with peculiar rationales: According to the LA Police Department, anyone driving a car in the greater Los Angeles Metropolitan area is automatically part of a vast criminal investigation! Read…. Los Angeles Cops Argue ALL Cars in LA Are Under Investigation



  1. OpenThePodBayDoorsHAL

    This is where Yves jumps in and says Bitcoin is useless, has no point, and will never work.

    1. allcoppedout

      I’ll just get in first Hal, and say PayPal started as a way to pay secretly for pornography. Buttcoin followed

      1. ambrit

        I’ll go “sloppy seconds” and remark that the Gun Nuts have always hated Pay Pal for the various ways it has manipulated its “SERVICES.” The Pay Pal family of companies, (sort of a f— buddies for finances,) have always had agendas hiding in the wings. The move to use “secret” methods of payment for pornography has always been a necessity. Porn charges, especially kiddie porn, have been one of the most useful methods for repression of dissent. Just ask “Pee Wee” Herman. If I may add, the Pay Pal “Privacy Policy” is a kind of Pornography that Orwell and Kafka would appreciate.

        1. ruki

          Scuzzy thirds? I’ll just add this adage from the 1950’s: If you wouldn’t say it in front of a cop, don’t say it on the phone.

    2. JGordon

      No kidding; if you want to avoid surveillance pretty much your only option is trading gold and silver. Although on the plus side this means that Alex Jones will be in charge of the financial system after the electronics mostly become defunct and all those credits and debits have vanished into the ether.

    3. Yves Smith Post author

      Bitcoin dealers in the US will be required to report to the IRS. That means they’ll have all your info, like SSN and address. It’s been shut down effectively in China and I guarantee the anti-money-laundering types will be watching for large transfers. As much as BTC fans like to go on about the virtues of the blockchain, all the operations around any transaction are handled by humans and subject to surveillance and the reach of the law (as in subpoenaing records and witness testimony). And its use in commerce will be severely restricted due to its designation as property.

      Sure, you can keep BTC on your machine and risk losing it in a crash, or throwing it out, like that guy who lost some $2 million of BTC did. There’s a reason people don’t keep piles of cash in their house.

    4. Cathy

      I’m just starting a business and need a similar gateway… do not have the money to pay what many other similar businesses charge. If not paypal, then what or whom?

      1. Yves Smith Post author

        WePay takes credit and debit cards but its fees are similar to Paypal’s.

  2. rjs

    it’s clear that the whole point of the current generation of browsers was not to provide better or safer access to webpages, but to install the latest in surfing surveillance software on users’ devices….

    1. jfleni

      RE: Paypal and current browsers “the latest in surfing surveillance” … etc.

      There are many, much safer browsers, especially Free Open Source (FOSS) programs. Always avoid anything connected with Winbloze, Google, Apple etc, and conversely with Linux, BSD, and other FOSS systems. There is no guarantee, but the lack of a mountain of fast bucks for gargantuan IT Plutocrats usually means far more safety.

  3. TheCatSaid

    Anyone have a working link for that “hilarious video”? I’d love to see it but the link in the post doesn’t work.

    Nothing in the post surprises me, but it’s sobering having it all spelled out in gory detail.

    Opportunities abound for new companies that refuse to share data–if they can think of some way of doing this. (The most private email services have closed up shop, right?)

  4. William

    “Privacy” statements have always been this way. Anyone who actually reads one (and they really hate that at the Dr. or dentist clinic, but I really hate being forced to sign it in order to get treatment) will discover they say that basically, “we can do whatever we want with the information you provide.”

    1. ScottS

      I like to sign the arbitration clause with a scripty “Seventh Amendment” instead of my name. No one has noticed yet.

    2. Nathanael

      I usually write “under duress” on all forms given to me at a doctor’s office. I do not freely consent to anything as a condition for medical treatment.

  5. YankeeFrank

    Paypal has always been a noxious, horrible company. I think the only time I’ve used it in the past 10 years now is for Yves’ fundraisers. I’m sure there are other times I’ve used it that I can’t remember (I’m sure paypal sure can), but it’s about time online merchants or anyone who collects money for any reason figure out a new way to get paid. Hell, use Dwolla or something. Anything but paypal.

  6. Ben Johannson

    You can block the unblockable cookies of which Wolf speaks by downloading FireFox and installing the BetterPrivacy addon.

  7. craazyman

    See. This is what happened to me last week. I tried to make a financial contribution to a highly regarded political and economic blogger whose work I appreciate and support — since we all know that money talks and bullsh*t walks — but my credit card was rejected. Even though my credit card works everywhere else, including Amtrak and the Men’s Wearhouse, in addition to online subscriptions.

    After struggling in confusion with this for 20 minutes I discovered it was rejected because my PayPal account, which I never use, was inactivated pending reconfirmation of my identity. Paypal’s notification said I had to send them a utility bill with my address or official ID and they’d reinstate service.

    The fact is, I didn’t try to pay through Paypal. I tried to pay directly through the credit card payment functionality on the blogger’s web site. But I noticed the URL of the payment processing engine had Paypal in it. So I guess Paypal was running the processing back end and blocking my card until I got with their program. I wasn’t interested in their program. I wanted to support the blogger’s program.

    After half an hour of trying, it kept refusing to take my payment. It had nothing to do with emptying the cache or any browser issues. I tried to make the payment from two separate computers and my iPad. Paypal is taking money out of people’s pockets by doing this.

      1. OpenThePodBayDoorsHAL

        Repeat: Bitcoin.
        And before you start telling me that with Bitcoin, everything is trackable, I’ll send you one, and then we can see if you can track it back to me.

        1. Yves Smith Post author

          Guess you haven’t heard of subpoenas. They worked just fine in the case of Silk Road.

