PayPal’s Identity Service, Gone Too Far

Looks like PayPal is offering a new identity service. Gaining access to over 100 million users who trust the brand seems like a pretty good opportunity. However, reading through the benefits of using this service made me feel a little queasy. This service is abusing the privacy of their customers, badly. If you don’t believe me, take a look at what information they are offering to developers on the people who use their service:

That’s getting pretty personal, especially if I am just logging in to a site for something other than banking purposes. I can’t imagine other people would be too comfortable with this either.

However, I firmly believe that if a company is transparent with the information they gather then that’s OK — caveat emptor. With that in mind, after reading about the service, I went to their privacy policy to see if they ask for permission to give out this sort of data. Here is the relevant paragraph:

How we use the personal information we collect

Our primary purpose in collecting personal information is to provide you with a secure, smooth, efficient, and customized experience. We may use your personal information to:

  • provide the PayPal Services and customer support you request;
  • process transactions and send notices about your transactions
  • resolve disputes, collect fees, and troubleshoot problems;
  • prevent potentially prohibited or illegal activities, and enforce our User Agreement;
  • customize, measure, and improve the PayPal Services and the content and layout of our website and applications;
  • deliver targeted marketing, service update notices, and promotional offers based on your communication preferences;
  • compare information for accuracy and verify it with third parties.

Does the information offered by the identity service fit into this policy? I guess that’s a legal question, but it sure feels wrong to me. Also related, the privacy policy explicitly states:

PayPal will not sell or rent any of your personal information to third parties for their marketing purposes and only shares your personal information with third parties as described in this policy.

I guess PayPal defines “personal information” somewhat differently than I would.

PayPal has a pretty bad reputation in the small business community already. This certainly isn’t going to help that. PayPal is going too far with this and I hope the public wakes up and takes action by taking their business elsewhere.
