Mobile wallet technology raises privacy, security concerns

by Lindsay Wise, The Miami Herald

Your smart phone already serves as a portable office, media player, newspaper, GPS, camera and social network hub. Now it can replace your wallet, too.

Imagine: No more fumbling for credit cards or digging through your pockets for loose change. The technology already exists to let you buy a grande soy latte through your phone, simply by saying your name out loud at the register.

As the number of neighborhood bank branches dwindles, Americans increasingly use their mobile phones to manage money and shop. Payments made via mobile devices in the United States are expected to total $90 billion by 2017, a big jump from the $12.8 billion spent in 2012, according to Forrester, a research and advisory firm headquartered in Cambridge, Mass.

Privacy advocates worry that the emergence of ‘mobile wallet’ technology will leave consumers more vulnerable than ever to identity theft and invasive data collection.

‘All of a sudden the mobile phone is about to be transformed beyond a spy in your pocket to your bank, your mortgage lender and your landlord,’ said Jeffrey Chester, the executive director of the nonprofit Center for Digital Democracy in Washington. ‘In a way, it’s kind of a privacy tipping point, because one single device knows wherever you go your geographic history, your social media connections and your financial behaviors.’

One of the most popular mobile payment systems, Square, enables sellers to accept credit cards through a small device attached to a cellphone or tablet.

Consumers who install the ‘Square Wallet’ app on their phones can pay for an item at participating businesses like Starbucks without ever having to pull out their wallets ‘ or even their phones. Instead, they can just say their names to pay. A photo and the name of the customer pops up at the register, and the cashier taps the picture to authorize the sale, automatically charging the customer’s account., a cloud-based wallet app, allows consumers who input their credit card information to see which card will get them the most rewards or cash back for each purchase. The app also helps consumers take advantage of special offers from banks and merchants.

PayPal, Google and other companies offer similar digital wallets.

Such technologies offer convenience and real-time deals to consumers while allowing companies to better track customer behavior and test marketing strategies. Mobile payments already are widely used in many developing countries, where cash is scarce and the technology allows people to transfer money safely over long distances, avoiding theft and bribes.

But in the United States, the Federal Trade Commission warned in a report this month that these low-cost or no-cost mobile technologies come with hidden costs and risks.

Advertisers, retailers, operating system manufactures and app developers can use the data collected from mobile devices to build more comprehensive consumer profiles, including shoppers’ personal contact information, details of their purchases and their physical locations, the report said.

The report also points out that if shoppers use prepaid accounts, reloadable cards or gift cards to pay for purchases via mobile, they won’t enjoy the same federal protections afforded to credit and debit cards, which limit a consumer’s liability in the event of fraud or unauthorized charges.

Although some companies voluntarily agree to limit liability to $50, the protections aren’t required, ‘and companies that provide them could withdraw or modify them at their discretion,’ the report stated.

Privacy advocates worry that consumer protection laws are lagging behind the technology.

‘At the end of the day, this is about exposing your financial behaviors to a daisy chain of financial and other marketers who will have a very detailed understanding of where you are, where you spend your time and how you buy,’ said Chester of the Center for Digital Democracy.

For now, consumer protections for mobile payments aren’t really on policymakers’ agendas, said Chris Jay Hoofnagle, director of information privacy programs at the Berkeley Center for Law & Technology at the University of California, Berkeley.

‘The FTC knows about these problems and it has written about them, but we’re very early in this process and these types of data transfers are not noticeable to the consumer, so one question is will the consumer ever object’? he said.

‘Going to mobile payments ‘ unless rules are put in place ‘ will be zero privacy,’ he said.

Hoofnagle suggests modernizing a California law that prohibits brick-and-mortar businesses from asking for personal contact information such as a ZIP code and phone number from consumers who pay by credit card. The idea, he said, would be to extend those protections to the digital space and let consumers decide whether to permit the collection of their personal data during mobile transactions.

As the popularity of mobile payments grows, companies’ privacy practices could face more scrutiny.

Google Wallet recently came under fire when an Australian app developer complained in a blog that Google was sending him the names, physical addresses and emails of customers who bought his app on Google Play, the company’s store for Android apps, games, music, books, movies and other digital content.

In response to a letter of inquiry from Democratic Rep. Hank Johnson of Georgia, Google said that it discloses in its Google Wallet privacy notice ‘that we may share your personal information with third parties as necessary to process your transaction and maintain your account.’

Information such as name and email address ‘is necessary for developers to issue refunds, reversals, payment adjustments . . . and investigate chargebacks,’ Google said in its written response to Johnson.

Johnson remains concerned, however. Google should do more to alert customers about the company’s data-sharing policy at the moment when they make their purchases, the congressman said in a statement. ‘A short notice stating the types of personal information that Google shares with third parties and reasons for sharing would provide users with greater transparency,’ he said.

The Google Wallet case is alarming because most consumers don’t expect that their personal information will be sent to app developers whenever they make a 99-cent video game purchase, said Ashkan Soltani, an independent researcher and consultant specializing in consumer privacy and security on the Internet.

‘The fact that a random 22-year-old software developer in the Ukraine that wrote the app in their bedroom gets your name, address and email when you purchase an app will be surprising to most people,’ he said.

Privacy protections need to be updated to reflect today’s technology, Soltani said.

‘From a policy perspective, we want to be careful that the mobile wallets don’t fall through the regulatory cracks,’ he said.