Plaid settled $58M lawsuit over alleged consumer data sharing
ve55 2021-08-16 17:09:23 +0000 UTC
Giving my full credentials and my security question answer in plaintext to a third party in order to 'link my bank accounts', and then having them scrape every bit of information they can from my personal banking statements and sell it is... nothing short of a nightmare scenario, from many standpoints (user security, user privacy, user education, anti-phishing, and so on).
I guess it's nice to see this class-action lawsuit, but that it amounts to an average of $0.60 per affected user is, well, not particularly inspiring with respect to my hope that things will ever get better here.
Plaid is used by many industry leaders including Venmo, Robinhood, and Coinbase. When it's not used, usually a similar alternative is. Perhaps the most frustrating part of this is that placing blame on these companies is difficult, as there's no interoperability or open banking APIs that can be used as an alternative.
shostack 2021-08-16 17:47:35 +0000 UTC
Business model aside, they do solve a real problem in a space where there are no real incentives for banks to provide their own solution.
I'd love to see a subscription-based, privacy-focused option with API access targeting the consumer personal finance crowd. I think Tiller may get some of the way there, but I'm not sure how secure they are.
trianglesphere 2021-08-16 19:09:00 +0000 UTC
I'm not interested in handing over all my info when I can copy and paste two numbers instead
madamelic 2021-08-17 01:15:08 +0000 UTC
US banks seem to have zero interest in doing so because it doesn't bring them money and Congress isn't interested in forcing them to. EU though is working on a solution between themselves. [0]
US banks' solutions range between "screw off, no scraping allowed even on your account" to (probably) "here's an undocumented SOAP API last touched in 1998"
[0]: https://www.americanbanker.com/opinion/europes-new-api-rules...
swiley 2021-08-17 01:44:04 +0000 UTC
I know someone claims my bank supports it but I've never tried.
drewmol 2021-08-16 20:19:20 +0000 UTC
FWIW: I've resorted to using a formula to derive my security question answers from the real answer (kept secret) and the text of the question itself. This seems to help mitigate the damage of the q's and a's getting exposed.
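One way to implement the derivation described above, as an added example that is not the commenter's own formula: the real answer is kept as a master secret and each site's answer is HMAC-SHA256 of the normalized question text under that secret, rendered as letters. The master secret and the sample questions are constructed for illustration.

```python
import hashlib
import hmac
import re
import string

# Constructed example of the "real answer" that stays private (e.g. in a
# password manager); it is never typed into any bank's form.
MASTER_SECRET = "constructed-master-secret-example"

ALPHABET = string.ascii_lowercase


def normalize_question(question: str) -> str:
    """Canonicalize the question text so that capitalization, punctuation and
    spacing differences between sites still derive the same answer."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", question.lower())
    return " ".join(cleaned.split())


def derive_answer(master_secret: str, question: str, length: int = 12) -> str:
    """Derive a per-question answer as HMAC-SHA256(master_secret, question),
    rendered as lowercase letters so any form field will accept it.

    Because HMAC is keyed and one-way, an answer leaked by one site reveals
    neither the master secret nor the answer to any other question, which is
    the damage limitation the commenter is after."""
    if not 1 <= length <= 50:  # a 256-bit digest yields ~54 base-26 digits
        raise ValueError("length must be between 1 and 50")
    digest = hmac.new(master_secret.encode("utf-8"),
                      normalize_question(question).encode("utf-8"),
                      hashlib.sha256).digest()
    # Base-26 conversion of the digest: each letter is (almost) uniformly
    # distributed, unlike a byte-modulo mapping.
    n = int.from_bytes(digest, "big")
    letters = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        letters.append(ALPHABET[idx])
    return "".join(letters)


def answers_for(master_secret: str, questions: list) -> dict:
    """Derive answers for a site's whole question set from one remembered
    secret; every question gets a distinct, unlinkable answer."""
    return {q: derive_answer(master_secret, q) for q in questions}


if __name__ == "__main__":
    # Constructed sample of typical security questions.
    sample = [
        "What is your mother's maiden name?",
        "What was the name of your first pet?",
        "In what city were you born?",
    ]
    for q, a in answers_for(MASTER_SECRET, sample).items():
        print(f"{q!r:45} -> {a}")
```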
lutorm 2021-08-16 19:59:07 +0000 UTC
In fact, this seems like a _terrible_ liability for them. I guess they're hoping it won't happen and if it does then they'll just go bankrupt anyway?
edoceo 2021-08-16 18:44:35 +0000 UTC
Remember that one company that got "crushed" with bills because a bunch of consumers used the Arb-Clause as intended? Supposed to block lawsuits
newfonewhodis 2021-08-16 18:49:07 +0000 UTC
Amazon? https://www.wsj.com/articles/amazon-faced-75-000-arbitration...
a-priori 2021-08-16 19:28:36 +0000 UTC
The allegation is NOT that they shared/sold data to any third parties but that their Plaid Link user interface, where people enter their banking information to add it to Plaid, looks like the customer's financial institution (i.e., uses the bank's branding colours and logo).
Because of this branding, people can reasonably assume that they are sending that data directly to their bank without knowledge, and therefore consent, to share their information with Plaid itself.
If that understanding is correct then this isn't a business practice or security issue, but a user consent issue. That's a problem that definitely needs to be fixed, and the injunctive relief requires them to change the branding and disclosure to make it clearer that people are interacting with Plaid rather than their bank.
But to me it's definitely not a reason to cancel your account or boycott Plaid or whatever.
https://newmedialaw.proskauer.com/wp-content/uploads/sites/2...
ahzhou 2021-08-16 21:20:30 +0000 UTC
That said I think the suit makes a compelling argument that the disclosures should be better.
a-priori 2021-08-16 19:50:08 +0000 UTC
1. They proactively retrieved transaction data when you connect an account. This sounds like an assumption that almost always people are going to want transaction data, so they just do it by default, presumably to improve the first-time user experience so the data's already there when you later request it. This is going to be changed to only retrieve transaction data on demand.
2. If Plaid's connection is broken (e.g. the user changes their password) then Plaid deactivates the connection but keeps the data. They've agreed to delete the data in this case. The drawback of this change is that since many connectivity issues are going to be temporary, this means that in those cases they'll need to delete the data, then retrieve it again when the user reconnects.
Basically it sounds like they optimized a little too hard on user experience, especially when connecting a new account, and in the process they overstepped user consent. I don't see any bad intent there personally, it sounds like they were just a bit overzealous trying to make the experience super slick.
geoduck14 2021-08-17 11:56:30 +0000 UTC
Shady would happen depending on what they did with the data.
cmer 2021-08-16 17:22:12 +0000 UTC
Are there any banks moving in that direction? I know of exactly zero in Canada.
g_p 2021-08-16 17:47:06 +0000 UTC
The end result, now it's available, is that you have 2 levels of API access. One is for access to account information (I tend to think of this as read-only access), and the other is to allow for "payment initiation" (think of it as write access, although not a perfect analogy).
An account information service provider (AISP) can do things like aggregate bank accounts into one view, across different banks. A payment service initiation provider (PISP) can create payment gateways and initiate payments against a bank account using an authenticated session (enabling direct bank payment online, without needing a debit or credit card and the associated infrastructure around that).
You can't just rock up and access the APIs though - I believe you need to get your application approved and engage with the regulator, which is probably for the better, to avoid the "app store problem" of loads of apps springing up in the API ecosystem, asking for permission, then just leeching data to third parties after you apparently consent on page 46 of their terms.
imglorp 2021-08-16 18:34:00 +0000 UTC
The result is middle apps that are forced to use sketchy anti-patterns like screen scraping and asking for user/pass instead of each bank issuing a per-app token. The banks are just fine with this because anything that explodes will be the middle app's fault and they want to preserve their otherwise moatless situation. Consumers can't really tell banks apart so they have to force retention.
ydant 2021-08-16 18:16:11 +0000 UTC
At least if the bank implements some sort of API that means some thought was probably given toward using tokens instead of username/password, and some thought was given toward scoping the APIs - at least into read-only and read-write capable access.
Although if you read between the lines in some of the service descriptions and backend documentation, a lot of what Plaid (and Yodlee, and others) do is now a mix of scraping and private APIs the banks provide, but those APIs are only available to commercial entities they've signed a relationship with.
Obviously the ideal is public standardized APIs all banks provide with established security-focused practices and read-only limited data access as an option. But proprietary per-bank APIs available to the general public would be a good step forward.
judge2020 2021-08-16 18:58:55 +0000 UTC
Well, I think that would barely change anything on the consumer side. Nobody is going to go through and integrate with the hundreds of credit unions and local banks just for their app - if anything it only encourages a few extra companies to enter the battle with Plaid.
Hopefully FedNow fills this void, at least for the U.S. market. https://www.frbservices.org/financial-services/fednow/about....
xtracto 2021-08-16 21:04:24 +0000 UTC
Banks are so held in last century technology...
foxcurve 2021-08-16 18:24:29 +0000 UTC
I'll post a snippet we recently added to our pitch deck:
> Accounts like those catering specifically to the LGBTQ+ community (https://joindaylight.com), the Black community (https://firstboulevard.com), individuals interested in supporting renewable energies (https://www.tomorrow.one/en-EU/), and social media creators (https://www.trykarat.com/) have proliferated. Retail accounts catering to the unique wants and needs of software developers is a natural next step.
bananapub 2021-08-16 17:24:12 +0000 UTC
1. banks create gap in market by not providing useful access to their customers' data by...their customers
2. regulators don't step in to fix this market failure
3. some company steps in! yay!
4. company decides that charging customers for providing a good and/or service is insufficient, they need to do something creepy with selling off the customers data
5. lawsuit after the fact to maybe stop them being dickheads and definitely enriching a lot of lawyers
why hasn't the FTC or something stepped in to make banks provide some secure read-only access?
prepend 2021-08-16 17:15:25 +0000 UTC
Venmo is doing this weird thing where for some transactions they are saying they require plaid to get my bank credentials to log in and “verify.” Of course that breaks my first issue. But it also allows them to suck up and use all of my bank transactions forever.
Seems like a shitty tradeoff just to Venmo money to people.
w4llstr33t 2021-08-16 17:37:55 +0000 UTC
If you use Plaid, I think it should only be if there's no other option and you change your credentials after. I've always thought giving away your credentials to a screen scraping company like Plaid was crazy.
In terms of the class action lawsuit, the only one who will see a meaningful payout from this are the lawyers.
theptip 2021-08-16 17:49:51 +0000 UTC
https://plaid.com/docs/auth/coverage/same-day/
Their UI makes it really hard to find this option though, because Plaid makes their money from scraping your transaction history, which doesn't work if you do the micro-transaction approach.
As a consumer, I'm not a big fan of Plaid's business model. But to be fair to them, a lot of the security issues come from the fact that until very recently, no US banks had any form of API to allow delegation of access. Based in large part on the success of Plaid, this is starting to change; some institutions are banning Plaid from using the password-based flow, and are replacing this with a more secure OAuth flow:
https://plaid.com/docs/link/oauth/
This is the correct solution to the technical problem at hand. It'll benefit other systems too; for example it should be possible for open-source accounting software to use this flow to export your transaction history in a maintainable way, which previously relied on scraping that's unfeasible for an OSS project to keep up with (but which Mint could afford to implement).
Hopefully the banks let you selectively grant permissions "can view my account list" and "can view my transaction list", or at least surface those permissions, so that consumers can be aware of what they are giving away -- I'd wager that most end users have no idea that Plaid is slurping their transaction history, and would be even more shocked that it's maintaining ongoing access to continue doing the same.
paws 2021-08-16 17:20:04 +0000 UTC
https://news.ycombinator.com/item?id=27982516
While I'm still trying to understand the bigger picture implications, maybe you will find this helpful too.
walrus01 2021-08-16 17:55:29 +0000 UTC
https://www.google.com/search?client=firefox-b-1-d&q=current...
Also apparently if you want to use Plaid with many different online banking portals, you need to permanently disable 2FA, also no thanks.
jeandenis 2021-08-16 19:26:45 +0000 UTC
You can use the Plaid Portal (https://my.plaid.com) to view what types of data are being shared, to revoke access (to both the apps and Plaid) and delete data stored in Plaid’s systems. You can also put a data deletion request through support.
Note, as per my comment above, that we don’t, and have not, sold data. https://plaid.com/legal/#consumer-support
briffle 2021-08-16 20:23:23 +0000 UTC
Is this a bug, or are those of us that use certain 3rd parties not able to see our data?
madamelic 2021-08-17 01:22:10 +0000 UTC
Plaid is a financially juicy target that has a lot of customers.
buu700 2021-08-16 19:12:10 +0000 UTC
I'm not a fan of Plaid. The core concept is great, but training users to enter credentials (much less banking credentials) into third-party sites is nuts. Nowadays, it would be easy for someone to pivot from a compromise of a random company's web server to impersonating Plaid and pwning most of their customers' bank accounts.
This would be trivial to fix by deprecating their current UI and switching to a small popup or redirecting to a different URL.
fasteddie 2021-08-16 18:29:35 +0000 UTC
If it's the former -- I certainly think services need to clearly state what/why/how they are using the data, but it's on the services (like Venmo) and not Plaid.
xyst 2021-08-17 04:35:25 +0000 UTC
All it takes is a bad actor within the company to re-write the screen scraping to then impersonate the users and have them wire out money to a foreign bank account. Some anti-fraud systems might catch this activity but for people that use the wire system on a frequent basis it might go unnoticed.
Or they may screen scrape the information and sell it on the black market. Wouldn’t be too hard to target a specific group (elderly, retired) since you already have their bank credentials which subsequently has reliable/verified demographic information and account balances.
echopom 2021-08-16 18:14:14 +0000 UTC
Thank you, court of California, for incentivizing startups and GAFA to use our data knowing they risk nothing.
Just to be clear, Plaid has raised $600+ million in its lifetime, this is nothing for them.
dmitrygr 2021-08-17 00:22:56 +0000 UTC
And then we wonder why phishing works so well, and why 2FA is not widely used...
I already advised everyone I know against Plaid, and am working with my bank's local branch to disable any and all access from their IPs, and force anyone whose passwords have been compromised (make no mistake, giving your password away is a compromise) to change their passwords and enable 2FA.
vmception 2021-08-16 20:34:46 +0000 UTC
There is no secure way to "connect your bank account" in an app. No matter how fancy it looks, or what logo they put up, you are really just giving your username and password to a random person. A random person who may or may not be malicious, but is absolutely a giant target for malicious people.
As for the rebuttals, it'd be nice if there was a way for users to verify.
akarma 2021-08-16 18:22:17 +0000 UTC
[1] https://news.ycombinator.com/item?id=18655417
jeandenis 2021-08-16 19:09:31 +0000 UTC
https://plaid.com/legal/#consumer-support
As someone who has overseen our consumer privacy team over the past few years building out products like Plaid Link and Plaid Portal, I can attest this is a foremost priority for the company. FWIW, I don’t agree with the allegations, and you can read our POV on this blog post.
https://plaid.com/blog/plaids-commitment-to-consumer-privacy...
RileyJames 2021-08-16 20:49:10 +0000 UTC
The product was sold as infrastructure, and used as data collection, and 98 million users were not aware of that.
If you’re unable to reconcile why users of Square Cash would be confused when they hear their data is accessible through some service called ‘Plaid’ for which they’ve never signed up, or given their data, then maybe you could start with defining terms as they would, rather than how you’d prefer they sound.
Having data in a database doesn’t make it yours, it’s the users'. It was when it was in their bank, it is when you move it to your service and it remains when you provide it to someone else.
jeandenis 2021-08-16 23:20:01 +0000 UTC
We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.
Here's the policy if you want to look: https://plaid.com/legal/#consumers
neolog 2021-08-16 23:48:09 +0000 UTC
> We share your End User Information for a number of business purposes:
> - With the developer of the application you are using and as directed by that developer (such as with another third party if directed by you);
> - With our data processors and other service providers, partners, or contractors in connection with the services they perform for us or developers;
This is so vague that I don't know what it's even supposed to mean. What Plaid lawyers will argue it means when pressed is a further question.
jjulius 2021-08-17 00:56:26 +0000 UTC
And thanks to Plaid settling, their lawyers won't be pressed.
akarma 2021-08-16 19:22:21 +0000 UTC
You just settled a claim that you sold customer transaction histories, and from the article linked, the plaintiffs' lawyers claim that you have agreed to implement meaningful business practice changes to remediate these issues.
(1) If you've never sold transaction histories, why settle a lawsuit alleging that you sold transaction histories?
(2) What meaningful business practice changes could you be making if there's no issue to begin with?
(I'm relying on the article here as a source of truth).
jeandenis 2021-08-16 20:13:47 +0000 UTC
The bottom line point is, we don’t sell data and that’s not the main allegation. The main allegation is that people didn’t understand that we were part of the flow of connecting banks to apps. We disagree.
Before 2017, there was a whitelabel experience of Plaid that didn’t say “Plaid”, didn’t have the Plaid logo, etc. We still stand by our belief that our disclosures at the time were more than adequate. But it’s not something we want to have protracted litigation around.
The reality is that our experience today is vastly different (and has been for a while). As for “what meaningful business practice changes could you be making if there's no issue to begin with.” Like most companies, we’re always making improvements to our experience -- today we have a consent pane that makes our role clear, a portal for people to manage their data, etc.
akarma 2021-08-16 20:35:16 +0000 UTC
This is allegedly from the lawsuit. I can see your perspective — that it made sense to settle because of the privacy accusation, but you still deny the other accusations. I understand that perspective, though as I'm sure you can understand, it's hard to know for sure based on the allegations and the settlement.
[1] https://newmedialaw.proskauer.com/2021/05/11/plaid-federal-e...
adrr 2021-08-16 21:54:29 +0000 UTC
https://plaid.com/signal/
archenary 2021-08-16 19:38:08 +0000 UTC
Edit: Update [0] to source
[0] https://newmedialaw.proskauer.com/2021/05/11/plaid-federal-e...
akarma 2021-08-16 19:48:47 +0000 UTC
From the article you linked:
> Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps.
madamelic 2021-08-17 01:01:55 +0000 UTC
They would kind of have to be idiots to do so, to be quite frank.
Up until like a year ago, their baseline product was $500 / mo plus $x / user after 100 users (iirc) with a 12 month contract.
Plaid has basically no competition, is worth billions and was almost acquired if not for an anti-trust suit.
I am not sure how Plaid or its founders would benefit financially by betraying the trust of their customers and their customers' customers by getting a few cents per record out of it.
> Plaid would retain access to their credentials and use them to mine, aggregate and then sell users’ financial transaction data to third parties (including to the fintech apps that use its services) for purposes unrelated to the plaintiffs’ use of the fintech payment apps.
People's hatred / mistrust of Plaid stems from a misunderstanding of what Plaid is.
Yes, Plaid does """sell""" that information... to the app that you willfully gave permission to, information like cash flow, debt, types of debt, etc.
Oh, also, if people are so terrified of Plaid, they should write to the Congresspeople and ask them to write a bill to force banks to write & provide REST APIs. The lack of banking APIs is the only reason Plaid exists and has to resort to scraping or storing banking information.
tzs 2021-08-17 02:08:10 +0000 UTC
Why REST? Yes, I’d certainly rather call REST APIs than, say, SOAP APIs, but do we really want Congress specifying that much technical detail?
geoduck14 2021-08-16 21:52:52 +0000 UTC
1) Users use Plaid to buy/sell with a variety of vendors and banks
2) Vendors and banks were aware that specific users were buying/selling because they were buying/selling their products
3) Users consented to #2 because they were buying/selling their products
4) Plaid provided aggregated reports that said "5% of your customers also shopped on Amazon"
People sued over #4
wheaties 2021-08-16 19:18:20 +0000 UTC
Hope you have success and I have no ill will towards you.
jeandenis 2021-08-16 20:17:43 +0000 UTC
Your data goes from your bank to the app that you authorized, via Plaid. It is not sold to anybody.
oh_sigh 2021-08-16 20:42:42 +0000 UTC
Neither here nor there, but I just used Plaid for the first time yesterday to pay for the downpayment on my Tesla. It was a really nice, seamless experience.
infogulch 2021-08-16 21:22:28 +0000 UTC
Also a happy user of a service enabled by plaid tech.
jeandenis 2021-08-16 21:51:03 +0000 UTC
No, your personal data is not sold or rented or given away or bartered to parties that are not Plaid, your bank, or the connected app. We talk about all of this in our privacy policy, including ways that data could be used — for example, with data processors/service providers (like AWS which hosts our services) for the purposes of running Plaid’s services or for a user’s connected app to provide their services.
infogulch 2021-08-16 22:08:14 +0000 UTC
For any interested, here is a link to the relevant section of the referenced privacy policy: https://plaid.com/legal/#consumers
I am also impressed by the Legal Changelog on the same page that clearly lays out a log of changes made to privacy & other published legal documents.
OnlineGladiator 2021-08-16 19:19:46 +0000 UTC
I don't know the details of this case so I have no strong opinions, but this response makes me trust you less, not more.
mikeiz404 2021-08-16 19:59:48 +0000 UTC
We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research.
We do not sell or rent personal information that we collect.
geoduck14 2021-08-16 21:59:43 +0000 UTC
Perhaps something like "all users who are in the UK and logged in last Sunday morning". Something like that could have been a pain to suss out for each instance of data sharing; in addition, if you "settle in court", you can also set court-approved definitions of what "anonymously aggregated" means.
jjulius 2021-08-16 20:23:05 +0000 UTC
Forgive my ignorance here, but how exactly would one "rent" personal information?
chuckcode 2021-08-17 00:31:08 +0000 UTC
I'd like to take a minute though to express my frustration with the banks that refuse to supply any sort of limited APIs. How is it 2021 and I still can't give my tax person read-only access to a specific year of transactions? Plaid's and others' trust issue would be so much easier if the banks had any sort of control over sharing aside from none or authorized to do anything.
geoduck14 2021-08-17 12:01:25 +0000 UTC
Go ahead and explain to a bank who has a STAGE COACH in their logo what an API is and why they need one with fine grained access.
phyzome 2021-08-16 19:40:01 +0000 UTC
I'd like to hear a broader statement on the specific phrasing in this article: « the fintech firm passed on personal banking data to third party firms without user consent ».
lmilcin 2021-08-16 23:35:33 +0000 UTC
"According to the lawsuit, filed Thursday in California federal court, the plaintiffs alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and use that information to gain access to and sell their transaction histories. Allegedly, these actions occurred without users knowing about Plaid’s role is a variance of “deceptive tactics.”"
So, the lawsuit is for selling the transaction histories and you say you never did it.
Why do you settle for $58M if you never did it rather than go to court so that they present proofs that, according to your explanation, must be false?
I am not convinced.
Or, the simpler explanation is that you just lie to us here because you can. But you settle to not go to court because you know you can't lie yourself out of losing.
madamelic 2021-08-17 01:09:02 +0000 UTC
Ever seen Fight Club and that recall equation?
Yeah, that's why. It would cost them more time, bad PR and money to fight than it would be to just settle and take the lumps even if it is untrue.
lmilcin 2021-08-17 01:20:14 +0000 UTC
In this case, you ask to dismiss the case for lack of evidence. That is, if you are innocent and there really is no evidence.
collectedparts 2021-08-16 19:07:32 +0000 UTC
The plaintiffs in this case are claiming that when they linked their bank accounts to PayPal/Venmo/etc using Plaid they didn't realize what they were doing, or that it's somehow unfair that Paypal/Venmo/etc got their banking data (despite knowingly inputting their credentials into Paypal/Venmo/etc).
Paypal/Venmo/etc is not a third party in that case. They're the party that the customer was knowingly interacting with.
A third party would be an unknown / unrelated data broker. I.e., the cofounder is claiming that they don't turn around and resell data to anyone other than the app that the customer was deliberately using.
majormajor 2021-08-16 19:30:22 +0000 UTC
If that's accurate - if the plaintiffs were just trying to use Paypal + their bank account, and only coincidentally using Plaid because Paypal used Plaid - then any data being captured and stored by Plaid does sound extremely fishy. I'd want them to just be a bridge to let info flow between the bank and Paypal, not store any of that themselves too. That part seems sketchy even if they never sold it - I still don't think they should keep it in the first place.
ahzhou 2021-08-16 21:08:17 +0000 UTC
The relevant section is on pg 16, under the heading "Plaid Sells and Otherwise Exploits the Unlawfully-Obtained Private Data".
The suit alleges that "Plaid has admitted that it routinely sells the consumer banking data it collects. At a minimum, Plaid sells the data it obtains from consumers’ accounts back to the very app providers, including the Participating Apps, who use its services. [40] Plaid calibrates its prices based on the type of information being sold. [41]".
Footnotes 40 and 41 are, respectively:
[40] See Feb. 21, 2017 Response by Plaid to CFPB’s RFI, https://plaid.com/documents/PlaidConsumer-Data-Access-RFI-Te... (Plaid acknowledges to CFPB that it sells data to party “permissioned” by consumer).
[41] See Feb. 2019 interview with Zach Perret, https://www.saastr.com/build-a-platformecosystem/.
-----
IANAL. The suit alleges that Plaid sells the data, with the specific proof that Plaid sells data to the authorized app (Paypal or Venmo in your example above). The plaintiffs do provide proof in the suit that Plaid sells the data to third parties, but suggest that Plaid might, since they already sell the data to the app that users authorized.
At risk of misrepresenting their argument, the suit seems to claim that Plaid doesn't do enough to give consumers (think average non-tech savvy person) enough of a heads up on what's happening behind the scenes. According to the suit, a consumer using Plaid doesn't understand that they give banking credentials to a third party (Plaid), which uses the credentials and "sells" data to the app that is being connected to the bank.
The above seems consistent with what the Plaid CTO wrote. I haven't seen anything that indicates Plaid sells your data to unrelated third parties. That said, I agree with the suit - Plaid should do a better job of making it clear exactly how your banking information is going to be used.
owenversteeg 2021-08-16 21:37:25 +0000 UTC [ - ]
So still a privacy nightmare, just a slightly different one.
What's so hard about not selling my data at all, and not collecting any data except for what's absolutely necessary to connect A to B?
2021-08-16 22:34:59 +0000 UTC [ - ]
nemothekid 2021-08-16 20:50:00 +0000 UTC [ - ]
I've integrated with Plaid's API (a long time ago), and this doesn't sound fishy. Plaid's API is pretty comprehensive and it would have been PayPal's job to unlink the connection after the verification took place. Plaid gives you a "token" representing the user that can be used to further look up information in their account - such as new transactions. If PayPal had naively enabled the usage of those APIs, then it's not surprising Plaid stored that data.
For example, if you (the API client) didn't want to store any information except for a user token (similar to how you might store tokens with Stripe's API), then every time you needed to look up the client's account number you would call Plaid's API to retrieve that data (which, by definition, they would be storing).
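To make the retention point in the comment above concrete, here is an added, self-contained illustration. It is not Plaid's API and not nemothekid's code; `MockAggregator`, `naive_client` and `minimal_client` are hypothetical names, and the sample credentials are constructed. It contrasts an integration that keeps the long-lived link token (so the aggregator must keep holding the bank credentials to serve later look-ups) with one that unlinks right after the one-time account verification and stores only the account identifiers it actually needs.

```python
# Added example: a toy aggregator that links a bank account on behalf of an
# app, hands the app a token, and keeps the credentials for as long as that
# token is alive. Hypothetical design, not Plaid's API.
import secrets
from dataclasses import dataclass, field


@dataclass
class LinkedAccount:
    """Everything the aggregator holds while a link token is valid."""
    username: str
    password: str            # bank login kept server-side (constructed sample)
    account_number: str
    routing_number: str
    transactions: list = field(default_factory=list)


class MockAggregator:
    def __init__(self):
        self._links: dict[str, LinkedAccount] = {}

    def link(self, username, password, account_number, routing_number):
        """Link an account; returns an opaque token the app may store."""
        token = secrets.token_hex(16)
        self._links[token] = LinkedAccount(username, password,
                                           account_number, routing_number)
        return token

    def auth(self, token):
        """One-time verification: return the numbers needed to move money."""
        acct = self._links.get(token)
        if acct is None:
            raise KeyError("token revoked or unknown")
        return acct.account_number, acct.routing_number

    def transactions(self, token):
        """The 'further look-ups' a live token allows (transaction history)."""
        return list(self._links[token].transactions)

    def revoke(self, token):
        """Unlink: the aggregator drops the credentials for this account."""
        self._links.pop(token, None)

    def retained_credential_count(self):
        """How many bank logins the aggregator is still holding."""
        return len(self._links)


def naive_client(agg: MockAggregator, username, password, acct_no, routing):
    """Stores only the token and re-queries the aggregator for everything
    else, so the aggregator must keep the credentials indefinitely."""
    token = agg.link(username, password, acct_no, routing)
    agg.auth(token)                       # verify the account
    return {"link_token": token}          # token kept; link stays alive


def minimal_client(agg: MockAggregator, username, password, acct_no, routing):
    """Verifies once, stores just the two numbers it needs, and unlinks."""
    token = agg.link(username, password, acct_no, routing)
    account_number, routing_number = agg.auth(token)
    agg.revoke(token)                     # aggregator drops the credentials
    return {"account_number": account_number, "routing_number": routing_number}


def demo():
    """Run both integrations against fresh aggregators; returns the number
    of bank logins each aggregator still holds afterwards (constructed data)."""
    a1, a2 = MockAggregator(), MockAggregator()
    naive_client(a1, "alice", "hunter2", "000123456", "021000021")
    minimal_client(a2, "alice", "hunter2", "000123456", "021000021")
    return a1.retained_credential_count(), a2.retained_credential_count()


if __name__ == "__main__":
    print(demo())  # naive keeps 1 login on file at the aggregator, minimal 0
```

The difference is only visible on the aggregator's side: with the naive integration the aggregator can still call `transactions()` for that user months later, which is exactly the data the thread is worried about; with the minimal one the token is dead and nothing beyond the two identifiers survives.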
majormajor 2021-08-16 20:56:55 +0000 UTC [ - ]
If I'm linking my bank to paypal to send money back and forth, I don't want: (a) paypal getting transaction history, (b) a third party company hanging on to those credentials, (c) that third party company getting any view of transactions either. I just want Paypal to send/retrieve money.
I thought Plaid just translated "different bank account APIs" to a dev-friendly one. If they're using that to collect a lot of data THEMSELVES from customers who just wanted bank interop... that's bad. Nobody "using" Plaid is intended to give this intermediary company all that info.
I'm linking my account to Paypal because I (thought that) I trusted Paypal. I never knew I was actually giving all this shit to this other company too.
(In my case, I've used routing number/checking number because they seemed to require handing over less privileges than my full password, and this certainly seems to reinforce my skepticism about using the "sign in to your bank" password auth for linkage.)
nemothekid 2021-08-16 22:03:56 +0000 UTC [ - ]
100%, which is why I think this lawsuit is valid. That said, even though I don't believe Plaid sold any data, a lot of people brought this up as a concern to using Plaid. I don't consider it shady behavior, because I don't think Plaid ever misrepresented their capabilities to their clients. In other words, PayPal knew Plaid would be storing this data, and used their reputation to provide legitimacy to Plaid. In my opinion, it was PayPal who was irresponsible with your data.
akarma 2021-08-16 19:12:24 +0000 UTC [ - ]
> Plaid has settled a $58 million class action lawsuit over claims that the fintech firm passed on personal banking data to third party firms without user consent.
and selling transaction histories:
> the plaintiffs alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and use that information to gain access to and sell their transaction histories.
For what it's worth I haven't read the actual lawsuit yet, but would love a link if it refutes the article.
ahzhou 2021-08-16 21:14:51 +0000 UTC [ - ]
I wrote a post above on my take but TL;DR - I think that the suit is mostly alleging that Plaid doesn't do enough disclosure of what's happening behind the scenes. It suggests that Plaid might sell the data to unrelated third parties, but doesn't support it with any proof. It does support itself with proof that Plaid "sells" data to the app that is being connected to the bank.
edoceo 2021-08-16 18:41:58 +0000 UTC [ - ]
Justin_K 2021-08-16 18:39:03 +0000 UTC [ - ]
newfonewhodis 2021-08-16 18:48:31 +0000 UTC [ - ]
> Plaid used consumers’ banking login credentials to gather and distribute detailed financial data without prior consent
> Allegedly, these actions occurred without users knowing about Plaid’s role is a variance of “deceptive tactics.”
And for all this:
> If all 98 million people were to file a claim, each would receive just 60 cents.
> The San-Francisco based platform raised a $425 million funding round in April
The current capitalistic system is broken beyond repair. We need stricter corporate regulation (especially in fintech but more broadly) very urgently.
cowpig 2021-08-16 19:36:26 +0000 UTC [ - ]
NicoJuicy 2021-08-16 18:43:23 +0000 UTC [ - ]
But, we're not in Japan. So I doubt he will.
908087 2021-08-16 19:04:04 +0000 UTC [ - ]
https://archive.fo/kWPJk
https://web.archive.org/web/20210816190158/https://news.ycom...