Following on from my previous post, Making a hash of privacy, I want to talk about the communication I’ve had with my bank regarding their use of the Facebook Custom Audience API.
Having looked at how the Custom Audience API worked I asked my bank to provide the following:
- An explanation of why they uploaded my details to Facebook
- How they uploaded the information (Custom Audience API, or some other mechanism)
- The information they uploaded (email address, name, DoB, etc.)
- The dates the uploads occurred
- The clause in their terms and conditions that permits the uploading of customer details to Facebook
Their initial response was as follows:
Please know we take the protection of our customers' data very seriously and we are happy to answer your questions.
The information you received from Facebook entitled “advertisers_who_uploaded_a_contact_list_with_your_information” refers to a specific advertising option BankX (and other businesses globally) utilise on Facebook called ‘Custom Audiences’.
BankX invests in advertising across many channels like TV, Radio and digital for example Facebook, Google and Trademe. We promote the products and services we offer like Home Loans, Business Banking and Credit Cards across these channels and we optimise them to ensure we are getting as much value as possible from our investment. One way we do this is to create what are known as ‘suppression lists’. For example, if a person is already a Business Banking customer with BankX, then we don’t want to be showing them our Business Banking advertising, as that would be inefficient and also a poor experience for our Business Banking customers. Facebook offers an option to create a Business Banking suppression list which means Facebook doesn’t display any of our advertising to people on Facebook who have been flagged as a Business Banking customer. The following is the process used to create a suppression list:
- BankX identifies Business Banking customers in its database and extracts their email addresses. NOTE: It’s important to understand at this point that Facebook has already hashed (encrypted) all the data that users have provided to it in the past.
- As BankX uploads the email addresses to Facebook they are hashed locally in the browser before they are uploaded to Facebook. Hashing turns the data into short fingerprints that can’t be reversed. It happens before the data is sent to Facebook, so Facebook doesn’t see the email address, it simply sees the hashed data.
- Once the BankX hashed data is uploaded Facebook then matches the hashed data as best as it can.
- The matches are added to a Custom Audience for BankX.
- The matched and unmatched hashes are deleted.
The Custom Audience that’s been created doesn’t have any identifiable information, it is simply a ‘suppression list’ that we can utilise so our advertising doesn’t go to those people on Facebook. We don’t know who was matched and we can’t reverse the process and download any information. No one else has access to this data other than BankX, we don’t share the data with anyone.
They also quoted the Custom Audience API terms and conditions:
Facebook will not give access to or information about your Custom Audience to third parties or other advertisers, use your Custom Audience to append to the information we have about our users or build interest-based profiles, or use your Custom Audience except to provide services to you.
If it were true they were only uploading email addresses there would never have been a match, because my banking email address is different from my Facebook email address. I therefore asked them again: have you, on any occasion, uploaded customer details other than email addresses?
The next response came in the form of a phone call from BankX’s Technical Marketing Lead. To summarise:
- The assertion they had only uploaded email addresses was incorrect. They actually achieved a 92% success rate by uploading:
  - Email address
  - First name
  - Last name
  - Date of birth year
- They couldn’t tell me how many times my data had been uploaded, or the suppression lists I had been added to, as they kept no audit record.
- Finally, in response to my complaint they would look at:
  - moving the uploading of customer data to Salesforce Marketing Cloud as this integrates directly with the Facebook Custom Audience API, and
  - giving customers the ability to opt out of having their details shared with third parties
With regards to whether their terms and conditions permitted the uploading of customer details to Facebook, they referred to a loosely worded clause that permits them to share my personal details with any third party “for the purposes of managing the customer’s relationship with us”. In essence, carte blanche to do anything they like with my data.
The whole experience has left me disappointed. Disappointed my bank thought it was OK to upload my personal details to Facebook. Disappointed they actually trust Facebook’s terms and conditions. Disappointed they failed to understand that hashing does not equal anonymity, or how trivial it is to decode fields with such a small range of possible values. I’m also dubious they’re telling the whole truth. Are the fields listed above the only fields they’re uploading? With no audit record I’ll never know.
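To make the point concrete (for both the hashing steps in the bank's own description and the "small range of possible values" remark above), here is an added Python example, not code from this post or from BankX. It assumes the normalisation documented for Custom Audience uploads (trim, lowercase, SHA-256 hex), hashes a constructed customer record, and then recovers the birth year and names simply by hashing a small candidate list; the email field is left unrecovered to show the contrast.

```python
import hashlib
from typing import Iterable, Optional

# Assumed normalisation (strip, lowercase, SHA-256 hex); the bank's exact
# pipeline is not described on the page.
def ca_hash(value: str) -> str:
    """Hash one field the way a Custom Audience upload is documented to."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()

def hash_record(record: dict) -> dict:
    """Hash every field of a customer record before 'upload'."""
    return {field: ca_hash(value) for field, value in record.items()}

def recover(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose hash equals digest, or None.

    This is a plain dictionary lookup: a hashed field with few possible
    values is only as private as the size of that candidate set."""
    for candidate in candidates:
        if ca_hash(candidate) == digest:
            return candidate
    return None

def recover_birth_year(digest: str, first: int = 1900, last: int = 2024) -> Optional[str]:
    """A hashed birth year needs at most (last - first + 1) hashes to look up."""
    return recover(digest, (str(year) for year in range(first, last + 1)))

# Constructed sample customer record, not real data.
SAMPLE = {"fn": "Alice", "ln": "Smith", "doby": "1987", "em": "alice@example.com"}
# Constructed, deliberately tiny candidate lists standing in for the public
# name-frequency tables a real lookup would use.
COMMON_FIRST = ["james", "mary", "alice", "john", "sarah"]
COMMON_LAST = ["smith", "jones", "williams", "brown", "taylor"]

def demonstrate(record: dict = SAMPLE) -> dict:
    """Hash the record, then recover the low-entropy fields by lookup.

    The email guess is deliberately wrong: without the exact address in a
    candidate list, its hash reveals nothing by lookup (hence the bank's
    email-only claim could not have matched a different Facebook address)."""
    hashed = hash_record(record)
    return {
        "fn": recover(hashed["fn"], COMMON_FIRST),
        "ln": recover(hashed["ln"], COMMON_LAST),
        "doby": recover_birth_year(hashed["doby"]),
        "em": recover(hashed["em"], ["bob@example.com"]),
    }

if __name__ == "__main__":
    print(demonstrate())
```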
I have no sympathy for businesses engaged in this kind of activity. I don’t care if it’s the wild west out there, businesses have a moral obligation to their customers. It’s not good enough to say “everyone else is doing it, so it must be OK”. Behave more responsibly with your customers’ personal data if you don’t want to be judged in the court of public opinion.
Whilst I was clearly naive in expecting higher standards from my bank, there are reasons to be hopeful. With the recent Cambridge Analytica scandal and now GDPR, there’s never been a better time to debate the usage and ownership of personal data in New Zealand. Let’s have the debate now and legislate to protect consumers.
- GDPR Matchup: New Zealand’s Privacy Act 1993
- World Internet Project: latest NZ findings show greatest online privacy concerns focused on corporates not government
- Privacy Foundation New Zealand