    1. Yves Smith Post author

      If you are referring to our site, our donation page allows you to use WePay (which also takes credit cards) or send a check. But thanks for the thought.

  8. OMF

    The blame here lies not with PayPal or private companies; the blame lies with the browser companies who design their software to allow this kind of surveillance. In particular, Mozilla have simply not stepped up their game with the Firefox web browser to make it untrackable by default.

    This may sound harsh on the browser companies, but it must be understood that the problems with cookies and tracking have been around for at least a decade and more realistically two. It was a problem, it had the potential to get worse, it wasn’t addressed, it got worse.

    The internet has turned into a panopticon and it’s now up to web-browser creators and other software writers to make it more difficult to track people online by default.

    1. ambrit

      Dear OMF;
      The trouble with that prescription is that the PTBs are slowly but surely making everything a potential “Terrorist Threat.” 9/11 was our Reichstag Fire. Sooner or later, a coalition of BRICS or Stones or whatever will arise to wage some sort of holy war against us, and win.

  9. peepy

    Can’t imagine why Mozilla hasn’t stepped up to the plate to stop paypal’s panty-sniffing. Oh, unless it’s because Eric Rescorla, the NSA saboteur who pushed the Extended Random surveillance software, works for Mozilla.

    1. Generalfeldmarschall von Hindenburg

      Thanks for that little nugget, Peepy. I would expect to see assets of the intel apparat filtering into exactly such positions.

  10. agkaiser

    Do you remember when MicroSucks gave the option to: “always trust Microsoft?”

    They’ve been sabotaging competing software on your computer in collusion with Intel since the 1980s. Snooping since the advent of the internet. Windows 8 now “guards” your harddisc against competing operating systems, in collusion with BIOS/computer manufacturers and Intel.

    I think we swallowed the camel years ago. Yet the straining of gnats is at least a hopeful sign that the dupes are awakening at last.

  11. Brooklin Bridge

    The only way to avoid this would be for enough people to never use pay-pal or any online payment services of any kind, go back to standalone applications tied by physical wire to your printer (for writing checks) on machines that do not have proprietary apps, nor wireless, nor cameras, nor microphones, nor heat and moisture sensitive inputs, etc., etc., and where the operating system is open source that you compile yourself from source you can read with powerful tools to detect malware (in its more abstract sense). Basically machines and applications and attitudes that encourage computer literacy rather than the contrary. Guess how soon that will happen.

    Most sites including NC have ways that you can send payment by check. If they don’t, they don’t get contributions. As to buying stuff on net. Stop. or simply browse the net and don’t buy anything unless you can order it over the phone from a human (or -for the time being- someone who sounds convincingly like a human). Again, convenience trumps civil liberties any day of the weak week.

    No one should buy a tablet nor a smart phone nor even most of the previous generation of dumb phones until they come with proper privacy contracts in 5 sentences or less.

    And speaking of tablets, I hear the new ones are already requiring thumb print and/or retina scans just to log in. Of course they would never, ever use that data to track you now would they? Not a chance.

    Allcoppedout seemed a tad despondent after Bill Black’s post on idiot financial journalists. This stuff unfortunately doesn’t provide much relief.

    1. Keenan

      One poster on an automotive site, commenting on the recently announced DOT edict mandating for 2018 the already widely implemented backup camera, wondered whether the images along with the vehicle GPS and other data may be tapped by various government or corporate entities.

    2. Brooklin Bridge

      Note, my use of proprietary apps is probably confusing. By proprietary, I mean applications that are not entirely owned by the client including any client data generated and the way that data is communicated to others. Tablets, for instance, as far as I know, retain some control (ownership) over who and what can be put on their systems. By standalone, I mean applications that run entirely on the client machine using data coming from and stored only on the client machine. That whole model has been turned on its head by tablets and smart phones and more generally by the server centric model of the Web. What we now have, basically, is the rental of applications -called “apps”- or of data (that run or are stored on servers – the cloud) or both where rent is either by subjection to propaganda -advertisement for instance- or for the more wealthy by money and subscription.

  12. Brooklin Bridge

    This whole thing is a sort of nightmare that can’t be stopped. Developers who were poo-poo-ing this only five years ago are now starting to wonder just what the hell it is they have unleashed (the ones who are honest enough). And of course, many many more think it’s just wonderful, or inconvenient but necessary, or horrible but not their fault, and so it goes. And the marketeers march on more powerful than any military.

  13. Mel

    Collections of personal information are the newest hot commodity. Related to the link several days ago about the on-line microcontracting services where ordinary people log in to offer to perform odd jobs, deliveries, replace taxi drivers — all that. A commenter mentioned all the time spent filling in the application forms, only to be constantly turned down. All that data is now in there.

    Like the ancient joke about smuggling wheelbarrows. Or this XKCD: http://xkcd.com/792/ , if you think less specifically than password reuse.

  14. docg

    PayPal wants not only your credit card information but also your banking information. I refuse to surrender that, sorry PayPal. You can have the cc info, but NOT the banking info. And I often wonder why they feel they need that. And why anyone would give it to them.

  15. casino implosion

    I think if I were scheduled for a heart transplant and the surgeon only took paypal, I might actually forgo the life saving procedure just to spite Peter Thiel.

  16. bob

    #1 High level tracking is done not by cookies, in these instances, but by “browser printing” and IP location tables. This requires a huge backend database.

    #2 PP puts on events where they show local cops how easy it is to work with them. No subpoena required. “Just call us, you can have everything we do”.

    It’s not technically a bank, so they have no duty to their unsecured creditors, aka balance holders. Part of how they stay “not-a-bank” is because of this cooperation.

    If you want to find out what a person is doing with their bank account, you need a reason, and a judge. PP? “None of that, we’re here to help, and keep us completely unregulated.”
