Facebook’s Proposed Financial Data Use Ignites More Controversy

Facebook assures financial institutions it won’t use data for targeted advertisements.

Reaction to Facebook’s latest data-use proposal.

Facebook reportedly is working with several financial institutions to incorporate customers’ personal financial data, including credit and debit card transactions and checking account balances, to extend the social network’s footprint.

According to the Wall Street Journal and other sources, Facebook held conversations with Chase, Wells Fargo, Citigroup and US Bancorp over the past year to discuss the possibility of adding features, such as fraud alerts or screening account balances, on Facebook Messenger.

This news comes on the heels of public and congressional heat following the March 2018 reports that data analysis firm Cambridge Analytica acquired and used Facebook data (at last count, of some 71 million Americans).

“Like many online companies with commerce businesses, we partner with banks and credit card companies to offer services like customer chat or account management,” a Facebook spokesperson said in an email statement. “Account linking enables people to receive real-time updates in Facebook Messenger where people can keep track of their transaction data like account balances, receipts, and shipping updates.”

So far, it seems none of the banks mentioned has accepted the offer. One bank reportedly ended talks with Facebook, citing privacy concerns, according to the WSJ report. Facebook assured financial institutions it won’t use data for targeted advertisements or share it with third parties.

Rebecca Herold, president of Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, warned, “Reportedly, initially, this would be done with consumer consent. And it is not just Facebook who is looking at this. It is also Google and Amazon. However, the more personal data is shared, the more risks exist that the data will be breached, shared even further, used for other purposes, and the list could go on infinitely.” Herold said recent history showed personal data expanded beyond that for which the data subjects gave consent. “Privacy promises are only words when actions do not align. Keep in mind the saying: ‘Fool me once, shame on you. Fool me twice, shame on me.’ Don’t be fooled.”

Tim Erlin, VP of product management and strategy at Portland, Ore.-based Tripwire, said, “Those long, tedious terms of service you agree to aren’t important, until they are. At this point, this is hardly more than a trial balloon, to see if consumers would accept this type of integration. The more they can integrate with consumers’ lives, the more they can find ways to generate revenue.”

However, financial services organizations currently use less secure means to communicate with customers, Tyler Reguly, manager of software development at Tripwire, added. “My credit card company can send me email alerts for international transactions, charges above a specific price, and other noteworthy items; some of them will also use push notifications on my iPhone. My bank uses SMS to verify when I want to add a new bill or e-transfer payee. We know that both email and SMS can be insecure, so why not move to a better platform?”

The fear, Reguly added, seems to be that Facebook will have access to the data, but that’s not immediately clear in the details provided. “Facebook Messenger supports end-to-end encryption between active devices (meaning that the data can’t be accessed by Facebook and you can’t access the conversation via your browser after it has happened).”

Reguly suggested that, given the recent privacy issues, Facebook would look at this to increase its user base rather than harvest data. Additionally, if signing up for Messenger provides secure real-time access to his banking information by interacting with a bot, that’s a huge value-add over a competing service.

Stephen Moore, chief security strategist at San Mateo, Calif.-based Exabeam, maintained that tech companies that don’t profit from personal information will most certainly make changes and offer more privacy features over time. “However, when your personal information is the currency, there won’t be privacy – that’s the agreement going in. Free email isn’t free, nor is the information collected from most of the applications you use. The long-term outcomes are hard for most to understand today.”

Moore noted that Facebook already said it’s not for targeted marketing. “But for what then? Where does it end?” He further suggested there will be little change until the long-term penalty for the misuse of user data is greater than the profits associated with the collection and monetization of it. “Most privacy laws are well-meaning, but out of touch in terms of outside attacker behavior and the steps to stop it. They instead modify business-customer and not business-adversary outcomes and consume resources and attention away from security efforts.”