New Bank Privacy Tool Exposes Opaque, Possibly Illegal Sharing Policies

Carnegie Mellon did a machine analysis of 6,326 bank privacy notices. The results aren't encouraging.

Aug 28 2016, 2:00pm

Image: Mike Mozart/Flickr

What does your bank share? With access to consumers' most revealing private information—what they do with their money—we might naively assume that the answer is "nothing." But of course "revealing private information" is about the most valued commodity in the information economy, which means that it is of course being bought and sold like the currency that personal data is circa 2016.

Naturally, these transactions happen far from view.

Banks are required to disclose what information they share and what their policy is with respect to that sharing—including whether customers have the option of opting out. This requirement is the result of the Gramm-Leach-Bliley Act (GLBA) of 1999, which, generally, had the effect of allowing different types of financial institutions to consolidate (thus neutering the 1933 Glass–Steagall Act). The privacy rules added by the GLBA can be found in Subchapter 1: "Disclosure of Nonpublic Personal Information." They are at least better than nothing.

The privacy policies mandated by the GLBA were criticized by advocates—led by Ralph Nader, no less—for being opaque and inaccessible. The Electronic Privacy Information Center and other consumer advocates petitioned for new rules requiring policies to be published in reasonably consumer-friendly form. Given that the GLBA puts the burden of opting out on the consumer, the consumer should be ensured of having access to the information required to make those decisions. This kinda-sorta happened in 2009, when federal agencies published the so-called model privacy form, which provided a skeleton of standardized boilerplate that banks could use as a template for publishing privacy info.

The new forms make privacy info easier to digest, but they also have a side effect. By standardizing the presentation of this information, the forms enable machine analysis. To this end, computer scientists at Carnegie Mellon developed an automated tool for crawling and parsing bank privacy notices. Their work, which is described in a paper published in the journal ACM Transactions on the Web, culminated in a web-based tool, simply known as "Bank Privacy," that consumers can not only use to find information about their own bank's privacy policies, but that they can use to find information about other banks in their area, perhaps with preferable policies. (An earlier draft of the paper can be accessed here.)

"We collected lists of financial institutions in the United States and wrote a computer program that automatically queries Google in search of companies' standardized notices on their websites," the paper explains. "Upon finding such a notice, the program automatically parses the standardized notice and feeds the extracted information into a database, enabling a large-scale comparison of financial institutions' privacy practices. Starting from lists of financial institutions from the Federal Reserve (Fed), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA), we searched for standardized notices from 19,329 financial institutions, finding standardized notices from 6,191 of these institutions."

That's a pretty unsettling find in itself. Around three-quarters of all banks have opted to skip the recommended form presumably in favor the friend of online disclosures everywhere: obscurity. At the very least, skipping the form excludes banks from the Bank Privacy tool and this sort of analysis, generally. One implication of this, according to the Carnegie Mellon paper, is that regulators don't appear to have done any sort of large-scale of privacy policies and notices themselves. Which is troubling.

This is also troubling:

A large-scale, automated analysis also has the potential to detect problematic privacy practices. We identified financial institutions whose stated sharing practices violate United States law. For three data-sharing purposes considered in the privacy model, institutions were required to provide consumers a way to limit sharing [Federal Register, December 2009]. In violation of the law, about 100 (2%) of institutions said they shared data for these purposes, yet reported that consumers could not limit sharing. In a preliminary evaluation with a smaller number of analyzed institutions conducted last year, we found 24 institutions with notices that were not compliant with the law [Cranor et al. 2013]. When we contacted those institutions, some of them explained that the stated sharing practices on those notices were erroneous and that their actual practices were different.

The online tool is definitely worth screwing around with. As noted in the paper, the bigger the banks get, the worse they get in terms of privacy, generally. My mid-sized credit union does pretty well (relatively), but when you start getting to the Bank of America-level institutions, things start sliding. Which is about the least surprising thing ever published in an academic paper ever.

What the authors really seem to want to impress on consumers is that they have a choice when it comes to privacy. You don't have to be stuck with some bank that violates your own personal sharing standards because it's very likely that there is another bank nearby that does not. Now you can find it.