Choose: $50 Credit Card Fraud Limit or Unlimited Privacy Damage?

So today AT&T announced plans to test a service allowing payment card providers to access the location of a customer’s phone to improve the accuracy of fraud prevention systems for transactions made abroad. AT&T customers will have to opt in to the fraud protection service, which will also be made available to enterprise customers later this year.

Antone Gonsalves asked me for my opinions about the privacy implications, some of which he included in the article he published on CSO Online today. However, I wanted to make several more points to follow on from his article.

I am all for credit card organizations improving their fraud prevention practices. Last month I drove to Minneapolis and stopped at a rest area and used my credit card to get a $1 pop from a vending machine. Up the interstate further I stopped to get gas, and my same credit card was rejected. Why? Because the $1 charge was suspicious. I know that scammers often use small charges to test the fraud-possibility waters, but completely shutting down my account for getting a $1 drink, and nothing else, was completely ridiculous. And this wasn’t even abroad; it was just hours from my home in the center of the U.S.

It is good to see AT&T trying to improve their fraud prevention methods. However, they definitely need to ensure they are doing so in a way that preserves, and even strengthens where possible, privacy in the process, rather than exposing their cardholders to privacy problems beyond a compromised credit card.


1) Privacy implications

The fact that AT&T intends to let customers opt in, instead of putting everyone in the program and then requiring them to opt out, is a good privacy practice, but it doesn’t stand on its own. They need to do more to address the privacy risks this practice would create.

While the assumption that the phone is in the same place as the credit card will hold much of the time, it will lead to problems whenever it does not.

A good case in point: A couple of years ago my pre-teen son traveled to Japan for a couple of weeks on a student exchange program, and I gave him a copy of my credit card to use while there. However, I was still in Des Moines with my own copy of the card.

  1. If his card had been declined because their system showed my card was being used outside of the country, that could have caused a problem for him. I know similar situations will be common; cards are not always with phones. AT&T will need to have processes in place to prevent premature cancellations in such situations. This also leads to other privacy issues…
  2. With what other entities will AT&T share this information? I anticipate they will likely subcontract one or more companies to help implement and then perform the related GPS tracking and analysis services. How good are the security and privacy protections of those businesses? A privacy breach could occur through them if AT&T does not appropriately vet their contractors’ security and privacy practices, and then obtain ongoing reasonable assurances that they continue to have good practices.
  3. Will they share, wholesale or even occasionally, what will be a large amount of data with government agencies, law enforcement and investigators, as we know they’ve done with call data in the past? I can see government agencies wanting continual access to this data, in the name of catching terrorists. And since this will supposedly be data from outside of the U.S., it will be subject to a wider range of monitoring than within the states (which is already significant). This alone will be enough of a privacy concern to stop many from using this service; they will not want all their data lumped into the data being used to find potential terrorists and crooks, and used for a wide range of other things. Such as…
  4. *Many* other entities will want to get this data also. Divorce lawyers to show the whereabouts of spouses; employers to show the whereabouts of employees; and the list could go on for pages.

The further use and sharing of this GPS phone data is a significant privacy concern.

2) So, should AT&T customers opt in?

If AT&T can validate that they have appropriate controls in place for handling, storing, sharing, and deleting the data, then it could provide a good way to catch fraud when you are traveling outside of the U.S. Here is what they need to do before cardholders opt in:

  1. Allow cardholders to opt out, and completely delete all the data accumulated from their GPS tracking up to that point, at any time after they have opted in. If this program truly is only for when the cardholder is traveling outside the U.S., then a cardholder should be able to opt in before travel and opt out after returning. That way the possibility of continuously tracking the GPS everywhere (which will be technically possible once you allow the tracking in the first place) should be eliminated (assuming they program the systems and applications correctly).
  2. Establish retention standards and practices for the data being collected. They shouldn’t need to retain the data any longer than necessary for the purpose for which they originally collected it. Why does phone GPS data need to be retained after a valid transaction has been made? It doesn’t, for fraud prevention purposes.
  3. Provide an independent third-party privacy impact assessment (PIA) executive summary report of how this new system will work to all cardholders, and on their website, showing that the privacy practices have been confirmed to be appropriate and effective. An appropriately written executive summary will provide the privacy findings without providing any information that could lead to compromise of the new system.
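To make the two mechanical recommendations above concrete (opt in for the trip only, with deletion on opt-out; keep a location check no longer than the transaction it supports), and the point in section 1 that a phone and a card are not always together, here is an added example of a minimal location-assisted fraud check written for this post. It is not AT&T’s system or any card network’s code; the service class, the `RETENTION` window, the `phone_location_lookup` callback and the scenario in `demo()` are all constructed for illustration.

```python
"""Added example: location-assisted fraud check that minimises location data.

Rules implemented (all assumptions for this example, not AT&T's design):
  - the phone's location is never queried unless the cardholder has opted in;
  - a location check is kept only until its transaction settles, and in no
    case longer than RETENTION;
  - opting out deletes every check accumulated so far;
  - a phone/card location mismatch is a signal for verification, not an
    automatic decline, because cards and phones are not always together.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict


@dataclass
class OpenCheck:
    txn_id: str
    phone_country: str
    txn_country: str
    recorded_at: datetime


@dataclass
class Cardholder:
    card_id: str
    opted_in: bool = False
    open_checks: Dict[str, OpenCheck] = field(default_factory=dict)


class LocationFraudService:
    # Assumed upper bound on how long an unsettled check may be kept.
    RETENTION = timedelta(hours=24)

    def __init__(self) -> None:
        self.cardholders: Dict[str, Cardholder] = {}

    def opt_in(self, card_id: str) -> None:
        self.cardholders.setdefault(card_id, Cardholder(card_id)).opted_in = True

    def opt_out(self, card_id: str) -> int:
        """Stop location checks and delete all stored checks; returns count deleted."""
        holder = self.cardholders.get(card_id)
        if holder is None:
            return 0
        deleted = len(holder.open_checks)
        holder.open_checks.clear()
        holder.opted_in = False
        return deleted

    def assess(self, card_id: str, txn_id: str, txn_country: str,
               phone_location_lookup: Callable[[str], str], now: datetime) -> str:
        holder = self.cardholders.get(card_id)
        if holder is None or not holder.opted_in:
            return "no-location-signal"  # no opt-in: the phone is never queried
        phone_country = phone_location_lookup(card_id)
        holder.open_checks[txn_id] = OpenCheck(txn_id, phone_country, txn_country, now)
        if phone_country == txn_country:
            return "location-match"
        # Mismatch (e.g. a family member abroad with a copy of the card while the
        # phone stays home) triggers verification rather than a decline.
        return "location-mismatch-verify"

    def settle(self, card_id: str, txn_id: str) -> bool:
        """Delete the check once the transaction is final; True if one was deleted."""
        holder = self.cardholders.get(card_id)
        return holder is not None and holder.open_checks.pop(txn_id, None) is not None

    def purge_expired(self, now: datetime) -> int:
        """Delete checks older than RETENTION regardless of settlement state."""
        removed = 0
        for holder in self.cardholders.values():
            expired = [t for t, c in holder.open_checks.items()
                       if now - c.recorded_at > self.RETENTION]
            for t in expired:
                del holder.open_checks[t]
            removed += len(expired)
        return removed

    def stored_records(self, card_id: str) -> int:
        holder = self.cardholders.get(card_id)
        return 0 if holder is None else len(holder.open_checks)


def demo() -> dict:
    """Constructed scenario: cardholder opts in before a trip; the phone is in
    Japan; the card is used in Japan and, by a family member, at home."""
    svc = LocationFraudService()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def phone_in_japan(card_id: str) -> str:  # stand-in for a carrier lookup
        return "JP"

    r = {}
    r["before_opt_in"] = svc.assess("card-1", "txn-0", "JP", phone_in_japan, t0)
    svc.opt_in("card-1")
    r["abroad_match"] = svc.assess("card-1", "txn-1", "JP", phone_in_japan, t0)
    r["home_mismatch"] = svc.assess("card-1", "txn-2", "US", phone_in_japan, t0)
    r["after_settle"] = (svc.settle("card-1", "txn-1"), svc.stored_records("card-1"))
    r["purged"] = svc.purge_expired(t0 + timedelta(days=2))
    svc.assess("card-1", "txn-3", "JP", phone_in_japan, t0 + timedelta(days=2))
    r["opt_out_deleted"] = svc.opt_out("card-1")
    r["after_opt_out"] = svc.stored_records("card-1")
    r["assess_after_opt_out"] = svc.assess("card-1", "txn-4", "JP", phone_in_japan, t0)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that the lookup callback is only ever invoked inside the opted-in branch, so an opted-out cardholder generates no location data at all, and that the only two places data leaves the store are settlement and opt-out (plus the retention sweep as a backstop), which is the behaviour an independent assessment would want to confirm.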

3) Do the benefits for preventing fraud outweigh the loss of privacy?

It depends upon who you are and how you live your life (travel, use your card, etc.).

If AT&T takes the actions listed in 2) above, then it would be a benefit with mitigated privacy risks. However, if AT&T does not take these additional important privacy actions, the privacy risks rise dramatically.

Consumers will need to decide: is the risk of someone using their credit card fraudulently greater than the risk of others using their GPS and tracking information inappropriately and perhaps in detrimental ways?

You typically have a $50 limit on how much a fraudster can charge against your credit card account.

There is no limit to the amount of damage someone, or some entities, can do by using your personal information, and GPS tracking data, in detrimental ways.

If AT&T would take the actions listed in 2) above, I’d probably opt in only when traveling outside the U.S. If not, then I would not opt in.
